From f557f9c0c048abb5f6d76fca29d942eb183aef2f Mon Sep 17 00:00:00 2001
From: Kafeine
Date: Mon, 6 Feb 2017 19:28:06 +0000
Subject: [PATCH 1/7] +Derbit alias for Sundown
---
 clusters/exploit-kit.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index 006b21d..8ae6efd 100755
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -195,7 +195,8 @@
 "synonyms": [
 "Beps",
 "Xer",
- "Beta"
+ "Beta",
+ "Derbit"
 ],
 "status": "Active",
 "colour": "#C03701"
From 286820f19a9f5d0e018ae75516dc802a69bc4823 Mon Sep 17 00:00:00 2001
From: Kafeine
Date: Mon, 6 Feb 2017 19:29:55 +0000
Subject: [PATCH 2/7] Fix
---
 clusters/exploit-kit.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index 8ae6efd..006b21d 100755
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -195,8 +195,7 @@
 "synonyms": [
 "Beps",
 "Xer",
- "Beta",
- "Derbit"
+ "Beta"
 ],
 "status": "Active",
 "colour": "#C03701"
From a9b9b6f6e1796082b79b16f35aa26698ad9f3fd1 Mon Sep 17 00:00:00 2001
From: Kafeine
Date: Mon, 6 Feb 2017 19:31:21 +0000
Subject: [PATCH 3/7] +Pangimop, alias Microsoft for magnitude
---
 clusters/exploit-kit.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index 006b21d..6c5ed3a 100755
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -94,7 +94,8 @@
 ],
 "synonyms": [
 "Popads EK",
- "TopExp"
+ "TopExp",
+ "Pangimop"
 ],
 "status": "Active"
 }
From 73a82418dfaa5f1580588f2400228c37e738f5b3 Mon Sep 17 00:00:00 2001
From: Kafeine
Date: Thu, 2 Mar 2017 21:29:19 +0000
Subject: [PATCH 4/7] Empire status, Nebula, Blaze/Terror
---
 clusters/exploit-kit.json | 78 +++++++++++++++++++++++++--------------
 1 file changed, 51 insertions(+), 27 deletions(-)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index 6c5ed3a..ee17317 100755
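Review bot: The `+ "Derbit"` alias added here is removed again by PATCH 2/7 (`Fix`) in the very next hunk, so the two commits cancel out within this series. If Derbit is a genuine alias of Sundown it should stay and be backed by an entry in `refs`; if it was a mistake, squashing the pair keeps the history of this indicator list readable. As it stands the hunk adds a new name to the synonyms list with no source behind it.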
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -10,7 +10,21 @@
 "synonyms": [
 "Stegano EK"
 ],
- "status": "Unknown - Last Seen 2016-12-07"
+ "status": "Active"
+ }
+ }
+,
+ { "value": "Blaze EK",
+ "description": "Blaze EK is a rebranding of Terror EK built on Hunter EK code",
+ "meta": {
+ "refs": [
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit--More-like-Error-Exploit-Kit/"
+ ],
+ "synonyms": [
+ "Terror EK"
+ ]
+ ,
+ "status": "Active"
 }
 }
 ,
@@ -41,20 +55,6 @@
 "status": "Active"
 }
 }
-,
- { "value": "Empire",
- "description": "The Empire Pack is a variation of RIG operated by a load seller. It's being fed by many traffic actors",
- "meta": {
- "refs": [
- "http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html"
- ],
- "synonyms": [
- "RIG-E"
- ]
- ,
- "status": "Unknown - Last seen: 2016-12-29"
- }
- }
 ,
 { "value": "Hunter",
 "description": "Hunter EK is an evolution of 3Ros EK",
@@ -90,12 +90,12 @@
 "refs": [
 "http://malware.dontneedcoffee.com/2013/10/Magnitude.html",
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/A-Peek-Into-the-Lion-s-Den-%E2%80%93-The-Magnitude--aka-PopAds--Exploit-Kit/",
- "http://malware.dontneedcoffee.com/2014/02/and-real-name-of-magnitude-is.html"
+ "http://malware.dontneedcoffee.com/2014/02/and-real-name-of-magnitude-is.html",
+ "https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood"
 ],
 "synonyms": [
 "Popads EK",
- "TopExp",
- "Pangimop"
+ "TopExp"
 ],
 "status": "Active"
 }
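Review bot: The new Blaze EK entry writes the synonyms close and the following comma as two lines (`+ ]`, `+ ,`) and ends with `}`, `}`, `,` on three lines, whereas the Sundown and Angler entries in the same file use `],` and `},`. Mixing the two layouts makes every later move of an entry produce a noisy diff, as the Sundown and Nebula relocations further down this series show. Running the file once through `python -m json.tool` or `jq .` and committing the result would settle the layout for good.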
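Review bot: `- "Pangimop"` silently drops the alias that PATCH 3/7 added to this same synonyms list, and the subject (`Empire status, Nebula, Blaze/Terror`) does not mention it. If the removal is intentional, say so in the commit message; otherwise restore `"TopExp",` / `"Pangimop"` so that lookups keyed on that vendor name still resolve to Magnitude. The new RSA ref is fine as added.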
@@ -111,6 +111,16 @@
 "status": "Active"
 }
 }
+,
+ { "value": "Nebula",
+ "description": "Nebula Exploit Kit has been built on Sundown source and features an internal TDS",
+ "meta": {
+ "refs": [
+ "http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html"
+ ],
+ "status": "Active"
+ }
+ }
 ,
 { "value": "Neutrino",
 "description": "Neutrino Exploit Kit has been one of the major exploit kit from its launch in 2013 till september 2016 when it become private (defense name for this variation is Neutrino-v). This EK vanished from march 2014 till november 2014.",
@@ -122,7 +132,7 @@
 "synonyms": [
 "Job314",
 "Neutrino Rebooted",
- "Neutrino-v"
+ "Neutrino-v"
 ]
 ,
 "status": "Active"
@@ -196,7 +206,7 @@
 "synonyms": [
 "Beps",
 "Xer",
- "Beta"
+ "Beta"
 ],
 "status": "Active",
 "colour": "#C03701"
@@ -214,7 +224,7 @@
 "synonyms": [
 "XXX",
 "AEK",
- "Axpergle"
+ "Axpergle"
 ],
 "status": "Retired - Last seen: 2016-06-07"
 }
@@ -285,12 +295,26 @@
 ],
 "synonyms": [
 "NeoSploit",
- "Fiexp"
+ "Fiexp"
 ]
 ,
 "status": "Retired - Last Seen: beginning of 2015-07"
 }
 }
+,
+ { "value": "Empire",
+ "description": "The Empire Pack is a variation of RIG operated by a load seller. It's being fed by many traffic actors",
+ "meta": {
+ "refs": [
+ "http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html"
+ ],
+ "synonyms": [
+ "RIG-E"
+ ]
+ ,
+ "status": "Retired - Last seen: 2016-12-29"
+ }
+ }
 ,
 { "value": "FlashPack",
 "description": "FlashPack EK got multiple fork. The most common variant seen was the standalone Flash version",
@@ -454,7 +478,7 @@
 "refs": [
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/A-Wild-Exploit-Kit-Appears----Meet-RedKit/",
 "http://malware.dontneedcoffee.com/2012/05/inside-redkit.html",
- "https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/"
+ "https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/"
 ],
 "status": "Retired"
 }
@@ -478,7 +502,7 @@
 ],
 "synonyms": [
 "SWO",
- "Anogre"
+ "Anogre"
 ],
 "status": "Retired - Last seen: 2015-04-05"
 }
@@ -489,7 +513,7 @@
 "meta": {
 "refs": [
 "http://malware.dontneedcoffee.com/2012/12/crossing-styx-styx-sploit-pack-20-cve.html",
- "https://krebsonsecurity.com/2013/07/styx-exploit-pack-domo-arigato-pc-roboto/",
+ "https://krebsonsecurity.com/2013/07/styx-exploit-pack-domo-arigato-pc-roboto/",
 "http://malware.dontneedcoffee.com/2013/05/inside-styx-2013-05.html"
 ],
 "status":"Retired - Last seen: 2014-06"
@@ -501,13 +525,13 @@
 "meta": {
 "refs": [
 "https://twitter.com/kafeine",
- "https://twitter.com/node5",
+ "https://twitter.com/node5",
 "https://twitter.com/kahusecurity"
 ]
 }
 }
 ],
- "version": 3,
+ "version": 4,
 "uuid": "454f4e78-bd7c-11e6-a4a6-cec0c932ce01",
 "description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years",
 "authors": [
From 777fc1cde380f0b69cb88f9bf7e467a52a62a2a5 Mon Sep 17 00:00:00 2001
From: Kafeine
Date: Fri, 14 Apr 2017 13:44:03 +0100
Subject: [PATCH 5/7] Updated Blaze <-> Terror - Updated Sundown and Nebula status
---
 clusters/exploit-kit.json | 68 +++++++++++++++++++++------------------
 1 file changed, 36 insertions(+), 32 deletions(-)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index 096ec1a..af3f0c8 100755
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -15,14 +15,15 @@
 }
 }
 ,
- { "value": "Blaze EK",
- "description": "Blaze EK is a rebranding of Terror EK built on Hunter EK code",
+ { "value": "Terror EK",
+ "description": "Terror EK is a rebranding of Terror EK built on Hunter EK code",
 "meta": {
 "refs": [
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit--More-like-Error-Exploit-Kit/"
 ],
 "synonyms": [
- "Terror EK"
+ "Blaze EK",
+ "Neptune EK"
 ]
 ,
 "status": "Active"
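Review bot: `+ "Neptune EK"` is added as a synonym without any supporting entry in `refs`, which in this hunk still holds only the Trustwave Terror write-up; an alias with no source behind it is hard to verify or retire later. Add a ref for the Neptune naming, or at least mention the rebrand in the description. Swapping which name is the primary `value` and which is the synonym is a breaking change for anyone matching on `value`, so the commit message should call that out explicitly.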
@@ -111,16 +112,6 @@
 "status": "Active"
 }
 }
-,
- { "value": "Nebula",
- "description": "Nebula Exploit Kit has been built on Sundown source and features an internal TDS",
- "meta": {
- "refs": [
- "http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html"
- ],
- "status": "Active"
- }
- }
 ,
 { "value": "Neutrino",
 "description": "Neutrino Exploit Kit has been one of the major exploit kit from its launch in 2013 till september 2016 when it become private (defense name for this variation is Neutrino-v). This EK vanished from march 2014 till november 2014.",
@@ -179,7 +170,7 @@
 "synonyms": [
 "Sundown-b"
 ],
- "status": "Active"
+ "status": "Retired"
 }
 },
 {
@@ -195,23 +186,6 @@
 "status": "Active"
 }
 },
- {
- "value": "Sundown",
- "description": "Sundown Exploit Kit is mainly built out of stolen code from other exploit kits",
- "meta": {
- "refs": [
- "http://malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html",
- "https://www.virusbulletin.com/virusbulletin/2015/06/beta-exploit-pack-one-more-piece-crimeware-infection-road"
- ],
- "synonyms": [
- "Beps",
- "Xer",
- "Beta"
- ],
- "status": "Active",
- "colour": "#C03701"
- }
- },
 {
 "value": "Angler",
 "description": "The Angler Exploit Kit has been the most popular and evolved exploit kit from 2014 to middle of 2016. There was several variation. The historical \"indexm\" variant was used to spread Lurk. A vip version used notabily to spread Poweliks, the \"standard\" commercial version, and a declinaison tied to load selling (mostly bankers) that can be associated to EmpirePPC",
@@ -410,6 +384,16 @@
 "status": "Unknown - Last seen: 2014-03"
 }
 },
+ { "value": "Nebula",
+ "description": "Nebula Exploit Kit has been built on Sundown source and features an internal TDS",
+ "meta": {
+ "refs": [
+ "http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html"
+ ],
+ "status": "Retired - Last seen 2017-03-09"
+ }
+ }
+ ,
 {
 "value": "Niteris",
 "description": "Niteris was used mainly to target Russian.",
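Review bot: `+ "status": "Retired - Last seen 2017-03-09"` drops the colon that the other retired entries use (`"Retired - Last seen: 2016-12-29"` in PATCH 4/7, `"Unknown - Last seen: 2014-03"` in this hunk's own context), and the Sundown hunk in the next patch section does the same with `2017-03-08`. Since `status` is the only field carrying the last-seen date, a single `Retired - Last seen: YYYY-MM-DD` form is what lets a consumer extract it reliably; `"status": "Retired - Last seen: 2017-03-09"` here. The same hunk also writes the separator as `+ }`, `+ ,` on two lines while the neighbouring entries use `},`, and the Sundown-b hunk above retires that entry with no date at all.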
@@ -489,7 +473,27 @@
 ],
 "status": "Retired - Last seen: 2013-09"
 }
- },
+ }
+ ,
+ {
+ "value": "Sundown",
+ "description": "Sundown Exploit Kit is mainly built out of stolen code from other exploit kits",
+ "meta": {
+ "refs": [
+ "http://malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html",
+ "https://www.virusbulletin.com/virusbulletin/2015/06/beta-exploit-pack-one-more-piece-crimeware-infection-road"
+ ],
+ "synonyms": [
+ "Beps",
+ "Xer",
+ "Beta"
+ ],
+ "status": "Retired - Last seen 2017-03-08",
+ "colour": "#C03701"
+ }
+ }
+
+ ,
 {
 "value": "Sweet-Orange",
 "description": "Sweet Orange",
From 321044cdaceeb6623bd2c49f3f5a0cc25f350353 Mon Sep 17 00:00:00 2001
From: Kafeine
Date: Fri, 14 Apr 2017 13:46:59 +0100
Subject: [PATCH 6/7] Update Terror
---
 clusters/exploit-kit.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index af3f0c8..7cf0384 100755
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -16,7 +16,7 @@
 }
 ,
 { "value": "Terror EK",
- "description": "Terror EK is a rebranding of Terror EK built on Hunter EK code",
+ "description": "Terror EK is on Hunter, Sundown and RIG EK code",
 "meta": {
 "refs": [
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit--More-like-Error-Exploit-Kit/"
From 9e5db0be8c27578a23146315c032edfb1653e72e Mon Sep 17 00:00:00 2001
From: Kafeine
Date: Fri, 14 Apr 2017 13:47:16 +0100
Subject: [PATCH 7/7] fix
---
 clusters/exploit-kit.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index 7cf0384..d6986f7 100755
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
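Review bot: An empty added line (the bare `+` between `+ }` and `+ ,`) puts a blank line inside the top-level array, and the separator is again split as `}` / `,` instead of the `},` the old side had on the line being replaced. Both are harmless to a parser but are exactly the churn a pass through `python -m json.tool` would remove before commit. The moved entry's `status`, `Retired - Last seen 2017-03-08`, also omits the colon used by `Retired - Last seen: 2013-09` in this hunk's own context; `"status": "Retired - Last seen: 2017-03-08",` keeps the dates in one parseable form.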
@@ -16,7 +16,7 @@
 }
 ,
 { "value": "Terror EK",
- "description": "Terror EK is on Hunter, Sundown and RIG EK code",
+ "description": "Terror EK is built on Hunter, Sundown and RIG EK code",
 "meta": {
 "refs": [
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit--More-like-Error-Exploit-Kit/"
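Review bot: `+ "description": "Terror EK is built on Hunter, Sundown and RIG EK code"` widens the lineage claim to Sundown and RIG, but `refs` in the same hunk still lists only the Trustwave Terror write-up. If that article does not itself document the Sundown and RIG code reuse, add a ref that does, so the attribution recorded in this cluster can be checked by its consumers. The sentence could also spell the relationship out once, e.g. `built on code from the Hunter, Sundown and RIG exploit kits`, since `EK` already stands for exploit kit.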