From c17a2aa7cc812a04ce66f7ea0a42c7538518782a Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 13 Jun 2018 10:39:11 +0200
Subject: [PATCH 1/3] add some clusters
---
 clusters/ransomware.json | 30 ++++++++++++++++++++++++++++++
 clusters/tool.json | 10 ++++++++++
 2 files changed, 40 insertions(+)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index f4e1b1c..c1737b6 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -9713,6 +9713,36 @@
 ]
 },
 "uuid": "5a53eec2-6993-11e8-a4d5-67480005dcbd"
+ },
+ {
+ "value": "CryBrazil",
+ "description": "Mostly Hidden Tear with some codes from Eda2 & seems compiled w/ Italian VS. Maybe related to OpsVenezuela?",
+ "meta": {
+ "refs": [
+ "https://twitter.com/malwrhunterteam/status/1002953824590614528",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/"
+ ],
+ "extensions": [
+ ".crybrazil"
+ ],
+ "ransomnotes": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/crybrazil.jpg"
+ ]
+ },
+ "uuid": "30625df6-6e3e-11e8-b0cf-a7103cb03e05"
+ },
+ {
+ "value": "Pedcont",
+ "description": "new destrucrtive ransomware called Pedcont that claims to encrypt files because the victim has accessed illegal content on the deep web. The screen then goes blank and becomes unresponsive.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/ "
+ ],
+ "ransomnotes": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/june/8/De00yEDVQAE_p9z[1].jpg"
+ ]
+ },
+ "uuid": "b0e074fc-6e45-11e8-8366-dbfc88552a23 "
 }
 ],
 "source": "Various",
diff --git a/clusters/tool.json b/clusters/tool.json
index 039b36c..64d2a4f 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
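Review bot: The Pedcont entry's `uuid` and its `refs` URL both carry a trailing space — `"b0e074fc-6e45-11e8-8366-dbfc88552a23 "` and `".../magniber/ "` — so the uuid does not match the canonical 36-character UUID form that consumers key on, and the link will not resolve as written; strip both, e.g. `"uuid": "b0e074fc-6e45-11e8-8366-dbfc88552a23"`. The ransomnote filename `De00yEDVQAE_p9z[1].jpg` looks like a browser download-rename suffix rather than the name hosted on bleepstatic, so it is worth confirming that URL resolves before merge. The same description has the typo `destrucrtive` and starts lowercase; `"New destructive ransomware called Pedcont ..."` would match the CryBrazil entry above it. The enclosing `values` array starts and ends outside this hunk.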
@@ -4282,6 +4282,16 @@
 "https://www.bleepingcomputer.com/news/security/lol-babayaga-wordpress-malware-updates-your-site/"
 ]
 }
+ },
+ {
+ "uuid": "10f50ef8-6e3b-11e8-a648-d73fb4d2f48e",
+ "value": "InvisiMole",
+ "description": "Except for the malware's binary file, very little is known of who's behind it, how it spreads, or in what types of campaigns has this been used.\n\n\"Our telemetry indicates that the malicious actors behind this malware have been active at least since 2013, yet the cyber-espionage tool was never analyzed nor detected until discovered by ESET products on compromised computers in Ukraine and Russia,\" said ESET researcher Zuzana Hromcová, who recently penned an in-depth report about this new threat.\n\n\"All infection vectors are possible, including installation facilitated by physical access to the machine,\" Hromcová added.\n\nTypical to malware used in highly-targeted attacks, the malware has been stripped of most clues that could lead researchers back to its author. With the exception of one file (dating to October 13, 2013), all compilation dates have been stripped and replaced with zeros, giving little clues regarding its timeline and lifespan.\n\nFurthermore, the malware is some clever piece of coding in itself, as it's comprised of two modules, both with their own set of spying features, but which can also help each other in exfiltrating data.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/invisimole-is-a-complex-spyware-that-can-take-pictures-and-record-audio/"
+ ]
+ }
 }
 ],
 "authors": [
From cef7d02622a7da323f50b5dcfb76c29e98c46cee Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 13 Jun 2018 11:06:31 +0200
Subject: [PATCH 2/3] update version
---
 clusters/ransomware.json | 2 +-
 clusters/tool.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index c1737b6..80e617a 100644
--- a/clusters/ransomware.json
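Review bot: The InvisiMole `description` is a multi-paragraph verbatim excerpt of the cited news article, complete with attributed journalist quotes, rather than a summary of the tool; condensing it to the facts the cluster needs (two cooperating modules with spying and exfiltration capability, activity since at least 2013, compilation timestamps zeroed, victims observed in Ukraine and Russia) would read better next to the other entries. The text itself points to ESET's in-depth report as the source of the findings, but `refs` lists only the secondary write-up; adding the primary report as `"<ESET InvisiMole report URL>"` would let analysts reach the original analysis. The enclosing `values` array starts outside this hunk.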
+++ b/clusters/ransomware.json
@@ -9748,7 +9748,7 @@
 "source": "Various",
 "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
 "name": "Ransomware",
- "version": 22,
+ "version": 23,
 "type": "ransomware",
 "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index 64d2a4f..9dc8241 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -2,7 +2,7 @@
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
 "name": "Tool",
 "source": "MISP Project",
- "version": 73,
+ "version": 74,
 "values": [
 {
 "meta": {
From 4ac23483b90301bcc72799158990cf0d29155077 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 13 Jun 2018 11:54:50 +0200
Subject: [PATCH 3/3] add some tools
---
 clusters/tool.json | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/clusters/tool.json b/clusters/tool.json
index 9dc8241..5593653 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -4292,6 +4292,26 @@
 "https://www.bleepingcomputer.com/news/security/invisimole-is-a-complex-spyware-that-can-take-pictures-and-record-audio/"
 ]
 }
+ },
+ {
+ "uuid": "f35f219a-6eed-11e8-980a-93bb96299951",
+ "value": "Roaming Mantis",
+ "description": "Roaming Mantis malware is designed for distribution through a simple, but very efficient trick based on a technique known as DNS hijacking. When a user attempts to access any website via a compromised router, they will be redirected to a malicious website. For example, if a user were to navigate to www.securelist.com using a web browser, the browser would be redirected to a rogue server which has nothing to do with the security research blog. As long as the browser displays the original URL, users are likely to believe the website is genuine. The web page from the rogue server displays the popup message: To better experience the browsing, update to the latest chrome version.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/"
+ ]
+ }
+ },
+ {
+ "uuid": "7cda6406-6eef-11e8-a2ad-9340096d5711",
+ "value": "PLEAD Downloader",
+ "description": "PLEAD is referred to both as a name of malware including TSCookie and its attack campaign. PLEAD has two kinds – RAT (Remote Access Tool) and downloader. The RAT operates based on commands that are provided from C&C servers. On the other hand, PLEAD downloader downloads modules and runs it on memory in the same way as TSCookie does.",
+ "meta": {
+ "refs": [
+ "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html"
+ ]
+ }
 }
 ],
 "authors": [
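Review bot: The `PLEAD Downloader` entry's `description` describes the PLEAD family as a whole (a RAT and a downloader) while the `value` names only the downloader, so the entry's scope is ambiguous; either trim the description to the downloader behaviour (module download and in-memory execution) or name the entry `"PLEAD"` so value and description agree. The description also names TSCookie as related malware; if this cluster already tracks TSCookie, cross-referencing that entry would be more useful than the prose mention alone. In the Roaming Mantis entry the lure text is run into the sentence, `popup message: To better experience the browsing, update to the latest chrome version.`, which reads as if it were the author's own wording; wrapping it in escaped quotes `\"...\"` would mark it as the attacker-displayed string. The enclosing `values` array starts outside this hunk.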