From 31f96513b234e18e97bed8ca4f937f9cac6db322 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Fri, 11 Dec 2020 16:09:33 +0100
Subject: [PATCH 1/9] update sidewinder threat actor

---
 clusters/malpedia.json | 9 +++++++++
 clusters/threat-actor.json | 16 ++++++++++++++--
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/clusters/malpedia.json b/clusters/malpedia.json
index cd5f97a..09c02f1 100644
--- a/clusters/malpedia.json
+++ b/clusters/malpedia.json
@@ -15459,6 +15459,15 @@
 "synonyms": [],
 "type": []
 },
+ "related": [
+ {
+ "dest-uuid": "c4ce1174-9462-47e9-8038-794f40a184b3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
 "uuid": "3c43bd4c-8c40-47b5-ae97-3dd0f0c0e8d8",
 "value": "SideWinder"
 },
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 610e7fe..8023ccd 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8021,12 +8021,24 @@
 "meta": {
 "refs": [
 "https://securelist.com/apt-trends-report-q1-2018/85280/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder",
+ "https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742/",
+ " https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html"
 ],
 "synonyms": [
 "RAZOR TIGER"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3c43bd4c-8c40-47b5-ae97-3dd0f0c0e8d8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
 "uuid": "c4ce1174-9462-47e9-8038-794f40a184b3",
 "value": "SideWinder"
 },
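Review bot: The fourth added ref in the SideWinder `refs` array, `" https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html"`, carries a leading space inside the string, so any consumer that dereferences or validates refs receives a malformed URL; the series only repairs it in PATCH 8/9, and the fix belongs in this commit. Drop the space so the line reads `"https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html"`. The `related` entry added here and the one added to clusters/malpedia.json in the same commit point at each other's uuids, which is consistent.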
@@ -8503,5 +8515,5 @@
 "value": "Operation Skeleton Key"
 }
 ],
- "version": 194
+ "version": 195
 }
From 7c1ac5814143e6151d92a913b3451a5d1a4437a0 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Mon, 22 Feb 2021 16:38:18 +0100
Subject: [PATCH 2/9] add TeamTNT

---
 clusters/threat-actor.json | 31 ++++++++++++++++++++++++-------
 1 file changed, 24 insertions(+), 7 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 45eb6a9..4eaa1dd 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7955,14 +7955,14 @@
 ]
 },
 "related": [
- {
- "dest-uuid": "3c43bd4c-8c40-47b5-ae97-3dd0f0c0e8d8",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
+ {
+ "dest-uuid": "3c43bd4c-8c40-47b5-ae97-3dd0f0c0e8d8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
 ],
- "type": "similar"
- }
- ],
 "uuid": "c4ce1174-9462-47e9-8038-794f40a184b3",
 "value": "SideWinder"
 },
@@ -8455,6 +8455,23 @@
 },
 "uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
 "value": "UNC2452"
+ },
+ {
+ "description": "In early Febuary, 2021 TeamTNT launched a new campaign against Docker and Kubernetes environments. Using a collection of container images that are hosted in Docker Hub, the attackers are targeting misconfigured docker daemons, Kubeflow dashboards, and Weave Scope, exploiting these environments in order to steal cloud credentials, open backdoors, mine cryptocurrency, and launch a worm that is looking for the next victim.\nThey're linked to the First Crypto-Mining Worm to Steal AWS Credentials and Hildegard Cryptojacking malware.\nTeamTNT is a relatively recent addition to a growing number of threats targeting the cloud. While they employ some of the same tactics as similar groups, TeamTNT stands out with their social media presence and penchant for self-promotion. Tweets from the TeamTNT’s account are in both English and German although it is unknown if they are located in Germany.",
+ "meta": {
+ "refs": [
+ "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt",
+ "https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment",
+ "https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool",
+ "https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials",
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html",
+ "https://cyware.com/news/hildegard-teamtnts-new-feature-rich-malware-targeting-kubernetes-6587eb45?utm_content=154419915&utm_medium=social&utm_source=twitter&hss_channel=tw-23713770"
+ ]
+ },
+ "uuid": "27de6a09-844b-4dcb-9ff9-7292aad826ba",
+ "value": "TeamTNT"
 }
 ],
 "version": 198
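Review bot: A new TeamTNT cluster is added while the trailing context leaves `"version": 198` untouched; if downstream MISP instances compare the galaxy `version` to decide whether to re-import, the new entry is not picked up until a later bump, so this probably needs a version increment like the one in PATCH 1/9. The cyware ref still carries `?utm_content=154419915&utm_medium=social&utm_source=twitter&hss_channel=tw-23713770`, which PATCH 5/9 strips; stripping the tracking parameters here avoids a second touch of the same line. The description also misspells `Febuary`. The entry otherwise follows the file's shape (description, meta.refs, uuid, value).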
From 06ae10965b26aef96935003dbaf8b30dcc052535 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Mon, 22 Feb 2021 16:39:47 +0100
Subject: [PATCH 3/9] add Covidloc and tycoon ransomware + small updates on some ransomwares

---
 clusters/ransomware.json | 41 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 38 insertions(+), 3 deletions(-)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 3af29be..d535e94 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -5799,6 +5799,7 @@
 {
 "description": "Ransomware",
 "meta": {
+ "encryption": "AES",
 "extensions": [
 ".crypt",
 "4 random characters, e.g., .PzZs, .MKJL"
@@ -6094,6 +6095,7 @@
 {
 "description": "Ransomware no extension change",
 "meta": {
+ "encryption": "RSA",
 "payment-method": "Bitcoin",
 "price": "0.9 (500$) - 1.9 (1000$) after 4 days",
 "ransomnotes-filenames": [
@@ -6486,8 +6488,9 @@
 "value": "CryptoTrooper"
 },
 {
- "description": "Ransomware",
+ "description": "Ransomware, Infection by Phishing",
 "meta": {
+ "encryption": "RSA",
 "payment-method": "Bitcoin",
 "price": "1.09 (500$)",
 "ransomnotes-filenames": [
@@ -8935,8 +8938,9 @@
 "value": "Offline ransomware"
 },
 {
- "description": "Ransomware",
+ "description": "Ransomware. Infection: drive-by-download; Platform: Windows; Extorsion by Prepaid Voucher",
 "meta": {
+ "Encryption": "RSA",
 "extensions": [
 ".LOL!",
 ".OMG!"
@@ -8946,6 +8950,9 @@
 "ransomnotes-filenames": [
 "how to get data.txt"
 ],
+ "refs": [
+ "https://arxiv.org/pdf/2102.06249.pdf"
+ ],
 "synonyms": [
 "GPCode"
 ]
@@ -9530,6 +9537,7 @@
 {
 "description": "Ransomware no extension change, Javascript Ransomware",
 "meta": {
+ "encryption": "AES",
 "payment-method": "Bitcoin",
 "price": "1",
 "refs": [
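Review bot: The hunk at `@@ -8935,8 +8938,9 @@` adds the new meta key as `"Encryption": "RSA"` while the other four hunks in this commit write it lowercase, so a consumer reading `meta.encryption` silently misses this entry; change it to `"encryption": "RSA"`. The same hunk's new description spells `Extorsion` for `Extortion`. As far as these hunks show, `encryption` is a meta key new to this galaxy; if the repository validates cluster meta keys against a schema, it has to be declared there, and documenting the accepted values (`AES`, `RSA`, and the compound `AES+RSA` used in the `@@ -11209` hunk further down) keeps the field filterable instead of free text.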
@@ -11209,6 +11217,7 @@
 {
 "description": "On October 24, 2017, Cisco Talos was alerted to a widescale ransomware campaign affecting organizations across eastern Europe and Russia. As was the case in previous situations, we quickly mobilized to assess the situation and ensure that customers remain protected from this and other threats as they emerge across the threat landscape. There have been several large scale ransomware campaigns over the last several months. This appears to have some similarities to Nyetya in that it is also based on Petya ransomware. Major portions of the code appear to have been rewritten. The distribution does not appear to have the sophistication of the supply chain attacks we have seen recently.",
 "meta": {
+ "encryption": "AES+RSA",
 "payment-method": "Bitcoin",
 "price": "0.05 (300 $)",
 "ransomnotes": [
@@ -14025,7 +14034,33 @@
 },
 "uuid": "dff71334-c173-45b6-8647-af66be0605d7",
 "value": "RansomEXX"
+ },
+ {
+ "description": "Mobile ransomware. The Zscaler ThreatLabZ team recently came across a URL named hxxp://coronavirusapp[.]site/mobile.html, which portrays itself as a download site for an Android app that tracks the coronavirus spread across the globe. In reality, the app is Android ransomware, which locks out the victim and asks for ransom to unlock the device.\nThe app portrays itself as a Coronavirus Tracker. As soon as it starts running, it asks the user for several authorizations, including admin rights.\n In fact, this ransomware does not encrypt nor steal anything and only lock the device with an hard coded code.",
+ "meta": {
+ "ransomnotes-refs": [
+ "https://www.zscaler.com/sites/default/files/images/blogs/covid/covid_lock_screen_edited_4.png",
+ "https://www.zscaler.com/sites/default/files/images/blogs/covid/covid_pastebin_5.png"
+ ],
+ "refs": [
+ "https://www.zscaler.com/blogs/security-research/covidlock-android-ransomware-walkthrough-and-unlocking-routine"
+ ]
+ },
+ "uuid": "b5fe83e9-c5d7-4b0e-99ab-4f1d356d1749",
+ "value": "CovidLock"
+ },
+ {
+ "description": "This malware is written in Java and is named after references in the code. Tycoon has been in the wild since December 2019 and has targeted organizations in the education, SMBs, and software industries.\nTycoon is a multi-platform Java ransomware that targets Windows and Linux systems. This ransomware denies access to the system administrator following an attack on the domain controller and file servers. 
The initial intrusion occurs through an internet-facing remote desktop protocol (RDP) jump-server.",
+ "meta": {
+ "date": "december 2019",
+ "refs": [
+ "https://cyberflorida.org/threat-advisory/tycoon-ransomware/",
+ "https://usf.app.box.com/s/83xh0t5w99klrsoisorir7kgs14o972s"
+ ]
+ },
+ "uuid": "39781a7a-cd3a-4e24-aeb8-94a767a2551b",
+ "value": "Tycoon"
 }
 ],
- "version": 91
+ "version": 92
 }
From eb07fab69f4ada87f1824fd2809f932ce6f1cc8e Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Tue, 23 Feb 2021 16:21:07 +0100
Subject: [PATCH 4/9] add Ragnar Locker and update accordingly

---
 clusters/mitre-malware.json | 7 +++++++
 clusters/ransomware.json | 23 ++++++++++++++++++++++-
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/clusters/mitre-malware.json b/clusters/mitre-malware.json
index f293b6a..3d91a81 100644
--- a/clusters/mitre-malware.json
+++ b/clusters/mitre-malware.json
@@ -2564,6 +2564,13 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "e69f9836-873a-43d3-92a8-97ab783a4171",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
 }
 ],
 "uuid": "54895630-efd2-4608-9c24-319de972a9eb",
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index d535e94..b5786b0 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
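Review bot: In the new Tycoon entry the `description` string appears to break after `file servers. ` and resume with `The initial intrusion ...` on the next line; the hunk header counts it as a single diff line, so this is probably a rendering artifact or a non-ASCII line separator rather than a raw newline, but a raw newline inside a JSON string would make clusters/ransomware.json unparseable, so it is worth confirming with the repository's jq validation before merge. `"date": "december 2019"` is free text; if other clusters in this galaxy carry a `date` meta key, match their format (none is visible here). The CovidLock description has a stray space after the escape in `\n In fact`; the defanged `hxxp://coronavirusapp[.]site/mobile.html` is fine to keep as written.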
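Review bot: The `related` entry added to the MITRE Ragnar Locker cluster is a hand edit inside clusters/mitre-malware.json; if that file is regenerated from the ATT&CK STIX bundle by the repository's import tooling, this relation is lost on the next regeneration unless the generator merges pre-existing `related` entries, which is worth confirming before relying on it. The reverse link (dest-uuid `54895630-efd2-4608-9c24-319de972a9eb` on the new ransomware.json entry) is added in the same commit, so the pair is consistent. The enclosing cluster object starts before the hunk.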
@@ -14060,7 +14060,28 @@
 },
 "uuid": "39781a7a-cd3a-4e24-aeb8-94a767a2551b",
 "value": "Tycoon"
+ },
+ {
+ "description": "Ragnar Locker is a ransomware identified in December 2019 that targetscorporate networks inBig Game Huntingtargeted attacks. This reportpresents recent elements regarding this ransomware.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-targets-msp-enterprise-support-tools/",
+ "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "https://www.cybersecurity-insiders.com/ransomware-attack-makes-cwt-pay-4-5-million-in-bitcoins-to-hackers/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "54895630-efd2-4608-9c24-319de972a9eb",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
+ "uuid": "e69f9836-873a-43d3-92a8-97ab783a4171",
+ "value": "Ragnar Locker"
 }
 ],
- "version": 92
+ "version": 93
 }
From d273a5da7d2c51fb79e5de6ff3911d05add96332 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Thu, 25 Feb 2021 09:52:24 +0100
Subject: [PATCH 5/9] add TeamTNT ref

---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4eaa1dd..f4b605e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
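Review bot: The new Ragnar Locker description has words fused together from a copy-paste (`targetscorporate networks inBig Game Huntingtargeted attacks. This reportpresents`), and `This report` refers to a document that is not among the three `refs`, so the second sentence is meaningless inside the cluster. Rewrite the first sentence as `Ragnar Locker is a ransomware identified in December 2019 that targets corporate networks in Big Game Hunting targeted attacks.` and either drop the second sentence or add the source report to `refs`. The `version` bump to 93 for the added cluster is consistent with PATCH 3/9.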
@@ -8467,7 +8467,8 @@
 "https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials",
 "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
 "https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html",
- "https://cyware.com/news/hildegard-teamtnts-new-feature-rich-malware-targeting-kubernetes-6587eb45?utm_content=154419915&utm_medium=social&utm_source=twitter&hss_channel=tw-23713770"
+ "https://cyware.com/news/hildegard-teamtnts-new-feature-rich-malware-targeting-kubernetes-6587eb45",
+ "https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/"
 ]
 },
 "uuid": "27de6a09-844b-4dcb-9ff9-7292aad826ba",
From 406dfdb45b789a60787c8811a88d5d5aea98a1d3 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Thu, 25 Feb 2021 09:52:52 +0100
Subject: [PATCH 6/9] add Sekhmet ransomware

---
 clusters/ransomware.json | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index b5786b0..90020a3 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -13909,12 +13909,14 @@
 "RECOVER-FILES.txt"
 ],
 "ransomnotes-refs": [
- "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2020/september/25/egregor.jpg"
+ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2020/september/25/egregor.jpg",
+ "https://2kjpox12cnap3zv36440iue7-wpengine.netdna-ssl.com/wp-content/uploads/2020/10/egregor-ransom-demanding-message.png"
 ],
 "refs": [
 "https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor",
 "https://www.bleepingcomputer.com/news/security/crytek-hit-by-egregor-ransomware-ubisoft-data-leaked/",
- "https://cybersecuritynews.com/egregor-ransomware/"
+ "https://cybersecuritynews.com/egregor-ransomware/",
+ "https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/"
 ]
 },
 "uuid": "8bd094a7-103f-465f-8640-18dcc53042e5",
@@ -14081,6 +14083,25 @@
 ],
 "uuid": "e69f9836-873a-43d3-92a8-97ab783a4171",
 "value": "Ragnar Locker"
+ },
+ {
+ "description": "Ransom.Sekhmet not only encrypts a victims files, but also threatens to publish them.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/",
+ "https://www.zdnet.com/article/as-maze-ransomware-group-retires-clients-turn-to-sekhmet-ransomware-spin-off-egregor/",
+ "https://blog.malwarebytes.com/detections/ransom-sekhmet/",
+ "https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/"
+ ]
+ },
+ "ransomnotes-filenames": [
+ "RECOVER-FILES.txt"
+ ],
+ "ransomnotes-refs": [
+ "https://blog.malwarebytes.com/wp-content/uploads/2020/11/Sekhmet_ransom_note.png"
+ ],
+ "uuid": "6fb1ea9e-5389-4932-8b22-c691b74b75a8",
+ "value": "Sekhmet"
 }
 ],
 "version": 93
From 0e23d8b95fc4cd7f79471f8e1465347f9d3a1509 Mon Sep 17 00:00:00 2001
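Review bot: In the new Sekhmet entry `ransomnotes-filenames` and `ransomnotes-refs` sit at the cluster level between `meta` and `uuid`, whereas the Egregor hunk in the same commit (`@@ -13909`) keeps `ransomnotes-refs` inside `meta`, so consumers reading `meta.ransomnotes-*` never see Sekhmet's note. PATCH 9/9 moves the two keys under `meta`; doing it in this commit keeps the series bisectable and avoids shipping a malformed entry in between. The trailing context leaves `"version": 93` unchanged although a cluster is added, unlike PATCH 3/9 and 4/9 which bump it. Minor: `a victims files` should read `a victim's files`.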
From: Delta-Sierra
Date: Thu, 25 Feb 2021 10:21:28 +0100
Subject: [PATCH 7/9] add relationships between Maze, Rgnar, Egregor and Sekhmet

---
 clusters/ransomware.json | 48 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 90020a3..f881244 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -13618,6 +13618,15 @@
 "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "e69f9836-873a-43d3-92a8-97ab783a4171",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7cea8846-1f3d-331a-3ebf-055d452351b6",
 "value": "Maze"
 },
@@ -13919,6 +13928,22 @@
 "https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "6fb1ea9e-5389-4932-8b22-c691b74b75a8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "variant-of"
+ },
+ {
+ "dest-uuid": "7cea8846-1f3d-331a-3ebf-055d452351b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "successor-of"
+ }
+ ],
 "uuid": "8bd094a7-103f-465f-8640-18dcc53042e5",
 "value": "Egregor"
 },
@@ -14079,6 +14104,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "7cea8846-1f3d-331a-3ebf-055d452351b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "related-to"
 }
 ],
 "uuid": "e69f9836-873a-43d3-92a8-97ab783a4171",
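Review bot: The relationship types added in this commit do not mirror each other: in the `@@ -13919` hunk Egregor → Sekhmet is `variant-of`, while the matching Sekhmet → Egregor entry in the `@@ -14100` hunk (next line) is `similar`; pick one reading of the Egregor/Sekhmet link and use it on both sides, since consumers that walk `related` edges will otherwise report two different relations for the same pair. Both Egregor and Sekhmet are marked `successor-of` Maze, yet the Maze hunk (`@@ -13618`) only gains a `related-to` link to Ragnar Locker and no link back to either successor, unlike the SideWinder and Ragnar pairs earlier in the series where both directions were added. Every relation to Maze uses dest-uuid `7cea8846-1f3d-331a-3ebf-055d452351b6`, which is Maze's uuid in the context of the `@@ -13618` hunk.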
@@ -14100,6 +14132,22 @@
 "ransomnotes-refs": [
 "https://blog.malwarebytes.com/wp-content/uploads/2020/11/Sekhmet_ransom_note.png"
 ],
+ "related": [
+ {
+ "dest-uuid": "8bd094a7-103f-465f-8640-18dcc53042e5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
+ {
+ "dest-uuid": "7cea8846-1f3d-331a-3ebf-055d452351b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "successor-of"
+ }
+ ],
 "uuid": "6fb1ea9e-5389-4932-8b22-c691b74b75a8",
 "value": "Sekhmet"
 }
From 7c843ac5c228405d4ca5996e305b355ca59527c1 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Thu, 11 Mar 2021 14:08:29 +0100
Subject: [PATCH 8/9] fix merge & jq

---
 clusters/ransomware.json | 1 +
 clusters/threat-actor.json | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index a137f2d..55d6e9d 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -13627,6 +13627,7 @@
 "type": "related-to"
 }
 ],
+ "uuid": "c60776a6-91dd-499b-8b4c-7940479e71fc",
 "value": "Maze"
 },
 {
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 857c60f..d3bb454 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
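Review bot: The `uuid` inserted into the Maze cluster in the `@@ -13627` hunk, `c60776a6-91dd-499b-8b4c-7940479e71fc`, is not the uuid that PATCH 7/9's `related` entries use for Maze (`7cea8846-1f3d-331a-3ebf-055d452351b6`, visible as context in that commit's `@@ -13618` hunk and as dest-uuid in the Egregor, Ragnar Locker and Sekhmet entries). Unless a second Maze cluster carrying `7cea8846-...` still exists after the merge, those three relations now dangle, and if one does exist the galaxy carries two clusters with the same `value`; confirm which uuid is canonical and either reinstate `7cea8846-1f3d-331a-3ebf-055d452351b6` here or update the three dest-uuids. The enclosing cluster object starts before the hunk.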
@@ -7953,7 +7953,11 @@
 "https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/",
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder",
 "https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742/",
- " https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html"
+ "https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html",
+ "https://s.tencent.com/research/report/659.html",
+ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/fireeye-sidewinder-targeted-attack.pdf",
+ "https://s.tencent.com/research/report/479.html",
+ "https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c"
 ],
 "synonyms": [
 "RAZOR TIGER",
From eff327b4fde6fcb1661ae35062cbd5cb30d8f5fc Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Thu, 11 Mar 2021 14:42:55 +0100
Subject: [PATCH 9/9] fix progress

---
 clusters/ransomware.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 55d6e9d..05974c5 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -14119,6 +14119,12 @@
 {
 "description": "Ransom.Sekhmet not only encrypts a victims files, but also threatens to publish them.",
 "meta": {
+ "ransomnotes-filenames": [
+ "RECOVER-FILES.txt"
+ ],
+ "ransomnotes-refs": [
+ "https://blog.malwarebytes.com/wp-content/uploads/2020/11/Sekhmet_ransom_note.png"
+ ],
 "refs": [
 "https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/",
 "https://www.zdnet.com/article/as-maze-ransomware-group-retires-clients-turn-to-sekhmet-ransomware-spin-off-egregor/",
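Review bot: The `@@ -7953` hunk folds four unrelated new SideWinder refs (`s.tencent.com`, `fireeye.com`, `medium.com`) into a commit titled `fix merge & jq` whose actual repair is the one-character removal of the leading space from the trendmicro URL, so a reader of the history cannot tell which lines are the merge fix; the ref additions belong in their own commit or in PATCH 1/9 where the SideWinder refs were introduced. The corrected trendmicro line itself is right, and the four new URLs are well-formed. The enclosing `refs` array and cluster object start before the hunk.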
@@ -14126,12 +14132,6 @@
 "https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/"
 ]
 },
- "ransomnotes-filenames": [
- "RECOVER-FILES.txt"
- ],
- "ransomnotes-refs": [
- "https://blog.malwarebytes.com/wp-content/uploads/2020/11/Sekhmet_ransom_note.png"
- ],
 "related": [
 {
 "dest-uuid": "8bd094a7-103f-465f-8640-18dcc53042e5",