mirror of
https://github.com/MISP/misp-galaxy.git
synced 2024-11-22 23:07:19 +00:00
Added a new cryptominer galaxy and additional missing recent families to various clusters
This commit is contained in:
parent
b41e3d4f50
commit
c48a38c2f1
8 changed files with 208 additions and 6 deletions
|
@ -118,7 +118,17 @@
|
||||||
],
|
],
|
||||||
"uuid": "201e8794-a93b-476f-9436-1dd859c6e5d9",
|
"uuid": "201e8794-a93b-476f-9436-1dd859c6e5d9",
|
||||||
"value": "Speculoos"
|
"value": "Speculoos"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "Mori Backdoor has been used by Seedworm.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "e663ac1b-9474-4f9a-b0c8-184861327dd7",
|
||||||
|
"value": "Mori Backdoor"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 8
|
"version": 9
|
||||||
}
|
}
|
||||||
|
|
|
@ -1169,7 +1169,19 @@
|
||||||
},
|
},
|
||||||
"uuid": "e23d0f90-6dc5-46a5-b38d-06f176b7c601",
|
"uuid": "e23d0f90-6dc5-46a5-b38d-06f176b7c601",
|
||||||
"value": "Arceus"
|
"value": "Arceus"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "Mozi infects new devices through weak telnet passwords and exploitation.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://blog.netlab.360.com/mozi-another-botnet-using-dht/",
|
||||||
|
"https://threatpost.com/mozi-botnet-majority-iot-traffic/159337/",
|
||||||
|
"https://securityintelligence.com/posts/botnet-attack-mozi-mozied-into-town/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "ea2906a5-d493-4afa-b770-436c0c246c78",
|
||||||
|
"value": "Mozi"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 21
|
"version": 22
|
||||||
}
|
}
|
||||||
|
|
44
clusters/cryptominers.json
Normal file
44
clusters/cryptominers.json
Normal file
|
@ -0,0 +1,44 @@
|
||||||
|
{
|
||||||
|
"authors": [
|
||||||
|
"Cisco Talos",
|
||||||
|
"raw-data"
|
||||||
|
],
|
||||||
|
"category": "Cryptominers",
|
||||||
|
"description": "A list of cryptominer and cryptojacker malware.",
|
||||||
|
"name": "Cryptominers",
|
||||||
|
"source": "Open Source Intelligence",
|
||||||
|
"type": "malware",
|
||||||
|
"uuid": "d7dd3f0c-de73-4148-a786-f8ad3661d293",
|
||||||
|
"values": [
|
||||||
|
{
|
||||||
|
"description": "The infection starts with a PowerShell loading script, which is copied from other infected systems via SMB, email or external USB drives. The actor also employs several exploits for vulnerabilities such as SMBGhost and Eternal Blue.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://blog.talosintelligence.com/2020/10/lemon-duck-brings-cryptocurrency-miners.html",
|
||||||
|
"https://success.trendmicro.com/solution/000261916",
|
||||||
|
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/spam/3697/spammers-use-covid19-to-spread-lemon-duck-cryptominer",
|
||||||
|
"https://cyberflorida.org/threat-advisory/lemon-duck-cryptominer/"
|
||||||
|
],
|
||||||
|
"synonyms": [],
|
||||||
|
"type": [ "cryptojacker" ]
|
||||||
|
},
|
||||||
|
"uuid": "fa9cbe22-0ef7-4fbd-8a33-ce395eaa6df9",
|
||||||
|
"value": "Lemon Duck"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "WannaMine is a cryptojacker that takes advantage of EternalBlue.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.crowdstrike.com/blog/weeding-out-wannamine-v4-0-analyzing-and-remediating-this-mineware-nightmare/?utm_campaign=dsa&utm_content=us&utm_medium=sem&utm_source=goog&utm_term=&gclid=EAIaIQobChMIjrayysrX7AIVFUWGCh3sQApKEAAYASAAEgIE6_D_BwE",
|
||||||
|
"https://nakedsecurity.sophos.com/2018/01/31/what-are-wannamine-attacks-and-how-do-i-avoid-them/",
|
||||||
|
"https://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry"
|
||||||
|
],
|
||||||
|
"synonyms": [],
|
||||||
|
"type": [ "cryptojacker" ]
|
||||||
|
},
|
||||||
|
"uuid": "20e563b0-f0c9-4253-aedd-a4542d6689ed",
|
||||||
|
"value": "WannaMine"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"version": 1
|
||||||
|
}
|
|
@ -13857,7 +13857,78 @@
|
||||||
},
|
},
|
||||||
"uuid": "e390e1bb-2af1-4139-8e61-6e534d707dfb",
|
"uuid": "e390e1bb-2af1-4139-8e61-6e534d707dfb",
|
||||||
"value": "Snake Ransomware"
|
"value": "Snake Ransomware"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "The threat group behind this malware seems to operate by hacking into companies, stealing sensitive data, and then running Egregor to encrypt all the files. According to the ransom note, if the ransom is not paid by the company within 3 days, and aside from leaking part of the stolen data, they will distribute via mass media where the company's partners and clients will know that the company was attacked.",
|
||||||
|
"meta": {
|
||||||
|
"ransomnotes-filenames": [
|
||||||
|
"RECOVER-FILES.txt"
|
||||||
|
],
|
||||||
|
"ransomnotes-refs": [
|
||||||
|
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2020/september/25/egregor.jpg"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor",
|
||||||
|
"https://www.bleepingcomputer.com/news/security/crytek-hit-by-egregor-ransomware-ubisoft-data-leaked/",
|
||||||
|
"https://cybersecuritynews.com/egregor-ransomware/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "8bd094a7-103f-465f-8640-18dcc53042e5",
|
||||||
|
"value": "Egregor"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "SunCrypt ransomware was discovered in October 2019 and in August 2020 it was added to Maze ransomware’s cartel. It also follows some of Maze’s tactics, techniques, and procedures. SunCrypt is launched and installed using an obfuscated PowerShell script. Infected email attachments (macros), torrent websites, malicious ads act as carriers for this ransomware.",
|
||||||
|
"meta": {
|
||||||
|
"ransomnotes-filenames": [
|
||||||
|
"YOUR_FILES_ARE_ENCRYPTED.HTML"
|
||||||
|
],
|
||||||
|
"ransomnotes-refs": [
|
||||||
|
"https://www.bleepstatic.com/images/news/ransomware/s/suncrypt/maze-cartel/ransom-note.jpg"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"https://www.acronis.com/en-us/blog/posts/suncrypt-adopts-attacking-techniques-netwalker-and-maze-ransomware",
|
||||||
|
"https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/",
|
||||||
|
"https://securityboulevard.com/2020/09/the-curious-case-of-suncrypt/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "4fa25527-99f6-42ee-aaf2-7ca395e5fabc",
|
||||||
|
"value": "SunCrypt"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "LockBit operators tend to be very indiscriminate and opportunistic in their targeting. Actors behind this attack will use a variety of methods to gain initial access, up to and including basic methods such as brute force.\nAfter gaining initial access the actor follows a fairly typical escalation, lateral movement and ransomware execution playbook. LockBit operators tend to have a very brief dwell time, executing the final ransomware payload as quickly as they are able to. LockBit ransomware has the built-in lateral movement features; given adequate permissions throughout the targeted environment.",
|
||||||
|
"meta": {
|
||||||
|
"ransomnotes-filenames": [
|
||||||
|
"Restore-My-Files.txt"
|
||||||
|
],
|
||||||
|
"ransomnotes-refs": [
|
||||||
|
"https://www.mcafee.com/wp-content/uploads/2020/04/content-in-restore-my-files.png"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/",
|
||||||
|
"https://usa.kaspersky.com/resource-center/threats/lockbit-ransomware"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "8eda8bf1-db5a-412d-8511-45e2f7621d51",
|
||||||
|
"value": "LockBit"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "WastedLocker primarily targets corporate networks. Upon initial compromise, often using a fake browser update containing SocGholish, the actor then takes advantage of dual-use and LoLBin tools in an attempt to evade detection.\n Key observations include lateral movement and privilege escalation. The WastedLocker ransomware has been tied back to EvilCorp.",
|
||||||
|
"meta": {
|
||||||
|
"ransomnotes-filenames": [
|
||||||
|
"<encrypted_filename>_info"
|
||||||
|
],
|
||||||
|
"ransomnotes-refs": [
|
||||||
|
"https://blog.malwarebytes.com/wp-content/uploads/2020/06/ransomnote.png"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"https://blogs.cisco.com/security/talos/wastedlocker-goes-big-game-hunting-in-2020",
|
||||||
|
"https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/",
|
||||||
|
"https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "6955c28e-e698-4bb2-8c70-ccc6d11ba1ee",
|
||||||
|
"value": "WastedLocker"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 86
|
"version": 87
|
||||||
}
|
}
|
||||||
|
|
|
@ -3452,7 +3452,18 @@
|
||||||
},
|
},
|
||||||
"uuid": "9d36db93-7d60-4da6-a611-1a32e02a054f",
|
"uuid": "9d36db93-7d60-4da6-a611-1a32e02a054f",
|
||||||
"value": "SDBbot"
|
"value": "SDBbot"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "The campaign spreads via phishing emails posing as invoices, tax reports, invitations and similar types of messages containing a ZIP archive attachment with a malicious LNK file. When a user opens the malicious LNK file, it abuses the Windows Management Instrumentation Command-line tool and silently downloads a malicious XSL file. The XSL file downloads all of Guildma’s modules and executes a first stage loader, which loads the rest of the modules. The malware is then active and waits for commands from the C&C server and/or specific user interactions, such as opening a webpage of one of the targeted banks.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.securityweek.com/guildma-malware-expands-targets-beyond-brazil"
|
||||||
|
],
|
||||||
|
"synonyms": []
|
||||||
|
},
|
||||||
|
"uuid": "833ed94d-97c1-4b57-9634-c27bf42eb867",
|
||||||
|
"value": "Guildma"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 34
|
"version": 35
|
||||||
}
|
}
|
||||||
|
|
|
@ -8407,7 +8407,19 @@
|
||||||
},
|
},
|
||||||
"uuid": "b205584e-db93-433a-b97a-7f2e19d8c188",
|
"uuid": "b205584e-db93-433a-b97a-7f2e19d8c188",
|
||||||
"value": "XDSpy"
|
"value": "XDSpy"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "Evil Corp is an internaltional cybercrime network. In December of 2019 the US Federal Government offered a $5M bounty for information leading to the arrest and conviction of Maksim V. Yakubets for allegedly orchestrating Evil Corp operations. Responsible for stealing over $100M from businesses and consumers. The Evil Corp organization is known for utilizing custom strains of malware such as JabberZeus, Bugat and Dridex to steal banking credentials.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/",
|
||||||
|
"https://en.wikipedia.org/wiki/Maksim_Yakubets",
|
||||||
|
"https://www.bbc.com/news/world-us-canada-53195749"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "c30fbdc8-b66d-4242-a02a-e01946bc86d8",
|
||||||
|
"value": "Evil Corp"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 184
|
"version": 185
|
||||||
}
|
}
|
||||||
|
|
|
@ -8142,7 +8142,40 @@
|
||||||
"related": [],
|
"related": [],
|
||||||
"uuid": "a0a46c1b-e774-410e-a84b-020b2558d851",
|
"uuid": "a0a46c1b-e774-410e-a84b-020b2558d851",
|
||||||
"value": "Drovorub"
|
"value": "Drovorub"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "The adware DealPly (sometimes also referred to as IsErIk) and malicious Chrome extension ManageX, for instance, can come bundled under the guise of a legitimate installer and other potentially unwanted applications (PUAs). Because various write-ups cover Dealply or IsErik separately, the technical discussion and representation of both are discussed separately. ",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/exposing-modular-adware-how-dealply-iserik-and-managex-persist-in-systems/"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"DealPly",
|
||||||
|
"ManageX"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"PUA"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"related": [],
|
||||||
|
"uuid": "9f9daf7b-3530-4e2d-9d2c-d1036bafc825",
|
||||||
|
"value": "IsErIk"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "Attackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or security researchers. They often retain them while waiting for security organizations to start considering associated artifacts inactive, so they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the recent campaigns.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
|
||||||
|
"https://www.tripwire.com/state-of-security/featured/ransomware-characteristics-attack-chains-recent-campaigns/"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"Loader"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"related": [],
|
||||||
|
"uuid": "2a838144-b42d-4c12-bf41-4e99de1935e9",
|
||||||
|
"value": "Vatet"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 138
|
"version": 139
|
||||||
}
|
}
|
||||||
|
|
9
galaxies/cryptominers.json
Normal file
9
galaxies/cryptominers.json
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
{
|
||||||
|
"description": "Cryptominers is a collection of cryptomining and cryptojacking malwares.",
|
||||||
|
"icon": "optin-monster",
|
||||||
|
"name": "Cryptominers",
|
||||||
|
"namespace": "misp",
|
||||||
|
"type": "Cryptominers",
|
||||||
|
"uuid": "917734cb-6bbf-4568-83b6-ad2b912fc5e4",
|
||||||
|
"version": 3
|
||||||
|
}
|
Loading…
Reference in a new issue