Merge remote-tracking branch 'upstream/main' into threat-actors/merge-cutting-kitten-cleaver

clusters/botnet.json

@@ -1291,7 +1291,80 @@
       },
       "uuid": "3e40c1af-51f5-4b02-b189-74567125c6e0",
       "value": "Ripprbot"
+    },
+    {
+      "description": "In mid-March [2022], FortiGuard Labs observed a new DDoS botnet calling itself “Enemybot” and attributing itself to Keksec, a threat group that specializes in cryptomining and DDoS attacks.\n\nThis botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.\n\nIt uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated.\n\nEnemybot has been seen targeting routers from Seowon Intech, D-Link, and exploits a recently reported iRZ router vulnerability to infect more devices.",
+      "meta": {
+        "refs": [
+          "https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/",
+          "https://malpedia.caad.fkie.fraunhofer.de/details/elf.enemybot",
+          "https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet",
+          "https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "262d18be-7cab-46c2-bcb0-47fff17604aa",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        },
+        {
+          "dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "variant-of"
+        },
+        {
+          "dest-uuid": "40795af6-b721-11e8-9fcb-570c0b384135",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "variant-of"
+        },
+        {
+          "dest-uuid": "e878d24d-f122-48c4-930c-f6b6d5f0ee28",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "variant-of"
+        },
+        {
+          "dest-uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "variant-of"
+        }
+      ],
+      "uuid": "a5a067c9-c4d7-4f33-8e6f-01b903f89908",
+      "value": "EnemyBot"
+    },
+    {
+      "description": "Discovered in 2008 and under constant development, with gaps in operational use in the wild; operators are occasionally known as GOLD LAGOON. Banking Trojan, steals financial data, browser information/hooks, keystrokes, credentials; described by CheckPoint as a “Swiss Army knife”. Known to leverage many other tools; for example, PowerShell and Mimikatz are used for self-propagation. Attempts obfuscation via legitimate process injection. Known to serve as a dropper for ProLock ransomware. Infection vectors are common, with malspam as the most frequent. Active in 2020 – two big campaigns, one from March to June, second Starting in July and ongoing, as part of latest Emotet campaign. Newer version appeared in August.",
+      "meta": {
+        "refs": [
+          "https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf"
+        ],
+        "synonyms": [
+          "QakBot",
+          "Pinkslipbot"
+        ]
+      },
+      "related": [
+        {
+          "dest-uuid": "c4417bfb-717f-48d9-bd56-bc9e85d07c19",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "dropped"
+        }
+      ],
+      "uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
+      "value": "Qbot"
     }
   ],
-  "version": 25
+  "version": 27
 }

clusters/ransomware.json

@@ -2250,7 +2250,7 @@
           "https://id-ransomware.blogspot.co.il/2017/01/xcrypt-ransomware.html",
           "https://twitter.com/JakubKroustek/status/825790584971472902"
         ],
-        "synonyns": [
+        "synonyms": [
           "XCrypt"
         ]
       },
@@ -21647,7 +21647,64 @@
       "value": "MBR-ONI"
     },
     {
-      "description": "ransomware",
+      "description": "Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. The MedusaLocker actors encrypt the victim's data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address. MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments. Typical RaaS models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems. MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom; and the developer, who receives the remainder.",
+      "meta": {
+        "extensions": [
+          ".1btc",
+          ".matlock20",
+          ".marlock02",
+          ".readinstructions",
+          ".bec",
+          ".mylock",
+          ".jpz.nz",
+          ".marlock11",
+          ".cn",
+          ".NET1",
+          ".key1",
+          ".fileslocked",
+          ".datalock",
+          ".NZ",
+          ".lock",
+          ".lockfilesUS",
+          ".deadfilesgr",
+          ".tyco",
+          ".lockdata7",
+          ".rs",
+          ".faratak",
+          ".uslockhh",
+          ".lockfiles",
+          ".fileslock",
+          ".zoomzoom",
+          ".perfection",
+          ".marlock13",
+          "n.exe",
+          ".Readinstruction",
+          ".marlock08",
+          ".marlock25",
+          "nt_lock20",
+          ".READINSTRUCTION",
+          ".marlock6",
+          ".marlock01",
+          ".ReadInstructions"
+        ],
+        "ransomnotes-filenames": [
+          "how_to_ recover_data.html",
+          "how_to_recover_data.html.marlock01",
+          "instructions.html",
+          "READINSTRUCTION.html",
+          "!!!HOW_TO_DECRYPT!!!",
+          "How_to_recovery.txt",
+          "readinstructions.html",
+          "readme_to_recover_files",
+          "recovery_instructions.html",
+          "HOW_TO_RECOVER_DATA.html",
+          "recovery_instruction.html"
+        ],
+        "refs": [
+          "https://www.cisa.gov/uscert/ncas/alerts/aa22-181a",
+          "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-181A_stopransomware_medusalocker.pdf"
+        ]
+      },
       "uuid": "627d603a-906f-4fbf-b922-f03eea4578fe",
       "value": "MedusaLocker"
     },
@@ -22083,6 +22140,15 @@
     },
     {
       "description": "ransomware",
+      "related": [
+        {
+          "dest-uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "dropped-by"
+        }
+      ],
       "uuid": "c4417bfb-717f-48d9-bd56-bc9e85d07c19",
       "value": "ProLock"
     },
@@ -24478,7 +24544,38 @@
       },
       "uuid": "bb6d933f-7b6d-4694-853d-1ca400f6bd8f",
       "value": "Rook"
+    },
+    {
+      "description": "HelloXD is a ransomware family performing double extortion attacks that surfaced in November 2021. During our research we observed multiple variants impacting Windows and Linux systems. Unlike other ransomware groups, this ransomware family doesn’t have an active leak site; instead it prefers to direct the impacted victim to negotiations through TOX chat and onion-based messenger instances.",
+      "meta": {
+        "date": "Nov. 30, 2021",
+        "extensions": [
+          "hello"
+        ],
+        "ransomnotes-filenames": [
+          "Hello.txt"
+        ],
+        "ransomnotes-refs": [
+          "https://unit42.paloaltonetworks.com/wp-content/uploads/2022/06/image13.png"
+        ],
+        "refs": [
+          "https://unit42.paloaltonetworks.com/helloxd-ransomware/"
+        ]
+      },
+      "uuid": "5617e6fa-4e6a-4011-9385-6b1165786563",
+      "value": "HelloXD"
+    },
+    {
+      "description": "Maui ransomware stand out because of a lack of several key features commonly seen with tooling from RaaS providers, such as an embedded ransom note to provide recovery instructions or automated means of transmitting encryption keys to attackers. Instead, it is believed that Maui is manually operated, in which operators will specify which files to encrypt when executing it and then exfiltrate the resulting runtime artifacts. There are many aspects to Maui ransomware that are unknown, including usage context.",
+      "meta": {
+        "refs": [
+          "https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf",
+          "https://www.cisa.gov/uscert/ncas/alerts/aa22-187a"
+        ]
+      },
+      "uuid": "995c3772-dbda-4a2a-9e28-c47740d599a3",
+      "value": "Maui ransomware"
     }
   ],
-  "version": 101
+  "version": 105
 }

tools/del_duplicate_refs.py

@@ -0,0 +1,17 @@
+#!/usr/bin/env python3
+# coding=utf-8
+"""
+    Tool to remove duplicates in cluster references
+"""
+import sys
+import json
+
+with open(sys.argv[1], 'r') as f:
+    data = json.load(f)
+
+for c in data['values']:
+    c['meta']['refs'] = list(dict.fromkeys(c['meta']['refs']))
+
+with open(sys.argv[1], 'w') as f:
+    json.dump(data, f)
+

tools/fetch_malpedia.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+cd "${0%/*}"
+wget -O malpedia.json https://malpedia.caad.fkie.fraunhofer.de/api/get/misp
+mv malpedia.json ../clusters/malpedia.json
+./del_duplicate_refs.py ../clusters/malpedia.json
+(cd ..; ./jq_all_the_things.sh)