From 381973f5de49cc6fb182b941d608d32ae264c282 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=BCrgen=20L=C3=B6hel?= Date: Mon, 21 Jun 2021 16:35:20 -0500 Subject: [PATCH 1/2] [cluster][stealer] Adds HackBoss MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: #651 Signed-off-by: Jürgen Löhel --- clusters/stealer.json | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/clusters/stealer.json b/clusters/stealer.json index 117d4f8..3627bfe 100644 --- a/clusters/stealer.json +++ b/clusters/stealer.json @@ -76,7 +76,19 @@ }, "uuid": "f3413f6c-5c3a-4df0-bbb5-2dbdf4d68c4c", "value": "Ave Maria" + }, + { + "description": "A cryptocurrency-stealing malware distributed through Telegram", + "meta": { + "date": "April 2021.", + "refs": [ + "https://decoded.avast.io/romanalinkeova/hackboss-a-cryptocurrency-stealing-malware-distributed-through-telegram/", + "https://github.com/avast/ioc/tree/master/HackBoss" + ] + }, + "uuid": "ebc1c15d-3e27-456e-9473-61d92d91bda8", + "value": "HackBoss" } ], - "version": 7 + "version": 8 } From 254c20160183e58f9f4b7f7ef2f5a9af1c77e2aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=BCrgen=20L=C3=B6hel?= Date: Mon, 21 Jun 2021 18:00:35 -0500 Subject: [PATCH 2/2] [cluster][tool] Adds Matanbuchus MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit + threat actor: BelialDemon Signed-off-by: Jürgen Löhel --- clusters/threat-actor.json | 15 ++++++++++++++- clusters/tool.json | 16 +++++++++++++++- 2 files changed, 29 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index c6a9be6..99e29ce 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -8833,7 +8833,20 @@ }, "uuid": "2dd31182-bae1-48ed-8bb3-805a3df89783", "value": "Gelsemium" + }, + { + "description": "Mentioned as operator of TriumphLoader and Matanbuchus", + "meta": { + "refs": [ + "https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/" + ], + "synonyms": [ + "Matanbuchus" + ] + }, + "uuid": "e7aff414-fc21-43eb-ad5d-9a46e07be9f5", + "value": "BelialDemon" } ], - "version": 204 + "version": 205 } diff --git a/clusters/tool.json b/clusters/tool.json index eaf3961..8874ee4 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -8292,7 +8292,21 @@ "related": [], "uuid": "d357a6ff-00e5-4fcc-8b9e-4a9d98a736e7", "value": "RDAT" + }, + { + "description": "Matanbuchus is a loader promoted by BelialDemon. It can launch an EXE or DLL file in memory, leverage schtasks.exe to add or modify task schedules, and launch custom PowerShell commands, among other capabilities. Attackers use a Microsoft Excel document as the initial vector to drop the Matanbuchus Loader DLL.", + "meta": { + "date": "Feb 2021.", + "refs": [ + "https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/" + ], + "type": [ + "Loader" + ] + }, + "uuid": "2214b113-6942-494f-94b7-576e74fccdb5", + "value": "Matanbuchus" } ], - "version": 144 + "version": 145 }