This commit is contained in:
Deborah Servili 2018-02-28 16:16:28 +01:00
parent d88a4a44dc
commit b3574f880a
14 changed files with 25062 additions and 25062 deletions


@ -2,7 +2,7 @@
"values": [ "values": [
{ {
"value": "CopyCat", "value": "CopyCat",
"description": "CopyCat is a fully developed malware with vast capabilities, including rooting devices, establishing persistency, and injecting code into Zygote \u2013 a daemon responsible for launching apps in the Android operating system \u2013 that allows the malware to control any activity on the device.", "description": "CopyCat is a fully developed malware with vast capabilities, including rooting devices, establishing persistency, and injecting code into Zygote a daemon responsible for launching apps in the Android operating system that allows the malware to control any activity on the device.",
"meta": { "meta": {
"refs": [ "refs": [
"https://blog.checkpoint.com/2017/07/06/how-the-copycat-malware-infected-android-devices-around-the-world/" "https://blog.checkpoint.com/2017/07/06/how-the-copycat-malware-infected-android-devices-around-the-world/"
@ -57,7 +57,7 @@
}, },
{ {
"value": "DoubleLocker", "value": "DoubleLocker",
"description": "DoubleLocker can change the device\u2019s PIN, preventing victims from accessing their devices, and also encrypts the data requesting a ransom. It will misuse accessibility services after being installed by impersonating the Adobe Flash player - similar to BankBot.", "description": "DoubleLocker can change the devices PIN, preventing victims from accessing their devices, and also encrypts the data requesting a ransom. It will misuse accessibility services after being installed by impersonating the Adobe Flash player - similar to BankBot.",
"meta": { "meta": {
"refs": [ "refs": [
"https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/" "https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/"
@ -91,7 +91,7 @@
}, },
{ {
"value": "BankBot", "value": "BankBot",
"description": "The main goal of this malware is to steal banking credentials from the victim\u2019s device. It usually impersonates flash player updaters, android system tools, or other legitimate applications.", "description": "The main goal of this malware is to steal banking credentials from the victims device. It usually impersonates flash player updaters, android system tools, or other legitimate applications.",
"meta": { "meta": {
"refs": [ "refs": [
"https://blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot", "https://blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot",
@ -209,7 +209,7 @@
}, },
{ {
"value": "GM Bot", "value": "GM Bot",
"description": "GM Bot \u2013 also known as Acecard, SlemBunk, or Bankosy \u2013 scams people into giving up their banking log-in credentials and other personal data by displaying overlays that look nearly identical to banking apps log-in pages. Subsequently, the malware intercepts SMS to obtain two-factor authentication PINs, giving cybercriminals full access to bank accounts.", "description": "GM Bot also known as Acecard, SlemBunk, or Bankosy scams people into giving up their banking log-in credentials and other personal data by displaying overlays that look nearly identical to banking apps log-in pages. Subsequently, the malware intercepts SMS to obtain two-factor authentication PINs, giving cybercriminals full access to bank accounts.",
"meta": { "meta": {
"refs": [ "refs": [
"https://blog.avast.com/android-trojan-gm-bot-is-evolving-and-targeting-more-than-50-banks-worldwide" "https://blog.avast.com/android-trojan-gm-bot-is-evolving-and-targeting-more-than-50-banks-worldwide"
@ -224,7 +224,7 @@
}, },
{ {
"value": "Moplus", "value": "Moplus",
"description": "The Wormhole vulnerability in the Moplus SDK could be exploited by hackers to open an unsecured and unauthenticated HTTP server connection on the user\u2019s device, and this connection is established in the background without the user\u2019s knowledge.", "description": "The Wormhole vulnerability in the Moplus SDK could be exploited by hackers to open an unsecured and unauthenticated HTTP server connection on the users device, and this connection is established in the background without the users knowledge.",
"meta": { "meta": {
"refs": [ "refs": [
"http://securityaffairs.co/wordpress/41681/hacking/100m-android-device-baidu-moplus-sdk.html" "http://securityaffairs.co/wordpress/41681/hacking/100m-android-device-baidu-moplus-sdk.html"
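Review bot: The new side of every hunk in this file silently drops characters instead of transcoding them: `\u2019` is removed so the DoubleLocker, BankBot and Moplus descriptions now read `devices PIN`, `victims device` and `users device`, and `\u2013` is removed so CopyCat reads `Zygote a daemon responsible ... system that allows`, which is a different (and less readable) sentence. Since other hunks in this commit keep literal non-ASCII characters (e.g. `“fileless”`, `Möller`, `未来`), the file is evidently written as UTF-8 and the escapes could simply have been emitted literally, or mapped to ASCII equivalents (`\u2019` → `'`, `\u2013` → `-`). I would expect a normalization commit to be lossless; a check such as `assert json.load(old) == json.load(new)` (comparing decoded strings, not bytes) would have caught this. The descriptions are the human-readable payload of these galaxy clusters, so the corruption propagates to every consumer of the feed.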


@ -91,7 +91,7 @@
], ],
"date": "Beginning 2010" "date": "Beginning 2010"
}, },
"description": "Banking trojan based on Gozi source. Features include web injects for the victims\u2019 browsers, screenshoting, video recording, transparent redirections, etc. Source leaked ~ end of 2015.", "description": "Banking trojan based on Gozi source. Features include web injects for the victims browsers, screenshoting, video recording, transparent redirections, etc. Source leaked ~ end of 2015.",
"value": "Gozi ISFB", "value": "Gozi ISFB",
"uuid": "ffbbbc14-1cdb-4be9-a631-ed53c5407369" "uuid": "ffbbbc14-1cdb-4be9-a631-ed53c5407369"
}, },
@ -128,7 +128,7 @@
], ],
"date": "Spring 2016" "date": "Spring 2016"
}, },
"description": "GozNym hybrid takes the best of both the Nymaim and Gozi ISFB. From the Nymaim malware, it leverages the dropper\u2019s stealth and persistence; the Gozi ISFB parts add the banking Trojan\u2019s capabilities to facilitate fraud via infected Internet browsers.", "description": "GozNym hybrid takes the best of both the Nymaim and Gozi ISFB. From the Nymaim malware, it leverages the droppers stealth and persistence; the Gozi ISFB parts add the banking Trojans capabilities to facilitate fraud via infected Internet browsers.",
"value": "GozNym", "value": "GozNym",
"uuid": "bcefac9a-a928-490f-9cb6-a8863f40c949" "uuid": "bcefac9a-a928-490f-9cb6-a8863f40c949"
}, },
@ -544,7 +544,7 @@
}, },
{ {
"value": "downAndExec", "value": "downAndExec",
"description": "Services like Netflix use content delivery networks (CDNs) to maximize bandwidth usage as it gives users greater speed when viewing the content, as the server is close to them and is part of the Netflix CDN. This results in faster loading times for series and movies, wherever you are in the world. But, apparently, the CDNs are starting to become a new way of spreading malware. The attack chain is very extensive, and incorporates the execution of remote scripts (similar in some respects to the recent \u201cfileless\u201d banking malware trend), plus the use of CDNs for command and control (C&C), and other standard techniques for the execution and protection of malware.", "description": "Services like Netflix use content delivery networks (CDNs) to maximize bandwidth usage as it gives users greater speed when viewing the content, as the server is close to them and is part of the Netflix CDN. This results in faster loading times for series and movies, wherever you are in the world. But, apparently, the CDNs are starting to become a new way of spreading malware. The attack chain is very extensive, and incorporates the execution of remote scripts (similar in some respects to the recent “fileless” banking malware trend), plus the use of CDNs for command and control (C&C), and other standard techniques for the execution and protection of malware.",
"meta": { "meta": {
"refs": [ "refs": [
"https://www.welivesecurity.com/2017/09/13/downandexec-banking-malware-cdns-brazil/" "https://www.welivesecurity.com/2017/09/13/downandexec-banking-malware-cdns-brazil/"
@ -554,7 +554,7 @@
}, },
{ {
"value": "Smominru", "value": "Smominru",
"description": "Since the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue Exploit (CVE-2017-0144). The miner itself, known as Smominru (aka Ismo) has been well-documented, so we will not discuss its post-infection behavior. However, the miner\u2019s use of Windows Management Infrastructure is unusual among coin mining malware.\nThe speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as \u201chash power\u201d. Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week.", "description": "Since the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue Exploit (CVE-2017-0144). The miner itself, known as Smominru (aka Ismo) has been well-documented, so we will not discuss its post-infection behavior. However, the miners use of Windows Management Infrastructure is unusual among coin mining malware.\nThe speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as “hash power”. Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week.",
"meta": { "meta": {
"refs": [ "refs": [
"https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators" "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators"
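Review bot: The conversion in this file is inconsistent in a way that suggests only some escapes were handled: `\u201c`/`\u201d` become literal `“fileless”` and `“hash power”` on the new side of the downAndExec and Smominru hunks, while `\u2019` is deleted outright, producing `droppers stealth`, `Trojans capabilities` and `miners use`. Whatever produced this (it looks like an unescape step with a partial character table, but I am inferring that from the pattern) should either emit all code points literally, e.g. `json.dumps(obj, ensure_ascii=False, indent=2)`, or map every typographic character it strips to an ASCII replacement rather than the empty string. The Gozi ISFB line shows the same loss (`victims browsers`). Please regenerate these hunks from the pre-commit content rather than hand-patching the apostrophes back in.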


@ -28,7 +28,7 @@
}, },
{ {
"value": "Marina Botnet", "value": "Marina Botnet",
"description": "Around the same time Bagle was sending spam messages all over the world, the Marina Botnet quickly made a name for itself. With over 6 million bots pumping out spam emails every single day, it became apparent these \u201chacker tools\u201d could get out of hand very quickly. At its peak, Marina Botnet delivered 92 billion spam emails per day.", "description": "Around the same time Bagle was sending spam messages all over the world, the Marina Botnet quickly made a name for itself. With over 6 million bots pumping out spam emails every single day, it became apparent these “hacker tools” could get out of hand very quickly. At its peak, Marina Botnet delivered 92 billion spam emails per day.",
"meta": { "meta": {
"refs": [ "refs": [
"https://en.wikipedia.org/wiki/Botnet" "https://en.wikipedia.org/wiki/Botnet"
@ -252,7 +252,7 @@
}, },
{ {
"value": "Gheg", "value": "Gheg",
"description": "Tofsee, also known as Gheg, is another botnet analyzed by CERT Polska. Its main job is to send spam, but it is able to do other tasks as well. It is possible thanks to the modular design of this malware \u2013 it consists of the main binary (the one user downloads and infects with), which later downloads several additional modules from the C2 server \u2013 they modify code by overwriting some of the called functions with their own. An example of some actions these modules perform is spreading by posting click-bait messages on Facebook and VKontakte (Russian social network).", "description": "Tofsee, also known as Gheg, is another botnet analyzed by CERT Polska. Its main job is to send spam, but it is able to do other tasks as well. It is possible thanks to the modular design of this malware it consists of the main binary (the one user downloads and infects with), which later downloads several additional modules from the C2 server they modify code by overwriting some of the called functions with their own. An example of some actions these modules perform is spreading by posting click-bait messages on Facebook and VKontakte (Russian social network).",
"meta": { "meta": {
"refs": [ "refs": [
"https://www.cert.pl/en/news/single/tofsee-en/" "https://www.cert.pl/en/news/single/tofsee-en/"
@ -301,7 +301,7 @@
}, },
{ {
"value": "Spamthru", "value": "Spamthru",
"description": "Spam Thru represented an expontential jump in the level of sophistication and complexity of these botnets, harnessing a 70,000 strong peer to peer botnet seeded with the Spam Thru Trojan. Spam Thru is also known by the Aliases Backdoor.Win32.Agent.uu, Spam-DComServ and Troj_Agent.Bor. Spam Thru was unique because it had its own antivirus engine designed to remove any other malicious programs residing in the same infected host machine so that it can get unlimited access to the machine\u2019s processing power as well as bandwidth. It also had the potential to be 10 times more productive than most other botnets while evading detection because of in-built defences.", "description": "Spam Thru represented an expontential jump in the level of sophistication and complexity of these botnets, harnessing a 70,000 strong peer to peer botnet seeded with the Spam Thru Trojan. Spam Thru is also known by the Aliases Backdoor.Win32.Agent.uu, Spam-DComServ and Troj_Agent.Bor. Spam Thru was unique because it had its own antivirus engine designed to remove any other malicious programs residing in the same infected host machine so that it can get unlimited access to the machines processing power as well as bandwidth. It also had the potential to be 10 times more productive than most other botnets while evading detection because of in-built defences.",
"meta": { "meta": {
"refs": [ "refs": [
"http://www.root777.com/security/analysis-of-spam-thru-botnet/" "http://www.root777.com/security/analysis-of-spam-thru-botnet/"
@ -500,7 +500,7 @@
}, },
{ {
"value": "Mirai", "value": "Mirai",
"description": "Mirai (Japanese for \"the future\", \u672a\u6765) is a malware that turns networked devices running Linux into remotely controlled \"bots\" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs's web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack.", "description": "Mirai (Japanese for \"the future\", 未来) is a malware that turns networked devices running Linux into remotely controlled \"bots\" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs's web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack.",
"meta": { "meta": {
"refs": [ "refs": [
"https://en.wikipedia.org/wiki/Mirai_(malware)" "https://en.wikipedia.org/wiki/Mirai_(malware)"
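Review bot: Dropping `\u2013` in the Gheg hunk turns two parenthetical clauses into run-on text — `modular design of this malware it consists of the main binary ... from the C2 server they modify code` — and the Spamthru hunk loses its apostrophe (`machines processing power`), so the rewritten descriptions no longer say what the original ones said. The Mirai hunk shows that literal CJK text (`未来`) survives, so the file is UTF-8 clean and the dashes could have been kept literally or replaced with ` - `. For a commit of this size (14 files, ~25k lines) the safest review aid is a diff of the parsed values, e.g. `jq -S . old.json > a; jq -S . new.json > b; diff a b`, which should be empty if the change is purely about escaping.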


@ -32,7 +32,7 @@
"description": "Heartbleed is a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed may be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension, thus the bug's name derives from heartbeat. The vulnerability is classified as a buffer over-read,[5] a situation where more data can be read than should be allowed.", "description": "Heartbleed is a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed may be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension, thus the bug's name derives from heartbeat. The vulnerability is classified as a buffer over-read,[5] a situation where more data can be read than should be allowed.",
"meta": { "meta": {
"aliases": [ "aliases": [
"CVE-2014\u20130160" "CVE-20140160"
], ],
"logo": [ "logo": [
"https://upload.wikimedia.org/wikipedia/commons/thumb/d/dc/Heartbleed.svg/440px-Heartbleed.svg.png" "https://upload.wikimedia.org/wikipedia/commons/thumb/d/dc/Heartbleed.svg/440px-Heartbleed.svg.png"
@ -45,7 +45,7 @@
"description": "Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.", "description": "Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.",
"meta": { "meta": {
"aliases": [ "aliases": [
"CVE-2014\u20136271" "CVE-20146271"
], ],
"logo": [ "logo": [
"https://upload.wikimedia.org/wikipedia/commons/thumb/4/44/Shellshock-bug.png/440px-Shellshock-bug.png", "https://upload.wikimedia.org/wikipedia/commons/thumb/4/44/Shellshock-bug.png/440px-Shellshock-bug.png",
@ -60,7 +60,7 @@
"description": "The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.\nDuring a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This bug can be triggered both locally and remotely via all the gethostbyname*() functions. Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. These functions convert a hostname into an IP address.", "description": "The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.\nDuring a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This bug can be triggered both locally and remotely via all the gethostbyname*() functions. Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. These functions convert a hostname into an IP address.",
"meta": { "meta": {
"aliases": [ "aliases": [
"CVE-2015\u20130235" "CVE-20150235"
], ],
"logo": [ "logo": [
"https://cdn-images-1.medium.com/max/1600/1*HnCEOo0RUT1fliJjRT02lA.png" "https://cdn-images-1.medium.com/max/1600/1*HnCEOo0RUT1fliJjRT02lA.png"
@ -70,7 +70,7 @@
}, },
{ {
"value": "Stagefright", "value": "Stagefright",
"description": "Stagefright is the name given to a group of software bugs that affect versions 2.2 (\"Froyo\") and newer of the Android operating system. The name is taken from the affected library, which among other things, is used to unpack MMS messages. Exploitation of the bug allows an attacker to perform arbitrary operations on the victim's device through remote code execution and privilege escalation. Security researchers demonstrate the bugs with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user actions upon message reception to succeed\u2014the user doesn\u2019t have to do anything to \u2018accept\u2019 the bug, it happens in the background. The phone number is the only target information.", "description": "Stagefright is the name given to a group of software bugs that affect versions 2.2 (\"Froyo\") and newer of the Android operating system. The name is taken from the affected library, which among other things, is used to unpack MMS messages. Exploitation of the bug allows an attacker to perform arbitrary operations on the victim's device through remote code execution and privilege escalation. Security researchers demonstrate the bugs with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user actions upon message reception to succeed—the user doesnt have to do anything to accept the bug, it happens in the background. The phone number is the only target information.",
"meta": { "meta": {
"aliases": [ "aliases": [
"CVE-2015-1538", "CVE-2015-1538",
@ -115,7 +115,7 @@
}, },
{ {
"value": "POODLE", "value": "POODLE",
"description": "The POODLE attack (which stands for \"Padding Oracle On Downgraded Legacy Encryptio\") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo M\u00f6ller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014 (despite the paper being dated \"September 2014\" ). Ivan Ristic does not consider the POODLE attack as serious as the Heartbleed and Shellshock attacks. On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced.", "description": "The POODLE attack (which stands for \"Padding Oracle On Downgraded Legacy Encryptio\") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014 (despite the paper being dated \"September 2014\" ). Ivan Ristic does not consider the POODLE attack as serious as the Heartbleed and Shellshock attacks. On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced.",
"meta": { "meta": {
"aliases": [ "aliases": [
"CVE-2014-3566" "CVE-2014-3566"
@ -125,14 +125,14 @@
}, },
{ {
"value": "BadUSB", "value": "BadUSB",
"description": "The \u2018BadUSB\u2019 vulnerability exploits unprotected firmware in order to deliver malicious code to computers and networks. This is achieved by reverse-engineering the device and reprogramming it. As the reprogrammed firmware is not monitored or assessed by modern security software, this attack method is extremely difficult for antivirus/security software to detect and prevent.", "description": "The BadUSB vulnerability exploits unprotected firmware in order to deliver malicious code to computers and networks. This is achieved by reverse-engineering the device and reprogramming it. As the reprogrammed firmware is not monitored or assessed by modern security software, this attack method is extremely difficult for antivirus/security software to detect and prevent.",
"uuid": "bc3a3299-1443-4390-8b25-4bb280c1abd7" "uuid": "bc3a3299-1443-4390-8b25-4bb280c1abd7"
}, },
{ {
"value": "ImageTragick", "value": "ImageTragick",
"meta": { "meta": {
"aliases": [ "aliases": [
"CVE-2016\u20133714" "CVE-20163714"
], ],
"logo": [ "logo": [
"https://imagetragick.com/img/logo-medium.png" "https://imagetragick.com/img/logo-medium.png"
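Review bot: The `aliases` values on the new side are now malformed CVE identifiers — `CVE-20140160`, `CVE-20146271`, `CVE-20150235` and `CVE-20163714` — because the en dash in the original `CVE-2014\u20130160` etc. was deleted instead of being replaced with a hyphen. A CVE ID has the form `CVE-YYYY-NNNN+`, so these aliases will no longer match on exact lookup or regex against vulnerability feeds and MISP correlation; the originals with an en dash were already broken, and the POODLE (`CVE-2014-3566`) and Stagefright (`CVE-2015-1538`) entries in the same file show the intended form. The values should be `CVE-2014-0160`, `CVE-2014-6271`, `CVE-2015-0235` and `CVE-2016-3714`. The same hunks also lose quotes and apostrophes in prose (`doesnt have to do anything to accept the bug`, `The BadUSB vulnerability`), but the alias corruption is the one that affects machine matching and should block this commit.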


@ -40,7 +40,7 @@
}, },
{ {
"value": "DealersChoice", "value": "DealersChoice",
"description": "DealersChoice is a Flash Player Exploit platform triggered by RTF.\n\nDealersChoice is a platform that generates malicious documents containing embedded Adobe Flash files. Palo Alto Network researchers analyzed two variants\u2009\u2014\u2009variant A, which is a standalone variant including Flash exploit code packaged with a payload, and variant B, which is a modular variant that loads exploit code on demand. This new component appeared in 2016 and is still in use.", "description": "DealersChoice is a Flash Player Exploit platform triggered by RTF.\n\nDealersChoice is a platform that generates malicious documents containing embedded Adobe Flash files. Palo Alto Network researchers analyzed two variants — variant A, which is a standalone variant including Flash exploit code packaged with a payload, and variant B, which is a modular variant that loads exploit code on demand. This new component appeared in 2016 and is still in use.",
"meta": { "meta": {
"refs": [ "refs": [
"http://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/", "http://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/",


@ -15,7 +15,7 @@
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
] ]
}, },
"description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features\u2014this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.", "description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional featuresthis shows a close relationship between the activity groups behind the campaigns and the developers of the malware.",
"value": "PROMETHIUM", "value": "PROMETHIUM",
"uuid": "5744f91a-d2d8-4f92-920f-943dd80c578f" "uuid": "5744f91a-d2d8-4f92-920f-943dd80c578f"
}, },
@ -25,7 +25,7 @@
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
] ]
}, },
"description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor\u2019s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.", "description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoors characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.",
"value": "NEODYMIUM", "value": "NEODYMIUM",
"uuid": "47b5007a-3fb1-466a-9578-629e6e735493" "uuid": "47b5007a-3fb1-466a-9578-629e6e735493"
}, },
@ -60,7 +60,7 @@
"Grey-Cloud" "Grey-Cloud"
] ]
}, },
"description": "STRONTIUM has been active since at least 2007. Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims\u2019 computer. ", "description": "STRONTIUM has been active since at least 2007. Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016. 
STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims computer. ",
"value": "STRONTIUM", "value": "STRONTIUM",
"uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec" "uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec"
}, },
@ -81,7 +81,7 @@
"uuid": "b56af6ab-69f8-457a-bf50-c3aefa6dc14a" "uuid": "b56af6ab-69f8-457a-bf50-c3aefa6dc14a"
}, },
{ {
"description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group\u2019s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.", "description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. 
The groups persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.",
"value": "PLATINUM", "value": "PLATINUM",
"meta": { "meta": {
"refs": [ "refs": [
@ -97,7 +97,7 @@
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/" "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"
] ]
}, },
"description": "Microsoft Threat Intelligence associates Winnti with multiple activity groups\u2014collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims\u2014particularly those working in Business Development or Human Resources\u2014on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant\u2014notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.", "description": "Microsoft Threat Intelligence associates Winnti with multiple activity groupscollections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. 
In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implantnotable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.",
"value": "BARIUM", "value": "BARIUM",
"uuid": "cc70bdbd-afa7-4e19-bba2-2443811ef3af" "uuid": "cc70bdbd-afa7-4e19-bba2-2443811ef3af"
}, },
@ -107,7 +107,7 @@
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/" "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"
] ]
}, },
"description": "In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEAD\u2019s victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEAD\u2019s objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEAD\u2019s attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.", "description": "In contrast, LEAD has established a far greater reputation for industrial espionage. 
In the past few years, LEADs victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEADs objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEADs attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.",
"value": "LEAD", "value": "LEAD",
"uuid": "f542442e-ba0f-425d-b386-6c10351a468e" "uuid": "f542442e-ba0f-425d-b386-6c10351a468e"
}, },


@ -13,7 +13,7 @@
] ]
}, },
"value": "Backup and Restore Process", "value": "Backup and Restore Process",
"description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.\n(Schr\u00f6dinger's backup - it is both existent and non-existent until you've tried a restore", "description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.\n(Schrödinger's backup - it is both existent and non-existent until you've tried a restore",
"uuid": "5f942376-ea5b-4b23-9c26-81d3aeba7fb4" "uuid": "5f942376-ea5b-4b23-9c26-81d3aeba7fb4"
}, },
{ {
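Review bot: The parenthetical in the Backup and Restore Process description is never closed — the value ends at `tried a restore` with no `)`; this is pre-existing, but since the line is being rewritten by this commit anyway it is the moment to close it: `...until you've tried a restore)`. The `\n` in the same value is correctly kept as an escape rather than expanded to a raw line break, which is what the re-encoding must do for every control character — RFC 8259 allows literal non-ASCII text in a string but never an unescaped U+0000–U+001F. A strict `json.load` of the regenerated file is the cheapest way to confirm the rest of the 25k-line change kept that rule.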



@ -156,7 +156,7 @@
"https://www.nulled.to/topic/129749-win32hsidir-rat/" "https://www.nulled.to/topic/129749-win32hsidir-rat/"
] ]
}, },
"description": "Win32.HsIdir is an advanced remote administrator tool systems was done by the original author HS32-Idir, it is the development of the release made since 2006 Copyright \u00a9 2006-2010 HS32-Idir.", "description": "Win32.HsIdir is an advanced remote administrator tool systems was done by the original author HS32-Idir, it is the development of the release made since 2006 Copyright © 2006-2010 HS32-Idir.",
"value": "Win32.HsIdir", "value": "Win32.HsIdir",
"uuid": "569d539f-f949-4156-8896-108ea8352fbc" "uuid": "569d539f-f949-4156-8896-108ea8352fbc"
}, },
@ -275,7 +275,7 @@
], ],
"date": "2013" "date": "2013"
}, },
"description": "Bozok, like many other popular RATs, is freely available. The author of the Bozok RAT goes by the moniker \u201cSlayer616\u201d and has created another RAT known as Schwarze Sonne, or \u201cSS-RAT\u201d for short. Both of these RATs are free and easy to find \u2014 various APT actors have used both in previous targeted attacks.", "description": "Bozok, like many other popular RATs, is freely available. The author of the Bozok RAT goes by the moniker “Slayer616” and has created another RAT known as Schwarze Sonne, or “SS-RAT” for short. Both of these RATs are free and easy to find — various APT actors have used both in previous targeted attacks.",
"value": "Bozok", "value": "Bozok",
"uuid": "41f45758-0376-42a8-bc07-8f2ffbee3ad2" "uuid": "41f45758-0376-42a8-bc07-8f2ffbee3ad2"
}, },
@ -322,7 +322,7 @@
], ],
"date": "2005" "date": "2005"
}, },
"description": "In March 2017, Fujitsu Cyber Threat Intelligence uncovered a newly developed remote access tool referred to by its developer as \u2018Dark RAT\u2019 \u2013 a tool used to steal sensitive information from victims. Offered as a Fully Undetectable build (FUD) the RAT has a tiered price model including 24/7 support and an Android version. Android malware has seen a significant rise in interest and in 2015 this resulted in the arrests of a number of suspects involved in the infamous DroidJack malware.", "description": "In March 2017, Fujitsu Cyber Threat Intelligence uncovered a newly developed remote access tool referred to by its developer as Dark RAT a tool used to steal sensitive information from victims. Offered as a Fully Undetectable build (FUD) the RAT has a tiered price model including 24/7 support and an Android version. Android malware has seen a significant rise in interest and in 2015 this resulted in the arrests of a number of suspects involved in the infamous DroidJack malware.",
"value": "DarkRat", "value": "DarkRat",
"uuid": "7135cc9c-a7bf-44fc-b74b-80de9edd9438" "uuid": "7135cc9c-a7bf-44fc-b74b-80de9edd9438"
}, },
@ -402,7 +402,7 @@
], ],
"date": "2002" "date": "2002"
}, },
"description": "Remote administrator tool that has been developed for Windows operation system. With advanced features and stable structure, Pandora\u2019s structure is based on advanced client / server architecture. was configured using modern technology.", "description": "Remote administrator tool that has been developed for Windows operation system. With advanced features and stable structure, Pandoras structure is based on advanced client / server architecture. was configured using modern technology.",
"value": "Pandora", "value": "Pandora",
"uuid": "59485642-d233-4167-9f51-bd1d74285c23" "uuid": "59485642-d233-4167-9f51-bd1d74285c23"
}, },
@ -416,7 +416,7 @@
"https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-predator-pain-and-limitless.pdf" "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-predator-pain-and-limitless.pdf"
] ]
}, },
"description": "Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable, which is good if you are managing a few infected machines only, but the design doesn\u2019t scale well when there are a lot of infected machines and logs involved.", "description": "Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable, which is good if you are managing a few infected machines only, but the design doesnt scale well when there are a lot of infected machines and logs involved.",
"value": "Predator Pain", "value": "Predator Pain",
"uuid": "42a97a5d-ee33-492a-b20f-758ecdbf1aed" "uuid": "42a97a5d-ee33-492a-b20f-758ecdbf1aed"
}, },
@ -515,7 +515,7 @@
"http://www.zunzutech.com/blog/security/analysis-of-plasma-rats-source-code/" "http://www.zunzutech.com/blog/security/analysis-of-plasma-rats-source-code/"
] ]
}, },
"description": "Plasma RAT\u2019s stub is fairly advanced, having many robust features. Some of the features include botkilling, Cryptocurrencies Mining (CPU and GPU), persistence, anti-analysis, torrent seeding, AV killer, 7 DDoS methods and a keylogger. The RAT is coded in VB.Net. There is also a Botnet version of it (Plasma HTTP), which is pretty similar to the RAT version.", "description": "Plasma RATs stub is fairly advanced, having many robust features. Some of the features include botkilling, Cryptocurrencies Mining (CPU and GPU), persistence, anti-analysis, torrent seeding, AV killer, 7 DDoS methods and a keylogger. The RAT is coded in VB.Net. There is also a Botnet version of it (Plasma HTTP), which is pretty similar to the RAT version.",
"value": "Plasma RAT", "value": "Plasma RAT",
"uuid": "af534ddb-d0c6-47c0-82be-058c8bd5c6e1" "uuid": "af534ddb-d0c6-47c0-82be-058c8bd5c6e1"
}, },
@ -545,7 +545,7 @@
"http://droidjack.net/" "http://droidjack.net/"
] ]
}, },
"description": "DroidJack is a RAT (Remote Access Trojan/Remote Administration Tool) nature of remote accessing, monitoring and managing tool (Java based) for Android mobile OS. You can use it to perform a complete remote control to any Android devices infected with DroidJack through your PC. It comes with powerful function and user-friendly operation \u2013 even allows attackers to fully take over the mobile phone and steal, record the victim\u2019s private data wilfully.", "description": "DroidJack is a RAT (Remote Access Trojan/Remote Administration Tool) nature of remote accessing, monitoring and managing tool (Java based) for Android mobile OS. You can use it to perform a complete remote control to any Android devices infected with DroidJack through your PC. It comes with powerful function and user-friendly operation even allows attackers to fully take over the mobile phone and steal, record the victims private data wilfully.",
"value": "DroidJack", "value": "DroidJack",
"uuid": "7f032293-bfa2-4595-803d-c84519190861" "uuid": "7f032293-bfa2-4595-803d-c84519190861"
}, },
@ -705,7 +705,7 @@
"https://github.com/chrismattmann/drat" "https://github.com/chrismattmann/drat"
] ]
}, },
"description": "A distributed, parallelized (Map Reduce) wrapper around Apache\u2122 RAT to allow it to complete on large code repositories of multiple file types where Apache\u2122 RAT hangs forev", "description": "A distributed, parallelized (Map Reduce) wrapper around Apache™ RAT to allow it to complete on large code repositories of multiple file types where Apache™ RAT hangs forev",
"value": "drat", "value": "drat",
"uuid": "5ee39172-7ba3-477c-9772-88841b4be691" "uuid": "5ee39172-7ba3-477c-9772-88841b4be691"
}, },
@ -966,7 +966,7 @@
], ],
"date": "2010" "date": "2010"
}, },
"description": "Unlike most attack tools that one can only find in cybercriminal underground markets, Lost Door is very easy to obtain. It\u2019s promoted on social media sites like YouTube and Facebook. Its maker, \u201cOussamiO,\u201d even has his own Facebook page where details on his creation can be found. He also has a dedicated blog (hxxp://lost-door[.]blogspot[.]com/) where tutorial videos and instructions on using the RAT is found. Any cybercriminal or threat actor can purchase and use the RAT to launch attacks.", "description": "Unlike most attack tools that one can only find in cybercriminal underground markets, Lost Door is very easy to obtain. Its promoted on social media sites like YouTube and Facebook. Its maker, “OussamiO,” even has his own Facebook page where details on his creation can be found. He also has a dedicated blog (hxxp://lost-door[.]blogspot[.]com/) where tutorial videos and instructions on using the RAT is found. Any cybercriminal or threat actor can purchase and use the RAT to launch attacks.",
"value": "Lost Door", "value": "Lost Door",
"uuid": "8007f2be-ba4f-445e-8a15-6c2bfe769c49" "uuid": "8007f2be-ba4f-445e-8a15-6c2bfe769c49"
}, },
@ -2083,7 +2083,7 @@
"uuid": "8204723f-aefc-4c90-9178-8fe53e8d6f33" "uuid": "8204723f-aefc-4c90-9178-8fe53e8d6f33"
}, },
{ {
"description": "Their most commonly used initial attack vector is a simple, yet alarmingly effective, spearphishing attack, infecting unsuspecting victims via a malicious email attachment (usually an executable that has been disguised as something else). From there, Matryoshka runs second stage malware via a dropper and covertly installs a Remote Access Toolkit (RAT). This is done using a reflective loader technique that allows the malware to run in process memory, rather than being written to disk. This not only hides the install of the RAT but also ensures that the RAT will be \u2018reinstalled\u2019 after system restart.", "description": "Their most commonly used initial attack vector is a simple, yet alarmingly effective, spearphishing attack, infecting unsuspecting victims via a malicious email attachment (usually an executable that has been disguised as something else). From there, Matryoshka runs second stage malware via a dropper and covertly installs a Remote Access Toolkit (RAT). This is done using a reflective loader technique that allows the malware to run in process memory, rather than being written to disk. This not only hides the install of the RAT but also ensures that the RAT will be reinstalled after system restart.",
"value": "Matryoshka", "value": "Matryoshka",
"meta": { "meta": {
"refs": [ "refs": [
@ -2118,7 +2118,7 @@
"uuid": "20336460-828e-4f18-bbe6-14f3579b5f5a" "uuid": "20336460-828e-4f18-bbe6-14f3579b5f5a"
}, },
{ {
"description": "Revenge v0.1 was a simple tool, according to a researcher known as Rui, who says the malware\u2019s author didn\u2019t bother obfuscating the RAT\u2019s source code. This raised a question mark with the researchers, who couldn\u2019t explain why VirusTotal scanners couldn\u2019t pick it up as a threat right away.Revenge, which was written in Visual Basic, also didn\u2019t feature too many working features, compared to similar RATs. Even Napolean admitted that his tool was still in the early development stages, a reason why he provided the RAT for free.", "description": "Revenge v0.1 was a simple tool, according to a researcher known as Rui, who says the malwares author didnt bother obfuscating the RATs source code. This raised a question mark with the researchers, who couldnt explain why VirusTotal scanners couldnt pick it up as a threat right away.Revenge, which was written in Visual Basic, also didnt feature too many working features, compared to similar RATs. Even Napolean admitted that his tool was still in the early development stages, a reason why he provided the RAT for free.",
"value": "Revenge-RAT", "value": "Revenge-RAT",
"meta": { "meta": {
"refs": [ "refs": [
@ -2154,7 +2154,7 @@
"uuid": "38e68703-1db4-4b97-80e9-a0afd099da58" "uuid": "38e68703-1db4-4b97-80e9-a0afd099da58"
}, },
{ {
"description": "Travelers applying for a US Visa in Switzerland were recently targeted by cyber-criminals linked to a malware called QRAT. Twitter user @hkashfi posted a Tweet saying that one of his friends received a file (US Travel Docs Information.jar) from someone posing as USTRAVELDOCS.COM support personnel using the Skype account ustravelidocs-switzerland (notice the \u201ci\u201d between \u201ctravel\u201d and \u201cdocs\u201d).", "description": "Travelers applying for a US Visa in Switzerland were recently targeted by cyber-criminals linked to a malware called QRAT. Twitter user @hkashfi posted a Tweet saying that one of his friends received a file (US Travel Docs Information.jar) from someone posing as USTRAVELDOCS.COM support personnel using the Skype account ustravelidocs-switzerland (notice the “i” between “travel” and “docs”).",
"value": "Qarallax", "value": "Qarallax",
"meta": { "meta": {
"refs": [ "refs": [
@ -2180,7 +2180,7 @@
"uuid": "f266754c-d0aa-4918-95a3-73b28eaa66e3" "uuid": "f266754c-d0aa-4918-95a3-73b28eaa66e3"
}, },
{ {
"description": "Remcos is another RAT (Remote Administration Tool) that was first discovered being sold in hacking forums in the second half of 2016. Since then, it has been updated with more features, and just recently, we\u2019ve seen its payload being distributed in the wild for the first time.", "description": "Remcos is another RAT (Remote Administration Tool) that was first discovered being sold in hacking forums in the second half of 2016. Since then, it has been updated with more features, and just recently, weve seen its payload being distributed in the wild for the first time.",
"value": "Remcos", "value": "Remcos",
"meta": { "meta": {
"refs": [ "refs": [
@ -2191,7 +2191,7 @@
"uuid": "f647cca0-7416-47e9-8342-94b84dd436cc" "uuid": "f647cca0-7416-47e9-8342-94b84dd436cc"
}, },
{ {
"description": "The purpose of the Client Maximus malware is financial fraud. As such, its code aspires to create the capabilities that most banking Trojans have, which allow attackers to monitor victims\u2019 web navigation and interrupt online banking session at will. After taking over a victim\u2019s banking session, an attacker operating this malware can initiate a fraudulent transaction from the account and use social engineering screens to manipulate the unwitting victim into authorizing it.", "description": "The purpose of the Client Maximus malware is financial fraud. As such, its code aspires to create the capabilities that most banking Trojans have, which allow attackers to monitor victims web navigation and interrupt online banking session at will. After taking over a victims banking session, an attacker operating this malware can initiate a fraudulent transaction from the account and use social engineering screens to manipulate the unwitting victim into authorizing it.",
"value": "Client Maximus", "value": "Client Maximus",
"meta": { "meta": {
"refs": [ "refs": [
@ -2202,7 +2202,7 @@
"uuid": "d840e5af-3e6b-49af-ab82-fb4f8740bf55" "uuid": "d840e5af-3e6b-49af-ab82-fb4f8740bf55"
}, },
{ {
"description": "Thefatrat a massive exploiting tool revealed >> An easy tool to generate backdoor and easy tool to post exploitation attack like browser attack,dll . This tool compiles a malware with popular payload and then the compiled malware can be execute on windows, android, mac . The malware that created with this tool also have an ability to bypass most\u2026 ", "description": "Thefatrat a massive exploiting tool revealed >> An easy tool to generate backdoor and easy tool to post exploitation attack like browser attack,dll . This tool compiles a malware with popular payload and then the compiled malware can be execute on windows, android, mac . The malware that created with this tool also have an ability to bypass most ",
"value": "TheFat RAT", "value": "TheFat RAT",
"meta": { "meta": {
"refs": [ "refs": [
@ -2213,7 +2213,7 @@
"uuid": "90b4addc-e9ff-412d-899e-7204c89c0bdb" "uuid": "90b4addc-e9ff-412d-899e-7204c89c0bdb"
}, },
{ {
"description": "Since around October 2016, JPCERT/CC has been confirming information leakage and other damages caused by malware \u2018RedLeaves\u2019. It is a new type of malware which has been observed since 2016 in attachments to targeted emails.", "description": "Since around October 2016, JPCERT/CC has been confirming information leakage and other damages caused by malware RedLeaves. It is a new type of malware which has been observed since 2016 in attachments to targeted emails.",
"value": "RedLeaves", "value": "RedLeaves",
"meta": { "meta": {
"refs": [ "refs": [
@ -2224,7 +2224,7 @@
"uuid": "ad6a1b4a-6d79-40d4-adb7-1d7ca697347e" "uuid": "ad6a1b4a-6d79-40d4-adb7-1d7ca697347e"
}, },
{ {
"description": "Dubbed Rurktar, the tool hasn\u2019t had all of its functionality implemented yet, but G DATA says \u201cit is relatively safe to say [it] is intended for use in targeted spying operations.\u201d The malicious program could be used for reconnaissance operations, as well as to spy on infected computers users, and steal or upload files.", "description": "Dubbed Rurktar, the tool hasnt had all of its functionality implemented yet, but G DATA says “it is relatively safe to say [it] is intended for use in targeted spying operations.” The malicious program could be used for reconnaissance operations, as well as to spy on infected computers users, and steal or upload files.",
"value": "Rurktar", "value": "Rurktar",
"meta": { "meta": {
"refs": [ "refs": [
@ -2246,7 +2246,7 @@
"uuid": "2384b62d-312f-43e2-ab47-68c9fcca1541" "uuid": "2384b62d-312f-43e2-ab47-68c9fcca1541"
}, },
{ {
"description": "So called because the Command and Control (C2) infrastructure from previous variants of the malware was located in Cambodia, as discussed by Roland Dela Paz at Forecpoint here, KHRAT is a Trojan that registers victims using their infected machine\u2019s username, system language and local IP address. KHRAT provides the threat actors typical RAT features and access to the victim system, including keylogging, screenshot capabilities, remote shell access and so on.", "description": "So called because the Command and Control (C2) infrastructure from previous variants of the malware was located in Cambodia, as discussed by Roland Dela Paz at Forecpoint here, KHRAT is a Trojan that registers victims using their infected machines username, system language and local IP address. KHRAT provides the threat actors typical RAT features and access to the victim system, including keylogging, screenshot capabilities, remote shell access and so on.",
"value": "KhRAT", "value": "KhRAT",
"meta": { "meta": {
"refs": [ "refs": [
@ -2280,7 +2280,7 @@
}, },
{ {
"value": "Socket23", "value": "Socket23",
"description": "SOCKET23 was launched from his web site and immedi- ately infected major French corporations between August and October 1998. The virus (distributing the Trojan) was known as W32/HLLP.DeTroie.A (alias W32/Cheval.TCV). Never had a virus so disrupted French industry. The author quickly offered his own remover and made his apologies on his web site (now suppressed). Jean-Christophe X (18) was arrested on Tuesday 15 June 1999 in the Paris area and placed under judicial investigation for \u2018fraudulent intrusion of data in a data processing system, suppression and fraudulent modification of data\u2019", "description": "SOCKET23 was launched from his web site and immedi- ately infected major French corporations between August and October 1998. The virus (distributing the Trojan) was known as W32/HLLP.DeTroie.A (alias W32/Cheval.TCV). Never had a virus so disrupted French industry. The author quickly offered his own remover and made his apologies on his web site (now suppressed). Jean-Christophe X (18) was arrested on Tuesday 15 June 1999 in the Paris area and placed under judicial investigation for fraudulent intrusion of data in a data processing system, suppression and fraudulent modification of data",
"meta": { "meta": {
"refs": [ "refs": [
"https://www.virusbulletin.com/uploads/pdf/magazine/1999/199908.pdf" "https://www.virusbulletin.com/uploads/pdf/magazine/1999/199908.pdf"
@ -2297,7 +2297,7 @@
"uuid": "b3620451-8871-4078-bbf9-aa5bab641299" "uuid": "b3620451-8871-4078-bbf9-aa5bab641299"
}, },
{ {
"description": "Standard macOS backdoor, offered via a 'malware-as-a-service' model. MacSpy is advertised as the \"most sophisticated Mac spyware ever\", with the low starting price of free. While the idea of malware-as-a-service (MaaS) isn\u2019t a new one with players such as Tox and Shark the game, it can be said that MacSpy is one of the first seen for the OS X platform.", "description": "Standard macOS backdoor, offered via a 'malware-as-a-service' model. MacSpy is advertised as the \"most sophisticated Mac spyware ever\", with the low starting price of free. While the idea of malware-as-a-service (MaaS) isnt a new one with players such as Tox and Shark the game, it can be said that MacSpy is one of the first seen for the OS X platform.",
"value": "MacSpy", "value": "MacSpy",
"meta": { "meta": {
"refs": [ "refs": [
@ -2363,7 +2363,7 @@
"uuid": "ca6e2e9b-6b5a-447b-9561-295c807a6484" "uuid": "ca6e2e9b-6b5a-447b-9561-295c807a6484"
}, },
{ {
"description": "On November 8, 2016 a non-disclosed entity in Laos was spear-phished by a group closely related to known Chinese adversaries and most likely affiliated with the Chinese government. The attackers utilized a new kind of Remote Access Trojan (RAT) that has not been previously observed or reported. The new RAT extends the capabilities of traditional RATs by providing complete remote execution of custom commands and programming. htpRAT, uncovered by RiskIQ cyber investigators, is the newest weapon in the Chinese adversary\u2019s arsenal in a campaign against Association of Southeast Asian Nations (ASEAN). Most RATs can log keystrokes, take screenshots, record audio and video from a webcam or microphone, install and uninstall programs and manage files. They support a fixed set of commands operators can execute using different command IDs \u2014\u2019file download\u2019 or \u2018file upload,\u2019 for example\u2014and must be completely rebuilt to have different functionality. htpRAT, on the other hand, serves as a conduit for operators to do their job with greater precision and effect. On the Command and Control (C2) server side, threat actors can build new functionality in commands, which can be sent to the malware to execute. This capability makes htpRAT a small, agile, and incredibly dynamic piece of malware. Operators can change functionality, such as searching for a different file on the victim\u2019s network, simply by wrapping commands. ", "description": "On November 8, 2016 a non-disclosed entity in Laos was spear-phished by a group closely related to known Chinese adversaries and most likely affiliated with the Chinese government. The attackers utilized a new kind of Remote Access Trojan (RAT) that has not been previously observed or reported. The new RAT extends the capabilities of traditional RATs by providing complete remote execution of custom commands and programming. 
htpRAT, uncovered by RiskIQ cyber investigators, is the newest weapon in the Chinese adversarys arsenal in a campaign against Association of Southeast Asian Nations (ASEAN). Most RATs can log keystrokes, take screenshots, record audio and video from a webcam or microphone, install and uninstall programs and manage files. They support a fixed set of commands operators can execute using different command IDs file download or file upload, for example—and must be completely rebuilt to have different functionality. htpRAT, on the other hand, serves as a conduit for operators to do their job with greater precision and effect. On the Command and Control (C2) server side, threat actors can build new functionality in commands, which can be sent to the malware to execute. This capability makes htpRAT a small, agile, and incredibly dynamic piece of malware. Operators can change functionality, such as searching for a different file on the victims network, simply by wrapping commands. ",
"value": "htpRAT", "value": "htpRAT",
"meta": { "meta": {
"refs": [ "refs": [
@ -2373,7 +2373,7 @@
"uuid": "7362581a-a7d1-4060-b225-e227f2df2b60" "uuid": "7362581a-a7d1-4060-b225-e227f2df2b60"
}, },
{ {
"description": "According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim\u2019s system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.", "description": "According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victims system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.",
"value": "FALLCHILL", "value": "FALLCHILL",
"meta": { "meta": {
"refs": [ "refs": [
@ -2393,7 +2393,7 @@
"uuid": "03694200-80c2-433d-9797-09eafcad1075" "uuid": "03694200-80c2-433d-9797-09eafcad1075"
}, },
{ {
"description": "The EFF/Lookout report describes CrossRat as a \u201cnewly discovered desktop surveillanceware tool\u2026which is able to target Windows, OSX, and Linux.\u201d", "description": "The EFF/Lookout report describes CrossRat as a “newly discovered desktop surveillanceware tool…which is able to target Windows, OSX, and Linux.”",
"value": "CrossRat", "value": "CrossRat",
"meta": { "meta": {
"refs": [ "refs": [


@ -20,7 +20,7 @@
"http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf" "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf"
] ]
}, },
"description": "PLA Unit 61398 (Chinese: 61398\u90e8\u961f, Pinyin: 61398 b\u00f9du\u00ec) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks", "description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks",
"value": "Comment Crew", "value": "Comment Crew",
"uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be" "uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be"
}, },
@ -47,7 +47,7 @@
}, },
{ {
"value": "Codoso", "value": "Codoso",
"description": "The New York Times described Codoso as: 'A collection of hackers for hire that the security industry has been tracking for years. Over the years, the group has breached banks, law firms and tech companies, and once hijacked the Forbes website to try to infect visitors\u2019 computers with malware.'", "description": "The New York Times described Codoso as: 'A collection of hackers for hire that the security industry has been tracking for years. Over the years, the group has breached banks, law firms and tech companies, and once hijacked the Forbes website to try to infect visitors computers with malware.'",
"meta": { "meta": {
"country": "CN", "country": "CN",
"refs": [ "refs": [
@ -756,7 +756,7 @@
"http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/" "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/"
] ]
}, },
"description": "While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit\u2122 (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.", "description": "While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.",
"value": "Cutting Kitten", "value": "Cutting Kitten",
"uuid": "11e17436-6ede-4733-8547-4ce0254ea19e" "uuid": "11e17436-6ede-4733-8547-4ce0254ea19e"
}, },
@ -981,7 +981,7 @@
"country": "RU" "country": "RU"
}, },
"value": "Turla Group", "value": "Turla Group",
"description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O\u2019 Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'", "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. 
Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'",
"uuid": "fa80877c-f509-4daf-8b62-20aba1635f68" "uuid": "fa80877c-f509-4daf-8b62-20aba1635f68"
}, },
{ {
@ -1039,7 +1039,7 @@
] ]
}, },
"value": "TeleBots", "value": "TeleBots",
"description": "We will refer to the gang behind the malware as TeleBots. However it\u2019s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group.", "description": "We will refer to the gang behind the malware as TeleBots. However its important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group.",
"uuid": "b47250ec-2094-4d06-b658-11456e05fe89" "uuid": "b47250ec-2094-4d06-b658-11456e05fe89"
}, },
{ {
@ -1289,7 +1289,7 @@
] ]
}, },
"value": "ScarCruft", "value": "ScarCruft",
"description": "ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits \u2014 two for Adobe Flash and one for Microsoft Internet Explorer.", "description": "ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits two for Adobe Flash and one for Microsoft Internet Explorer.",
"uuid": "bb446dc2-4fee-4212-8b2c-3ffa2917e338" "uuid": "bb446dc2-4fee-4212-8b2c-3ffa2917e338"
}, },
{ {
@ -1333,7 +1333,7 @@
"https://www.cymmetria.com/patchwork-targeted-attack/" "https://www.cymmetria.com/patchwork-targeted-attack/"
] ]
}, },
"description": "Dropping Elephant (also known as \u201cChinastrats\u201d and \u201cPatchwork\u201c) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China\u2019s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.", "description": "Dropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with Chinas foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.",
"value": "Dropping Elephant", "value": "Dropping Elephant",
"uuid": "18d473a5-831b-47a5-97a1-a32156299825" "uuid": "18d473a5-831b-47a5-97a1-a32156299825"
}, },
@ -1416,7 +1416,7 @@
"https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/" "https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/"
] ]
}, },
"description": "ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name, ProjectSauron reflects the fact that the code authors refer to \u2018Sauron\u2019 in the Lua scripts.", "description": "ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. 
Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name, ProjectSauron reflects the fact that the code authors refer to Sauron in the Lua scripts.",
"value": "ProjectSauron", "value": "ProjectSauron",
"uuid": "f3179cfb-9c86-4980-bd6b-e4fa74adaaa7" "uuid": "f3179cfb-9c86-4980-bd6b-e4fa74adaaa7"
}, },
@ -1556,7 +1556,7 @@
}, },
{ {
"value": "Molerats", "value": "Molerats",
"description": "In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called \u201cGaza Hackers Team.\u201d We refer to this campaign as \u201cMolerats.\u201d", "description": "In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”",
"meta": { "meta": {
"refs": [ "refs": [
"https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html", "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
@ -1574,7 +1574,7 @@
}, },
{ {
"value": "PROMETHIUM", "value": "PROMETHIUM",
"description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features\u2014this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.", "description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional featuresthis shows a close relationship between the activity groups behind the campaigns and the developers of the malware.",
"meta": { "meta": {
"refs": [ "refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/", "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
@ -1589,7 +1589,7 @@
}, },
{ {
"value": "NEODYMIUM", "value": "NEODYMIUM",
"description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor\u2019s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.", "description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoors characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.",
"meta": { "meta": {
"refs": [ "refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
@ -1609,7 +1609,7 @@
}, },
{ {
"value": "Cadelle", "value": "Cadelle",
"description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it\u2019s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.", "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, its likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.",
"meta": { "meta": {
"refs": [ "refs": [
"https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
@ -1620,7 +1620,7 @@
}, },
{ {
"value": "Chafer", "value": "Chafer",
"description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it\u2019s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.", "description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, its likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.",
"meta": { "meta": {
"refs": [ "refs": [
"https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
@ -1631,7 +1631,7 @@
}, },
{ {
"value": "PassCV", "value": "PassCV",
"description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term \u2018PassCV\u2019 to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. We\u2019d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they\u2019ve begun development on. ", "description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. 
His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term PassCV to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. Wed like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs theyve begun development on. ",
"meta": { "meta": {
"refs": [ "refs": [
"https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
@ -1641,8 +1641,8 @@
"uuid": "ceae0bc4-eb5f-4184-b949-a6f7d6f0f965" "uuid": "ceae0bc4-eb5f-4184-b949-a6f7d6f0f965"
}, },
{ {
"value": "Sath-\u0131 M\u00fcdafaa", "value": "Sath-ıdafaa",
"description": "A Turkish hacking group, Sath-\u0131 M\u00fcdafaa, is encouraging individuals to join its DDoS-for-Points platform that features points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of predetermined targets. Their DDoS tool also contains a backdoor to hack the hackers. So the overarching motivation and allegiance of the group is not entirely clear.", "description": "A Turkish hacking group, Sath-ıdafaa, is encouraging individuals to join its DDoS-for-Points platform that features points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of predetermined targets. Their DDoS tool also contains a backdoor to hack the hackers. So the overarching motivation and allegiance of the group is not entirely clear.",
"meta": { "meta": {
"country": "TR", "country": "TR",
"motive": "Hacktivists-Nationalists" "motive": "Hacktivists-Nationalists"
@ -1651,7 +1651,7 @@
}, },
{ {
"value": "Aslan Neferler Tim", "value": "Aslan Neferler Tim",
"description": "Turkish nationalist hacktivist group that has been active for roughly one year. According to Domaintools, the group\u2019s site has been registered since December 2015, with an active Twitter account since January 2016. The group carries out distributed denial-of-service (DDoS) attacks and defacements against the sites of news organizations and governments perceived to be critical of Turkey\u2019s policies or leadership, and purports to act in defense of Islam", "description": "Turkish nationalist hacktivist group that has been active for roughly one year. According to Domaintools, the groups site has been registered since December 2015, with an active Twitter account since January 2016. The group carries out distributed denial-of-service (DDoS) attacks and defacements against the sites of news organizations and governments perceived to be critical of Turkeys policies or leadership, and purports to act in defense of Islam",
"meta": { "meta": {
"country": "TR", "country": "TR",
"synonyms": [ "synonyms": [
@ -1663,8 +1663,8 @@
"uuid": "23410d3f-c359-422d-9a4e-45f8fdf0c84a" "uuid": "23410d3f-c359-422d-9a4e-45f8fdf0c84a"
}, },
{ {
"value": "Ayy\u0131ld\u0131z Tim", "value": "Ayyıldız Tim",
"description": "Ayy\u0131ld\u0131z (Crescent and Star) Tim is a nationalist hacking group founded in 2002. It performs defacements and DDoS attacks against the websites of governments that it considers to be repressing Muslim minorities or engaged in Islamophobic policies.", "description": "Ayyıldız (Crescent and Star) Tim is a nationalist hacking group founded in 2002. It performs defacements and DDoS attacks against the websites of governments that it considers to be repressing Muslim minorities or engaged in Islamophobic policies.",
"meta": { "meta": {
"country": "TR", "country": "TR",
"synonyms": [ "synonyms": [
@ -1676,7 +1676,7 @@
}, },
{ {
"value": "TurkHackTeam", "value": "TurkHackTeam",
"description": "Founded in 2004, Turkhackteam is one of Turkey\u2019s oldest and most high-profile hacking collectives. According to a list compiled on Turkhackteam\u2019s forum, the group has carried out almost 30 highly publicized hacking campaigns targeting foreign government and commercial websites, including websites of international corporations. ", "description": "Founded in 2004, Turkhackteam is one of Turkeys oldest and most high-profile hacking collectives. According to a list compiled on Turkhackteams forum, the group has carried out almost 30 highly publicized hacking campaigns targeting foreign government and commercial websites, including websites of international corporations. ",
"meta": { "meta": {
"country": "TR", "country": "TR",
"synonyms": [ "synonyms": [
@ -1791,7 +1791,7 @@
] ]
}, },
"value": "Groundbait", "value": "Groundbait",
"description": "Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk People\u2019s Republics.", "description": "Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk Peoples Republics.",
"uuid": "8ed5e3f0-ed30-4eb8-bbee-4e221bd76d73" "uuid": "8ed5e3f0-ed30-4eb8-bbee-4e221bd76d73"
}, },
{ {
@ -1868,7 +1868,7 @@
}, },
{ {
"value": "PLATINUM", "value": "PLATINUM",
"description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group\u2019s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.", "description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. 
The groups persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.",
"meta": { "meta": {
"refs": [ "refs": [
"http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf", "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf",
@ -1909,7 +1909,7 @@
}, },
{ {
"value": "El Machete", "value": "El Machete",
"description": "El Machete is one of these threats that was first publicly disclosed and named by Kaspersky here. We\u2019ve found that this group has continued to operate successfully, predominantly in Latin America, since 2014. All attackers simply moved to new C2 infrastructure, based largely around dynamic DNS domains, in addition to making minimal changes to the malware in order to evade signature-based detection.", "description": "El Machete is one of these threats that was first publicly disclosed and named by Kaspersky here. Weve found that this group has continued to operate successfully, predominantly in Latin America, since 2014. All attackers simply moved to new C2 infrastructure, based largely around dynamic DNS domains, in addition to making minimal changes to the malware in order to evade signature-based detection.",
"meta": { "meta": {
"refs": [ "refs": [
"https://securelist.com/blog/research/66108/el-machete/", "https://securelist.com/blog/research/66108/el-machete/",
@ -2406,7 +2406,7 @@
"https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/"
] ]
}, },
"description": "The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call \u201cPOWERSTATS\u201d. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.", "description": "The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.",
"value": "MuddyWater", "value": "MuddyWater",
"uuid": "a29af069-03c3-4534-b78b-7d1a77ea085b" "uuid": "a29af069-03c3-4534-b78b-7d1a77ea085b"
}, },
@ -2424,7 +2424,7 @@
}, },
{ {
"value": "Microcin", "value": "Microcin",
"description": "We\u2019re already used to the fact that complex cyberattacks use 0-day vulnerabilities, bypassing digital signature checks, virtual file systems, non-standard encryption algorithms and other tricks. Sometimes, however, all of this may be done in much simpler ways, as was the case in the malicious campaign that we detected a while ago \u2013 we named it \u2018Microcin\u2019 after microini, one of the malicious components used in it.", "description": "Were already used to the fact that complex cyberattacks use 0-day vulnerabilities, bypassing digital signature checks, virtual file systems, non-standard encryption algorithms and other tricks. Sometimes, however, all of this may be done in much simpler ways, as was the case in the malicious campaign that we detected a while ago we named it Microcin after microini, one of the malicious components used in it.",
"meta": { "meta": {
"refs": [ "refs": [
"https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/", "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/",
@ -2446,7 +2446,7 @@
}, },
{ {
"value": "Nexus Zeta", "value": "Nexus Zeta",
"description": "Nexus Zeta is no stranger when it comes to implementing SOAP related exploits. The threat actor has already been observed in implementing two other known SOAP related exploits, CVE-2014\u20138361 and CVE-2017\u201317215 in his Satori botnet project. A third SOAP exploit, TR-069 bug has also been observed previously in IoT botnets. This makes EDB 38722 the fourth SOAP related exploit which is discovered in the wild by IoT botnets.", "description": "Nexus Zeta is no stranger when it comes to implementing SOAP related exploits. The threat actor has already been observed in implementing two other known SOAP related exploits, CVE-20148361 and CVE-201717215 in his Satori botnet project. A third SOAP exploit, TR-069 bug has also been observed previously in IoT botnets. This makes EDB 38722 the fourth SOAP related exploit which is discovered in the wild by IoT botnets.",
"meta": { "meta": {
"refs": [ "refs": [
"https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7" "https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7"


@ -104,7 +104,7 @@
"http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/" "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/"
] ]
}, },
"description": "In March 2016, Unit 42 observed this new Poison Ivy variant we\u2019ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.", "description": "In March 2016, Unit 42 observed this new Poison Ivy variant weve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.",
"value": "SPIVY", "value": "SPIVY",
"uuid": "a3d2e7fe-a8e4-48c7-8d47-b9430898af08" "uuid": "a3d2e7fe-a8e4-48c7-8d47-b9430898af08"
}, },
@ -230,7 +230,7 @@
"http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/" "http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/"
] ]
}, },
"description": "We have discovered a malware family named \u2018PWOBot\u2019 that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.", "description": "We have discovered a malware family named PWOBot that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.",
"value": "PWOBot", "value": "PWOBot",
"uuid": "17de0952-3841-44d3-b03a-cc90e123d2b8" "uuid": "17de0952-3841-44d3-b03a-cc90e123d2b8"
}, },
@ -469,7 +469,7 @@
"EXL" "EXL"
] ]
}, },
"description": "Symantec has observed Buckeye activity dating back to 2009, involving attacks on various organizations in several regions. Buckeye used a remote access Trojan (Backdoor.Pirpi) in attacks against a US organization\u2019s network in 2009. The group delivered Backdoor.Pirpi through malicious attachments or links in convincing spear-phishing emails.", "description": "Symantec has observed Buckeye activity dating back to 2009, involving attacks on various organizations in several regions. Buckeye used a remote access Trojan (Backdoor.Pirpi) in attacks against a US organizations network in 2009. The group delivered Backdoor.Pirpi through malicious attachments or links in convincing spear-phishing emails.",
"value": "Pirpi", "value": "Pirpi",
"uuid": "4859330d-c6a5-4b9c-b45b-536ec983cd4a" "uuid": "4859330d-c6a5-4b9c-b45b-536ec983cd4a"
}, },
@ -482,7 +482,7 @@
"http://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/" "http://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/"
] ]
}, },
"description": "RARSTONE is a Remote Access Tool (RAT) discovered early 2013 by TrendMicro, it\u2019s characterized by a great affinity with the other RAT know as Plug is and was used in April for phishing campaigns that followed the dramatic attack to the Boston Marathon.", "description": "RARSTONE is a Remote Access Tool (RAT) discovered early 2013 by TrendMicro, its characterized by a great affinity with the other RAT know as Plug is and was used in April for phishing campaigns that followed the dramatic attack to the Boston Marathon.",
"value": "RARSTONE", "value": "RARSTONE",
"uuid": "5d2dd6ad-6bb2-45d3-b295-e125d3399c8d" "uuid": "5d2dd6ad-6bb2-45d3-b295-e125d3399c8d"
}, },
@ -596,7 +596,7 @@
"Urouros" "Urouros"
] ]
}, },
"description": "Family of related sophisticated backdoor software - Name comes from Microsoft detection signature \u2013 anagram of Ultra (Ultra3) was a name of the fake driver). A macOS version exists but appears incomplete and lacking features...for now!", "description": "Family of related sophisticated backdoor software - Name comes from Microsoft detection signature anagram of Ultra (Ultra3) was a name of the fake driver). A macOS version exists but appears incomplete and lacking features...for now!",
"value": "Turla", "value": "Turla",
"uuid": "22332d52-c0c2-443c-9ffb-f08c0d23722c" "uuid": "22332d52-c0c2-443c-9ffb-f08c0d23722c"
}, },
@ -1343,7 +1343,7 @@
"https://objective-see.com/blog/blog_0x25.html#XAgent" "https://objective-see.com/blog/blog_0x25.html#XAgent"
] ]
}, },
"description": "APT28's second-stage persistent macOS backdoor. This backdoor component is known to have a modular structure featuring various espionage functionalities, such as key-logging, screen grabbing and file exfiltration. This component is available for Osx, Windows, Linux and iOS operating systems.\n\nXagent is a modular backdoor with spying functionalities such as keystroke logging and file exfiltration. Xagent is the group\u2019s flagship backdoor and heavily used in their operations. Early versions for Linux and Windows were seen years ago, then in 2015 an iOS version came out. One year later, an Android version was discovered and finally, in the beginning of 2017, an Xagent sample for OS X was described.", "description": "APT28's second-stage persistent macOS backdoor. This backdoor component is known to have a modular structure featuring various espionage functionalities, such as key-logging, screen grabbing and file exfiltration. This component is available for Osx, Windows, Linux and iOS operating systems.\n\nXagent is a modular backdoor with spying functionalities such as keystroke logging and file exfiltration. Xagent is the groups flagship backdoor and heavily used in their operations. Early versions for Linux and Windows were seen years ago, then in 2015 an iOS version came out. One year later, an Android version was discovered and finally, in the beginning of 2017, an Xagent sample for OS X was described.",
"value": "X-Agent", "value": "X-Agent",
"uuid": "3e2c99f9-66cd-48be-86e9-d7c1c164d87c" "uuid": "3e2c99f9-66cd-48be-86e9-d7c1c164d87c"
}, },
@ -1434,7 +1434,7 @@
"http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/" "http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/"
] ]
}, },
"description": "Umbreon (sharing the same name as the Pok\u00e9mon) targets Linux systems, including systems running both Intel and ARM processors, expanding the scope of this threat to include embedded devices as well.", "description": "Umbreon (sharing the same name as the Pokémon) targets Linux systems, including systems running both Intel and ARM processors, expanding the scope of this threat to include embedded devices as well.",
"value": "Umbreon", "value": "Umbreon",
"uuid": "2a18f5dd-40fc-444b-a7c6-85f94b3eee13" "uuid": "2a18f5dd-40fc-444b-a7c6-85f94b3eee13"
}, },
@ -1444,7 +1444,7 @@
"https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks" "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"
] ]
}, },
"description": "Odinaff is typically deployed in the first stage of an attack, to gain a foothold onto the network, providing a persistent presence and the ability to install additional tools onto the target network. These additional tools bear the hallmarks of a sophisticated attacker which has plagued the financial industry since at least 2013\u2013Carbanak. This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns.", "description": "Odinaff is typically deployed in the first stage of an attack, to gain a foothold onto the network, providing a persistent presence and the ability to install additional tools onto the target network. These additional tools bear the hallmarks of a sophisticated attacker which has plagued the financial industry since at least 2013Carbanak. This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns.",
"value": "Odinaff", "value": "Odinaff",
"uuid": "e2fa7aea-fb33-4efc-b61b-ccae71b32e7d" "uuid": "e2fa7aea-fb33-4efc-b61b-ccae71b32e7d"
}, },
@ -1604,7 +1604,7 @@
"https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india" "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"
] ]
}, },
"description": "The actors used a new version of \u201cKeyBoy,\u201d a custom backdoor first disclosed by researchers at Rapid7 in June 2013. Their work outlined the capabilities of the backdoor, and exposed the protocols and algorithms used to hide the network communication and configuration data", "description": "The actors used a new version of “KeyBoy,” a custom backdoor first disclosed by researchers at Rapid7 in June 2013. Their work outlined the capabilities of the backdoor, and exposed the protocols and algorithms used to hide the network communication and configuration data",
"value": "KeyBoy", "value": "KeyBoy",
"uuid": "74167065-90b3-4c29-807a-79b6f098e45b" "uuid": "74167065-90b3-4c29-807a-79b6f098e45b"
}, },
@ -1749,7 +1749,7 @@
}, },
{ {
"value": "Shiz", "value": "Shiz",
"description": "The new variant of the Shiz Trojan malware targets mission-critical enterprise resource planning (ERP) applications \u2014 particularly SAP users. ", "description": "The new variant of the Shiz Trojan malware targets mission-critical enterprise resource planning (ERP) applications particularly SAP users. ",
"meta": { "meta": {
"refs": [ "refs": [
"https://securityintelligence.com/tag/shiz-trojan-malware/" "https://securityintelligence.com/tag/shiz-trojan-malware/"
@ -1759,7 +1759,7 @@
}, },
{ {
"value": "MM Core", "value": "MM Core",
"description": "Also known as \u201cBaneChant\u201d, MM Core is a file-less APT which is executed in memory by a downloader component. It was first reported in 2013 under the version number \u201c2.0-LNK\u201d where it used the tag \u201cBaneChant\u201d in its command-and-control (C2) network request. A second version \u201c2.1-LNK\u201d with the network tag \u201cStrangeLove\u201d was discovered shortly after.", "description": "Also known as “BaneChant”, MM Core is a file-less APT which is executed in memory by a downloader component. It was first reported in 2013 under the version number “2.0-LNK” where it used the tag “BaneChant” in its command-and-control (C2) network request. A second version “2.1-LNK” with the network tag “StrangeLove” was discovered shortly after.",
"meta": { "meta": {
"refs": [ "refs": [
"https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose" "https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose"
@ -1801,7 +1801,7 @@
"http://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid/" "http://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid/"
] ]
}, },
"description": "Two Italians referred to as the \u201cOcchionero brothers\u201d have been arrested and accused of using malware and a carefully-prepared spear-phishing scheme to spy on high-profile politicians and businessmen. This case has been called \u201cEyePyramid\u201d, which we first discussed last week. (Conspiracy theories aside, the name came from a domain name and directory path that was found during the research.)", "description": "Two Italians referred to as the “Occhionero brothers” have been arrested and accused of using malware and a carefully-prepared spear-phishing scheme to spy on high-profile politicians and businessmen. This case has been called “EyePyramid”, which we first discussed last week. (Conspiracy theories aside, the name came from a domain name and directory path that was found during the research.)",
"value": "EyePyramid Malware", "value": "EyePyramid Malware",
"uuid": "52c2499f-c74f-4bab-bad2-c278e798654c" "uuid": "52c2499f-c74f-4bab-bad2-c278e798654c"
}, },
@ -1846,7 +1846,7 @@
"https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar" "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"
] ]
}, },
"description": "Cylance dubbed this family of malware StreamEx, based upon a common exported function used across all samples \u2018stream\u2019, combined with the dropper functionality to append \u2018ex\u2019 to the DLL file name. The StreamEx family has the ability to access and modify the user\u2019s file system, modify the registry, create system services, enumerate process and system information, enumerate network resources and drive types, scan for security tools such as firewall products and antivirus products, change browser security settings, and remotely execute commands. The malware documented in this post was predominantly 64-bit, however, there are 32-bit versions of the malware in the wild. ", "description": "Cylance dubbed this family of malware StreamEx, based upon a common exported function used across all samples stream, combined with the dropper functionality to append ex to the DLL file name. The StreamEx family has the ability to access and modify the users file system, modify the registry, create system services, enumerate process and system information, enumerate network resources and drive types, scan for security tools such as firewall products and antivirus products, change browser security settings, and remotely execute commands. The malware documented in this post was predominantly 64-bit, however, there are 32-bit versions of the malware in the wild. ",
"value": "StreamEx", "value": "StreamEx",
"uuid": "9991ace8-1a62-498c-a9ef-19d474deb505" "uuid": "9991ace8-1a62-498c-a9ef-19d474deb505"
}, },
@ -2833,7 +2833,7 @@
"https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html" "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html"
] ]
}, },
"description": "HAYMAKER is a backdoor that can download and execute additional payloads in the form of modules. It also conducts basic victim profiling activity, collecting the computer name, running process IDs, %TEMP% directory path and version of Internet Explorer. It communicates encoded system information to a single hard coded command and control (C2) server, using the system\u2019s default User-Agent string.", "description": "HAYMAKER is a backdoor that can download and execute additional payloads in the form of modules. It also conducts basic victim profiling activity, collecting the computer name, running process IDs, %TEMP% directory path and version of Internet Explorer. It communicates encoded system information to a single hard coded command and control (C2) server, using the systems default User-Agent string.",
"value": "HAYMAKER", "value": "HAYMAKER",
"uuid": "d71604d2-a17e-4b4e-82be-19cb54f93161" "uuid": "d71604d2-a17e-4b4e-82be-19cb54f93161"
}, },
@ -2853,7 +2853,7 @@
"https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html" "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html"
] ]
}, },
"description": "SNUGRIDE is a backdoor that communicates with its C2 server through HTTP requests. Messages are encrypted using AES with a static key. The malware\u2019s capabilities include taking a system survey, access to the filesystem, executing commands and a reverse shell. Persistence is maintained through a Run registry key.", "description": "SNUGRIDE is a backdoor that communicates with its C2 server through HTTP requests. Messages are encrypted using AES with a static key. The malwares capabilities include taking a system survey, access to the filesystem, executing commands and a reverse shell. Persistence is maintained through a Run registry key.",
"value": "SNUGRIDE", "value": "SNUGRIDE",
"uuid": "6a42aa10-5b7e-43b0-8c58-414cdaeda453" "uuid": "6a42aa10-5b7e-43b0-8c58-414cdaeda453"
}, },
@ -2879,7 +2879,7 @@
"Morcut" "Morcut"
] ]
}, },
"description": "Hacking Team\u2019s \"DaVinci\" Remote Control System is able, the company says, to break encryption and allow law enforcement agencies to monitor encrypted files and emails (even ones encrypted with PGP), Skype and other Voice over IP or chat communication. It allows identification of the target\u2019s location and relationships. It can also remotely activate microphones and cameras on a computer and works worldwide. Hacking Team claims that its software is able to monitor hundreds of thousands of computers at once, all over the country. Trojans are available for Windows, Mac, Linux, iOS, Android, Symbian and Blackberry.", "description": "Hacking Teams \"DaVinci\" Remote Control System is able, the company says, to break encryption and allow law enforcement agencies to monitor encrypted files and emails (even ones encrypted with PGP), Skype and other Voice over IP or chat communication. It allows identification of the targets location and relationships. It can also remotely activate microphones and cameras on a computer and works worldwide. Hacking Team claims that its software is able to monitor hundreds of thousands of computers at once, all over the country. Trojans are available for Windows, Mac, Linux, iOS, Android, Symbian and Blackberry.",
"value": "da Vinci RCS", "value": "da Vinci RCS",
"uuid": "37709067-e55e-473b-bb1c-312a27714d0c" "uuid": "37709067-e55e-473b-bb1c-312a27714d0c"
}, },
@ -3098,7 +3098,7 @@
"uuid": "179f7228-6fcf-4664-a084-57bd296d0cde" "uuid": "179f7228-6fcf-4664-a084-57bd296d0cde"
}, },
{ {
"description": "Kazuar is a fully featured backdoor written using the .NET Framework and obfuscated using the open source packer called ConfuserEx. Unit 42 researchers have uncovered a backdoor Trojan used in an espionage campaign. The developers refer to this tool by the name Kazuar, which is a Trojan written using the Microsoft .NET Framework that offers actors complete access to compromised systems targeted by its operator. Kazuar includes a highly functional command set, which includes the ability to remotely load additional plugins to increase the Trojan\u2019s capabilities. During our analysis of this malware we uncovered interesting code paths and other artifacts that may indicate a Mac or Unix variant of this same tool also exists. Also, we discovered a unique feature within Kazuar: it exposes its capabilities through an Application Programming Interface (API) to a built-in webserver. We suspect the Kazuar tool may be linked to the Turla threat actor group (also known as Uroburos and Snake), who have been reported to have compromised embassies, defense contractors, educational institutions, and research organizations across the globe. A hallmark of Turla operations is iterations of their tools and code lineage in Kazuar can be traced back to at least 2005. If the hypothesis is correct and the Turla threat group is using Kazuar, we believe they may be using it as a replacement for Carbon and its derivatives. Of the myriad of tools observed in use by Turla Carbon and its variants were typically deployed as a second stage backdoor within targeted environments and we believe Kazuar may now hold a similar role for Turla operations.", "description": "Kazuar is a fully featured backdoor written using the .NET Framework and obfuscated using the open source packer called ConfuserEx. Unit 42 researchers have uncovered a backdoor Trojan used in an espionage campaign. 
The developers refer to this tool by the name Kazuar, which is a Trojan written using the Microsoft .NET Framework that offers actors complete access to compromised systems targeted by its operator. Kazuar includes a highly functional command set, which includes the ability to remotely load additional plugins to increase the Trojans capabilities. During our analysis of this malware we uncovered interesting code paths and other artifacts that may indicate a Mac or Unix variant of this same tool also exists. Also, we discovered a unique feature within Kazuar: it exposes its capabilities through an Application Programming Interface (API) to a built-in webserver. We suspect the Kazuar tool may be linked to the Turla threat actor group (also known as Uroburos and Snake), who have been reported to have compromised embassies, defense contractors, educational institutions, and research organizations across the globe. A hallmark of Turla operations is iterations of their tools and code lineage in Kazuar can be traced back to at least 2005. If the hypothesis is correct and the Turla threat group is using Kazuar, we believe they may be using it as a replacement for Carbon and its derivatives. Of the myriad of tools observed in use by Turla Carbon and its variants were typically deployed as a second stage backdoor within targeted environments and we believe Kazuar may now hold a similar role for Turla operations.",
"value": "Kazuar", "value": "Kazuar",
"meta": { "meta": {
"refs": [ "refs": [
@ -3108,7 +3108,7 @@
"uuid": "a5399473-859b-4c64-999b-a3b4070cd513" "uuid": "a5399473-859b-4c64-999b-a3b4070cd513"
}, },
{ {
"description": "Many links indicate, that this bot is another product of the people previously involved in Dyreza. It seems to be rewritten from scratch \u2013 however, it contains many similar features and solutions to those we encountered analyzing Dyreza (read more).", "description": "Many links indicate, that this bot is another product of the people previously involved in Dyreza. It seems to be rewritten from scratch however, it contains many similar features and solutions to those we encountered analyzing Dyreza (read more).",
"value": "Trick Bot", "value": "Trick Bot",
"meta": { "meta": {
"refs": [ "refs": [
@ -3124,7 +3124,7 @@
"uuid": "a7dbd72f-8d53-48c6-a9db-d16e7648b2d4" "uuid": "a7dbd72f-8d53-48c6-a9db-d16e7648b2d4"
}, },
{ {
"description": "Netskope Threat Research Labs recently discovered a Phishing-as-a-Service (PhaaS) platform named Hackshit, that records the credentials of the phished bait victims. The phished bait pages are packaged with base64 encoding and served from secure (HTTPS) websites with \u201c.moe\u201d top level domain (TLD) to evade traditional scanners. \u201c.moe\u201d TLD is intended for the purpose of \u2018The marketing of products or services deemed\u2019. The victim\u2019s credentials are sent to the Hackshit PhaaS platform via websockets. The Netskope Active Platform can proactively protect customers by creating custom applications and a policy to block all the activities related to Hackshit PhaaS.", "description": "Netskope Threat Research Labs recently discovered a Phishing-as-a-Service (PhaaS) platform named Hackshit, that records the credentials of the phished bait victims. The phished bait pages are packaged with base64 encoding and served from secure (HTTPS) websites with “.moe” top level domain (TLD) to evade traditional scanners. “.moe” TLD is intended for the purpose of The marketing of products or services deemed. The victims credentials are sent to the Hackshit PhaaS platform via websockets. The Netskope Active Platform can proactively protect customers by creating custom applications and a policy to block all the activities related to Hackshit PhaaS.",
"value": "Hackshit", "value": "Hackshit",
"meta": { "meta": {
"refs": [ "refs": [
@ -3143,7 +3143,7 @@
"uuid": "6c6e717d-03c5-496d-83e9-13bdaa408348" "uuid": "6c6e717d-03c5-496d-83e9-13bdaa408348"
}, },
{ {
"description": " Banload has been around since the last decade. This malware generally arrives on a victim\u2019s system through a spam email containing an archived file or bundled software as an attachment. In a few cases, this malware may also be dropped by other malware or a drive-by download. When executed, Banload downloads other malware, often banking Trojans, on the victim\u2019s system to carry out further infections.", "description": " Banload has been around since the last decade. This malware generally arrives on a victims system through a spam email containing an archived file or bundled software as an attachment. In a few cases, this malware may also be dropped by other malware or a drive-by download. When executed, Banload downloads other malware, often banking Trojans, on the victims system to carry out further infections.",
"value": "Banload", "value": "Banload",
"meta": { "meta": {
"refs": [ "refs": [
@ -3213,7 +3213,7 @@
"uuid": "24ee55e3-697f-482f-8fa8-d05999df40cd" "uuid": "24ee55e3-697f-482f-8fa8-d05999df40cd"
}, },
{ {
"description": "Recently, Palo Alto Networks researchers discovered an advanced Android malware we\u2019ve named \u201cSpyDealer\u201d which exfiltrates private data from more than 40 apps and steals sensitive messages from communication apps by abusing the Android accessibility service feature. SpyDealer uses exploits from a commercial rooting app to gain root privilege, which enables the subsequent data theft.", "description": "Recently, Palo Alto Networks researchers discovered an advanced Android malware weve named “SpyDealer” which exfiltrates private data from more than 40 apps and steals sensitive messages from communication apps by abusing the Android accessibility service feature. SpyDealer uses exploits from a commercial rooting app to gain root privilege, which enables the subsequent data theft.",
"value": "SpyDealer", "value": "SpyDealer",
"meta": { "meta": {
"refs": [ "refs": [
@ -3233,7 +3233,7 @@
"uuid": "6da16d56-eaf9-475d-a7e0-4a11e0200c14" "uuid": "6da16d56-eaf9-475d-a7e0-4a11e0200c14"
}, },
{ {
"description": "In mid-July 2017, we found a new modification of the well-known mobile banking malware family Svpeng \u2013 Trojan-Banker.AndroidOS.Svpeng.ae. In this modification, the cybercriminals have added new functionality: it now also works as a keylogger, stealing entered text through the use of accessibility services.", "description": "In mid-July 2017, we found a new modification of the well-known mobile banking malware family Svpeng Trojan-Banker.AndroidOS.Svpeng.ae. In this modification, the cybercriminals have added new functionality: it now also works as a keylogger, stealing entered text through the use of accessibility services.",
"value": "Svpeng", "value": "Svpeng",
"meta": { "meta": {
"refs": [ "refs": [
@ -3259,7 +3259,7 @@
"uuid": "9334c430-0d83-4893-8982-66a1dc1a2b11" "uuid": "9334c430-0d83-4893-8982-66a1dc1a2b11"
}, },
{ {
"description": "Like TwoFace, the IntrudingDivisor webshell requires the threat actor to authenticate before issuing commands. To authenticate, the actor must provide two pieces of information, first an integer that is divisible by 5473 and a string whose MD5 hash is \u201c9A26A0E7B88940DAA84FC4D5E6C61AD0\u201d. Upon successful authentication, the webshell has a command handler that uses integers within the request to determine the command to execute - To complete", "description": "Like TwoFace, the IntrudingDivisor webshell requires the threat actor to authenticate before issuing commands. To authenticate, the actor must provide two pieces of information, first an integer that is divisible by 5473 and a string whose MD5 hash is “9A26A0E7B88940DAA84FC4D5E6C61AD0”. Upon successful authentication, the webshell has a command handler that uses integers within the request to determine the command to execute - To complete",
"value": "IntrudingDivisor", "value": "IntrudingDivisor",
"meta": { "meta": {
"type": [ "type": [
@ -3283,7 +3283,7 @@
}, },
{ {
"value": "EngineBox Malware", "value": "EngineBox Malware",
"description": "The main malware capabilities include a privilege escalation attempt using MS16\u2013032 exploitation; a HTTP Proxy to intercept banking transactions; a backdoor to make it possible for the attacker to issue arbitrary remote commands and a C&C through a IRC channel. As it's being identified as a Generic Trojan by most of VirusTotal (VT) engines, let s name it EngineBox\u2014 the core malware class I saw after reverse engineering it.", "description": "The main malware capabilities include a privilege escalation attempt using MS16032 exploitation; a HTTP Proxy to intercept banking transactions; a backdoor to make it possible for the attacker to issue arbitrary remote commands and a C&C through a IRC channel. As it's being identified as a Generic Trojan by most of VirusTotal (VT) engines, let s name it EngineBox the core malware class I saw after reverse engineering it.",
"meta": { "meta": {
"refs": [ "refs": [
"https://isc.sans.edu/diary/22736" "https://isc.sans.edu/diary/22736"
@ -3293,7 +3293,7 @@
}, },
{ {
"value": "Joao", "value": "Joao",
"description": "Spread via hacked Aeria games offered on unofficial websites, the modular malware can download and install virtually any other malicious code on the victim\u2019s computer. To spread their malware, the attackers behind Joao have misused massively-multiplayer online role-playing games (MMORPGs) originally published by Aeria Games. At the time of writing this article, the Joao downloader was being distributed via the anime-themed MMORPG Grand Fantasia offered on gf.ignitgames[.]to.", "description": "Spread via hacked Aeria games offered on unofficial websites, the modular malware can download and install virtually any other malicious code on the victims computer. To spread their malware, the attackers behind Joao have misused massively-multiplayer online role-playing games (MMORPGs) originally published by Aeria Games. At the time of writing this article, the Joao downloader was being distributed via the anime-themed MMORPG Grand Fantasia offered on gf.ignitgames[.]to.",
"meta": { "meta": {
"refs": [ "refs": [
"https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/" "https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/"
@ -3313,7 +3313,7 @@
}, },
{ {
"value": "ShadowPad", "value": "ShadowPad",
"description": "ShadowPad is a modular cyber-attack platform that attackers deploy in victim networks to gain flexible remote control capabilities. The platform is designed to run in two stages. The first stage is a shellcode that was embedded in a legitimate nssock2.dll used by Xshell, Xmanager and other software packages produced by NetSarang. This stage is responsible for connecting to \u201cvalidation\u201d command and control (C&C) servers and getting configuration information including the location of the real C&C server, which may be unique per victim. The second stage acts as an orchestrator for five main modules responsible for C&C communication, working with the DNS protocol, loading and injecting additional plugins into the memory of other processes.", "description": "ShadowPad is a modular cyber-attack platform that attackers deploy in victim networks to gain flexible remote control capabilities. The platform is designed to run in two stages. The first stage is a shellcode that was embedded in a legitimate nssock2.dll used by Xshell, Xmanager and other software packages produced by NetSarang. This stage is responsible for connecting to “validation” command and control (C&C) servers and getting configuration information including the location of the real C&C server, which may be unique per victim. The second stage acts as an orchestrator for five main modules responsible for C&C communication, working with the DNS protocol, loading and injecting additional plugins into the memory of other processes.",
"meta": { "meta": {
"refs": [ "refs": [
"https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf" "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf"
@ -3364,7 +3364,7 @@
}, },
{ {
"value": "Silence", "value": "Silence",
"description": "In September 2017, we discovered a new targeted attack on financial institutions. Victims are mostly Russian banks but we also found infected organizations in Malaysia and Armenia. The attackers were using a known but still very effective technique for cybercriminals looking to make money: gaining persistent access to an internal banking network for a long period of time, making video recordings of the day to day activity on bank employees\u2019 PCs, learning how things works in their target banks, what software is being used, and then using that knowledge to steal as much money as possible when ready. \nWe saw that technique before in Carbanak, and other similar cases worldwide. The infection vector is a spear-phishing email with a malicious attachment. An interesting point in the Silence attack is that the cybercriminals had already compromised banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees and look as unsuspicious as possible to future victims.", "description": "In September 2017, we discovered a new targeted attack on financial institutions. Victims are mostly Russian banks but we also found infected organizations in Malaysia and Armenia. The attackers were using a known but still very effective technique for cybercriminals looking to make money: gaining persistent access to an internal banking network for a long period of time, making video recordings of the day to day activity on bank employees PCs, learning how things works in their target banks, what software is being used, and then using that knowledge to steal as much money as possible when ready. \nWe saw that technique before in Carbanak, and other similar cases worldwide. The infection vector is a spear-phishing email with a malicious attachment. 
An interesting point in the Silence attack is that the cybercriminals had already compromised banking infrastructure in order to send their spear-phishing emails from the addresses of real bank employees and look as unsuspicious as possible to future victims.",
"meta": { "meta": {
"refs": [ "refs": [
"https://securelist.com/the-silence/83009/" "https://securelist.com/the-silence/83009/"
@ -3394,7 +3394,7 @@
}, },
{ {
"value": "GootKit", "value": "GootKit",
"description": "As was the case earlier, the bot Gootkit is written in NodeJS, and is downloaded to a victim computer via a chain of downloaders. The main purpose of the bot also remained the same \u2013 to steal banking data. The new Gootkit version, detected in September, primarily targets clients of European banks, including those in Germany, France, Italy, the Netherlands, Poland, etc.", "description": "As was the case earlier, the bot Gootkit is written in NodeJS, and is downloaded to a victim computer via a chain of downloaders. The main purpose of the bot also remained the same to steal banking data. The new Gootkit version, detected in September, primarily targets clients of European banks, including those in Germany, France, Italy, the Netherlands, Poland, etc.",
"meta": { "meta": {
"refs": [ "refs": [
"https://securelist.com/inside-the-gootkit-cc-server/76433/", "https://securelist.com/inside-the-gootkit-cc-server/76433/",
@ -3446,7 +3446,7 @@
}, },
{ {
"value": "wp-vcd", "value": "wp-vcd",
"description": "WordPress site owners should be on the lookout for a malware strain tracked as wp-vcd that hides in legitimate WordPress files and that is used to add a secret admin user and grant attackers control over infected sites.\nThe malware was first spotted online over the summer by Italian security researcher Manuel D'Orso.\nThe initial version of this threat was loaded via an include call for the wp-vcd.php file \u2014hence the malware's name\u2014 and injected malicious code into WordPress core files such as functions.php and class.wp.php. This was not a massive campaign, but attacks continued throughout the recent months.", "description": "WordPress site owners should be on the lookout for a malware strain tracked as wp-vcd that hides in legitimate WordPress files and that is used to add a secret admin user and grant attackers control over infected sites.\nThe malware was first spotted online over the summer by Italian security researcher Manuel D'Orso.\nThe initial version of this threat was loaded via an include call for the wp-vcd.php file —hence the malware's name— and injected malicious code into WordPress core files such as functions.php and class.wp.php. This was not a massive campaign, but attacks continued throughout the recent months.",
"meta": { "meta": {
"refs": [ "refs": [
"https://www.bleepingcomputer.com/news/security/wp-vcd-wordpress-malware-campaign-is-back/", "https://www.bleepingcomputer.com/news/security/wp-vcd-wordpress-malware-campaign-is-back/",
@ -3488,7 +3488,7 @@
}, },
{ {
"value": "TRISIS", "value": "TRISIS",
"description": "(Dragos Inc.) The team identifies this malware as TRISIS because it targets Schneider Electric\u2019s Triconex safety instrumented system (SIS) enabling the replacement of logic in final control elements. TRISIS is highly targeted and likely does not pose an immediate threat to other Schneider Electric customers, let alone other SIS products. (FireEye Inc.) This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack. TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. ", "description": "(Dragos Inc.) The team identifies this malware as TRISIS because it targets Schneider Electrics Triconex safety instrumented system (SIS) enabling the replacement of logic in final control elements. TRISIS is highly targeted and likely does not pose an immediate threat to other Schneider Electric customers, let alone other SIS products. (FireEye Inc.) This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack. TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. ",
"meta": { "meta": {
"refs": [ "refs": [
"https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html", "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
@ -3527,7 +3527,7 @@
}, },
{ {
"value": "PRILEX", "value": "PRILEX",
"description": "Prilex malware steals the information of the infected ATM\u2019s users. In this case, it was a Brazilian bank, but consider the implications of such an attack in your region, whether you\u2019re a customer or the bank.", "description": "Prilex malware steals the information of the infected ATMs users. In this case, it was a Brazilian bank, but consider the implications of such an attack in your region, whether youre a customer or the bank.",
"meta": { "meta": {
"refs": [ "refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/" "http://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/"
@ -3581,7 +3581,7 @@
}, },
{ {
"value": "Ratankba", "value": "Ratankba",
"description": "In one instance we observed, one of the initial malware delivered to the victim, RATANKBA, connects to a legitimate but compromised website from which a hack tool (nbt_scan.exe) is also downloaded. The domain also serves as one of the campaign\u2019s platform for C&C communication.\nThe threat actor uses RATANKBA to survey the lay of the land as it looks into various aspects of the host machine where it has been initially downloaded\u2014the machine that has been victim of the watering hole attack. Information such as the running tasks, domain, shares, user information, if the host has default internet connectivity, and so forth.", "description": "In one instance we observed, one of the initial malware delivered to the victim, RATANKBA, connects to a legitimate but compromised website from which a hack tool (nbt_scan.exe) is also downloaded. The domain also serves as one of the campaigns platform for C&C communication.\nThe threat actor uses RATANKBA to survey the lay of the land as it looks into various aspects of the host machine where it has been initially downloadedthe machine that has been victim of the watering hole attack. Information such as the running tasks, domain, shares, user information, if the host has default internet connectivity, and so forth.",
"meta": { "meta": {
"refs": [ "refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/ratankba-watering-holes-against-enterprises/" "http://blog.trendmicro.com/trendlabs-security-intelligence/ratankba-watering-holes-against-enterprises/"
@ -3697,7 +3697,7 @@
}, },
{ {
"value": "Travle", "value": "Travle",
"description": "The Travle sample found during our investigation was a DLL with a single exported function (MSOProtect). The malware name Travle was chosen given a string found in early samples of this family: \u201cTravle Path Failed!\u201d. This typo was replaced with correct word \u201cTravel\u201d in newer releases. We believe that Travle could be a successor to the NetTraveler family.", "description": "The Travle sample found during our investigation was a DLL with a single exported function (MSOProtect). The malware name Travle was chosen given a string found in early samples of this family: “Travle Path Failed!”. This typo was replaced with correct word “Travel” in newer releases. We believe that Travle could be a successor to the NetTraveler family.",
"meta": { "meta": {
"refs": [ "refs": [
"https://securelist.com/travle-aka-pylot-backdoor-hits-russian-speaking-targets/83455/" "https://securelist.com/travle-aka-pylot-backdoor-hits-russian-speaking-targets/83455/"
@ -3710,7 +3710,7 @@
}, },
{ {
"value": "Digmine", "value": "Digmine",
"description": "Digmine is coded in AutoIt, and sent to would-be victims posing as a video file but is actually an AutoIt executable script. If the user\u2019s Facebook account is set to log in automatically, Digmine will manipulate Facebook Messenger in order to send a link to the file to the account\u2019s friends. The abuse of Facebook is limited to propagation for now, but it wouldn\u2019t be implausible for attackers to hijack the Facebook account itself down the line. This functionality\u2019s code is pushed from the command-and-control (C&C) server, which means it can be updated.", "description": "Digmine is coded in AutoIt, and sent to would-be victims posing as a video file but is actually an AutoIt executable script. If the users Facebook account is set to log in automatically, Digmine will manipulate Facebook Messenger in order to send a link to the file to the accounts friends. The abuse of Facebook is limited to propagation for now, but it wouldnt be implausible for attackers to hijack the Facebook account itself down the line. This functionalitys code is pushed from the command-and-control (C&C) server, which means it can be updated.",
"meta": { "meta": {
"refs": [ "refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/digmine-cryptocurrency-miner-spreading-via-facebook-messenger/" "https://blog.trendmicro.com/trendlabs-security-intelligence/digmine-cryptocurrency-miner-spreading-via-facebook-messenger/"