From 5a725e71ef612a54f140d7f1865d74953241d358 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 6 Dec 2018 16:13:51 +0100
Subject: [PATCH 1/3] add several clusters
---
 clusters/ransomware.json | 63 +++++++++++++++++++++++++++++++++++---
 clusters/threat-actor.json | 4 ++-
 clusters/tool.json | 12 +++++++-
 3 files changed, 73 insertions(+), 6 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index d185cf0..b6f70d2 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -3292,7 +3292,10 @@
 ".tron",
 ".AUDIT",
 ".cccmn",
- ".fire"
+ ".fire",
+ ".myjob",
+ ".[cyberwars@qq.com].war",
+ ".risk"
 ],
 "ransomnotes": [
 "README.txt",
@@ -10015,7 +10018,9 @@
 ".mammon",
 ".omerta",
 ".bomber",
- ".CRYPTO"
+ ".CRYPTO",
+ ".lolita",
+ ".stevenseagal@airmail.cc"
 ],
 "ransomnotes": [
 "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",
@@ -10027,7 +10032,9 @@
 "!!!ReadMeToDecrypt.txt",
 "Attention, all your files are encrypted with the AES cbc-128 algorithm!\n \nIt's not a virus like WannaCry and others, I hacked your computer,\nThe encryption key and bitcoin wallet are unique to your computer,\nso you are guaranteed to be able to return your files.\n \nBut before you pay, you can make sure that I can really decrypt any of your files.\n \nTo do this, send me several encrypted files to cyrill.fedor0v@yandex.com, a maximum of 5 megabytes each, I will decrypt them\nand I will send you back. No more than 5 files. Do not forget to send in the letter bitcoin address 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u from this file.\n \nAfter that, pay the decryption in the amount of 500$ to the bitcoin address: 1BhHZxek7iUTm1mdrgax6yVrPzViqLhr9u\nAfter payment, send me a letter to cyrill.fedor0v@yandex.com with payment notification.\nOnce payment is confirmed, I will send you a decryption program.\n \nYou can pay bitcoins online in many ways:\nhttps://buy.blockexplorer.com/ - payment by bank card\nhttps://www.buybitcoinworldwide.com/\nhttps://localbitcoins.net\n \nAbout Bitcoins:\nhttps://en.wikipedia.org/wiki/Bitcoin\n\n If you have any questions, write to me at cyrill.fedor0v@yandex.com\n \nAs a bonus, I will tell you how hacked your computer is and how to protect it in the future.",
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/september/14/Scarab-ransomware.jpg",
- "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsnFZrGX4AE2H1c[1].jpg"
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/23/DsnFZrGX4AE2H1c[1].jpg",
+ "_How to restore files.TXT",
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/30/Ds8PMFpW0AIcYuJ[1].jpg"
 ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/",
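Review bot: The new `"_How to restore files.TXT"` entry is dropped between two screenshot URLs in `ransomnotes`, so the array now alternates note filenames, full note text and image links with nothing marking which is which. Since the array already mixes kinds, I would at least keep the filename next to the existing `"!!!ReadMeToDecrypt.txt"` entry at the top and append the new bleepstatic image URL after the other image links, so a consumer scanning for filenames can stop at the first URL. Separating filenames from screenshot references properly is a schema change for the whole file and out of scope here, but worth noting.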
@@ -11448,7 +11455,55 @@
 },
 "uuid": "7f82fb04-1bd2-40a1-9baa-895b53c6f7d4",
 "value": "DeLpHiMoRix"
+ },
+ {
+ "description": "@GrujaRS discovered a new in-dev ransomware called EnyBeny Nuclear Ransomware that meant to append the extension .PERSONAL_ID:.Nuclear to encrypted files, but failed due to a bug.",
+ "meta": {
+ "extensions": [
+ ".PERSONAL_ID:.Nuclear"
+ ],
+ "ransomnotes": [
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/november/30/Ds4IYbfWsAECNuJ[1].jpg",
+ "https://pbs.twimg.com/media/Ds4IKL3X4AIHKrj.jpg",
+ "https://pbs.twimg.com/media/Ds4IYbfWsAECNuJ.jpg"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-30th-2018-indictments-sanctions-and-more/",
+ "https://twitter.com/GrujaRS/status/1066799421080461312",
+ "https://www.youtube.com/watch?v=_aaFon7FVbc"
+ ]
+ },
+ "uuid": "950d5501-b5eb-4f53-b33d-76e789912c16",
+ "value": "EnyBeny Nuclear Ransomware"
+ },
+ {
+ "description": "Michael Gillespie discovered a new ransomware that renamed encrypted files to \"[[email]][original].[random].lucky\" and drops a ransom note named _How_To_Decrypt_My_File_.txt.",
+ "meta": {
+ "extensions": [
+ "[]..lucky"
+ ],
+ "ransomnotes": [
+ "_How_To_Decrypt_My_File_.txt",
+ "I am sorry to tell you.\nSome files has crypted\nif you want your files back , send 1 bitcoin to my wallet\nmy wallet address : 3HCBsZ6QQTnSsthbmVtYE4XSZtism4j7qd\nIf you have any questions, please contact us.\n\nEmail:[nmare@cock.li]"
+ ],
+ "refs": [
+ "https://twitter.com/demonslay335/status/1067109661076262913",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-30th-2018-indictments-sanctions-and-more/"
+ ]
+ },
+ "uuid": "a8eb9743-dfb6-4e13-a95e-e68153df94e9",
+ "value": "Lucky Ransomware"
+ },
+ {
+ "description": "Over 100,000 thousand computers in China have been infected in just a few days with poorly-written ransomware that encrypts local files and steals credentials for multiple Chinese online services. The crooks show a screen titled UNNAMED1989 and demand the victim a ransom of 110 yuan ($16) in exchange for decrypting the files, payable via Tencent's WeChat payment service by scanning a QR code.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/ransomware-infects-100k-pcs-in-china-demands-wechat-payment/"
+ ]
+ },
+ "uuid": "b2aa807d-98fa-48e4-927b-4e81a50736e5",
+ "value": "WeChat Ransom"
 }
 ],
- "version": 44
+ "version": 45
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 33489c7..1c00c97 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -563,7 +563,9 @@
 "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf"
 ],
 "synonyms": [
- "Operation Tropic Trooper"
+ "Operation Tropic Trooper",
+ "Operation TropicTrooper",
+ "TropicTrooper"
 ]
 },
 "uuid": "4fd409a9-db86-46a5-bdf2-b6c8ee397a89",
diff --git a/clusters/tool.json b/clusters/tool.json
index 89463f0..afc3b36 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
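Review bot: The Lucky Ransomware `extensions` entry `"[]..lucky"` is a mangled template, not an extension — the description directly above says files are renamed to `[[email]][original].[random].lucky`, so the bracketed placeholders were stripped and the literal `[]..lucky` will never match a real filename; it should read `".lucky"`, with the full rename pattern left in the description. The WeChat Ransom description says `Over 100,000 thousand computers`, which reads as 100 million while the ref slug says 100k, so drop `thousand`. The EnyBeny entry lists `.PERSONAL_ID:.Nuclear` under `extensions` even though its own description says the sample failed to append it, so anyone matching on that field should be told the value was never observed on disk — a clause such as `(intended extension, not applied in the observed sample)` in the description, or leaving `extensions` empty, would avoid a false indicator.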
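Review bot: threat-actor.json gains three synonym lines for Tropic Trooper here but its `version` is not bumped in this patch — the diffstat (`4 ++-`) accounts for exactly these three insertions and one deletion — whereas ransomware.json (44→45) and tool.json (103→104) are bumped in the same commit. Consumers that decide whether to re-import a galaxy by comparing `version` will presumably keep the old synonym list, so the bump should go in alongside the change. The two added values are spelling variants of the existing `"Operation Tropic Trooper"` rather than new aliases, which is fine for matching purposes.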
@@ -7433,7 +7433,17 @@
 },
 "uuid": "43dec915-2511-4275-8007-685402ffab08",
 "value": "Rotexy"
+ },
+ {
+ "description": "A recently discovered cryptomining operation forces access to Windows servers to use their CPU cycles for mining Monero coins. Detected six months ago, the activity went through multiple stages of evolution.\nSince it was spotted in mid-June, the malware received two updates and the number of attacks keeps increasing.\nThe researchers at CheckPoint analyzed the new threat and gave it the name KingMiner. They found that it targets Microsoft IIS and SQL Servers in particular and runs a brute-force attack to gain access. Once in, the malware determines the CPU architecture and checks for older versions of itself to remove them.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/new-kingminer-threat-shows-cryptominer-evolution/"
+ ]
+ },
+ "uuid": "a9467439-48d8-4f68-9519-560bb6430f0c",
+ "value": "KingMiner"
 }
 ],
- "version": 103
+ "version": 104
 }
From 79828d7411be9c001512b36c7de7bad971b9aad8 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 7 Dec 2018 13:25:56 +0100
Subject: [PATCH 2/3] add clusters
---
 clusters/ransomware.json | 6 +++++-
 clusters/threat-actor.json | 10 ++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index b6f70d2..e270bc8 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
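Review bot: The KingMiner description keeps the source article's relative dating — `Detected six months ago` and `Since it was spotted in mid-June` — which loses its meaning in a dataset that outlives the article; anchor it to a date, e.g. `Detected in mid-June 2018, the activity went through multiple stages of evolution.` (this commit is dated 6 Dec 2018, so six months back is mid-2018, but confirm against the ref). The text also says CheckPoint named the threat, so if the ref gives an alternate name it belongs in `meta.synonyms` rather than only in prose, which is what makes the entry matchable.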
@@ -11498,7 +11498,11 @@
 "description": "Over 100,000 thousand computers in China have been infected in just a few days with poorly-written ransomware that encrypts local files and steals credentials for multiple Chinese online services. The crooks show a screen titled UNNAMED1989 and demand the victim a ransom of 110 yuan ($16) in exchange for decrypting the files, payable via Tencent's WeChat payment service by scanning a QR code.",
 "meta": {
 "refs": [
- "https://www.bleepingcomputer.com/news/security/ransomware-infects-100k-pcs-in-china-demands-wechat-payment/"
+ "https://www.bleepingcomputer.com/news/security/ransomware-infects-100k-pcs-in-china-demands-wechat-payment/",
+ "https://www.bleepingcomputer.com/news/security/chinese-police-arrest-dev-behind-unnamed1989-wechat-ransomware/"
+ ],
+ "synonyms": [
+ "UNNAMED1989"
 ]
 },
 "uuid": "b2aa807d-98fa-48e4-927b-4e81a50736e5",
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1c00c97..c78bdfc 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6040,6 +6040,16 @@
 },
 "uuid": "608a903a-8145-4fd1-84bc-235e278480bf",
 "value": "DNSpionage"
+ },
+ {
+ "description": "Dubbed DarkVishnya, the attacks targeted at least eight banks using readily-available gear such as netbooks or inexpensive laptops, Raspberry Pi mini-computers, or a Bash Bunny - a USB-sized piece hardware for penetration testing purposes that can pose as a keyboard, flash storage, network adapter, or as any serial device.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/netbooks-rpis-and-bash-bunny-gear-attacking-banks-from-the-inside/"
+ ]
+ },
+ "uuid": "db7fd7dd-28f7-4e8d-a807-8405e4b0f4e2",
+ "value": "DarkVishnya"
 }
 ],
 "version": 82
From bf77e1125a74cf9a68ac461ff285bf9b43d78859 Mon Sep 17 00:00:00 2001
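Review bot: This patch adds a ref and the `UNNAMED1989` synonym to the WeChat Ransom entry without bumping ransomware.json's `version`, which PATCH 1/3 had just moved to 45; the diffstat (`6 +++++-`) accounts for exactly the five insertions and one deletion visible in this hunk, so no bump is present. Consumers that sync on `version` will presumably not pick up the new synonym until an unrelated change bumps it. The new ref's slug says the developer was arrested, which is a status change worth one sentence in the description (e.g. `The developer was reportedly arrested by Chinese police in December 2018.`, wording to be confirmed against the ref), and the `100,000 thousand` typo in the unchanged description line could be fixed in passing.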
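Review bot: `"version": 82` is visible as an unchanged context line at the end of this hunk, so the DarkVishnya cluster is added to threat-actor.json without a version bump; bump it so version-based syncs actually pick the entry up. The description is an excerpt that lists the hardware used but never says what DarkVishnya is; the ref slug (`attacking-banks-from-the-inside`) together with the Raspberry Pi / Bash Bunny list suggests devices placed on the banks' internal networks, so a leading sentence such as `DarkVishnya is a series of attacks on banks carried out with devices planted on the targets' internal networks.` — wording confirmed against the ref — would make the entry self-contained.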
From: Deborah Servili
Date: Fri, 7 Dec 2018 16:32:09 +0100
Subject: [PATCH 3/3] add Operation Poison Needles
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c78bdfc..bd39186 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6050,6 +6050,16 @@
 },
 "uuid": "db7fd7dd-28f7-4e8d-a807-8405e4b0f4e2",
 "value": "DarkVishnya"
+ },
+ {
+ "description": "What’s noteworthy is that according to the introduction on the compromised website of the polyclinic (http://www.p2f.ru), the institution was established in 1965 and it was founded by the Presidential Administration of Russia. The multidisciplinary outpatient institution mainly serves the civil servants of the highest executive, legislative, judicial authorities of the Russian Federation, as well as famous figures of science and art.\nSince it is the first detection of this APT attack by 360 Security on a global scale, we code-named it as “Operation Poison Needles”, considering that the target was a medical institution. Currently, the attribution of the attacker is still under investigation. However, the special background of the polyclinic and the sensitiveness of the group it served both indicate the attack is highly targeted. Simultaneously, the attack occurred at a very sensitive timing of the Kerch Strait Incident, so it also aroused the assumption on the political attribution of the attack.",
+ "meta": {
+ "refs": [
+ "http://blogs.360.cn/post/PoisonNeedles_CVE-2018-15982_EN"
+ ]
+ },
+ "uuid": "08ff3cb6-c292-4360-a978-6f05775881ed",
+ "value": "Operation Poison Needles"
 }
 ],
 "version": 82
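Review bot: The Operation Poison Needles description starts mid-excerpt (`What’s noteworthy is that …`) and never states what the operation is or how the target was compromised; the only hint is the ref URL, which names `CVE-2018-15982`. A leading sentence such as `Operation Poison Needles is a targeted attack against a Russian state polyclinic, reported by 360 Security in December 2018, that exploited CVE-2018-15982.` — with the CVE and its role confirmed against the ref, which is the only source given — would make the cluster findable by the vulnerability involved. The description also embeds the compromised victim site `http://www.p2f.ru` as a bare URL; this galaxy is redistributed widely and descriptions are commonly rendered with auto-linking, so defang it (`www[.]p2f[.]ru`) or drop it, since a link to a site the text itself calls compromised is not something an analyst should click by accident. As in PATCH 2/3, `"version": 82` is unchanged context at the end of this hunk, so this third addition to threat-actor.json also ships without a version bump.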