From 93396c524da9d4a49ecf23d393ffb734e20c44c6 Mon Sep 17 00:00:00 2001 From: Thomas Dupuy Date: Fri, 12 Feb 2021 12:00:17 -0500 Subject: [PATCH 01/20] Add Caterpillar WebShell. --- clusters/tool.json | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index 4bab6de..0606a6a 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -8221,7 +8221,21 @@ "related": [], "uuid": "e1bfe1d9-190c-4cf4-aec8-a8f2c41c7d8b", "value": "HyperBro" + }, + { + "description": "", + "meta": { + "refs": [ + "https://www.clearskysec.com/cedar/" + ], + "type": [ + "webshell" + ] + }, + "related": [], + "uuid": "1974ea65-7312-4d91-a592-649983b46554", + "value": "Caterpillar WebShell" } ], - "version": 140 + "version": 141 } From 4a7560d1917e73aca1d5de7afdf534de0c50544b Mon Sep 17 00:00:00 2001 From: Thomas Dupuy Date: Mon, 15 Feb 2021 12:52:53 -0500 Subject: [PATCH 02/20] Add Exaramel and P.A.S. webshell tool. --- clusters/tool.json | 38 +++++++++++++++++++++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index 0606a6a..5ddaf2f 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
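Review bot: The new Caterpillar WebShell entry is committed with `"description": ""`, an empty placeholder that MISP will display verbatim and that the later "Remove empty values" patch in this series clears only for Exaramel, not here. Either fill it from the cited clearskysec.com/cedar reference — a single sentence tying the webshell to the campaign that report covers is enough — or omit the key until there is text for it, rather than shipping an empty string. A CI guard such as `jq -e '[.values[] | select(.description == "")] | length == 0' clusters/tool.json` would stop this class of placeholder before merge.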
@@ -8235,7 +8235,43 @@ "related": [], "uuid": "1974ea65-7312-4d91-a592-649983b46554", "value": "Caterpillar WebShell" + }, + { + "description": "The P.A.S. webshell was developed by an ukrainian student, Jaroslav Volodimirovich Panchenko, who used the nick-name Profexer. It was developed in PHP and features a characteristic password-based encryption. This tool was available through a form on his website, where a user had to provide a password to receive a custom webshell. The form suggested a donation to the developer. It was commonly used, including during a WORDPRESS website attack.", + "meta": { + "refs": [ + "https://us-cert.cisa.gov/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" + ], + "synonyms": [ + "Fobushell" + ], + "type": [ + "webshell" + ] + }, + "related": [], + "uuid": "6baa1f46-daa9-4f40-952b-ec613c835abb", + "value": "P.A.S. webshell" + }, + { + "description": "", + "meta": { + "refs": [ + "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" + ], + "synonyms": [ + "" + ], + "type": [ + "backdoor" + ] + }, + "related": [], + "uuid": "95174297-6dff-47d9-bcb9-263f9b2efcfb", + "value": "Exaramel" } ], - "version": 141 + "version": 142 } From 178e16dc13f726afa2e97dd2527e87698f89795e Mon Sep 17 00:00:00 2001 From: Thomas Dupuy Date: Tue, 16 Feb 2021 10:32:37 -0500 Subject: [PATCH 03/20] Remove empty values. --- clusters/tool.json | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/clusters/tool.json b/clusters/tool.json index 5ddaf2f..9e4ac50 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
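Review bot: The P.A.S. description asserts that a named individual wrote the webshell, but nothing in the entry says which of the two refs makes that claim, so a reader cannot tell whether it is CISA's or ANSSI's attribution. Prefix the sentence with its source, e.g. `"description": "According to ANSSI (CERTFR-2021-CTI-005), the P.A.S. webshell was developed by ..."`, and lower-case `WORDPRESS`, which reads as a PDF-extraction artefact rather than a product name. For Exaramel, `"related": []` could carry a link to the TeleBots/Sandworm threat-actor entry if the threat-actor cluster has one, since the welivesecurity ref exists precisely to establish that link; I cannot see that cluster from here.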
@@ -8255,15 +8255,12 @@
 "value": "P.A.S. webshell"
 },
 {
- "description": "",
+ "description": "Exaramel is a backdoor first publicly reported by ESET in 2018. Two samples were identified, one targeting the WINDOWS operating system and the other targeting LINUX operating systems.",
 "meta": {
 "refs": [
 "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
 ],
- "synonyms": [
- ""
- ],
 "type": [
 "backdoor"
 ]
From e9eb0c7a6c3eae7dc97162bf78b1de0f62ba1411 Mon Sep 17 00:00:00 2001 From: Thijsvanede Date: Fri, 19 Feb 2021 12:01:47 +0100 Subject: [PATCH 04/20] Fix: rename "Innitial Access" to "Initial Access" Renamed mitre-ics-tactics "Innitial Access" to "Initial Access". Original was a minor spelling mistake. The fixed naming corresponds to the original ATT&CK framework description https://collaborate.mitre.org/attackics/index.php/Initial_Access
--- clusters/mitre-ics-tactics.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/mitre-ics-tactics.json b/clusters/mitre-ics-tactics.json
index 8cb8cae..56102ce 100644
--- a/clusters/mitre-ics-tactics.json
+++ b/clusters/mitre-ics-tactics.json
@@ -271,7 +271,7 @@
 ]
 },
 "uuid": "2366ffb0-91ba-4b8e-bfad-d460c98d43a8",
- "value": "Innitial Access"
+ "value": "Initial Access"
 }
 ],
 "version": 1
From eeafff97680b7f53b1750ee704e56415e472d546 Mon Sep 17 00:00:00 2001 From: Thomas Dupuy Date: Tue, 23 Feb 2021 11:15:31 -0500 Subject: [PATCH 05/20] Add RDAT backdoor
--- clusters/tool.json | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 9e4ac50..21bb1b5 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
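Review bot: The commit is titled "Remove empty values" but only clears Exaramel's `"description": ""` and `"synonyms": [""]`; the Caterpillar WebShell entry directly above this hunk still carries `"description": ""` from patch 01 and should be fixed in the same change. An empty string inside `synonyms` is worse than an empty description, because it becomes a zero-length alias that a tag lookup can match, so it is worth adding a CI check such as `jq -e '[.values[] | select(.description == "" or ((.meta.synonyms // []) | index("")))] | length == 0' clusters/*.json` so the next placeholder is rejected before merge.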
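Review bot: `"version": 1` is left unchanged as context at the end of the mitre-ics-tactics hunk, while every other content change in this series bumps the cluster version; as far as I know MISP only re-imports a galaxy whose version has increased, so instances will keep the misspelled `Innitial Access` value until someone bumps it. Change the context line to `+    "version": 2` in this commit. Keeping the UUID `2366ffb0-91ba-4b8e-bfad-d460c98d43a8` unchanged is right — it should let existing `misp-galaxy:mitre-ics-tactics="Innitial Access"` tags re-resolve by UUID rather than be orphaned, though that is worth confirming on a test instance.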
@@ -8268,7 +8268,21 @@ "related": [], "uuid": "95174297-6dff-47d9-bcb9-263f9b2efcfb", "value": "Exaramel" + }, + { + "description": "RDAT is a backdoor used by the suspected Iranian threat group OilRig. RDAT was originally identified in 2017 and targeted companies in the telecommunications sector.", + "meta": { + "refs": [ + "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/" + ], + "type": [ + "backdoor" + ] + }, + "related": [], + "uuid": "d357a6ff-00e5-4fcc-8b9e-4a9d98a736e7", + "value": "RDAT" } ], - "version": 142 + "version": 143 } From 5c6f3a036bf1e3decb541bca0f6df5b66fa04b80 Mon Sep 17 00:00:00 2001 From: Rony Date: Wed, 24 Feb 2021 21:55:04 +0530 Subject: [PATCH 06/20] removing DePrimon DePrimon is not a TA, added malfamily (waiting for approval) to Malpedia to better reflect that. --- clusters/threat-actor.json | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 2fd7c74..74ca0d2 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
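Review bot: The RDAT description names OilRig as the operator, but `"related": []` leaves that link machine-unreadable; if the threat-actor cluster has an OilRig entry, add a `related` element pointing at its UUID with whatever relation type this repository uses for tool-to-actor links. The cited Unit42 title ("oilrig-novel-c2-channel-steganography") is the detection-relevant fact about RDAT and is absent from the description; a clause noting the steganographic C2 channel the post describes would make the entry useful for hunting, provided the wording is checked against the post rather than inferred from its title.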
@@ -7996,21 +7996,6 @@ "uuid": "947a450a-df6c-4c2e-807b-0da8ecea1d26", "value": "Attor" }, - { - "description": "DePriMon is an unusually advanced downloader whose developers have put extra effort into setting up the architecture and crafting the critical components.", - "meta": { - "cfr-target-category": [ - "Private sector", - "Finance" - ], - "cfr-type-of-incident": "Espionage", - "refs": [ - "https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader" - ] - }, - "uuid": "443faf38-ad93-4421-8a53-47ad84b195fa", - "value": "DePriMon" - }, { "description": "According to 360 TIC the actor has carried out continuous cyber espionage activities since 2011 on key units and departments of the Chinese government, military industry, scientific research, and finance. The organization focuses on information related to the nuclear industry and scientific research. The targets were mainly concentrated in mainland China...[M]ore than 670 malware samples have been collected from the group, including more than 60 malicious plugins specifically for lateral movement; more than 40 C2 domain names and IPs related to the organization have also been discovered.", "meta": { From 4692ced8fa444e0ed92a3a9b281d0611ab89bbe3 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 26 Feb 2021 08:28:01 +0100 Subject: [PATCH 07/20] chg: [tool] SUNSPOT added --- clusters/tool.json | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index 4bab6de..977db65 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
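Review bot: The DePriMon removal is a pure deletion with no `"version"` bump — the diffstat (`15 deletions(-)`, no insertions) confirms it — so MISP instances that already synced version 198 of threat-actor.json will not pick up the removal. Dropping the UUID also orphans any `misp-galaxy:threat-actor="DePriMon"` tag or `related` link that already references `443faf38-ad93-4421-8a53-47ad84b195fa`; since the commit message itself says this is a malware family, moving the entry under the same UUID into tool.json, or leaving a deprecated stub, would preserve those references while still fixing the misclassification. Either way, bump the version in this commit.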
@@ -8221,7 +8221,17 @@ "related": [], "uuid": "e1bfe1d9-190c-4cf4-aec8-a8f2c41c7d8b", "value": "HyperBro" + }, + { + "description": "SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.", + "meta": { + "refs": [ + "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/" + ] + }, + "uuid": "d9b2305e-9802-483c-a95d-2ae8525c7704", + "value": "SUNSPOT" } ], - "version": 140 + "version": 141 } From f842694fda3fc4cef4e05037fcad436c23b6fcf1 Mon Sep 17 00:00:00 2001 From: Thomas Dupuy Date: Tue, 2 Mar 2021 14:37:01 -0500 Subject: [PATCH 08/20] Update Infy TA. --- clusters/threat-actor.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 74ca0d2..34712fe 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -4308,9 +4308,12 @@ "cfr-type-of-incident": "Espionage", "country": "IR", "refs": [ + "https://www.intezer.com/prince-of-persia-the-sands-of-foudre/", + "https://www.freebuf.com/articles/network/105726.html", "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf", "https://iranthreats.github.io/", "http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/", + "http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/", "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/", "https://www.cfr.org/interactive/cyber-operations/prince-persia", "https://unit42.paloaltonetworks.com/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/", @@ -4318,7 +4321,8 @@ ], "synonyms": [ "Operation Mermaid", - "Prince of Persia" + "Prince of Persia", + "Foudre" ] }, "uuid": "1671be1b-c844-48f5-84c8-54ac4fe4d71e", 
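Review bot: This patch is cut against `index 4bab6de`, the same tool.json base as patch 01, and both insert after the HyperBro entry and bump `"version": 140` to `141`, so applying the series in order will conflict on this hunk and, if resolved naively, leave the file at 141 instead of the next free version. Rebase onto patch 05's `21bb1b5` and renumber. The new entry is also thinner than its siblings: it has no `"type"` and no `"related"`, although the description ties SUNSPOT to StellarParticle, which patch 10 later adds as an alias of UNC2452 (`2ee5ed7a-c4d0-40be-a837-20817474a15b`); add `"related": [{"dest-uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b", "type": "used-by"}]` if `used-by` is the relation this repository uses for tool-to-actor links — I cannot confirm the vocabulary from here.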
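Review bot: The two Infy hunks add three refs and the `Foudre` synonym but do not bump the cluster version — the diffstat (`5 insertions(+), 1 deletion(-)`) is fully accounted for by the visible lines — so instances will not receive the update. Separately, `Foudre` is, going by the cited Unit42 title ("prince-persia-ride-lightning-infy-returns-foudre"), a malware name rather than an actor alias; adding it under the actor's `synonyms` means a `Foudre` tag now resolves to the group, which is only safe if no tool or malpedia cluster already owns that name — worth grepping before merge. The two `http://` researchcenter.paloaltonetworks.com refs should be `https://`, as the unit42.paloaltonetworks.com ref in the same list already is.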
From 2666341afc4b0b71bb5f14c4232524fa5713c35d Mon Sep 17 00:00:00 2001 From: Sebdraven Date: Wed, 3 Mar 2021 17:59:25 +0100 Subject: [PATCH 09/20] Update threat-actor.json update Sidewinder card --- clusters/threat-actor.json | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 34712fe..7ecd35b 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7949,10 +7949,17 @@ "meta": { "refs": [ "https://securelist.com/apt-trends-report-q1-2018/85280/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/" + "https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/", + "https://s.tencent.com/research/report/659.html", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/fireeye-sidewinder-targeted-attack.pdf", + "https://s.tencent.com/research/report/479.html", + "https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c" ], "synonyms": [ - "RAZOR TIGER" + "RAZOR TIGER", + "Rattlesnake", + "APT-C-17", + "T-APT-04" ] }, "uuid": "c4ce1174-9462-47e9-8038-794f40a184b3", From ad795606cfc5fdd7bcf2b201df2ace2f0b4d228e Mon Sep 17 00:00:00 2001 From: Rony Date: Thu, 4 Mar 2021 00:10:33 +0530 Subject: [PATCH 10/20] added HAFNIUM Updates: Tonto Team UNC2452 --- clusters/threat-actor.json | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 34712fe..5b77d31 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -4778,7 +4778,8 @@ ], "synonyms": [ "CactusPete", - "Karma Panda" + "Karma Panda", + "BRONZE HUNTLEY" ] }, "uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26", 
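Review bot: No version bump accompanies the new Sidewinder refs and synonyms — the diffstat's `9 insertions(+), 2 deletions(-)` is fully explained by the visible ref and synonym lines — and the patch is cut against `index 34712fe`, the same threat-actor.json base as patch 10, so the two will conflict and only one of them carries a version change. Rebase and bump here as well. The medium.com ref is the committer's own write-up, which is fine to include, but the vendor PDF and Tencent reports are the independent sources and should stay ahead of it in `refs`.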
@@ -8427,12 +8428,28 @@ "https://github.com/fireeye/sunburst_countermeasures" ], "synonyms": [ - "DarkHalo" + "DarkHalo", + "StellarParticle" ] }, "uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b", "value": "UNC2452" + }, + { + "description": "HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments. 
HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html", + "https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers", + "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day", + "https://twitter.com/ESETresearch/status/1366862946488451088" + ] + }, + "uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5", + "value": "HAFNIUM" } ], - "version": 198 + "version": 199 } From a9a6b0253f13da9623991d4fdceab0a6774c17aa Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 4 Mar 2021 10:49:58 +0100 Subject: [PATCH 11/20] chg: [microsoft activity group] HAFNIUM added --- clusters/microsoft-activity-group.json | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json index 3d97ff3..1927f89 100644 --- a/clusters/microsoft-activity-group.json +++ b/clusters/microsoft-activity-group.json 
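Review bot: The HAFNIUM description is pasted verbatim from the Microsoft post, so `this campaign` and `these vulnerabilities` dangle with no referent inside the galaxy entry, and `MEGA.In` lost its space where two paragraphs were joined. Name the subject once at the top — `"HAFNIUM is a group assessed by Microsoft to be state-sponsored and operating out of China, observed exploiting on-premises Exchange Server vulnerabilities in early 2021 (see refs)."` — and keep the rest. The entry also lacks the `"country"` key that sibling actor entries carry (compare Infy's `"country": "IR"` earlier in this series); given the description's own attribution, `"country": "CN"` belongs here. The reddit thread is a useful timeline but a mutable, anonymous source; if it stays, keep the vendor and CISA advisories ahead of it.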
@@ -287,7 +287,17 @@
 },
 "uuid": "99e708f7-1c01-467d-b0da-f6cebd434abc",
 "value": "GADOLINIUM"
+ },
+ {
+ "description": "HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA. In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments. HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
+ ]
+ },
+ "uuid": "fbb66d6c-0faa-49cc-8aa3-2f9bd4e9c298",
+ "value": "HAFNIUM"
 }
 ],
- "version": 9
+ "version": 10
 }
From c9f7afef1c641e9fb960e18ee34fa30a4fa623ab Mon Sep 17 00:00:00 2001 From: Rony Date: Thu, 4 Mar 2021 22:39:33 +0530 Subject: [PATCH 12/20] Adding alias NOBELIUM
--- clusters/threat-actor.json | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 33c047a..e2bf2a7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
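Review bot: HAFNIUM now exists twice in the galaxy with different UUIDs — `4f05d6c1-3fc1-4567-91cd-dd4637cc38b5` in threat-actor.json (patch 10) and `fbb66d6c-0faa-49cc-8aa3-2f9bd4e9c298` here — and nothing ties them together, so an event tagged from one cluster will not correlate with one tagged from the other. Add a `related` element on each side, e.g. `"related": [{"dest-uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5", "type": "similar"}]` here and the mirror in threat-actor.json, following whatever relation vocabulary the repository's other cross-cluster links use. The text here also drops the MSTIC attribution sentence that the threat-actor copy keeps, so the two descriptions have already drifted; keep one canonical wording and reuse it.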
@@ -8432,11 +8432,14 @@ "https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/", "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", "https://pastebin.com/6EDgCKxd", - "https://github.com/fireeye/sunburst_countermeasures" + "https://github.com/fireeye/sunburst_countermeasures", + "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware", + "https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html" ], "synonyms": [ "DarkHalo", - "StellarParticle" + "StellarParticle", + "NOBELIUM" ] }, "uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b", From d9b299aafcefa6b3cb45f4961a9c0473c3363d97 Mon Sep 17 00:00:00 2001 From: Rony Date: Fri, 5 Mar 2021 11:42:04 +0530 Subject: [PATCH 13/20] add more HAFNIUM references --- clusters/threat-actor.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index e2bf2a7..ebef9fb 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
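Review bot: Adding `NOBELIUM` as a UNC2452 synonym is not accompanied by a version bump (the `5 insertions(+), 2 deletions(-)` diffstat is fully visible in the hunk), the same gap as in patches 08 and 09. NOBELIUM is Microsoft's designation, so by the precedent set for HAFNIUM one commit earlier it should also get an entry in microsoft-activity-group.json, cross-linked via `related` to `2ee5ed7a-c4d0-40be-a837-20817474a15b`, rather than living only as an alias here. With two vendor write-ups now in the list, the pre-existing `pastebin.com/6EDgCKxd` ref — unattributed and editable by its owner — no longer earns its place as a source.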
@@ -8454,7 +8454,10 @@ "https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html", "https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers", "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day", - "https://twitter.com/ESETresearch/status/1366862946488451088" + "https://twitter.com/ESETresearch/status/1366862946488451088", + "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html, + "https://us-cert.cisa.gov/ncas/alerts/aa21-062a", + "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289" ] }, "uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5", From 4bc438a325a8e352a1596dc878b05812e6a30f0b Mon Sep 17 00:00:00 2001 From: Rony Date: Fri, 5 Mar 2021 11:48:43 +0530 Subject: [PATCH 14/20] fix --- clusters/threat-actor.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index ebef9fb..999fc78 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -8455,7 +8455,7 @@ "https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers", "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day", "https://twitter.com/ESETresearch/status/1366862946488451088", - "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html, + "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html", "https://us-cert.cisa.gov/ncas/alerts/aa21-062a", "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289" ] From eaab88ef281970a960f6c5431d811ff6bef77ae0 Mon Sep 17 00:00:00 2001 
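Review bot: The fireeye ref line in this hunk ends `...zero-day-vulnerabilities.html,` with no closing quote, so this commit leaves threat-actor.json unparseable until the one-line "fix" in patch 14 repairs it. Squash 13 and 14 so that no commit in history carries invalid JSON — anyone bisecting or pinning this revision gets a galaxy that fails to load — and add `jq empty clusters/*.json` to the repository's pre-commit hook or CI so the next unterminated string is caught before push.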
From: Rony Date: Fri, 5 Mar 2021 16:51:28 +0530 Subject: [PATCH 15/20] add HAFNIUM detection refs --- clusters/threat-actor.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 999fc78..1b198a7 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -8457,7 +8457,9 @@ "https://twitter.com/ESETresearch/status/1366862946488451088", "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html", "https://us-cert.cisa.gov/ncas/alerts/aa21-062a", - "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289" + "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289", + "https://github.com/microsoft/CSS-Exchange/tree/main/Security", + "https://github.com/cert-lv/exchange_webshell_detection" ] }, "uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5", From 7b242555dfbd0ee23ebfb91d93c295696bd19c1b Mon Sep 17 00:00:00 2001 From: Rony Date: Sat, 6 Mar 2021 13:28:14 +0530 Subject: [PATCH 16/20] More references From Crowdstrike MSRC and kql hunting query from James Quinn --- clusters/threat-actor.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 1b198a7..8d07f43 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
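Review bot: Both new refs point at mutable branch heads — `tree/main/Security` in microsoft/CSS-Exchange and the bare `cert-lv/exchange_webshell_detection` repository — so the detection logic a reader finds there can silently differ from what was reviewed when this entry was written. For references whose purpose is detection content, pin to a commit SHA or tag (`https://github.com/microsoft/CSS-Exchange/tree/<sha>/Security`) or cite a release; the same applies to the `blob/master/...` hunting-query link added in patch 17.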
@@ -8459,7 +8459,10 @@ "https://us-cert.cisa.gov/ncas/alerts/aa21-062a", "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289", "https://github.com/microsoft/CSS-Exchange/tree/main/Security", - "https://github.com/cert-lv/exchange_webshell_detection" + "https://github.com/cert-lv/exchange_webshell_detection", + "https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits", + "https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021", + "https://pastebin.com/J4L3r2RS" ] }, "uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5", From 6cabbfb091aa9f6c50b0e1a4b2afe800ee5f049a Mon Sep 17 00:00:00 2001 From: Rony Date: Sat, 6 Mar 2021 14:22:29 +0530 Subject: [PATCH 17/20] more! --- clusters/threat-actor.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 8d07f43..f5f91fb 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -8462,7 +8462,10 @@ "https://github.com/cert-lv/exchange_webshell_detection", "https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits", "https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021", - "https://pastebin.com/J4L3r2RS" + "https://pastebin.com/J4L3r2RS", + "https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers", + "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/exchange-iis-worker-dropping-webshell.md", + "https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server" ] }, "uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5", From 57c7d0b9a04bb95714fce32122b791e901a3b91e Mon Sep 17 00:00:00 2001 
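Review bot: `https://pastebin.com/J4L3r2RS` is carried as a reference for a KQL hunting query (per the commit message, James Quinn's), but a pastebin paste is anonymous, editable or deletable by its owner, and carries no provenance, which is a poor footing for something analysts will copy into a SIEM. Point instead at the author's own repository or post, or at an archived snapshot, and name the author in the entry if the paste must stay. The same concern applies to the reddit thread already in this list.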
From: Rony Date: Sat, 6 Mar 2021 19:44:32 +0530 Subject: [PATCH 18/20] From Nextron --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index f5f91fb..49e41df 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -8465,7 +8465,8 @@ "https://pastebin.com/J4L3r2RS", "https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers", "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/exchange-iis-worker-dropping-webshell.md", - "https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server" + "https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server", + "https://www.nextron-systems.com/2021/03/06/scan-for-hafnium-exploitation-evidence-with-thor-lite" ] }, "uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5", From f6ed00233e77968ad63cd5ad09570de8e19bfe72 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 11 Mar 2021 09:52:25 +0100 Subject: [PATCH 19/20] chg: [ransomware] fix the broken UUID fix #628 --- clusters/ransomware.json | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 3af29be..08b20bc 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -13411,7 +13411,7 @@ "https://www.fortinet.com/blog/threat-research/analysis-of-new-globeimposter-ransomware-variant.html" ] }, - "uuid": "8cfa694c-2e6b-310a-728f-027d981870b2", + "uuid": "a4631cef-dc51-4bee-a51f-3f1ea75ff201", "value": "GlobeImposter" }, { @@ -13423,7 +13423,7 @@ "https://spyware-techie.com/blackworm-ransomware-removal-guide" ] }, - "uuid": "8cfa694a-2e5b-300a-727f-027d881870b2", + "uuid": "457e9a45-607e-41ef-8ad1-bf8684722445", "value": "BlackWorm" }, { 
@@ -13435,7 +13435,7 @@ "https://malware.wikia.org/wiki/Tellyouthepass" ] }, - "uuid": "7cfa694a-1e5b-300a-627f-027d881870b1", + "uuid": "c6ca9b44-d0cd-40c9-9d00-39e0f7bcae79", "value": "Tellyouthepass" }, { @@ -13446,7 +13446,7 @@ "https://www.2-spyware.com/remove-bigbobross-ransomware.html" ] }, - "uuid": "8cfa684a-1e4b-309a-617f-026d881870b1", + "uuid": "5d3fc33b-8e90-4d9d-8f45-f047264ce8cb", "value": "BigBobRoss" }, { @@ -13457,7 +13457,7 @@ "https://www.pcrisk.com/removal-guides/12121-planetary-ransomware" ] }, - "uuid": "6cfa664a-1e2b-329a-607f-026d781870b1", + "uuid": "7c742031-6b3d-4c3a-8b36-9154a6dc7b30", "value": "Planetary" }, { @@ -13474,7 +13474,7 @@ "Cripttor" ] }, - "uuid": "8cfa554a-1e1b-328a-606f-026d771870b1", + "uuid": "e19d92d7-cf17-4b2b-8ec2-1efc6df2fa1e", "value": "Cr1ptT0r" }, { @@ -13499,7 +13499,7 @@ "https://www.zdnet.com/article/new-phobos-ransomware-exploits-weak-security-to-hit-targets-around-the-world/" ] }, - "uuid": "6cfa554a-1e1b-327a-605f-025d761570b1", + "uuid": "d2c7fb08-293e-453b-a213-adeb79505767", "value": "Phobos" }, { @@ -13511,7 +13511,7 @@ "https://www.ehackingnews.com/2019/05/getcrypt-ransomware-modus-operandi-and.html" ] }, - "uuid": "6cfa553a-1e1b-115a-401f-015d681470b1", + "uuid": "7c9df1bd-9212-4ce3-b407-636e41bc4eea", "value": "GetCrypt" }, { @@ -13523,7 +13523,7 @@ "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/nemty-ransomware-possibly-spreads-through-exposed-remote-desktop-connections" ] }, - "uuid": "6cfa554a-1e2b-115a-400f-014d671470b1", + "uuid": "5fb75933-1ed5-4512-a062-d39865eedab0", "value": "Nemty" }, { @@ -13533,7 +13533,7 @@ "https://www.acronis.com/en-us/blog/posts/meet-buran-new-delphi-ransomware-delivered-rig-exploit-kit" ] }, - "uuid": "6cfa554a-1e1b-114a-300f-013d671370b0", + "uuid": "a92b2165-29e7-463a-b3d5-c8b7d8a25f65", "value": "Buran" }, { 
@@ -13543,7 +13543,7 @@ "https://securitynews.sonicwall.com/xmlpost/hildacrypt-ransomware-actively-spreading-in-the-wild/" ] }, - "uuid": "6cea5549-1d1b-111a-309f-012d671360b1", + "uuid": "25fcb177-7219-4414-b5de-8aeb2e6d146f", "value": "Hildacrypt" }, { @@ -13559,7 +13559,7 @@ "Sherminator" ] }, - "uuid": "7cea4438-1d1c-121a-30af-011d661260b2", + "uuid": "2e8aa6da-00b1-4222-b212-c48a7348893c", "value": "Mr.Dec" }, { @@ -13573,7 +13573,7 @@ "Freezing" ] }, - "uuid": "4cea4448-1d3c-111a-40af-011d461260b4", + "uuid": "9b074569-b90c-44e6-b9b2-e6e19a48118d", "value": "Freeme" }, { @@ -13585,7 +13585,7 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer" ] }, - "uuid": "5cea5548-1e3c-222a-3faf-022d461260b5", + "uuid": "3d8989dc-9a10-4cae-ab24-ff0abed487f4", "value": "DoppelPaymer" }, { @@ -13596,7 +13596,7 @@ "https://id-ransomware.blogspot.com/2019/01/unnamed-desync-ransomware.html" ] }, - "uuid": "6cea5546-1e2c-333a-4faf-033d461360b5", + "uuid": "e5288fc1-ff2a-4992-a1fb-6a8ef612de51", "value": "Desync" }, { @@ -13609,7 +13609,7 @@ "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us" ] }, - "uuid": "7cea8846-1f3d-331a-3ebf-055d452351b6", + "uuid": "5d999c23-11cf-4dee-84bb-f447a4f70dc8", "value": "Maze" }, { @@ -13642,7 +13642,7 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ftcode" ] }, - "uuid": "7cea9946-1f4d-441a-4ebf-044d442454b6", + "uuid": "6f9b7c54-45fa-422c-97f0-0f0c015e3c4e", "value": "FTCode" }, { @@ -14027,5 +14027,5 @@ "value": "RansomEXX" } ], - "version": 91 + "version": 92 } From 855a12a4080b417c78b02f35f5caaf945eccf5d3 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 11 Mar 2021 09:54:50 +0100 Subject: [PATCH 20/20] chg: [clusters] fixing broken UUID fix #628 --- clusters/stealer.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/clusters/stealer.json b/clusters/stealer.json index 105639f..117d4f8 100644 
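Review bot: Replacing the malformed UUIDs of long-lived entries such as Maze, Phobos and DoppelPaymer is the right fix, but the old values may already be referenced — by `related` links in other clusters, or by clusters synced to MISP instances under the old UUID — and this patch does not mention checking for that. Grep the repository for each old UUID before merging (`grep -rn 8cfa694c-2e6b-310a-728f-027d981870b2 clusters/` and likewise for the other seventeen) and update any `dest-uuid` that points at one; a short old→new table in the commit message would also help operators who need to remap existing tags. The bump to `"version": 92` is present, which is good.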
--- a/clusters/stealer.json +++ b/clusters/stealer.json @@ -63,7 +63,7 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar" ] }, - "uuid": "a646edaa-4c6f-3a79-7a6c-143535259e15", + "uuid": "045ab0d5-2f08-4fcd-af47-81c1143fa5fb", "value": "Vidar" }, { @@ -74,9 +74,9 @@ "https://blog.yoroi.company/research/the-ave_maria-malware/" ] }, - "uuid": "a546edaa-4c6f-2a79-7a6c-133535249e14", + "uuid": "f3413f6c-5c3a-4df0-bbb5-2dbdf4d68c4c", "value": "Ave Maria" } ], - "version": 6 + "version": 7 }
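Review bot: The two replaced stealer UUIDs, `a646edaa-4c6f-3a79-…` and `a546edaa-4c6f-2a79-…`, differ from each other by single digits, which looks like a hand-edited copy rather than a generated value and is how the invalid version/variant nibbles (`3a79`, `2a79`) crept in; the ransomware batch in patch 19 shows the same pattern. Rather than fixing these case by case, add a CI check that every `uuid` is well-formed and unique across all clusters, e.g. `jq -r '.values[].uuid' clusters/*.json | grep -vE '^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$'` and `jq -r '.values[].uuid' clusters/*.json | sort | uniq -d`, both of which must print nothing (tighten the version nibble to `4` if every cluster is meant to use random UUIDs). As with patch 19, grep for the old UUIDs in `related` links before merging.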