From 6c6355f2ba528cf33b98d8997e3ddb82a28ffde0 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Tue, 12 Jul 2022 11:31:08 +0200
Subject: [PATCH 1/3] fix typo
---
 clusters/ransomware.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 371526c..c5164a1 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -2250,7 +2250,7 @@
 "https://id-ransomware.blogspot.co.il/2017/01/xcrypt-ransomware.html",
 "https://twitter.com/JakubKroustek/status/825790584971472902"
 ],
- "synonyns": [
+ "synonyms": [
 "XCrypt"
 ]
 },
@@ -24568,5 +24568,5 @@
 "value": "Maui ransomware"
 }
 ],
- "version": 104
+ "version": 105
 }
From d40017ae503139b9dbfa174eed90b56b17e031cc Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Tue, 12 Jul 2022 14:03:43 +0200
Subject: [PATCH 2/3] add Qbot
---
 clusters/botnet.json | 37 +++++++++++++++++++++++++++++++++++++
 clusters/ransomware.json | 9 +++++++++
 2 files changed, 46 insertions(+)
diff --git a/clusters/botnet.json b/clusters/botnet.json
index ac9d202..dc7305d 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -1323,10 +1323,47 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "variant-of"
+ },
+ {
+ "dest-uuid": "e878d24d-f122-48c4-930c-f6b6d5f0ee28",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "variant-of"
+ },
+ {
+ "dest-uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "variant-of"
 }
 ],
 "uuid": "a5a067c9-c4d7-4f33-8e6f-01b903f89908",
 "value": "EnemyBot"
+ },
+ {
+ "description": "Discovered in 2008 and under constant development, with gaps in operational use in the wild; operators are occasionally known as GOLD LAGOON. Banking Trojan, steals financial data, browser information/hooks, keystrokes, credentials; described by CheckPoint as a “Swiss Army knife”. Known to leverage many other tools; for example, PowerShell and Mimikatz are used for self-propagation. Attempts obfuscation via legitimate process injection. Known to serve as a dropper for ProLock ransomware. Infection vectors are common, with malspam as the most frequent. Active in 2020 – two big campaigns, one from March to June, second Starting in July and ongoing, as part of latest Emotet campaign. Newer version appeared in August.",
+ "meta": {
+ "refs": [
+ "https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf"
+ ],
+ "synonyms": [
+ "QakBot",
+ "Pinkslipbot"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "c4417bfb-717f-48d9-bd56-bc9e85d07c19",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "dropped"
+ }
+ ],
+ "uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
+ "value": "Qbot"
 }
 ],
 "version": 26
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index c5164a1..8abc7f5 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
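Review bot: The new `variant-of` relation from EnemyBot (`a5a067c9-…`) to `421a3805-…` points at an entry whose description (banking trojan, ProLock dropper, Emotet campaigns, synonyms `QakBot`/`Pinkslipbot`) is the Windows QakBot family; if EnemyBot is the Mirai/Gafgyt-derived Linux botnet, the IoT "Qbot" (Bashlite/Gafgyt lineage) it is usually said to descend from is a different family that only shares the name, so this link looks like a misattribution and should be confirmed against the EnemyBot references before merge. Neither added relation is reciprocated — the new Qbot entry carries no `related` entry back to EnemyBot — and `e878d24d-…` is not defined anywhere in this hunk, so its existence in the galaxy should be checked. The description cites CheckPoint ("Swiss Army knife") while `meta.refs` lists only the CISA PDF; the CheckPoint write-up the sentence relies on should be added to `refs`. Minor wording: `second Starting in July` has a stray capital.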
@@ -22140,6 +22140,15 @@
 },
 {
 "description": "ransomware",
+ "related": [
+ {
+ "dest-uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "dropped-by"
+ }
+ ],
 "uuid": "c4417bfb-717f-48d9-bd56-bc9e85d07c19",
 "value": "ProLock"
 },
From b1c853bf42c0397810adc6385f17206147c9cca3 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Tue, 12 Jul 2022 15:51:55 +0200
Subject: [PATCH 3/3] update version
---
 clusters/botnet.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/botnet.json b/clusters/botnet.json
index dc7305d..dd9f867 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -1366,5 +1366,5 @@
 "value": "Qbot"
 }
 ],
- "version": 26
+ "version": 27
 }
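Review bot: `clusters/ransomware.json` is changed again here without its `version` being raised — the first patch in the series had just moved it from 104 to 105, and the third patch's diffstat touches only `clusters/botnet.json` — so a consumer that synced version 105 between the two commits would never pick up this `related` addition; `version` should be bumped in this file as well. The `dropped-by` type on the ProLock side pairs with `"type": "dropped"` on the Qbot entry in botnet.json (`421a3805-…` ↔ `c4417bfb-…`); both values should be checked against the relationship vocabulary the galaxy schema accepts, since `dropped` without a direction suffix reads ambiguously next to a description that says Qbot is the dropper. The ProLock `description` remains the single word `ransomware` and the entry has no `refs`; while touching it, a one-sentence description and a reference supporting the new relation would make it verifiable.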