From 42596842a8d6ccb9968ae579e3291989bd163a12 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 20 Feb 2018 10:37:47 +0100
Subject: [PATCH 1/4] add synonym and ref for Emissary Panda (Iron Tiger APT)
---
 clusters/threat-actor.json | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f436f37..510d44d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -412,12 +412,15 @@
 "ZipToken",
 "HIPPOTeam",
 "APT27",
- "Operation Iron Tiger"
+ "Operation Iron Tiger",
+ "Iron Tiger APT"
 ],
 "country": "CN",
 "refs": [
 "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
- "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/"
+ "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
+ "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
+ "https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/"
 ]
 },
 "description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.",
From 6147b89c4ad4ce0791584c4df347aba2fa5edd29 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 20 Feb 2018 11:19:55 +0100
Subject: [PATCH 2/4] add ShurL0ckr ransomware
---
 clusters/ransomware.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index d491200..b351ac6 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
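Review bot: The two Bitdefender references added under `refs` attribute Operation PZChao to this group, yet the report's own URL frames it as only `a-possible-return-of-the-iron-tiger-apt`, and the `meta` block visible here has no per-reference confidence field, so the cluster records a tentative link as if it were settled. Anyone pivoting on this cluster will treat PZChao indicators as Emissary Panda indicators, so the caveat belongs in the `description` context line, e.g. `"description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors. Bitdefender's 2018 Operation PZChao report links that campaign to this group only tentatively."`. The new `Iron Tiger APT` synonym largely duplicates the existing `Operation Iron Tiger` entry, which is harmless for matching but worth a second look. The enclosing cluster object and the key holding the `ZipToken` list start above the hunk and are not visible here.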
@@ -8722,6 +8722,16 @@
 "---= GANDCRAB =---\n\nAttention!\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB \nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.\nThe server with your key is in a closed network TOR. You can get there by the following ways:\n1. Download Tor browser - https://www.torproject.org/\n2. Install Tor browser\n3. Open Tor Browser\n4. Open link in tor browser:http://gdcbghvjyqy7jclk.onion/[id]\n5. Follow the instructions on this page\n\nIf Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser:\n1. http://gdcbghvjyqy7jclk.onion.top/[id]\n2. http://gdcbghvjyqy7jclk.onion.casa/[id]\n3. http://gdcbghvjyqy7jclk.onion.guide/[id]\n4. http://gdcbghvjyqy7jclk.onion.rip/[id]\n5. http://gdcbghvjyqy7jclk.onion.plus/[id]\n\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.\n\nDANGEROUS!\nDo not try to modify files or use your own private key - this will result in the loss of your data forever!"
 ]
 }
+ },
+ {
+ "value": "ShurL0ckr",
+ "description": "Security researchers uncovered a new ransomware named ShurL0ckr (detected by Trend Micro as RANSOM_GOSHIFR.B) that reportedly bypasses detection mechanisms of cloud platforms. Like Cerber and Satan, ShurL0ckr’s operators further monetize the ransomware by peddling it as a turnkey service to fellow cybercriminals, allowing them to earn additional income through a commission from each victim who pays the ransom.",
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications"
+ ],
+ "date": "Febuary 2018"
+ }
 }
 ],
 "source": "Various",
From 384e26a1b4bb14065d391b701fe1854c41f4fdbb Mon Sep 17 00:00:00 2001
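Review bot: `"date": "Febuary 2018"` misspells the month; this is a data value consumers may filter on, not prose, so it should read `"date": "February 2018"` (the Cryakl entry added later in this series uses the correctly spelled `"January 2018"` form). The description is a verbatim copy of the Trend Micro article lead, carrying over the hedge "reportedly bypasses detection mechanisms of cloud platforms"; a cluster description should state what is claimed and by whom rather than repeat press wording, and the Trend Micro detection name `RANSOM_GOSHIFR.B` is a useful pivot that would be easier to find in a synonym or alias field, if the ransomware cluster schema has one, than buried mid-sentence. The entry also lacks the `extensions` list that sibling entries in this file carry; if the reference names the encrypted-file extension it should be recorded there.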
From: Deborah Servili
Date: Tue, 20 Feb 2018 15:33:24 +0100
Subject: [PATCH 3/4] create botnet galaxy
---
 clusters/botnet.json | 22 ++++++++++++++++++++++
 clusters/ransomware.json | 15 +++++++++++++++
 galaxies/botnet.json | 8 ++++++++
 3 files changed, 45 insertions(+)
 create mode 100644 clusters/botnet.json
 create mode 100644 galaxies/botnet.json
diff --git a/clusters/botnet.json b/clusters/botnet.json
new file mode 100644
index 0000000..ea2db8f
--- /dev/null
+++ b/clusters/botnet.json
@@ -0,0 +1,22 @@
+{
+ "values": [
+ {
+ "value": "ADB.miner",
+ "description": "A new botnet appeared over the weekend, and it's targeting Android devices by scanning for open debug ports so it can infect victims with malware that mines the Monero cryptocurrency.\n\nThe botnet came to life on Saturday, February 3, and is targeting port 5555, which on devices running the Android OS is the port used by the operating system's native Android Debug Bridge (ADB), a debugging interface that grants access to some of the operating system's most sensitive features.\n\nOnly devices running the Android OS have been infected until now, such as smartphones, smart TVs, and TV top boxes, according to security researchers from Qihoo 360's Network Security Research Lab [Netlab] division, the ones who discovered the botnet, which the named ADB.miner.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/android-devices-targeted-by-new-monero-mining-botnet/"
+ ]
+ }
+ }
+ ],
+ "name": "Botnet",
+ "type": "botnet",
+ "source": "MISP Project",
+ "authors": [
+ "Various"
+ ],
+ "description": "botnet galaxy",
+ "uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f",
+ "version": 1
+}
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index b351ac6..8bfe71f 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
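Review bot: The ADB.miner `description` pastes the BleepingComputer article verbatim, so it anchors the event to "over the weekend" and "Saturday, February 3" with no year, while the entry's `meta` block has no `date` key; in a reference cluster that wording becomes meaningless within months. Suggest adding `"date": "February 2018"` under `meta` (the ransomware entries in this same series carry that key) and rewriting the opening sentence as `"ADB.miner is a botnet first reported in February 2018 that scans for Android devices exposing the Android Debug Bridge (ADB) on port 5555 and installs a Monero miner on them."`, which also keeps the one fact defenders act on, an exposed ADB port, at the front instead of in the middle of the quote. The last sentence has a typo, "which the named ADB.miner" for "which they named ADB.miner". The cluster-level `"source": "MISP Project"` next to `"authors": ["Various"]` also reads inconsistently with the `"source": "Various"` visible in clusters/ransomware.json; if the project has a convention for a new cluster, follow it.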
@@ -8732,6 +8732,21 @@
 ],
 "date": "Febuary 2018"
 }
+ },
+ {
+ "value": "Cryakl",
+ "description": "ransomware",
+ "meta": {
+ "refs": [
+ "https://sensorstechforum.com/fr/fairytail-files-virus-cryakl-ransomware-remove-restore-data/",
+ "https://www.technologynews.tech/cryakl-ransomware-virus",
+ "http://www.zdnet.com/article/cryakl-ransomware-decryption-keys-now-available-for-free/"
+ ],
+ "date": "January 2018",
+ "extensions": [
+ ".fairytail"
+ ]
+ }
 }
 ],
 "source": "Various",
diff --git a/galaxies/botnet.json b/galaxies/botnet.json
new file mode 100644
index 0000000..81a2334
--- /dev/null
+++ b/galaxies/botnet.json
@@ -0,0 +1,8 @@
+{
+ "description": "Botnet galaxy.",
+ "type": "botnet",
+ "version": 1,
+ "name": "Botnet",
+ "icon": "sitemap",
+ "uuid": "90ccdf38-1649-11e8-b8bf-e7326d553087"
+}
From 0c135fe86a6debafe21a3835c8dbe3d0314c514d Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 20 Feb 2018 15:35:10 +0100
Subject: [PATCH 4/4] add botnet galaxy to readme
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index b7f4bcb..3ca43ff 100644
--- a/README.md
+++ b/README.md
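Review bot: `"description": "ransomware"` carries no information, while the three references do: the URL slugs name the family, the `.fairytail` extension is already recorded under `extensions`, and the ZDNet slug says decryption keys became available for free. A one-line description grounded in those refs would serve analysts better, e.g. `"description": "Cryakl ransomware; the variant referenced here appends the .fairytail extension to encrypted files. Free decryption keys were later published (see the ZDNet reference)."`. The ZDNet headline about keys being released suggests the family predates the `"date": "January 2018"` given, so if that date is meant as the `.fairytail` variant's first sighting rather than the family's, the description should say so. Two of the three refs are removal-guide pages of the `remove-restore-data` kind; if they add nothing beyond the ZDNet article, the ZDNet link alone is the more reliable citation.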
@@ -18,6 +18,7 @@ to localized information (which is not shared) or additional information (that c
 - [clusters/android.json](clusters/android.json) - Android malware galaxy based on multiple open sources.
 - [clusters/banker.json](clusters/banker.json) - A list of banker malware.
+- [clusters/botnet.json](clusters/botnet.json) - A list of known botnets.
 - [clusters/branded_vulnerability.json](clusters/branded_vulnerability.json) - List of known vulnerabilities and exploits.
 - [clusters/exploit-kit.json](clusters/exploit-kit.json) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years.
 - [clusters/microsoft-activity-group.json](clusters/microsoft-activity-group.json) - Activity groups as described by Microsoft.