From 9e30ff13450ad7385426e807d0ef60f9fb610e6f Mon Sep 17 00:00:00 2001
From: Kafeine
Date: Mon, 19 Mar 2018 09:23:27 +0000
Subject: [PATCH 1/5] +Glazunov
---
 clusters/exploit-kit.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index 21a9415..f17bf7b 100755
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -319,6 +319,16 @@
 ],
 "status": "Retired - Last seen: middle of 2015-04"
 }
+ },
+ {
+ "value": "Glazunov",
+ "description": "Glazunov is an exploit kit mainly seen behind compromised website in 2012 and 2013. Glazunov compromission is likely the ancestor activity of what became EITest in July 2014. Sibhost and Flimkit later shown similarities with this Exploit Kit",
+ "meta": {
+ "refs": [
+ "https://nakedsecurity.sophos.com/2013/06/24/taking-a-closer-look-at-the-glazunov-exploit-kit/"
+ ],
+ "status": "Retired - Last seen: maybe end of 2013"
+ }
 },
 {
 "value": "GrandSoft",
From 6c7d0f8684d6acd75370db6eec927218d1b53c67 Mon Sep 17 00:00:00 2001
From: Kafeine
Date: Mon, 26 Mar 2018 18:05:14 +0100
Subject: [PATCH 2/5] +ThreadKit
---
 clusters/exploit-kit.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index f17bf7b..862843b 100755
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
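Review bot: The description of the new Glazunov entry carries wording slips that every consumer of this galaxy will display verbatim: `compromised website` for `compromised websites`, `Glazunov compromission` for `Glazunov compromises`, and `later shown similarities` for `later showed similarities`. The same string is re-added unchanged in the patch 4 hunk (`@@ -364,7 +364,17 @@`), so the correction applies there as well. Suggested line: `"description": "Glazunov is an exploit kit mainly seen behind compromised websites in 2012 and 2013. Glazunov compromises are likely the ancestor activity of what became EITest in July 2014. Sibhost and Flimkit later showed similarities with this Exploit Kit",`.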
@@ -116,6 +116,16 @@
 "status": "Active"
 }
 },
+ {
+ "value": "ThreadKit",
+ "description": "ThreadKit is the name given to a widely used Microsoft Office document exploit builder kit that appeared in June 2017",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/threat-insight/post/unraveling-ThreadKit-new-document-exploit-builder-distribute-The-Trick-Formbook-Loki-Bot-malware"
+ ],
+ "status": "Active"
+ }
+ },
 {
 "value": "RIG",
 "description": "RIG is an exploit kit that takes its source in Infinity EK itself an evolution of Redkit. It became dominant after the fall of Angler, Nuclear Pack and the end of public access to Neutrino. RIG-v is the name given to RIG 4 when it was only accessible by \"vip\" customers and when RIG 3 was still in use.",
From 178d5219c7fd8c58078b884f070eafc3b55fed25 Mon Sep 17 00:00:00 2001
From: Kafeine
Date: Wed, 6 Jun 2018 18:00:25 +0100
Subject: [PATCH 3/5] guuid & + VenomKit
---
 clusters/exploit-kit.json | 181 ++++++++++++++++++++++++--------------
 1 file changed, 115 insertions(+), 66 deletions(-)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index 862843b..3d798a9 100755
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -12,14 +12,16 @@
 "Stegano EK"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "e9ca60cd-94fc-4a54-ac98-30e675a46b3e"
 },
 {
 "value": "Bingo",
 "description": "Bingo EK is the name chosen by the defense for a Fiesta-ish EK first spotted in March 2017 and targetting at that times mostly Russia",
 "meta": {
 "status": "Active"
- }
+ },
+ "uuid": "9e864c01-3d9e-4b8d-811e-46471ff866e9"
 },
 {
 "value": "Terror EK",
@@ -33,7 +35,8 @@
 "Neptune EK"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "f15f9264-854e-4e25-8641-cde2faeb86e9"
 },
 {
 "value": "DealersChoice",
@@ -48,7 +51,8 @@
 "Sednit RTF EK"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "0f116533-a755-4cfc-815a-fa6bcb85efb7"
 },
 {
 "value": "DNSChanger",
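Review bot: The `+ {` line that opens the new ThreadKit object appears to differ in whitespace from the `{` lines of the neighbouring entries; the only evidence visible here is that patch 3 of this series rewrites exactly that line as a whitespace-only `- {` / `+ {` change, so this is inferred. Aligning the brace with its siblings in this commit would avoid that later churn and keep `git blame` on the entry pointing at the commit that introduced it. Passing the file through a formatter such as `jq .` before committing catches this kind of drift.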
@@ -62,7 +66,8 @@
 "RouterEK"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "74fb6a14-1279-4a5b-939a-76478d36d3e1"
 },
 {
 "value": "Disdain",
@@ -72,7 +77,8 @@
 "http://blog.trendmicro.com/trendlabs-security-intelligence/new-disdain-exploit-kit-detected-wild/"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "1ded776d-6772-4cc8-a27f-f61e24a58d96"
 },
 {
 "value": "Kaixin",
@@ -86,7 +92,8 @@
 "CK vip"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "e6c1cfcf-3e37-4f5a-9494-989dd8c43d88"
 },
 {
 "value": "Magnitude",
@@ -103,7 +110,8 @@
 "TopExp"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "6a313e11-5bb2-40ed-8cde-9de768b783b1"
 },
 {
 "value": "MWI",
@@ -114,9 +122,10 @@
 "https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-microsoft-word-intruder-revealed.pdf"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "489acbf2-d80b-4bb5-ac7d-c8573dcb6324"
 },
- {
+ {
 "value": "ThreadKit",
 "description": "ThreadKit is the name given to a widely used Microsoft Office document exploit builder kit that appeared in June 2017",
 "meta": {
@@ -124,7 +133,19 @@
 "https://www.proofpoint.com/us/threat-insight/post/unraveling-ThreadKit-new-document-exploit-builder-distribute-The-Trick-Formbook-Loki-Bot-malware"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "b8be783c-69a8-11e8-adc0-fa7ae01bbebc"
+ },
+ {
+ "value": "VenomKit",
+ "description": "VenomKit is the name given to a kit sold since april 2017 as \"Word 1day exploit builder\" by user badbullzvenom. Author allows only use in targeted campaign. Is used for instance by the \"Cobalt Gang\"",
+ "meta": {
+ "refs": [
+ ""
+ ],
+ "status": "Active"
+ },
+ "uuid": "b8be7af8-69a8-11e8-adc0-fa7ae01bbebc"
 },
 {
 "value": "RIG",
@@ -143,7 +164,8 @@
 "Meadgive"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "0545e5c0-ed0d-4a02-a69d-31e9e2b31e8a"
 },
 {
 "value": "Sednit EK",
@@ -157,7 +179,8 @@
 "SedKit"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "c8b9578a-78be-420c-a29b-9214d09685c8"
 },
 {
 "value": "Sundown-P",
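Review bot: The VenomKit entry's `refs` array holds a single empty string (`""`), which consumers will render as a blank reference; either leave the `refs` key out until a source is available or drop the empty element so that `"meta"` contains only `"status": "Active"`. The two identifiers added in this hunk, `b8be783c-69a8-11e8-adc0-fa7ae01bbebc` and `b8be7af8-69a8-11e8-adc0-fa7ae01bbebc`, are version-1 UUIDs (third group starting with `1`), whereas every other entry `uuid` this commit adds is version 4 (`4xxx`); version-1 values embed a timestamp and a node identifier rather than being random, so regenerating them as version 4 keeps the entries consistent. The Glazunov uuid in the patch 4 hunk, `897374fa-6a35-11e8-adc0-fa7ae01bbebc`, has the same form. Minor: `april 2017` in the description should read `April 2017`.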
@@ -171,7 +194,8 @@
 "CaptainBlack"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "3235ae90-598b-45dc-b336-852817b271a8"
 },
 {
 "value": "Bizarro Sundown",
@@ -185,7 +209,8 @@
 "Sundown-b"
 ],
 "status": "Retired"
- }
+ },
+ "uuid": "ef3b170e-3fbe-420b-b202-4689da137c50"
 },
 {
 "value": "Hunter",
@@ -198,7 +223,8 @@
 "3ROS Exploit Kit"
 ],
 "status": "Retired - Last seen 2017-02-06"
- }
+ },
+ "uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c"
 },
 {
 "value": "GreenFlash Sundown",
@@ -211,7 +237,8 @@
 "Sundown-GF"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "6e5c0dbb-fb0b-45ea-ac6c-bb6d8324bbd2"
 },
 {
 "value": "Angler",
@@ -228,7 +255,8 @@
 "Axpergle"
 ],
 "status": "Retired - Last seen: 2016-06-07"
- }
+ },
+ "uuid": "5daf41c7-b297-4228-85d1-eb040d5b7c90"
 },
 {
 "value": "Archie",
@@ -238,7 +266,8 @@
 "https://www.alienvault.com/blogs/labs-research/archie-just-another-exploit-kit"
 ],
 "status": "Retired"
- }
+ },
+ "uuid": "2756caae-d2c5-4170-9e76-2b7f1b1fccb1"
 },
 {
 "value": "BlackHole",
@@ -252,7 +281,8 @@
 "BHEK"
 ],
 "status": "Retired - Last seen: 2013-10-07"
- }
+ },
+ "uuid": "e6201dc3-01a7-40c5-ba72-02fa470ada53"
 },
 {
 "value": "Bleeding Life",
@@ -267,7 +297,8 @@
 "BL2"
 ],
 "status": "Retired"
- }
+ },
+ "uuid": "5abe6240-dce2-4455-8125-ddae2e651243"
 },
 {
 "value": "Cool",
@@ -283,7 +314,8 @@
 "Styxy Cool"
 ],
 "status": "Retired - Last seen: 2013-10-07"
- }
+ },
+ "uuid": "9bb229b0-80f9-48e5-b8fb-00ee7af070cb"
 },
 {
 "value": "Fiesta",
@@ -298,7 +330,8 @@
 "Fiexp"
 ],
 "status": "Retired - Last Seen: beginning of 2015-07"
- }
+ },
+ "uuid": "f50f860a-d795-4f4e-a170-8190f65499ad"
 },
 {
 "value": "Empire",
@@ -311,7 +344,8 @@
 "RIG-E"
 ],
 "status": "Retired - Last seen: 2016-12-29"
- }
+ },
+ "uuid": "6eb15569-4ddd-4820-9a44-7bca5b303b86"
 },
 {
 "value": "FlashPack",
@@ -328,17 +362,8 @@
 "Vintage Pack"
 ],
 "status": "Retired - Last seen: middle of 2015-04"
- }
- },
- {
- "value": "Glazunov",
- "description": "Glazunov is an exploit kit mainly seen behind compromised website in 2012 and 2013. Glazunov compromission is likely the ancestor activity of what became EITest in July 2014. Sibhost and Flimkit later shown similarities with this Exploit Kit",
- "meta": {
- "refs": [
- "https://nakedsecurity.sophos.com/2013/06/24/taking-a-closer-look-at-the-glazunov-exploit-kit/"
- ],
- "status": "Retired - Last seen: maybe end of 2013"
- }
+ },
+ "uuid": "55a30ccc-8905-4af2-a498-5c0010815cc1"
 },
 {
 "value": "GrandSoft",
@@ -354,7 +379,8 @@
 "SofosFO"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "180b6969-2aca-4642-b684-b57db8f0eff8"
 },
 {
 "value": "HanJuan",
@@ -367,7 +393,8 @@
 "https://twitter.com/kafeine/status/562575744501428226"
 ],
 "status": "Retired - Last seen: 2015-07"
- }
+ },
+ "uuid": "886abdc6-db1a-4fc5-afe0-e17d65a83614"
 },
 {
 "value": "Himan",
@@ -380,7 +407,8 @@
 "High Load"
 ],
 "status": "Retired - Last seen: 2014-04"
- }
+ },
+ "uuid": "3d0cb558-7f04-4be8-963e-5f137566b07b"
 },
 {
 "value": "Impact",
@@ -390,7 +418,8 @@
 "http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html"
 ],
 "status": "Retired"
- }
+ },
+ "uuid": "319357b4-3041-4a71-89c5-51be08041d1b"
 },
 {
 "value": "Infinity",
@@ -405,7 +434,8 @@
 "Goon"
 ],
 "status": "Retired - Last seen: 2014-07"
- }
+ },
+ "uuid": "4b858835-7b31-4b94-8144-b5175da1551f"
 },
 {
 "value": "Lightsout",
@@ -417,7 +447,8 @@
 "http://malwageddon.blogspot.fr/2013/09/unknown-ek-by-way-how-much-is-fish.html"
 ],
 "status": "Unknown - Last seen: 2014-03"
- }
+ },
+ "uuid": "244c05f8-1a2f-47fb-9dcf-2eaa99ab6aa1"
 },
 {
 "value": "Nebula",
@@ -427,7 +458,8 @@
 "http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html"
 ],
 "status": "Retired - Last seen 2017-03-09"
- }
+ },
+ "uuid": "4ca96067-8fdd-4b48-bd34-d2e175e27bad"
 },
 {
 "value": "Neutrino",
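Review bot: The first hunk here (`@@ -328,17 +362,8 @@`) deletes the whole Glazunov object that patch 1 of this series introduced, while the commit subject (`guuid & + VenomKit`) announces only uuid assignment and a new VenomKit entry; the deletion looks like the result of regenerating the file from a base that predates patch 1 rather than an intended removal, since patch 4 re-adds the identical object. Giving Glazunov its `uuid` in this hunk, as the surrounding hunks do for every other entry, would keep the series to one commit per change and avoid the broken intermediate state that patches 4 and 5 then repair.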
@@ -443,7 +475,8 @@
 "Neutrino-v"
 ],
 "status": "Retired - Last seen 2017-04-10"
- }
+ },
+ "uuid": "218ae39b-2f92-4355-91c6-50cce319d26d"
 },
 {
 "value": "Niteris",
@@ -457,7 +490,8 @@
 "CottonCastle"
 ],
 "status": "Unknown - Last seen: 2015-11"
- }
+ },
+ "uuid": "b344133f-e223-4fda-8fb2-88ad7999e549"
 },
 {
 "value": "Nuclear",
@@ -473,7 +507,8 @@
 "Neclu"
 ],
 "status": "Retired - Last seen: 2015-04-30"
- }
+ },
+ "uuid": "e7c516f9-5222-4f0d-b80b-ae9f4c24583d"
 },
 {
 "value": "Phoenix",
@@ -487,7 +522,8 @@
 "PEK"
 ],
 "status": "Retired"
- }
+ },
+ "uuid": "0df2c7a6-046f-4489-8c77-0999c92c839d"
 },
 {
 "value": "Private Exploit Pack",
@@ -501,7 +537,8 @@
 "PEP"
 ],
 "status": "Retired"
- }
+ },
+ "uuid": "cfd0a4af-f559-496f-b56b-97145ea4e4c3"
 },
 {
 "value": "Redkit",
@@ -513,7 +550,8 @@
 "https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/"
 ],
 "status": "Retired"
- }
+ },
+ "uuid": "6958ff90-75e8-47ee-ab07-daa8d487130c"
 },
 {
 "value": "Sakura",
@@ -523,19 +561,25 @@
 "http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html"
 ],
 "status": "Retired - Last seen: 2013-09"
- }
+ },
+ "uuid": "12af9112-3ac5-4422-858e-a22c293c6117"
+ },
+ {
+ "value": "SPL",
+ "description": "SPL exploit kit was mainly seen in 2012/2013 most often associated with ZeroAccess and Scareware/FakeAV",
+ "meta": {
+ "refs": [
+ "http://www.malwaresigs.com/2012/12/05/spl-exploit-kit/"
+ ],
+ "status": "Retired - Last seen: 2015-04",
+ "synonyms": [
+ "SPL_Data",
+ "SPLNet",
+ "SPL2"
+ ]
+ },
+ "uuid": "15936d30-c151-4051-835e-df327143ce76"
 },
- {
- "value": "SPL",
- "description": "SPL exploit kit was mainly seen in 2012/2013 most often associated with ZeroAccess and Scareware/FakeAV",
- "meta": {
- "refs": ["http://www.malwaresigs.com/2012/12/05/spl-exploit-kit/"],
- "status": "Retired - Last seen: 2015-04",
- "synonyms": ["SPL_Data",
- "SPLNet",
- "SPL2"],
- }
- },
 {
 "value": "Sundown",
 "description": "Sundown Exploit Kit is mainly built out of stolen code from other exploit kits",
@@ -551,7 +595,8 @@
 ],
 "status": "Retired - Last seen 2017-03-08",
 "colour": "#C03701"
- }
+ },
+ "uuid": "670e28c4-001a-4ba4-b276-441620225123"
 },
 {
 "value": "Sweet-Orange",
@@ -565,7 +610,8 @@
 "Anogre"
 ],
 "status": "Retired - Last seen: 2015-04-05"
- }
+ },
+ "uuid": "222bc508-4d8d-4972-9cac-65192cfefd43"
 },
 {
 "value": "Styx",
@@ -577,7 +623,8 @@
 "http://malware.dontneedcoffee.com/2013/05/inside-styx-2013-05.html"
 ],
 "status": "Retired - Last seen: 2014-06"
- }
+ },
+ "uuid": "006eaa87-e8a6-4808-93ff-302b52c628b0"
 },
 {
 "value": "WhiteHole",
@@ -587,7 +634,8 @@
 "http://malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html"
 ],
 "status": "Retired - Last seen: 2013-12"
- }
+ },
+ "uuid": "570bc715-7fe8-430b-bd2e-5512c95f2370"
 },
 {
 "value": "Unknown",
@@ -598,10 +646,11 @@
 "https://twitter.com/node5",
 "https://twitter.com/kahusecurity"
 ]
- }
+ },
+ "uuid": "00815961-3249-4e2e-9421-bb57feb73bb2"
 }
 ],
- "version": 5,
+ "version": 7,
 "uuid": "454f4e78-bd7c-11e6-a4a6-cec0c932ce01",
 "description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years",
 "authors": [
From 52f0858ef50363a114f9c8456f3850d0f5b3c4be Mon Sep 17 00:00:00 2001
From: Kafeine
Date: Thu, 7 Jun 2018 10:31:58 +0100
Subject: [PATCH 4/5] + Glazunov
---
 clusters/exploit-kit.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index 3d798a9..57bf3d5 100755
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -364,7 +364,17 @@
 "status": "Retired - Last seen: middle of 2015-04"
 },
 "uuid": "55a30ccc-8905-4af2-a498-5c0010815cc1"
- },
+ },
+ {
+ "value": "Glazunov",
+ "description": "Glazunov is an exploit kit mainly seen behind compromised website in 2012 and 2013. Glazunov compromission is likely the ancestor activity of what became EITest in July 2014. Sibhost and Flimkit later shown similarities with this Exploit Kit",
+ "meta": {
+ "refs": [
+ "https://nakedsecurity.sophos.com/2013/06/24/taking-a-closer-look-at-the-glazunov-exploit-kit/"
+ ],
+ "status": "Retired - Last seen: maybe end of 2013"
+ },
+ "uuid": "897374fa-6a35-11e8-adc0-fa7ae01bbebc"
 {
 "value": "GrandSoft",
 "description": "GrandSoft Exploit Kit was a quite common exploit kit used in 2012/2013. Disappeared between march 2014 and September 2017",
From 25d21204fb371dfe35494f64c08658cfd7c579f8 Mon Sep 17 00:00:00 2001
From: Kafeine
Date: Thu, 7 Jun 2018 10:34:55 +0100
Subject: [PATCH 5/5] fix
---
 clusters/exploit-kit.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index 57bf3d5..aabaf7d 100755
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -375,6 +375,7 @@
 "status": "Retired - Last seen: maybe end of 2013"
 },
 "uuid": "897374fa-6a35-11e8-adc0-fa7ae01bbebc"
+ },
 {
 "value": "GrandSoft",
 "description": "GrandSoft Exploit Kit was a quite common exploit kit used in 2012/2013. Disappeared between march 2014 and September 2017",
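Review bot: In the patch 4 hunk (`@@ -364,7 +364,17 @@`) the new Glazunov object is never closed: the line after `+ "uuid": "897374fa-6a35-11e8-adc0-fa7ae01bbebc"` is the context `{` that opens GrandSoft, so the file does not parse as JSON at this commit and patch 5 exists only to add the missing `},`. The two commits should be squashed so that every revision in history is valid, which matters for bisecting and for any tooling that ingests the galaxy at an arbitrary commit; running a strict parser such as `python -m json.tool clusters/exploit-kit.json` before committing would have caught it. The `- },` / `+ },` pair on the line closing the preceding entry is whitespace-only churn and can be dropped from the change.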
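Review bot: Adding the Glazunov entry across patches 4 and 5 leaves the top-level `"version"` at 7, the value patch 3 set; the diffstats of both commits show no other line changed, so this is inferred rather than visible in the hunk. Consumers that decide whether to refresh a galaxy by comparing this number will likely not pick up the new entry until it increases. If version 7 has not been published yet, folding the entry into patch 3 is enough; otherwise bump it, `"version": 8,`.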