From 8836dfdc164e9575b45ed1500d67c63aaac1ce3f Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 13 Dec 2017 15:51:24 +0100
Subject: [PATCH 1/3] add Quant Loader

---
 clusters/tool.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index ab009de..c8f91e9 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -10,7 +10,7 @@
   ],
   "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
   "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
-  "version": 41,
+  "version": 42,
   "values": [
     {
       "meta": {
@@ -3114,6 +3114,16 @@
           "https://www.group-ib.com/blog/moneytaker"
         ]
       }
+    },
+    {
+      "value": "Quant Loader",
+      "description": "Described as a \"professional exe loader / dll dropper\" Quant Loader is in fact a very basic trojan downloader. It began being advertised on September 1, 2016 on various Russian underground forums:",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/quant-loader-is-now-bundled-with-other-crappy-malware/",
+          "https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground"
+        ]
+      }
     }
   ]
 }

From a2deaed93525323bb70f9cb86570f09af962ebad Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 14 Dec 2017 10:58:29 +0100
Subject: [PATCH 2/3] add cryptomix variant

---
 clusters/ransomware.json | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 7b2cdea..1b50550 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -5022,7 +5022,8 @@
           ".EMPTY",
           ".0000",
           ".XZZX",
-          ".TEST"
+          ".TEST",
+          ".WORK"
         ],
         "ransomnotes": [
           "HELP_YOUR_FILES.html (CryptXXX)",
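Review bot: The new `Quant Loader` entry never says what the loader has been observed delivering, although both reference titles carry exactly that information (`locky-distributor-uses-newly-released-quant-loader...` and `quant-loader-is-now-bundled-with-other-crappy-malware`), and that is the detail an analyst pivoting from this cluster needs most. I would append one sentence to the description, `It has been reported in use by a Locky distributor and, per the BleepingComputer article, bundled with other malware (see refs).`, attributing the claim to the refs since it is taken from their titles rather than verified here. The rest of the entry matches the shape of the sibling entries visible in the context lines.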
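Review bot: `.WORK`, like the existing `.TEST` beside it, is a short generic extension that can legitimately occur on files, so anyone consuming the `extensions` list as a detection indicator should not alert on the extension alone; it is only meaningful together with the `DECRYPT-ID-[id]` ransom note and the contact addresses recorded under `ransomnotes`. The JSON format gives no place for that caveat on the line itself, so it belongs in the cluster's accompanying documentation or in the consuming tooling rather than in this hunk. The `meta` object these arrays live in begins before the hunk and continues after it.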
@@ -5034,7 +5035,8 @@
           "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nempty01@techmail.info\n\nempty02@yahooweb.co\n\nempty003@protonmail.com\n\nWe will help You as soon as possible!\n\nDECRYPT-ID-[id] number",
           "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ny0000@tuta.io\n\ny0000@protonmail.com\n\ny0000z@yandex.com\n\ny0000s@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id]",
           "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nxzzx@tuta.io\n\nxzzx1@protonmail.com\n\nxzzx10@yandex.com\n\nxzzx101@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id] number",
-          "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ntest757@tuta.io\n\ntest757@protonmail.com\n\ntest757xz@yandex.com\n\ntest757xy@yandex.com\n\ntest757@consultant.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number"
+          "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ntest757@tuta.io\n\ntest757@protonmail.com\n\ntest757xz@yandex.com\n\ntest757xy@yandex.com\n\ntest757@consultant.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number",
+          "Attention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nworknow@keemail.me\n\nworknow@protonmail.com\n\nworknow8@yandex.com\n\nworknow9@yandex.com\n\nworknow@techie.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number"
         ],
         "refs": [
           "http://www.nyxbone.com/malware/CryptoMix.html",
@@ -5043,7 +5045,8 @@
           "https://www.bleepingcomputer.com/news/security/new-empty-cryptomix-ransomware-variant-released/",
           "https://www.bleepingcomputer.com/news/security/0000-cryptomix-ransomware-variant-released/",
           "https://www.bleepingcomputer.com/news/security/xzzx-cryptomix-ransomware-variant-released/",
-          "https://www.bleepingcomputer.com/news/security/test-cryptomix-ransomware-variant-released/"
+          "https://www.bleepingcomputer.com/news/security/test-cryptomix-ransomware-variant-released/",
+          "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/"
         ]
       }
     },

From 901d624a520d185ccf69f6cd1e801d84a3039102 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 14 Dec 2017 11:37:05 +0100
Subject: [PATCH 3/3] add SSHDoor

---
 clusters/tool.json | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index c8f91e9..5a2624c 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -10,7 +10,7 @@
   ],
   "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
   "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
-  "version": 42,
+  "version": 43,
   "values": [
     {
       "meta": {
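Review bot: The added `.WORK` note opens with `Attention! All Your data was encrypted!` while every sibling note in this array opens with `Hello!\n\nAttention! ...`; if it was transcribed from the same kind of source as the others, confirm that the leading `Hello!\n\n` was not dropped, because the note text is presumably used for matching and a missing prefix changes what it matches. The misspelling `informartion` is repeated across all five notes and appears to be reproduced from the malware's own note text, so it should stay verbatim rather than be corrected. The `ransomnotes` array closes inside the hunk, but the value entry it belongs to starts before it.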
@@ -3117,13 +3117,22 @@
     },
     {
       "value": "Quant Loader",
-      "description": "Described as a \"professional exe loader / dll dropper\" Quant Loader is in fact a very basic trojan downloader. It began being advertised on September 1, 2016 on various Russian underground forums:",
+      "description": "Described as a \"professional exe loader / dll dropper\" Quant Loader is in fact a very basic trojan downloader. It began being advertised on September 1, 2016 on various Russian underground forums.",
       "meta": {
         "refs": [
           "https://www.bleepingcomputer.com/news/security/quant-loader-is-now-bundled-with-other-crappy-malware/",
           "https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground"
         ]
       }
+    },
+    {
+      "value": "SSHDoor",
+      "description": "The Secure Shell Protocol (SSH) is a very popular protocol used for secure data communication. It is widely used in the Unix world to manage remote servers, transfer files, etc. The modified SSH daemon described here, Linux/SSHDoor.A, is designed to steal usernames and passwords and allows remote access to the server via either an hardcoded password or SSH key.",
+      "meta": {
+        "refs": [
+          "https://www.welivesecurity.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords/"
+        ]
+      }
     }
   ]
 }
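Review bot: The `SSHDoor` description reads as pasted from the reference's introduction: the phrase `The modified SSH daemon described here` has no referent inside the cluster, the first two sentences describe SSH in general rather than the backdoor, and `an hardcoded` should be `a hardcoded`. I would replace the description line with `"description": "Linux/SSHDoor.A is a backdoored (modified) SSH daemon that steals the usernames and passwords of users authenticating to the server and gives the operator remote access through a hardcoded password or SSH key.",` so the entry leads with what the tool does. The ESET detection name `Linux/SSHDoor.A` differs from the `value` `SSHDoor`, so if entries in this file record alternative names it is worth keeping as a synonym; nothing visible in the hunk shows whether such a field is in use here.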