From d40017ae503139b9dbfa174eed90b56b17e031cc Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Tue, 12 Jul 2022 14:03:43 +0200
Subject: [PATCH] add Qbot
---
 clusters/botnet.json | 37 +++++++++++++++++++++++++++++++++++++
 clusters/ransomware.json | 9 +++++++++
 2 files changed, 46 insertions(+)
diff --git a/clusters/botnet.json b/clusters/botnet.json
index ac9d202..dc7305d 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -1323,10 +1323,47 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "variant-of"
+ },
+ {
+ "dest-uuid": "e878d24d-f122-48c4-930c-f6b6d5f0ee28",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "variant-of"
+ },
+ {
+ "dest-uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "variant-of"
 }
 ],
 "uuid": "a5a067c9-c4d7-4f33-8e6f-01b903f89908",
 "value": "EnemyBot"
+ },
+ {
+ "description": "Discovered in 2008 and under constant development, with gaps in operational use in the wild; operators are occasionally known as GOLD LAGOON. Banking Trojan, steals financial data, browser information/hooks, keystrokes, credentials; described by CheckPoint as a “Swiss Army knife”. Known to leverage many other tools; for example, PowerShell and Mimikatz are used for self-propagation. Attempts obfuscation via legitimate process injection. Known to serve as a dropper for ProLock ransomware. Infection vectors are common, with malspam as the most frequent. Active in 2020 – two big campaigns, one from March to June, second Starting in July and ongoing, as part of latest Emotet campaign. Newer version appeared in August.",
+ "meta": {
+ "refs": [
+ "https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf"
+ ],
+ "synonyms": [
+ "QakBot",
+ "Pinkslipbot"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "c4417bfb-717f-48d9-bd56-bc9e85d07c19",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "dropped"
+ }
+ ],
+ "uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
+ "value": "Qbot"
 }
 ],
 "version": 26
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index c5164a1..8abc7f5 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
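Review bot: The two `variant-of` edges added to EnemyBot's `related` list have no counterpart in the new Qbot entry, whose `related` holds only the ProLock `dropped` edge, whereas the ProLock link does get its inverse `dropped-by` in clusters/ransomware.json; for symmetry add `{ "dest-uuid": "a5a067c9-c4d7-4f33-8e6f-01b903f89908", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "variant-of" }` to Qbot's `related` (or whatever inverse type this galaxy's vocabulary uses), or record why the edge is one-directional. The Qbot entry is described as the Windows banking trojan QakBot/Pinkslipbot, so if the "Qbot" that EnemyBot descends from is the Gafgyt/Bashlite IoT bot that shares that nickname, the edge to `421a3805-…` would attribute EnemyBot to the wrong family — worth confirming against the EnemyBot sources before merge; the other new target, `e878d24d-…`, is not defined in this patch and cannot be checked here. `"version": 26` at the foot of the file is left as unchanged context although cluster content changed, and this galaxy's convention is to bump `version` so consumers re-import the cluster — presumably the same applies to ransomware.json, whose version line is outside the hunk. The description's time-bound wording ("Active in 2020 … second Starting in July and ongoing") will go stale; consider anchoring it to its source, e.g. "As of CISA's October 2020 advisory, …", and lower-casing "Starting".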
@@ -22140,6 +22140,15 @@
 },
 {
 "description": "ransomware",
+ "related": [
+ {
+ "dest-uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "dropped-by"
+ }
+ ],
 "uuid": "c4417bfb-717f-48d9-bd56-bc9e85d07c19",
 "value": "ProLock"
 },