From 14444e4321fa0bc91d9857ee466cb7f215794583 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 8 Nov 2018 10:39:32 +0100
Subject: [PATCH 1/2] add several tools and refs
---
 clusters/rat.json | 8 +++++---
 clusters/threat-actor.json | 8 +++++---
 clusters/tool.json | 23 ++++++++++++++++++++---
 3 files changed, 30 insertions(+), 9 deletions(-)
diff --git a/clusters/rat.json b/clusters/rat.json
index 1612b6e..a69212b 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -286,7 +286,8 @@
 "refs": [
 "https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf",
 "https://www.f-secure.com/v-descs/backdoor_java_adwind.shtml",
- "https://blog.fortinet.com/2016/08/16/jbifrost-yet-another-incarnation-of-the-adwind-rat"
+ "https://blog.fortinet.com/2016/08/16/jbifrost-yet-another-incarnation-of-the-adwind-rat",
+ "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
 ],
 "synonyms": [
 "UNRECOM",
@@ -724,7 +725,8 @@
 "date": "2014",
 "refs": [
 "https://github.com/quasar/QuasarRAT",
- "https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/"
+ "https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/",
+ "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
 ]
 },
 "related": [
@@ -3278,5 +3280,5 @@
 "value": "NukeSped"
 }
 ],
- "version": 20
+ "version": 21
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9574a5c..4c78add 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -105,7 +105,8 @@
 "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
 "http://www.isightpartners.com/2015/02/codoso/#sthash.VJMDVPQB.dpuf",
 "http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/",
- "https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html"
+ "https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html",
+ "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
 ],
 "synonyms": [
 "C0d0so",
@@ -995,7 +996,8 @@
 "country": "CN",
 "refs": [
 "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
- "https://www.cfr.org/interactive/cyber-operations/apt-10"
+ "https://www.cfr.org/interactive/cyber-operations/apt-10",
+ "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
 ],
 "synonyms": [
 "APT10",
@@ -5999,5 +6001,5 @@
 "value": "EvilTraffic"
 }
 ],
- "version": 76
+ "version": 77
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index ed2b83b..4a2b1fb 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -677,7 +677,8 @@
 "meta": {
 "refs": [
 "https://github.com/gentilkiwi/mimikatz",
- "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/"
+ "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/",
+ "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
 ],
 "synonyms": [
 "Mikatz"
@@ -2049,9 +2050,15 @@
 "value": "Hoardy"
 },
 {
+ "description": "HUC Packet Transmitter (HTran) is a proxy tool, used to intercept and redirect Transmission Control Protocol (TCP) connections from the local host to a remote host. This makes it possible to obfuscate an attacker's communications with victim networks. The tool has been freely available on the internet since at least 2009.\nHTran facilitates TCP connections between the victim and a hop point controlled by an attacker. Malicious cyber actors can use this technique to redirect their packets through multiple compromised hosts running HTran, to gain greater access to hosts in a network",
 "meta": {
 "refs": [
- "http://www.secureworks.com/research/threats/htran/"
+ "http://www.secureworks.com/research/threats/htran/",
+ "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
+ ],
+ "synonyms": [
+ "HUC Packet Transmitter",
+ "HTran"
 ]
 },
 "uuid": "f3bfe513-2a65-49b5-9d64-a66541dce697",
@@ -7384,7 +7391,17 @@
 },
 "uuid": "9972d4c4-d6c6-11e8-867e-87b4a45aa76d",
 "value": "August"
+ },
+ {
+ "description": "China Chopper is a publicly available, well-documented web shell, in widespread use since 2012.",
+ "meta": {
+ "refs": [
+ "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
+ ]
+ },
+ "uuid": "1ac4a966-0c74-46d5-b7e1-a40f4c681bc8",
+ "value": "China Chopper"
 }
 ],
- "version": 98
+ "version": 99
 }
From 46dba06e404332eb384e519d620effae552e1df4 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 9 Nov 2018 16:34:00 +0100
Subject: [PATCH 2/2] add/update ransomawares
---
 clusters/ransomware.json | 86 +++++++++++++++++++++++++++++++++++-----
 1 file changed, 76 insertions(+), 10 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 99d21da..93d5430 100644
--- a/clusters/ransomware.json
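Review bot: The HTran `description` added in the first hunk on this line ends without a terminating period (`...to gain greater access to hosts in a network`), while the China Chopper description added by the same commit ends with one; the string should end `...to gain greater access to hosts in a network.`. The same string also splits its two paragraphs with an embedded literal `\n`, which the China Chopper description does not do, so the two new descriptions will not render alike. The new `synonyms` list includes `"HTran"`; this entry's `value` lies outside the hunk, and if it is also `HTran` that synonym duplicates the value and should be dropped.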
+++ b/clusters/ransomware.json
@@ -2910,7 +2910,8 @@
 ".FOX",
 ".EMAN50",
 ".GMAN",
- ".NOBAD"
+ ".NOBAD",
+ ".ITLOCK"
 ],
 "ransomnotes": [
 "https://4.bp.blogspot.com/-RGHgroHt5cU/WEUWnFBn2hI/AAAAAAAACYA/zwSf7rmfWdo4ESQ8kjwj6mJrfzL2V22mgCLcB/s1600/note-eng.png",
@@ -2929,7 +2930,8 @@
 "!README_GMAN!.rtf",
 "#README_EMAN50#.rtf",
 "https://pbs.twimg.com/media/Do_pn7bX0AYh1F-.jpg",
- "#NOBAD_README#.rtf"
+ "#NOBAD_README#.rtf",
+ "!ITLOCK_README!.rtf"
 ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-2nd-2016-screenlockers-kangaroo-the-sfmta-and-more/",
@@ -2941,7 +2943,9 @@
 "https://www.bleepingcomputer.com/news/security/new-fox-ransomware-matrix-variant-tries-its-best-to-close-all-file-handles/",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/",
 "https://twitter.com/demonslay335/status/1049314118409306112",
- "https://twitter.com/demonslay335/status/1050118985210048512"
+ "https://twitter.com/demonslay335/status/1050118985210048512",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/",
+ "https://twitter.com/demonslay335/status/1039907030570598400"
 ],
 "synonyms": [
 "Malta Ransomware",
@@ -3282,7 +3286,8 @@
 ".bip",
 ".id-BCBEF350.[Beamsell@qq.com].bip",
 ".boost",
- ".[Darknes@420blaze.it].waifu"
+ ".[Darknes@420blaze.it].waifu",
+ ".brrr"
 ],
 "ransomnotes": [
 "README.txt",
@@ -3294,7 +3299,11 @@ "all your data has been locked us\nYou want to return?\nwrite email paymentbtc@firemail.cc", "All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc\nWrite this ID in the title of your message ACBFF130\nIn case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.\nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)\nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.\nhttps://localbitcoins.com/buy_bitcoins\nAlso you can find other places to buy Bitcoins and beginners guide here:\nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/\nAttention!\nDo not rename encrypted files.\nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.", "all your data has been locked us\nYou want to return?\nwrite email Beamsell@qq.com", - "All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\nWrite this ID in the title of your message BCBEF350\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\nYou have to pay for decryption in Bitcoins. 
The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. \nhttps://localbitcoins.com/buy_bitcoins \nAlso you can find other places to buy Bitcoins and beginners guide here: \nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \nAttention!\nDo not rename encrypted files. \nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam." + "All your files have been encrypted!\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com\nWrite this ID in the title of your message BCBEF350\nIn case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. \nFree decryption as guarantee\nBefore paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) \nHow to obtain Bitcoins\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. 
\nhttps://localbitcoins.com/buy_bitcoins \nAlso you can find other places to buy Bitcoins and beginners guide here: \nhttp://www.coindesk.com/information/how-can-i-buy-bitcoins/ \nAttention!\nDo not rename encrypted files. \nDo not try to decrypt your data using third party software, it may cause permanent data loss.\nDecryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.", + "Info.hta", + "FILES ENCRYPTED.txt", + "https://pbs.twimg.com/media/Dmof_FiXsAAAvTN.jpg", + "https://pbs.twimg.com/media/Dmof_FyXsAEJmgQ.jpg" ], "refs": [ "https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html", @@ -3302,7 +3311,9 @@ "https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/", "https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/", - "https://twitter.com/demonslay335/status/1049313390097813504" + "https://twitter.com/demonslay335/status/1049313390097813504", + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/", + "https://twitter.com/JakubKroustek/status/1038680437508501504" ] }, "uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b", 
@@ -9991,17 +10002,22 @@ ".fastrecovery@airmail.cc", ".files-xmail@cock.li.TXT", ".leen", - ".qweuirtksd" + ".qweuirtksd", + ".mammon", + ".omerta", + ".bomber" ], "ransomnotes": [ "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT", "HOW TO RECOVER ENCRYPTED FILES-fastrecovery@airmail.cc.TXT", + "HOW TO RECOVER ENCRYPTED FILES.TXT", "Attention: if you do not have money then you do not need to write to us!\nThe file is encrypted with the RSA-2048 algorithm, only we can decrypt the file.\n====================================================================================================\n fastrecovery@airmail.cc\n====================================================================================================\nYour files are encrypted!\nYour personal identifier:\n[redacted hex]\n====================================================================================================\nTo decrypt files, please contact us by email:\nfastrecovery@airmail.cc\n====================================================================================================\nThe file is encrypted with the RSA-2048 algorithm, only we can decrypt the file.\nAttention: if you do not have money then you do not need to write to us!", "INSTRUCTIONS FOR RESTORING FILES.TXT", "Your files are now encrypted!\n\nYour personal identifier:\n[redacted hex]\n\nAll your files have been encrypted due to a security problem with your PC.\n\nNow you should send us email with your personal identifier.\nThis email will be as confirmation you are ready to pay for decryption key.\nYou have to pay for decryption in Bitcoins. 
The price depends on how fast you write to us.\nAfter payment we will send you the decryption tool that will decrypt all your files.\n\nContact us using this email address: mr.leen@protonmail.com\n\nFree decryption as guarantee!\nBefore paying you can send us up to 3 files for free decryption.\nThe total size of files must be less than 10Mb (non archived), and files should not contain\nvaluable information (databases, backups, large excel sheets, etc.).\n\nHow to obtain Bitcoins?\n * The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click\n 'Buy bitcoins', and select the seller by payment method and price:\n https://localbitcoins.com/buy_bitcoins\n * Also you can find other places to buy Bitcoins and beginners guide here:\n http://www.coindesk.com/information/how-can-i-buy-bitcoins\n\nAttention! \n * Do not rename encrypted files.\n * Do not try to decrypt your data using third party software, it may cause permanent data loss.\n * Decryption of your files with the help of third parties may cause increased price\n (they add their fee to our) or you can become a victim of a scam.", "!!!ReadMeToDecrypt.txt", "Attention, all your files are encrypted with the AES cbc-128 algorithm!\n\n It's not a virus like WannaCry and others, I hacked your computer,\nThe encryption key and bitcoin wallet are unique to your computer,\nso you are guaranteed to be able to return your files.\n \nBut before you pay, you can make sure that I can really decrypt any of your files.\n\n To do this, send me several encrypted files to kathi.bell.1997@outlook.com, a maximum of 5 megabytes each, I will decrypt them\nand I will send you back. No more than 5 files. 
Do not forget to send in the letter bitcoin address 1Ne5yGtfycobLgXZn5WSN5jmGbVRyTUf48 from this file.\n \nAfter that, pay the decryption in the amount of 500$ to the bitcoin address: 1Ne5yGtfycobLgXZn5WSN5jmGbVRyTUf48\nAfter payment, send me a letter to kathi.bell.1997@outlook.com with payment notification.\nOnce payment is confirmed, I will send you a decryption program.\n \nYou can pay bitcoins online in many ways:\nhttps://buy.blockexplorer.com/ - payment by bank card\nhttps://www.buybitcoinworldwide.com/\nhttps://localbitcoins.net\n \nAbout Bitcoins:\nhttps://en.wikipedia.org/wiki/Bitcoin\n\n If you have any questions, write to me at kathi.bell.1997@outlook.com\n\n As a bonus, I will tell you how hacked your computer is and how to protect it in the future.", - "Attention, all your files are encrypted with the AES cbc-128 algorithm!\n \nIt's not a virus like WannaCry and others, I hacked your computer,\nThe encryption key and bitcoin wallet are unique to your computer,\nso you are guaranteed to be able to return your files.\n \nBut before you pay, you can make sure that I can really decrypt any of your files.\n \nTo do this, send me several encrypted files to cyrill.fedor0v@yandex.com, a maximum of 5 megabytes each, I will decrypt them\nand I will send you back. No more than 5 files. 
Do not forget to send in the letter bitcoin address 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u from this file.\n \nAfter that, pay the decryption in the amount of 500$ to the bitcoin address: 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u\nAfter payment, send me a letter to cyrill.fedor0v@yandex.com with payment notification.\nOnce payment is confirmed, I will send you a decryption program.\n \nYou can pay bitcoins online in many ways:\nhttps://buy.blockexplorer.com/ - payment by bank card\nhttps://www.buybitcoinworldwide.com/\nhttps://localbitcoins.net\n \nAbout Bitcoins:\nhttps://en.wikipedia.org/wiki/Bitcoin\n\n If you have any questions, write to me at cyrill.fedor0v@yandex.com\n \nAs a bonus, I will tell you how hacked your computer is and how to protect it in the future." + "Attention, all your files are encrypted with the AES cbc-128 algorithm!\n \nIt's not a virus like WannaCry and others, I hacked your computer,\nThe encryption key and bitcoin wallet are unique to your computer,\nso you are guaranteed to be able to return your files.\n \nBut before you pay, you can make sure that I can really decrypt any of your files.\n \nTo do this, send me several encrypted files to cyrill.fedor0v@yandex.com, a maximum of 5 megabytes each, I will decrypt them\nand I will send you back. No more than 5 files. 
Do not forget to send in the letter bitcoin address 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u from this file.\n \nAfter that, pay the decryption in the amount of 500$ to the bitcoin address: 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u\nAfter payment, send me a letter to cyrill.fedor0v@yandex.com with payment notification.\nOnce payment is confirmed, I will send you a decryption program.\n \nYou can pay bitcoins online in many ways:\nhttps://buy.blockexplorer.com/ - payment by bank card\nhttps://www.buybitcoinworldwide.com/\nhttps://localbitcoins.net\n \nAbout Bitcoins:\nhttps://en.wikipedia.org/wiki/Bitcoin\n\n If you have any questions, write to me at cyrill.fedor0v@yandex.com\n \nAs a bonus, I will tell you how hacked your computer is and how to protect it in the future.", + "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/september/14/Scarab-ransomware.jpg" ], "refs": [ "https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/", @@ -10013,7 +10029,8 @@ "https://twitter.com/demonslay335/status/1006908267862396928", "https://twitter.com/demonslay335/status/1007694117449682945", "https://twitter.com/demonslay335/status/1049316344183836672", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/" + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/", + "https://twitter.com/Amigo_A_/status/1039105453735784448" ] }, "uuid": "cf8fbd03-4510-41cc-bec3-712fa7609aa4", 
@@ -11114,6 +11131,9 @@
 {
 "description": "The Kraken Cryptor Ransomware is a newer ransomware that was released in August 2018. A new version, called Kraken Cryptor 1.5, was recently released that is masquerading as the legitimate SuperAntiSpyware anti-malware program in order to trick users into installing it. ",
 "meta": {
+ "ransomnotes": [
+ "https://www.bleepstatic.com/images/news/security/f/fallout-exploit-kit/savefiles/ransom-note-red.jpg"
+ ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/fallout-exploit-kit-now-installing-the-kraken-cryptor-ransomware/",
 "https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/"
@@ -11222,7 +11242,53 @@
 },
 "uuid": "f251740b-1594-460a-a378-371f3a2ae92c",
 "value": "garrantydecrypt"
+ },
+ {
+ "description": "Siri discovered a new ransomware that is appending the .mvp extension to encrypted files.",
+ "meta": {
+ "extensions": [
+ ".mvp"
+ ],
+ "ransomnotes": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/september/14/mvp.jpg"
+ ],
+ "refs": [
+ "https://twitter.com/siri_urz/status/1039077365039673344",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/"
+ ]
+ },
+ "uuid": "ea643bfd-613e-44d7-9408-4991d53e08fa",
+ "value": "MVP Ransomware"
+ },
+ {
+ "description": "Michael Gillespie noticed numerous submissions to ID Ransomware from South Korea for the StorageCrypter ransomware. This version is using a new ransom note named read_me_for_recover_your_files.txt.",
+ "meta": {
+ "ransomnotes": [
+ "read_me_for_recover_your_files.txt",
+ "All your important files on this device have been encrypted.\n\nNo one can decrypt your files except us.\n\nIf you want to recover all your files. contact us via E-mail.\nDON'T forget to send us your ID!!!\n\nTo recover your files,You have to pay 0.8 bitcoin.\n\n\n\n\nContact Email : Leviathan13@protonmail.com\n\nYour ID :\n\n[redacted 0x200 bytes in base64 form]\n\n\nFree decryption as guarantee\n\nIf you can afford the specified amount of bitcoin,\nyou can send to us up to 2 files for demonstration.\n\nPlease note that files must NOT contain valuable information\nand their total size must be less than 2Mb."
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/",
+ ""
+ ]
+ },
+ "uuid": "3675e50d-3f76-45f8-b3f3-4a645779e14d",
+ "value": "StorageCrypter"
+ },
+ {
+ "description": "GrujaRS discovered a new ransomware called Rektware that appends the .CQScSFy extension",
+ "meta": {
+ "extensions": [
+ ".CQScSFy"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/",
+ "https://twitter.com/GrujaRS/status/1040677247735279616"
+ ]
+ },
+ "uuid": "e90a57b5-cd17-4dce-b83f-d007053c7b35",
+ "value": "Rektware"
 }
 ],
- "version": 41
+ "version": 42
 }
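Review bot: The StorageCrypter entry's `refs` array carries an empty string `""` as its second element, which is not a reference and leaves consumers of the galaxy with a source that cannot be followed; drop that line or replace it with the intended URL (`"[SOURCE URL — placeholder, fill in]"`). On the same hunk the Rektware description, `"GrujaRS discovered a new ransomware called Rektware that appends the .CQScSFy extension"`, lacks a terminating period, unlike the MVP Ransomware and StorageCrypter descriptions beside it. The hunk begins on the previous line (the garrantydecrypt entry's closing lines).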