Added a new cryptominer galaxy and additional missing recent families to various clusters

This commit is contained in:
JJ Cummings 2020-10-29 14:40:22 -06:00
parent b41e3d4f50
commit c48a38c2f1
No known key found for this signature in database
GPG key ID: 60DE385A0F1BD9BD
8 changed files with 208 additions and 6 deletions


@ -118,7 +118,17 @@
],
"uuid": "201e8794-a93b-476f-9436-1dd859c6e5d9",
"value": "Speculoos"
},
{
"description": "Mori Backdoor has been used by Seedworm.",
"meta": {
"refs": [
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east"
]
},
"uuid": "e663ac1b-9474-4f9a-b0c8-184861327dd7",
"value": "Mori Backdoor"
}
],
"version": 8
"version": 9
}
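Review bot: The Mori Backdoor entry expresses its link to Seedworm only in the free-text description, so nothing downstream can follow the attribution to the threat-actor cluster; the format has a `related` list (used as `"related": []` on the IsErIk and Vatet entries further down this page) that could carry a `dest-uuid` for the Seedworm entry, which I have not looked up here. If the tooling resolves `related` uuids across clusters, that is the place to put it rather than prose. The enclosing cluster object begins before this hunk.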


@ -1169,7 +1169,19 @@
},
"uuid": "e23d0f90-6dc5-46a5-b38d-06f176b7c601",
"value": "Arceus"
},
{
"description": "Mozi infects new devices through weak telnet passwords and exploitation.",
"meta": {
"refs": [
"https://blog.netlab.360.com/mozi-another-botnet-using-dht/",
"https://threatpost.com/mozi-botnet-majority-iot-traffic/159337/",
"https://securityintelligence.com/posts/botnet-attack-mozi-mozied-into-town/"
]
},
"uuid": "ea2906a5-d493-4afa-b770-436c0c246c78",
"value": "Mozi"
}
],
"version": 21
"version": 22
}


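--- /dev/null
+++ b/PLACEHOLDER-PATH-new-cluster.json
@@ -0,0 +1,44 @@
+{
+"authors": [
+"Cisco Talos",
+"raw-data"
+],
+"category": "Cryptominers",
+"description": "A list of cryptominer and cryptojacker malware.",
+"name": "Cryptominers",
+"source": "Open Source Intelligence",
+"type": "malware",
+"uuid": "d7dd3f0c-de73-4148-a786-f8ad3661d293",
+"values": [
+{
+"description": "The infection starts with a PowerShell loading script, which is copied from other infected systems via SMB, email or external USB drives. The actor also employs several exploits for vulnerabilities such as SMBGhost and Eternal Blue.",
+"meta": {
+"refs": [
+"https://blog.talosintelligence.com/2020/10/lemon-duck-brings-cryptocurrency-miners.html",
+"https://success.trendmicro.com/solution/000261916",
+"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/spam/3697/spammers-use-covid19-to-spread-lemon-duck-cryptominer",
+"https://cyberflorida.org/threat-advisory/lemon-duck-cryptominer/"
+],
+"synonyms": [],
+"type": [ "cryptojacker" ]
+},
+"uuid": "fa9cbe22-0ef7-4fbd-8a33-ce395eaa6df9",
+"value": "Lemon Duck"
+},
+{
+"description": "WannaMine is a cryptojacker that takes advantage of EternalBlue.",
+"meta": {
+"refs": [
+"https://www.crowdstrike.com/blog/weeding-out-wannamine-v4-0-analyzing-and-remediating-this-mineware-nightmare/?utm_campaign=dsa&utm_content=us&utm_medium=sem&utm_source=goog&utm_term=&gclid=EAIaIQobChMIjrayysrX7AIVFUWGCh3sQApKEAAYASAAEgIE6_D_BwE",
+"https://nakedsecurity.sophos.com/2018/01/31/what-are-wannamine-attacks-and-how-do-i-avoid-them/",
+"https://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry"
+],
+"synonyms": [],
+"type": [ "cryptojacker" ]
+},
+"uuid": "20e563b0-f0c9-4253-aedd-a4542d6689ed",
+"value": "WannaMine"
+}
+],
+"version": 1
+}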
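Review bot: The new cluster declares `"type": "malware"` in its header while the new galaxy definition in the last section of this page declares `"type": "Cryptominers"`; if galaxy-to-cluster association is done by matching these two values, which the per-galaxy `type` field suggests, this cluster will not attach to its galaxy and will collide with whatever cluster already uses `malware` — confirm and use one identical value in both files, e.g. `"type": "cryptominers"`. The WannaMine reference URL carries ad-tracking query parameters (`utm_*`, `gclid`) that identify the submitter's click rather than the document and will rot; trim it to `https://www.crowdstrike.com/blog/weeding-out-wannamine-v4-0-analyzing-and-remediating-this-mineware-nightmare/`. The two `"synonyms": []` entries carry no information and differ from the Mori and Mozi entries earlier on this page, which simply omit the key; drop it until an alias is known. The inline `"type": [ "cryptojacker" ]` layout also differs from the one-element-per-line arrays used in the other clusters here and will presumably be rewritten if the repository runs a formatter.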


@ -13857,7 +13857,78 @@
},
"uuid": "e390e1bb-2af1-4139-8e61-6e534d707dfb",
"value": "Snake Ransomware"
},
{
"description": "The threat group behind this malware seems to operate by hacking into companies, stealing sensitive data, and then running Egregor to encrypt all the files. According to the ransom note, if the ransom is not paid by the company within 3 days, and aside from leaking part of the stolen data, they will distribute via mass media where the company's partners and clients will know that the company was attacked.",
"meta": {
"ransomnotes-filenames": [
"RECOVER-FILES.txt"
],
"ransomnotes-refs": [
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2020/september/25/egregor.jpg"
],
"refs": [
"https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor",
"https://www.bleepingcomputer.com/news/security/crytek-hit-by-egregor-ransomware-ubisoft-data-leaked/",
"https://cybersecuritynews.com/egregor-ransomware/"
]
},
"uuid": "8bd094a7-103f-465f-8640-18dcc53042e5",
"value": "Egregor"
},
{
"description": "SunCrypt ransomware was discovered in October 2019 and in August 2020 it was added to Maze ransomwares cartel. It also follows some of Mazes tactics, techniques, and procedures. SunCrypt is launched and installed using an obfuscated PowerShell script. Infected email attachments (macros), torrent websites, malicious ads act as carriers for this ransomware.",
"meta": {
"ransomnotes-filenames": [
"YOUR_FILES_ARE_ENCRYPTED.HTML"
],
"ransomnotes-refs": [
"https://www.bleepstatic.com/images/news/ransomware/s/suncrypt/maze-cartel/ransom-note.jpg"
],
"refs": [
"https://www.acronis.com/en-us/blog/posts/suncrypt-adopts-attacking-techniques-netwalker-and-maze-ransomware",
"https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/",
"https://securityboulevard.com/2020/09/the-curious-case-of-suncrypt/"
]
},
"uuid": "4fa25527-99f6-42ee-aaf2-7ca395e5fabc",
"value": "SunCrypt"
},
{
"description": "LockBit operators tend to be very indiscriminate and opportunistic in their targeting. Actors behind this attack will use a variety of methods to gain initial access, up to and including basic methods such as brute force.\nAfter gaining initial access the actor follows a fairly typical escalation, lateral movement and ransomware execution playbook. LockBit operators tend to have a very brief dwell time, executing the final ransomware payload as quickly as they are able to. LockBit ransomware has the built-in lateral movement features; given adequate permissions throughout the targeted environment.",
"meta": {
"ransomnotes-filenames": [
"Restore-My-Files.txt"
],
"ransomnotes-refs": [
"https://www.mcafee.com/wp-content/uploads/2020/04/content-in-restore-my-files.png"
],
"refs": [
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/",
"https://usa.kaspersky.com/resource-center/threats/lockbit-ransomware"
]
},
"uuid": "8eda8bf1-db5a-412d-8511-45e2f7621d51",
"value": "LockBit"
},
{
"description": "WastedLocker primarily targets corporate networks. Upon initial compromise, often using a fake browser update containing SocGholish, the actor then takes advantage of dual-use and LoLBin tools in an attempt to evade detection.\n Key observations include lateral movement and privilege escalation. The WastedLocker ransomware has been tied back to EvilCorp.",
"meta": {
"ransomnotes-filenames": [
"<encrypted_filename>_info"
],
"ransomnotes-refs": [
"https://blog.malwarebytes.com/wp-content/uploads/2020/06/ransomnote.png"
],
"refs": [
"https://blogs.cisco.com/security/talos/wastedlocker-goes-big-game-hunting-in-2020",
"https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/",
"https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/"
]
},
"uuid": "6955c28e-e698-4bb2-8c70-ccc6d11ba1ee",
"value": "WastedLocker"
}
],
"version": 86
"version": 87
}
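Review bot: The WastedLocker entry's `"ransomnotes-filenames"` holds a template, `"<encrypted_filename>_info"`, whereas the Egregor, SunCrypt and LockBit entries in the same hunk hold literal filenames; a consumer that matches ransom-note names literally will never hit this one, so either record the literal suffix that the Malwarebytes reference documents or state in the description that the name is a pattern. The WastedLocker description also contains `\n ` (newline followed by a space), leaving a stray leading space on the second line. The SunCrypt description drops two possessives: `Maze ransomware's cartel` and `Maze's tactics, techniques, and procedures`. The enclosing cluster object begins before this hunk.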


@ -3452,7 +3452,18 @@
},
"uuid": "9d36db93-7d60-4da6-a611-1a32e02a054f",
"value": "SDBbot"
},
{
"description": "The campaign spreads via phishing emails posing as invoices, tax reports, invitations and similar types of messages containing a ZIP archive attachment with a malicious LNK file. When a user opens the malicious LNK file, it abuses the Windows Management Instrumentation Command-line tool and silently downloads a malicious XSL file. The XSL file downloads all of Guildmas modules and executes a first stage loader, which loads the rest of the modules. The malware is then active and waits for commands from the C&C server and/or specific user interactions, such as opening a webpage of one of the targeted banks.",
"meta": {
"refs": [
"https://www.securityweek.com/guildma-malware-expands-targets-beyond-brazil"
],
"synonyms": []
},
"uuid": "833ed94d-97c1-4b57-9634-c27bf42eb867",
"value": "Guildma"
}
],
"version": 34
"version": 35
}
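Review bot: The Guildma entry's `"synonyms": []` adds nothing; either omit the key, as the Mori and Mozi entries elsewhere on this page do, or populate it — ESET's write-ups treat Guildma and Astaroth as the same family, so verify and add `"Astaroth"` if this cluster follows that. The description reads `Guildmas modules` where `Guildma's modules` is meant. It also describes the delivery campaign rather than the malware itself; a first sentence stating what Guildma is (a banking trojan, per the securityweek reference, if that is what it says) would help readers who land on the entry directly. The enclosing cluster object begins before this hunk.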


@ -8407,7 +8407,19 @@
},
"uuid": "b205584e-db93-433a-b97a-7f2e19d8c188",
"value": "XDSpy"
},
{
"description": "Evil Corp is an internaltional cybercrime network. In December of 2019 the US Federal Government offered a $5M bounty for information leading to the arrest and conviction of Maksim V. Yakubets for allegedly orchestrating Evil Corp operations. Responsible for stealing over $100M from businesses and consumers. The Evil Corp organization is known for utilizing custom strains of malware such as JabberZeus, Bugat and Dridex to steal banking credentials.",
"meta": {
"refs": [
"https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/",
"https://en.wikipedia.org/wiki/Maksim_Yakubets",
"https://www.bbc.com/news/world-us-canada-53195749"
]
},
"uuid": "c30fbdc8-b66d-4242-a02a-e01946bc86d8",
"value": "Evil Corp"
}
],
"version": 184
"version": 185
}
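Review bot: The Evil Corp description misspells its first sentence; it should read `"Evil Corp is an international cybercrime network."`, and the later fragment `Responsible for stealing over $100M from businesses and consumers.` has no subject — fold it into the previous sentence. The WastedLocker entry in the ransomware section of this same commit names EvilCorp in prose; a `related` entry between the two uuids would make that attribution machine-readable instead of textual. The enclosing cluster object begins before this hunk.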


@ -8142,7 +8142,40 @@
"related": [],
"uuid": "a0a46c1b-e774-410e-a84b-020b2558d851",
"value": "Drovorub"
},
{
"description": "The adware DealPly (sometimes also referred to as IsErIk) and malicious Chrome extension ManageX, for instance, can come bundled under the guise of a legitimate installer and other potentially unwanted applications (PUAs). Because various write-ups cover Dealply or IsErik separately, the technical discussion and representation of both are discussed separately. ",
"meta": {
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/exposing-modular-adware-how-dealply-iserik-and-managex-persist-in-systems/"
],
"synonyms": [
"DealPly",
"ManageX"
],
"type": [
"PUA"
]
},
"related": [],
"uuid": "9f9daf7b-3530-4e2d-9d2c-d1036bafc825",
"value": "IsErIk"
},
{
"description": "Attackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or security researchers. They often retain them while waiting for security organizations to start considering associated artifacts inactive, so they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the recent campaigns.",
"meta": {
"refs": [
"https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
"https://www.tripwire.com/state-of-security/featured/ransomware-characteristics-attack-chains-recent-campaigns/"
],
"type": [
"Loader"
]
},
"related": [],
"uuid": "2a838144-b42d-4c12-bf41-4e99de1935e9",
"value": "Vatet"
}
],
"version": 138
"version": 139
}
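Review bot: The IsErIk entry lists `"ManageX"` under `synonyms`, but its own description calls ManageX a separate malicious Chrome extension that is merely bundled with DealPly/IsErIk, so it is a distinct component rather than an alias; reduce the list to `"synonyms": ["DealPly"]` and give ManageX its own entry or a `related` link if it is to be tracked. The same description ends with a trailing space before the closing quote. The `type` values introduced here, `"PUA"` and `"Loader"`, use a different casing convention from the `"cryptojacker"` value in the new cryptominers cluster on this page; these read as an enum and should use one casing across clusters. The enclosing cluster object begins before this hunk.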


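--- /dev/null
+++ b/PLACEHOLDER-PATH-new-galaxy.json
@@ -0,0 +1,9 @@
+{
+"description": "Cryptominers is a collection of cryptomining and cryptojacking malwares.",
+"icon": "optin-monster",
+"name": "Cryptominers",
+"namespace": "misp",
+"type": "Cryptominers",
+"uuid": "917734cb-6bbf-4568-83b6-ad2b912fc5e4",
+"version": 3
+}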
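Review bot: A newly added galaxy definition starting at `"version": 3` while its cluster starts at `"version": 1` looks like a value copied from another file; if consumers use the version only to detect updates this is harmless, but starting at `"version": 1` avoids the question. The description's `malwares` should be `malware`, the word being uncountable. The mismatch between this file's `type` and the cluster's is raised on the cluster section above.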