diff --git a/clusters/botnet.json b/clusters/botnet.json
index aed6269..16c7e5c 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -551,6 +551,21 @@
 ]
 },
 "uuid": "8364b00c-46c6-11e8-a78e-9bcc5609574f"
+ },
+ {
+ "value": "Hide and Seek",
+ "description": "Security researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on infected devices after the initial compromise.\nThis is a major game-changing moment in the realm of IoT and router malware. Until today, equipment owners could always remove IoT malware from their smart devices, modems, and routers by resetting the device.\nThe reset operation flushed the device's flash memory, where the device would keep all its working data, including IoT malware strains.\nBut today, Bitdefender researchers announced they found an IoT malware strain that under certain circumstances copies itself to /etc/init.d/, a folder that houses daemon scripts on Linux-based operating systems —like the ones on routers and IoT devices.\nBy placing itself in this menu, the device's OS will automatically start the malware's process after the next reboot.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/",
+ "https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/"
+ ],
+ "synonyms": [
+ "HNS",
+ "Hide 'N Seek"
+ ]
+ },
+ "uuid": "cdf1148c-5358-11e8-87e5-ab60d455597f"
 }
 ],
 "name": "Botnet",
@@ -561,5 +576,5 @@
 ],
 "description": "botnet galaxy",
 "uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f",
- "version": 3
+ "version": 4
 }
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index c8d7d14..7b266c4 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
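Review bot: The `"description"` of the new `"Hide and Seek"` entry is a verbatim news excerpt and keeps its time-relative framing (`Until today`, `But today`), which will read as wrong in a reference dataset that is consumed for years; rewrite it in the present-neutral voice the galaxy uses elsewhere and attribute the claim to its source, e.g. `"description": "Hide and Seek (HNS) is an IoT botnet that, according to Bitdefender, gains persistence by copying itself to /etc/init.d/ on Linux-based devices so that it is restarted after a reboot."`. The persistence detail is the actionable part for defenders (it means a factory reset of the device may not clear the infection, and the init.d copy is something to check for), so it should lead the description rather than sit in the fourth paragraph. The `"first IoT botnet ... that can survive device reboots"` wording is the article's headline claim; if kept, phrase it as `"reported as the first ..."`. The version bump in the second hunk of this file is consistent with the new entry and needs no change.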
@@ -9676,12 +9676,26 @@
 ]
 },
 "uuid": "c1788ac0-4fa0-11e8-b0fd-63f5a2914926"
+ },
+ {
+ "value": "HPE iLO 4 Ransomware",
+ "description": "Attackers are targeting Internet accessible HPE iLO 4 remote management interfaces, supposedly encrypting the hard drives, and then demanding Bitcoins to get access to the data again.\nAccording to the victim, the attackers are demanding 2 bitcoins to gain access to the drives again. The attackers will also provide a bitcoin address to the victim that should be used for payment. These bitcoin addresses appear to be unique per victim as the victim's was different from other reported ones.\nAn interesting part of the ransom note is that the attackers state that the ransom price is not negotiable unless the victim's are from Russia. This is common for Russian based attackers, who in many cases tries to avoid infecting Russian victims.\nFinally, could this be a decoy/wiper rather than an actual true ransomware attack? Ransomware attacks typically provide a unique ID to the victim in order to distinguish one victim from another. This prevents a victim from \"stealing\" another victim's payment and using it to unlock their computer.\nIn a situation like this, where no unique ID is given to identify the encrypted computer and the email is publicly accessible, it could be a case where the main goal is to wipe a server or act as a decoy for another attack.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/ransomware-hits-hpe-ilo-remote-management-interfaces/",
+ "https://twitter.com/M_Shahpasandi/status/989157283799162880"
+ ],
+ "ransomnotes": [
+ "Security Notice\n\nHey. Your hard disk is encrypted using RSA 2048 asymmetric encryption. To decrypt files you need to obtain the private key.\nIt means We are the only ones in the world to recover files back to you. Not even god can help you. 
Its all math and cryptography .\nIf you want your files back, Please send an email to 15fd9ngtetwjtdc@yopmail.com.\nWe don't know who are you, All what we need is some money and we are doing it for good cause.\nDon't panic if we don't answer you during 24 hours. It means that we didn't received your letter and write us again.\nYou can use of that bitcoin exchangers for transfering bitcoin.\nhttps://localbitcoins.com\nhttps://www.kraken.com\nPlease use english language in your letters. If you don't speak english then use https://translate.google.com to translate your letter on english language.\n\nProcess:\n1) Pay some BTC to our wallet address.(negotations almost impossible unless you are a russian citizen)\n2) We will send you private key and instructions to decrypt your hard drive\n3) Boom! You got your files back."
+ ]
+ },
+ "uuid": "39cb0268-528b-11e8-ac30-0fa44afdc8de"
 }
 ],
 "source": "Various",
 "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
 "name": "Ransomware",
- "version": 20,
+ "version": 21,
 "type": "ransomware",
 "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index bbc05ee..10a82bb 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -11,7 +11,7 @@
 ],
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
- "version": 66,
+ "version": 67,
 "values": [
 {
 "meta": {
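Review bot: The last two paragraphs of the `"HPE iLO 4 Ransomware"` description are the source article's speculation (`could this be a decoy/wiper rather than an actual true ransomware attack?`) presented in the cluster's own voice; prefix them with an attribution such as `BleepingComputer speculates that, because no per-victim ID is issued and the contact address is public, the goal may be to wipe the server or act as a decoy rather than to collect a ransom.` The defensive takeaway in this entry is the exposure path — Internet-accessible iLO 4 remote management interfaces — and it deserves to lead the description rather than appear as a clause in the first sentence. Leave the `ransomnotes` text, including its misspellings and the contact address, exactly as captured: the verbatim note is the matching artifact and normalising it would weaken it as an indicator. The `version` bump in the same hunk is consistent with the added entry.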
@@ -4150,6 +4150,18 @@
 ]
 },
 "uuid": "b7be6732-4ed5-11e8-8b82-dff39eb7a396"
+ },
+ {
+ "value": "kitty Malware",
+ "description": "Researchers at Imperva's Incapsula said a new piece malware called Kitty leaves a note for cat lovers. It attacks the Drupal content management system (CMS) to illegally mine cryptocurrency Monero.",
+ "meta": {
+ "refs": [
+ "https://www.zdnet.com/article/hello-kitty-malware-targets-drupal-to-mine-for-cryptocurrency/",
+ "https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/",
+ "https://cryptovest.com/news/hello-kitty-new-malware-me0ws-its-way-into-mining-monero/"
+ ]
+ },
+ "uuid": "85d5da28-51f7-11e8-bbeb-af367d720136"
 }
 ]
 }
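Review bot: The new `"value": "kitty Malware"` has a lowercase initial, unlike the other names added in this commit (`"Hide and Seek"`, `"HPE iLO 4 Ransomware"`) and unlike the description's own `Kitty`; because the value becomes the tag identifier once the galaxy is consumed, it should be fixed before merge, e.g. `"value": "Kitty Malware"`. The description also drops a word in `a new piece malware`, which should read `a new piece of malware`. The second ref's URL indicates the campaign is tied to the Drupalgeddon 2 Drupal vulnerability; if the source confirms that, the initial access vector is the most useful detail for defenders (Drupal patch state) and belongs in the description. Two of the three ref URLs use the name `hello-kitty`, so `"Hello Kitty"` may be worth adding under `"synonyms"` if the sources use it as a name rather than a headline pun.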