mirror of
https://github.com/MISP/misp-galaxy.git
synced 2024-11-22 23:07:19 +00:00
commit
e6bae7165c
2 changed files with 62 additions and 2 deletions
|
@ -9713,12 +9713,42 @@
|
|||
]
|
||||
},
|
||||
"uuid": "5a53eec2-6993-11e8-a4d5-67480005dcbd"
|
||||
},
|
||||
{
|
||||
"value": "CryBrazil",
|
||||
"description": "Mostly Hidden Tear with some codes from Eda2 & seems compiled w/ Italian VS. Maybe related to OpsVenezuela?",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://twitter.com/malwrhunterteam/status/1002953824590614528",
|
||||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/"
|
||||
],
|
||||
"extensions": [
|
||||
".crybrazil"
|
||||
],
|
||||
"ransomnotes": [
|
||||
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/crybrazil.jpg"
|
||||
]
|
||||
},
|
||||
"uuid": "30625df6-6e3e-11e8-b0cf-a7103cb03e05"
|
||||
},
|
||||
{
|
||||
"value": "Pedcont",
|
||||
"description": "new destrucrtive ransomware called Pedcont that claims to encrypt files because the victim has accessed illegal content on the deep web. The screen then goes blank and becomes unresponsive.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/ "
|
||||
],
|
||||
"ransomnotes": [
|
||||
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/De00yEDVQAE_p9z[1].jpg"
|
||||
]
|
||||
},
|
||||
"uuid": "b0e074fc-6e45-11e8-8366-dbfc88552a23 "
|
||||
}
|
||||
],
|
||||
"source": "Various",
|
||||
"uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
|
||||
"name": "Ransomware",
|
||||
"version": 22,
|
||||
"version": 23,
|
||||
"type": "ransomware",
|
||||
"description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
|
||||
}
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
|
||||
"name": "Tool",
|
||||
"source": "MISP Project",
|
||||
"version": 73,
|
||||
"version": 74,
|
||||
"values": [
|
||||
{
|
||||
"meta": {
|
||||
|
@ -4282,6 +4282,36 @@
|
|||
"https://www.bleepingcomputer.com/news/security/lol-babayaga-wordpress-malware-updates-your-site/"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"uuid": "10f50ef8-6e3b-11e8-a648-d73fb4d2f48e",
|
||||
"value": "InvisiMole",
|
||||
"description": "Except for the malware's binary file, very little is known of who's behind it, how it spreads, or in what types of campaigns has this been used.\n\n\"Our telemetry indicates that the malicious actors behind this malware have been active at least since 2013, yet the cyber-espionage tool was never analyzed nor detected until discovered by ESET products on compromised computers in Ukraine and Russia,\" said ESET researcher Zuzana Hromcová, who recently penned an in-depth report about this new threat.\n\n\"All infection vectors are possible, including installation facilitated by physical access to the machine,\" Hromcová added.\n\nTypical to malware used in highly-targeted attacks, the malware has been stripped of most clues that could lead researchers back to its author. With the exception of one file (dating to October 13, 2013), all compilation dates have been stripped and replaced with zeros, giving little clues regarding its timeline and lifespan.\n\nFurthermore, the malware is some clever piece of coding in itself, as it's comprised of two modules, both with their own set of spying features, but which can also help each other in exfiltrating data.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://www.bleepingcomputer.com/news/security/invisimole-is-a-complex-spyware-that-can-take-pictures-and-record-audio/"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"uuid": "f35f219a-6eed-11e8-980a-93bb96299951",
|
||||
"value": "Roaming Mantis",
|
||||
"description": "Roaming Mantis malware is designed for distribution through a simple, but very efficient trick based on a technique known as DNS hijacking. When a user attempts to access any website via a compromised router, they will be redirected to a malicious website. For example, if a user were to navigate to www.securelist.com using a web browser, the browser would be redirected to a rogue server which has nothing to do with the security research blog. As long as the browser displays the original URL, users are likely to believe the website is genuine. The web page from the rogue server displays the popup message: To better experience the browsing, update to the latest chrome version.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"uuid": "7cda6406-6eef-11e8-a2ad-9340096d5711",
|
||||
"value": "PLEAD Downloader",
|
||||
"description": "PLEAD is referred to both as a name of malware including TSCookie and its attack campaign. PLEAD has two kinds – RAT (Remote Access Tool) and downloader. The RAT operates based on commands that are provided from C&C servers. On the other hand, PLEAD downloader downloads modules and runs it on memory in the same way as TSCookie does.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"authors": [
|
||||
|
|
Loading…
Reference in a new issue