From c48a38c2f14adf3ed8aee105ed83b9739a7b9a13 Mon Sep 17 00:00:00 2001
From: JJ Cummings
Date: Thu, 29 Oct 2020 14:40:22 -0600
Subject: [PATCH] Added a new cryptominer galaxy and additional missing recent families to various clusters
---
 clusters/backdoor.json | 12 ++++++-
 clusters/botnet.json | 14 +++++++-
 clusters/cryptominers.json | 44 +++++++++++++++++++++++
 clusters/ransomware.json | 73 +++++++++++++++++++++++++++++++++++++-
 clusters/rat.json | 13 ++++++-
 clusters/threat-actor.json | 14 +++++++-
 clusters/tool.json | 35 +++++++++++++++++-
 galaxies/cryptominers.json | 9 +++++
 8 files changed, 208 insertions(+), 6 deletions(-)
 create mode 100644 clusters/cryptominers.json
 create mode 100644 galaxies/cryptominers.json
diff --git a/clusters/backdoor.json b/clusters/backdoor.json
index ab3d1cd..7ac2b34 100644
--- a/clusters/backdoor.json
+++ b/clusters/backdoor.json
@@ -118,7 +118,17 @@
 ],
 "uuid": "201e8794-a93b-476f-9436-1dd859c6e5d9",
 "value": "Speculoos"
+ },
+ {
+ "description": "Mori Backdoor has been used by Seedworm.",
+ "meta": {
+ "refs": [
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east"
+ ]
+ },
+ "uuid": "e663ac1b-9474-4f9a-b0c8-184861327dd7",
+ "value": "Mori Backdoor"
 }
 ],
- "version": 8
+ "version": 9
 }
diff --git a/clusters/botnet.json b/clusters/botnet.json
index df6f412..cc85c70 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -1169,7 +1169,19 @@
 },
 "uuid": "e23d0f90-6dc5-46a5-b38d-06f176b7c601",
 "value": "Arceus"
+ },
+ {
+ "description": "Mozi infects new devices through weak telnet passwords and exploitation.",
+ "meta": {
+ "refs": [
+ "https://blog.netlab.360.com/mozi-another-botnet-using-dht/",
+ "https://threatpost.com/mozi-botnet-majority-iot-traffic/159337/",
+ "https://securityintelligence.com/posts/botnet-attack-mozi-mozied-into-town/"
+ ]
+ },
+ "uuid": "ea2906a5-d493-4afa-b770-436c0c246c78",
+ "value": "Mozi"
 }
 ],
- "version": 21
+ "version": 22
 }
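Review bot: The Mozi description in the botnet.json hunk ("infects new devices through weak telnet passwords and exploitation") omits the trait that distinguishes this family and leaves "exploitation" unqualified, so an analyst matching an event against the cluster gets little to go on. The cited references themselves (the netlab URL names it a botnet using DHT, the threatpost URL ties it to IoT traffic) supply the missing context. Suggest `"description": "Mozi is an IoT botnet that builds a peer-to-peer network over the DHT protocol; it infects new devices through weak telnet passwords and exploitation of known vulnerabilities in exposed devices."`. The Mori Backdoor entry in the backdoor.json hunk is fine as a stub, though a `synonyms` key would be the place to record the Seedworm association if that cluster uses one.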
diff --git a/clusters/cryptominers.json b/clusters/cryptominers.json
new file mode 100644
index 0000000..00fdb51
--- /dev/null
+++ b/clusters/cryptominers.json
@@ -0,0 +1,44 @@
+{
+ "authors": [
+ "Cisco Talos",
+ "raw-data"
+ ],
+ "category": "Cryptominers",
+ "description": "A list of cryptominer and cryptojacker malware.",
+ "name": "Cryptominers",
+ "source": "Open Source Intelligence",
+ "type": "malware",
+ "uuid": "d7dd3f0c-de73-4148-a786-f8ad3661d293",
+ "values": [
+ {
+ "description": "The infection starts with a PowerShell loading script, which is copied from other infected systems via SMB, email or external USB drives. The actor also employs several exploits for vulnerabilities such as SMBGhost and Eternal Blue.",
+ "meta": {
+ "refs": [
+ "https://blog.talosintelligence.com/2020/10/lemon-duck-brings-cryptocurrency-miners.html",
+ "https://success.trendmicro.com/solution/000261916",
+ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/spam/3697/spammers-use-covid19-to-spread-lemon-duck-cryptominer",
+ "https://cyberflorida.org/threat-advisory/lemon-duck-cryptominer/"
+ ],
+ "synonyms": [],
+ "type": [ "cryptojacker" ]
+ },
+ "uuid": "fa9cbe22-0ef7-4fbd-8a33-ce395eaa6df9",
+ "value": "Lemon Duck"
+ },
+ {
+ "description": "WannaMine is a cryptojacker that takes advantage of EternalBlue.",
+ "meta": {
+ "refs": [
+ "https://www.crowdstrike.com/blog/weeding-out-wannamine-v4-0-analyzing-and-remediating-this-mineware-nightmare/?utm_campaign=dsa&utm_content=us&utm_medium=sem&utm_source=goog&utm_term=&gclid=EAIaIQobChMIjrayysrX7AIVFUWGCh3sQApKEAAYASAAEgIE6_D_BwE",
+ "https://nakedsecurity.sophos.com/2018/01/31/what-are-wannamine-attacks-and-how-do-i-avoid-them/",
+ "https://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry"
+ ],
+ "synonyms": [],
+ "type": [ "cryptojacker" ]
+ },
+ "uuid": "20e563b0-f0c9-4253-aedd-a4542d6689ed",
+ "value": "WannaMine"
+ }
+ ],
+ "version": 1
+}
\ No newline at end of file
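Review bot: The new cluster declares `"type": "malware"` while the galaxy file added in the same commit (galaxies/cryptominers.json, last hunk) declares `"type": "Cryptominers"`; MISP attaches a cluster to its galaxy by matching this field, so as written the two files will not pair up and "malware" risks colliding with any other cluster using that token. Use one lowercase value in both files, e.g. `"type": "cryptominers"`. The first WannaMine reference carries `utm_*` and `gclid` tracking parameters that add nothing to the citation and leak the author's click context to the vendor; trim it to `"https://www.crowdstrike.com/blog/weeding-out-wannamine-v4-0-analyzing-and-remediating-this-mineware-nightmare/"`. Both entries (and the Guildma entry in rat.json) carry an empty `"synonyms": []` whereas the backdoor, botnet and threat-actor entries in this commit omit the key, so pick one policy; omission matches the other clusters. Both new files also end with `\ No newline at end of file`.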
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index cd8c91a..3c04293 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -13857,7 +13857,78 @@
 },
 "uuid": "e390e1bb-2af1-4139-8e61-6e534d707dfb",
 "value": "Snake Ransomware"
+ },
+ {
+ "description": "The threat group behind this malware seems to operate by hacking into companies, stealing sensitive data, and then running Egregor to encrypt all the files. According to the ransom note, if the ransom is not paid by the company within 3 days, and aside from leaking part of the stolen data, they will distribute via mass media where the company's partners and clients will know that the company was attacked.",
+ "meta": {
+ "ransomnotes-filenames": [
+ "RECOVER-FILES.txt"
+ ],
+ "ransomnotes-refs": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2020/september/25/egregor.jpg"
+ ],
+ "refs": [
+ "https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor",
+ "https://www.bleepingcomputer.com/news/security/crytek-hit-by-egregor-ransomware-ubisoft-data-leaked/",
+ "https://cybersecuritynews.com/egregor-ransomware/"
+ ]
+ },
+ "uuid": "8bd094a7-103f-465f-8640-18dcc53042e5",
+ "value": "Egregor"
+ },
+ {
+ "description": "SunCrypt ransomware was discovered in October 2019 and in August 2020 it was added to Maze ransomware’s cartel. It also follows some of Maze’s tactics, techniques, and procedures. SunCrypt is launched and installed using an obfuscated PowerShell script. 
Infected email attachments (macros), torrent websites, malicious ads act as carriers for this ransomware.",
+ "meta": {
+ "ransomnotes-filenames": [
+ "YOUR_FILES_ARE_ENCRYPTED.HTML"
+ ],
+ "ransomnotes-refs": [
+ "https://www.bleepstatic.com/images/news/ransomware/s/suncrypt/maze-cartel/ransom-note.jpg"
+ ],
+ "refs": [
+ "https://www.acronis.com/en-us/blog/posts/suncrypt-adopts-attacking-techniques-netwalker-and-maze-ransomware",
+ "https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/",
+ "https://securityboulevard.com/2020/09/the-curious-case-of-suncrypt/"
+ ]
+ },
+ "uuid": "4fa25527-99f6-42ee-aaf2-7ca395e5fabc",
+ "value": "SunCrypt"
+ },
+ {
+ "description": "LockBit operators tend to be very indiscriminate and opportunistic in their targeting. Actors behind this attack will use a variety of methods to gain initial access, up to and including basic methods such as brute force.\nAfter gaining initial access the actor follows a fairly typical escalation, lateral movement and ransomware execution playbook. LockBit operators tend to have a very brief dwell time, executing the final ransomware payload as quickly as they are able to. LockBit ransomware has the built-in lateral movement features; given adequate permissions throughout the targeted environment.",
+ "meta": {
+ "ransomnotes-filenames": [
+ "Restore-My-Files.txt"
+ ],
+ "ransomnotes-refs": [
+ "https://www.mcafee.com/wp-content/uploads/2020/04/content-in-restore-my-files.png"
+ ],
+ "refs": [
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/",
+ "https://usa.kaspersky.com/resource-center/threats/lockbit-ransomware"
+ ]
+ },
+ "uuid": "8eda8bf1-db5a-412d-8511-45e2f7621d51",
+ "value": "LockBit"
+ },
+ {
+ "description": "WastedLocker primarily targets corporate networks. 
Upon initial compromise, often using a fake browser update containing SocGholish, the actor then takes advantage of dual-use and LoLBin tools in an attempt to evade detection.\n Key observations include lateral movement and privilege escalation. The WastedLocker ransomware has been tied back to EvilCorp.",
+ "meta": {
+ "ransomnotes-filenames": [
+ "_info"
+ ],
+ "ransomnotes-refs": [
+ "https://blog.malwarebytes.com/wp-content/uploads/2020/06/ransomnote.png"
+ ],
+ "refs": [
+ "https://blogs.cisco.com/security/talos/wastedlocker-goes-big-game-hunting-in-2020",
+ "https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/",
+ "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/"
+ ]
+ },
+ "uuid": "6955c28e-e698-4bb2-8c70-ccc6d11ba1ee",
+ "value": "WastedLocker"
 }
 ],
- "version": 86
+ "version": 87
 }
diff --git a/clusters/rat.json b/clusters/rat.json
index 9c8f5b3..a630854 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
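Review bot: The SunCrypt and WastedLocker description strings each appear to contain a literal line-break character (after "obfuscated PowerShell script. " and after "targets corporate networks. ") rather than the `\n` escape the LockBit entry in this hunk uses; the hunk's line counts show each description is still one diff line, so this is an unescaped character pasted from the source article, not a wrapped line. If it is a raw CR or LF, every RFC 8259 parser rejects the whole cluster file; if it is U+2028 or similar it parses but is invisible in editors and breaks JavaScript consumers that embed the text. Replace it with `\n` or a plain space in both strings, and drop the stray space in WastedLocker's `\n Key observations`. The enclosing `values` array begins outside the hunk.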
@@ -3452,7 +3452,18 @@
 },
 "uuid": "9d36db93-7d60-4da6-a611-1a32e02a054f",
 "value": "SDBbot"
+ },
+ {
+ "description": "The campaign spreads via phishing emails posing as invoices, tax reports, invitations and similar types of messages containing a ZIP archive attachment with a malicious LNK file. When a user opens the malicious LNK file, it abuses the Windows Management Instrumentation Command-line tool and silently downloads a malicious XSL file. The XSL file downloads all of Guildma’s modules and executes a first stage loader, which loads the rest of the modules. The malware is then active and waits for commands from the C&C server and/or specific user interactions, such as opening a webpage of one of the targeted banks.",
+ "meta": {
+ "refs": [
+ "https://www.securityweek.com/guildma-malware-expands-targets-beyond-brazil"
+ ],
+ "synonyms": []
+ },
+ "uuid": "833ed94d-97c1-4b57-9634-c27bf42eb867",
+ "value": "Guildma"
 }
 ],
- "version": 34
+ "version": 35
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a883be6..30d7551 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
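Review bot: The Guildma description opens with "The campaign spreads via phishing emails…" without ever saying what Guildma is, so the text reads as a pasted paragraph with a missing antecedent rather than a cluster entry. The entry's own wording ("waits for commands … such as opening a webpage of one of the targeted banks") supports a one-line lead; suggest prefixing the description with `Guildma is a modular banking malware family delivered through a phishing campaign. ` and keeping the rest as is. The reference title ("expands targets beyond Brazil") would also justify a region note, but only if confirmed from the article.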
@@ -8407,7 +8407,19 @@
 },
 "uuid": "b205584e-db93-433a-b97a-7f2e19d8c188",
 "value": "XDSpy"
+ },
+ {
+ "description": "Evil Corp is an internaltional cybercrime network. In December of 2019 the US Federal Government offered a $5M bounty for information leading to the arrest and conviction of Maksim V. Yakubets for allegedly orchestrating Evil Corp operations. Responsible for stealing over $100M from businesses and consumers. The Evil Corp organization is known for utilizing custom strains of malware such as JabberZeus, Bugat and Dridex to steal banking credentials.",
+ "meta": {
+ "refs": [
+ "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/",
+ "https://en.wikipedia.org/wiki/Maksim_Yakubets",
+ "https://www.bbc.com/news/world-us-canada-53195749"
+ ]
+ },
+ "uuid": "c30fbdc8-b66d-4242-a02a-e01946bc86d8",
+ "value": "Evil Corp"
 }
 ],
- "version": 184
+ "version": 185
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index e7f7fc1..d3d388a 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
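Review bot: The Evil Corp description misspells "international" (`internaltional`) and its third sentence ("Responsible for stealing over $100M…") is a fragment; suggest `Evil Corp is an international cybercrime network.` and `The group is held responsible for stealing over $100M from businesses and consumers.`. This same commit adds WastedLocker to ransomware.json (uuid 6955c28e-e698-4bb2-8c70-ccc6d11ba1ee) with a description that ties it to "EvilCorp", yet neither entry references the other, so the galaxy cannot traverse the relationship that the text asserts; a `related` entry on the actor closes that gap, and the actor name should be spelled "Evil Corp" in both places. The relation type shown is a suggestion; use whichever type the threat-actor cluster already uses for actor-to-malware links.
```json
"related": [
  {
    "dest-uuid": "6955c28e-e698-4bb2-8c70-ccc6d11ba1ee",
    "tags": [
      "estimative-language:likelihood-probability=\"likely\""
    ],
    "type": "uses"
  }
],
"uuid": "c30fbdc8-b66d-4242-a02a-e01946bc86d8",
```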
@@ -8142,7 +8142,40 @@
 "related": [],
 "uuid": "a0a46c1b-e774-410e-a84b-020b2558d851",
 "value": "Drovorub"
+ },
+ {
+ "description": "The adware DealPly (sometimes also referred to as IsErIk) and malicious Chrome extension ManageX, for instance, can come bundled under the guise of a legitimate installer and other potentially unwanted applications (PUAs). Because various write-ups cover Dealply or IsErik separately, the technical discussion and representation of both are discussed separately. ",
+ "meta": {
+ "refs": [
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/exposing-modular-adware-how-dealply-iserik-and-managex-persist-in-systems/"
+ ],
+ "synonyms": [
+ "DealPly",
+ "ManageX"
+ ],
+ "type": [
+ "PUA"
+ ]
+ },
+ "related": [],
+ "uuid": "9f9daf7b-3530-4e2d-9d2c-d1036bafc825",
+ "value": "IsErIk"
+ },
+ {
+ "description": "Attackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or security researchers. They often retain them while waiting for security organizations to start considering associated artifacts inactive, so they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the recent campaigns.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
+ "https://www.tripwire.com/state-of-security/featured/ransomware-characteristics-attack-chains-recent-campaigns/"
+ ],
+ "type": [
+ "Loader"
+ ]
+ },
+ "related": [],
+ "uuid": "2a838144-b42d-4c12-bf41-4e99de1935e9",
+ "value": "Vatet"
 }
 ],
- "version": 138
+ "version": 139
 }
diff --git a/galaxies/cryptominers.json b/galaxies/cryptominers.json
new file mode 100644
index 0000000..ea40c2c
--- /dev/null
+++ b/galaxies/cryptominers.json
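Review bot: The IsErIk entry lists `ManageX` as a synonym, but its own description calls ManageX a separate malicious Chrome extension that is merely bundled with DealPly/IsErIk, so a synonym match on "ManageX" would mis-attribute events to the adware; keep `"synonyms": ["DealPly"]` and give ManageX its own entry if it is wanted. The description also ends with a trailing space after "discussed separately. ". In the Vatet entry the first two sentences are generic commentary about attacker tradecraft lifted from the Microsoft post and say nothing about Vatet; trim the description to `"Vatet is a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018 and has resurfaced in recent campaigns."`. The two `type` values (`PUA`, `Loader`) use different casing conventions; match whatever the existing tool entries use.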
@@ -0,0 +1,9 @@
+{
+ "description": "Cryptominers is a collection of cryptomining and cryptojacking malwares.",
+ "icon": "optin-monster",
+ "name": "Cryptominers",
+ "namespace": "misp",
+ "type": "Cryptominers",
+ "uuid": "917734cb-6bbf-4568-83b6-ad2b912fc5e4",
+ "version": 3
+}
\ No newline at end of file
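Review bot: This galaxy file is created by the commit yet starts at `"version": 3`, while the companion cluster it describes starts at `"version": 1`; unless a revision of this galaxy was published elsewhere before this commit, the number looks like a leftover from drafting and should be `"version": 1` so consumers see a coherent history. The description uses the non-standard plural "malwares"; suggest `"description": "Cryptominers is a collection of cryptomining and cryptojacking malware."`. The `type` value must also match the cluster file's `type` for the two to pair up (see the cryptominers.json cluster hunk), and the file lacks a trailing newline.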