diff --git a/clusters/banker.json b/clusters/banker.json index 36f0ff7..1f0ad4f 100644 --- a/clusters/banker.json +++ b/clusters/banker.json @@ -1,8 +1,8 @@ { "uuid": "59f20cce-5420-4084-afd5-0884c0a83832", - "name": "Banker", + "description": "A list of banker malware.", "source": "Open Sources", - "version": 8, + "version": 9, "values": [ { "meta": { @@ -583,11 +583,33 @@ "description": "It's a Trojan that includes banking site web injections and stealer functions. It consists of a downloader component that downloads an encrypted file containing the main DLL. The DLL, in turn, connects using raw TCP connections to port 443 and downloads additional modules (i.e. VNCDLL.dll, StealerDLL.dll, ProxyDLL.dll)", "value": "DanaBot", "uuid": "844417c6-a404-4c4e-8e93-84db596d725b" + }, + { + "meta": { + "refs": [ + "https://www.cert.pl/news/single/analiza-zlosliwego-oprogramowania-backswap/", + "https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/" + ] + }, + "description": "The banker is distributed through malicious email spam campaigns. Instead of using complex process injection methods to monitor browsing activity, the malware hooks key Windows message loop events in order to inspect values of the window objects for banking activity. The payload is delivered as a modified version of a legitimate application that is partially overwritten by the malicious payload", + "value": "Backswap", + "uuid": "ea0b5f45-6b56-4c92-b22b-0d84c45160a0" + }, + { + "meta": { + "refs": [ + "https://research.checkpoint.com/banking-trojans-development/" + ] + }, + "description": "Trojan under development and already being distributed through the RIG Exploit Kit. Observed code similarities with other well-known bankers such as Ramnit, Vawtrak and TrickBot. Karius works in a rather traditional fashion to other banking malware and consists of three components (injector32\\64.exe, proxy32\\64.dll and mod32\\64.dll), these components essentially work together to deploy webinjects in several browsers.", + "value": "Karius", + "uuid": "a088c428-d0bb-49c8-9ed7-dcced0c74754" } ], "authors": [ - "Unknown" + "Unknown", + "raw-data" ], "type": "banker", - "description": "A list of banker malware." + "name": "Banker" } diff --git a/clusters/cert-eu-govsector.json b/clusters/cert-eu-govsector.json index 64c7131..d7332c1 100644 --- a/clusters/cert-eu-govsector.json +++ b/clusters/cert-eu-govsector.json @@ -32,6 +32,6 @@ "Various" ], "source": "CERT-EU", - "type": "cert-seu-gocsector", + "type": "cert-eu-govsector", "name": "Cert EU GovSector" } diff --git a/clusters/rat.json b/clusters/rat.json index 94741c6..a953b8b 100644 --- a/clusters/rat.json +++ b/clusters/rat.json @@ -1,8 +1,8 @@ { "uuid": "312f8714-45cb-11e7-b898-135207cdceb9", - "name": "RAT", + "description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.", "source": "MISP Project", - "version": 10, + "version": 11, "values": [ { "meta": { @@ -2500,11 +2500,33 @@ "description": "Joanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to enable other operations. Joanap malware provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device. ", "value": "joanap", "uuid": "caac1aa2-6982-11e8-8107-a331ae3511e7" + }, + { + "meta": { + "refs": [ + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/" + ] + }, + "description": "Sisfader maintains persistence installing itself as a system service, it is made up of multiple components ([1] Dropper - installing the malware, [2] Agent - main code of the RAT, [3] Config - written to the registry, [4] Auto Loader - responsible for extracting the Agent, the Config from the registry) and it has its own custom protocol for communication.", + "value": "Sisfader", + "uuid": "b533439d-b060-4c90-80e0-9dce67b0c6fb" + }, + { + "meta": { + "refs": [ + "https://file.gdatasoftware.com/web/en/documents/whitepaper/G_DATA_SocketPlayer_Analysis.pdf", + "https://volon.io/2018/06/targeted-attack-on-indian-defense-officials-using-socketplayer-malware/" + ] + }, + "description": "The RAT is written in .NET, it uses socket.io for communication. Currently there are two variants of the malware, the 1st variant is a typical downloader whereas the 2nd one has download and C2 functionalities.", + "value": "SocketPlayer", + "uuid": "d9475765-2cea-45c0-b638-a082b9427239" } ], "authors": [ - "Various" + "Various", + "raw-data" ], "type": "rat", - "description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system." + "name": "RAT" } diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 8bc24f4..0a31ff7 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -17,7 +17,7 @@ "country": "CN", "refs": [ "https://en.wikipedia.org/wiki/PLA_Unit_61398", - "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf" + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" ] }, "description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks", @@ -2781,7 +2781,7 @@ }, { "value": "Thrip", - "description": "Symntec have been monitoring Thrip since 2013 when they uncovered a spying campaign being orchestrated from systems based in China. Since their initial discovery, the group has changed its tactics and broadened the range of tools it used. Initially, it relied heavily on custom malware, but in this most recent wave of attacks, which began in 2017, the group has switched to a mixture of custom malware and living off the land tools. All of these tools, with the exception of Mimikatz (which is almost always used maliciously), have legitimate uses.", + "description": "Symantec have been monitoring Thrip since 2013 when they uncovered a spying campaign being orchestrated from systems based in China. Since their initial discovery, the group has changed its tactics and broadened the range of tools it used. Initially, it relied heavily on custom malware, but in this most recent wave of attacks, which began in 2017, the group has switched to a mixture of custom malware and living off the land tools. All of these tools, with the exception of Mimikatz (which is almost always used maliciously), have legitimate uses.", "meta": { "refs": [ "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" diff --git a/clusters/tool.json b/clusters/tool.json index ce07993..ed10eea 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -1,6 +1,6 @@ { "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", - "name": "Tool", + "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", "source": "MISP Project", "version": 78, "values": [ @@ -4244,105 +4244,105 @@ "uuid": "895d769e-b288-4977-a4e1-7d64eb134bf9" }, { - "uuid": "1740ec4-d730-40d6-a3b8-32d5fe7f21cf", - "value": "Iron Backdoor", - "description": "Iron Backdoor uses a virtual machine detection code taken directly from HackingTeam’s Soldier implant leaked source code. Iron Backdoor is also using the DynamicCall module from HackingTeam core library. Backdoor was used to drop cryptocurrency miners.", "meta": { "refs": [ "https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/" ] - } + }, + "uuid": "1740ec4-d730-40d6-a3b8-32d5fe7f21cf", + "value": "Iron Backdoor", + "description": "Iron Backdoor uses a virtual machine detection code taken directly from HackingTeam’s Soldier implant leaked source code. Iron Backdoor is also using the DynamicCall module from HackingTeam core library. Backdoor was used to drop cryptocurrency miners." }, { - "uuid": "4c057ade-6989-11e8-9efd-ab33ed427468", - "value": "Brambul", - "description": "Brambul malware is a malicious Windows 32-bit SMB worm that functions as a service dynamic link library file or a portable executable file often dropped and installed onto victims’ networks by dropper malware. When executed, the malware attempts to establish contact with victim systems and IP addresses on victims’ local subnets. If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks.", "meta": { "refs": [ "https://www.us-cert.gov/ncas/alerts/TA18-149A" ] - } + }, + "uuid": "4c057ade-6989-11e8-9efd-ab33ed427468", + "value": "Brambul", + "description": "Brambul malware is a malicious Windows 32-bit SMB worm that functions as a service dynamic link library file or a portable executable file often dropped and installed onto victims’ networks by dropper malware. When executed, the malware attempts to establish contact with victim systems and IP addresses on victims’ local subnets. If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks." }, { - "uuid": "d1482c9e-6af3-11e8-aa8e-279274bd10c7", - "value": "PLEAD", - "description": "PLEAD has two kinds – RAT (Remote Access Tool) and downloader. The RAT operates based on commands that are provided from C&C servers. On the other hand, PLEAD downloader downloads modules and runs it on memory in the same way as TSCookie does.", "meta": { "refs": [ "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html" ] - } + }, + "uuid": "d1482c9e-6af3-11e8-aa8e-279274bd10c7", + "value": "PLEAD", + "description": "PLEAD has two kinds – RAT (Remote Access Tool) and downloader. The RAT operates based on commands that are provided from C&C servers. On the other hand, PLEAD downloader downloads modules and runs it on memory in the same way as TSCookie does." }, { - "uuid": "65c0dff4-6b23-11e8-899f-8fcb21ad9649", - "value": "BabaYaga", - "description": "The group behind BabaYaga —believed to be Russian-speaking hackers— uses this malware to inject sites with special keyboards to drive SEO traffic to hidden pages on compromised sites. These pages are then used to redirect users to affiliate marketing links, where if the user purchases advertised goods, the hackers also make a profit.\nThe malware per-se is comprised of two modules —one that injects the spam content inside the compromised sites, and a backdoor module that gives attackers control over an infected site at any time.\nThe intricacies of both modules are detailed in much more depth in this 26-page report authored by Defiant (formerly known as WordFence), the security firm which dissected the malware's more recent versions.\n\"[BabaYaga] is relatively well-written, and it demonstrates that the author has some understanding of software development challenges, like code deployment, performance and management,\" Defiant researchers say. \"It can also infect Joomla and Drupal sites, or even generic PHP sites, but it is most fully developed around Wordpress.\"", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/lol-babayaga-wordpress-malware-updates-your-site/" ] - } + }, + "uuid": "65c0dff4-6b23-11e8-899f-8fcb21ad9649", + "value": "BabaYaga", + "description": "The group behind BabaYaga —believed to be Russian-speaking hackers— uses this malware to inject sites with special keyboards to drive SEO traffic to hidden pages on compromised sites. These pages are then used to redirect users to affiliate marketing links, where if the user purchases advertised goods, the hackers also make a profit.\nThe malware per-se is comprised of two modules —one that injects the spam content inside the compromised sites, and a backdoor module that gives attackers control over an infected site at any time.\nThe intricacies of both modules are detailed in much more depth in this 26-page report authored by Defiant (formerly known as WordFence), the security firm which dissected the malware's more recent versions.\n\"[BabaYaga] is relatively well-written, and it demonstrates that the author has some understanding of software development challenges, like code deployment, performance and management,\" Defiant researchers say. \"It can also infect Joomla and Drupal sites, or even generic PHP sites, but it is most fully developed around Wordpress.\"" }, { - "uuid": "10f50ef8-6e3b-11e8-a648-d73fb4d2f48e", - "value": "InvisiMole", - "description": "Except for the malware's binary file, very little is known of who's behind it, how it spreads, or in what types of campaigns has this been used.\n\n\"Our telemetry indicates that the malicious actors behind this malware have been active at least since 2013, yet the cyber-espionage tool was never analyzed nor detected until discovered by ESET products on compromised computers in Ukraine and Russia,\" said ESET researcher Zuzana Hromcová, who recently penned an in-depth report about this new threat.\n\n\"All infection vectors are possible, including installation facilitated by physical access to the machine,\" Hromcová added.\n\nTypical to malware used in highly-targeted attacks, the malware has been stripped of most clues that could lead researchers back to its author. With the exception of one file (dating to October 13, 2013), all compilation dates have been stripped and replaced with zeros, giving little clues regarding its timeline and lifespan.\n\nFurthermore, the malware is some clever piece of coding in itself, as it's comprised of two modules, both with their own set of spying features, but which can also help each other in exfiltrating data.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/invisimole-is-a-complex-spyware-that-can-take-pictures-and-record-audio/" ] - } + }, + "uuid": "10f50ef8-6e3b-11e8-a648-d73fb4d2f48e", + "value": "InvisiMole", + "description": "Except for the malware's binary file, very little is known of who's behind it, how it spreads, or in what types of campaigns has this been used.\n\n\"Our telemetry indicates that the malicious actors behind this malware have been active at least since 2013, yet the cyber-espionage tool was never analyzed nor detected until discovered by ESET products on compromised computers in Ukraine and Russia,\" said ESET researcher Zuzana Hromcová, who recently penned an in-depth report about this new threat.\n\n\"All infection vectors are possible, including installation facilitated by physical access to the machine,\" Hromcová added.\n\nTypical to malware used in highly-targeted attacks, the malware has been stripped of most clues that could lead researchers back to its author. With the exception of one file (dating to October 13, 2013), all compilation dates have been stripped and replaced with zeros, giving little clues regarding its timeline and lifespan.\n\nFurthermore, the malware is some clever piece of coding in itself, as it's comprised of two modules, both with their own set of spying features, but which can also help each other in exfiltrating data." }, { - "uuid": "f35f219a-6eed-11e8-980a-93bb96299951", - "value": "Roaming Mantis", - "description": "Roaming Mantis malware is designed for distribution through a simple, but very efficient trick based on a technique known as DNS hijacking. When a user attempts to access any website via a compromised router, they will be redirected to a malicious website. For example, if a user were to navigate to www.securelist.com using a web browser, the browser would be redirected to a rogue server which has nothing to do with the security research blog. As long as the browser displays the original URL, users are likely to believe the website is genuine. The web page from the rogue server displays the popup message: To better experience the browsing, update to the latest chrome version.", "meta": { "refs": [ "https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/" ] - } + }, + "uuid": "f35f219a-6eed-11e8-980a-93bb96299951", + "value": "Roaming Mantis", + "description": "Roaming Mantis malware is designed for distribution through a simple, but very efficient trick based on a technique known as DNS hijacking. When a user attempts to access any website via a compromised router, they will be redirected to a malicious website. For example, if a user were to navigate to www.securelist.com using a web browser, the browser would be redirected to a rogue server which has nothing to do with the security research blog. As long as the browser displays the original URL, users are likely to believe the website is genuine. The web page from the rogue server displays the popup message: To better experience the browsing, update to the latest chrome version." }, { - "uuid": "7cda6406-6eef-11e8-a2ad-9340096d5711", - "value": "PLEAD Downloader", - "description": "PLEAD is referred to both as a name of malware including TSCookie and its attack campaign. PLEAD has two kinds – RAT (Remote Access Tool) and downloader. The RAT operates based on commands that are provided from C&C servers. On the other hand, PLEAD downloader downloads modules and runs it on memory in the same way as TSCookie does.", "meta": { "refs": [ "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html" ] - } + }, + "uuid": "7cda6406-6eef-11e8-a2ad-9340096d5711", + "value": "PLEAD Downloader", + "description": "PLEAD is referred to both as a name of malware including TSCookie and its attack campaign. PLEAD has two kinds – RAT (Remote Access Tool) and downloader. The RAT operates based on commands that are provided from C&C servers. On the other hand, PLEAD downloader downloads modules and runs it on memory in the same way as TSCookie does." }, { - "uuid": "9f926c84-72cb-11e8-a1f2-676d779700ba", - "value": "ClipboardWalletHijacker", - "description": "The malware's purpose is to intercept content recorded in the Windows clipboard, look for strings resembling Bitcoin and Ethereum addresses, and replace them with ones owned by the malware's authors. ClipboardWalletHijacker's end-plan is to hijack BTC and ETH transactions, so victims unwittingly send funds to the malware's authors.", "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/clipboard-hijacker-targeting-bitcoin-and-ethereum-users-infects-over-300-0000-pcs/", "https://blog.360totalsecurity.com/en/new-cryptominer-hijacks-your-bitcoin-transaction-over-300000-computers-have-been-attacked/" ] - } + }, + "uuid": "9f926c84-72cb-11e8-a1f2-676d779700ba", + "value": "ClipboardWalletHijacker", + "description": "The malware's purpose is to intercept content recorded in the Windows clipboard, look for strings resembling Bitcoin and Ethereum addresses, and replace them with ones owned by the malware's authors. ClipboardWalletHijacker's end-plan is to hijack BTC and ETH transactions, so victims unwittingly send funds to the malware's authors." }, { - "value": "TYPEFRAME", - "description": "Trojan malware", "meta": { "refs": [ "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A" ] }, + "description": "Trojan malware", + "value": "TYPEFRAME", "uuid": "8981aaca-72dc-11e8-8649-838c1b2613c5" }, { - "value": "Olympic Destroyer", - "description": "The Winter Olympics this year is being held in Pyeongchang, South Korea. The Guardian, a UK Newspaper reported an article that suggested the Olympic computer systems suffered technical issues during the opening ceremony. Officials at the games confirmed some technical issues to non-critical systems and they completed recovery within around 12 hours. Sunday 11th February the Olympic games officials confirmed a cyber attack occurred but did not comment or speculate further.\nTalos have identified the samples, with moderate confidence, used in this attack. The infection vector is currently unknown as we continue to investigate. The samples identified, however, are not from adversaries looking for information from the games but instead they are aimed to disrupt the games. The samples analysed appear to perform only destructive functionality. There does not appear to be any exfiltration of data. Analysis shows that actors are again favouring legitimate pieces of software as PsExec functionality is identified within the sample. The destructive nature of this malware aims to render the machine unusable by deleting shadow copies, event logs and trying to use PsExec & WMI to further move through the environment. This is something we have witnessed previously with BadRabbit and Nyetya.", "meta": { "refs": [ "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html", "https://www.bleepingcomputer.com/news/security/malware-that-hit-pyeongchang-olympics-deployed-in-new-attacks/" ] }, + "description": "The Winter Olympics this year is being held in Pyeongchang, South Korea. The Guardian, a UK Newspaper reported an article that suggested the Olympic computer systems suffered technical issues during the opening ceremony. Officials at the games confirmed some technical issues to non-critical systems and they completed recovery within around 12 hours. Sunday 11th February the Olympic games officials confirmed a cyber attack occurred but did not comment or speculate further.\nTalos have identified the samples, with moderate confidence, used in this attack. The infection vector is currently unknown as we continue to investigate. The samples identified, however, are not from adversaries looking for information from the games but instead they are aimed to disrupt the games. The samples analysed appear to perform only destructive functionality. There does not appear to be any exfiltration of data. Analysis shows that actors are again favouring legitimate pieces of software as PsExec functionality is identified within the sample. The destructive nature of this malware aims to render the machine unusable by deleting shadow copies, event logs and trying to use PsExec & WMI to further move through the environment. This is something we have witnessed previously with BadRabbit and Nyetya.", + "value": "Olympic Destroyer", "uuid": "76d5c7a2-73c3-11e8-bd92-db4d715af093" }, { @@ -4364,6 +4364,17 @@ ] }, "uuid": "58b24db2-79d7-11e8-9b1b-bbdbc798af4f" + }, + { + "meta": { + "refs": [ + "https://github.com/zerosum0x0/koadic", + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" + ] + }, + "description": "Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host", + "value": "Koadic", + "uuid": "f9e0b922-253c-40fa-a6d2-e60ec9c6980b" } ], "authors": [ @@ -4371,8 +4382,9 @@ "Florian Roth", "Timo Steffens", "Christophe Vandeplas", - "Dennis Rand" + "Dennis Rand", + "raw-data" ], "type": "tool", - "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries." + "name": "Tool" } diff --git a/galaxies/cert-eu-govsector.json b/galaxies/cert-eu-govsector.json index 0a2cc16..84cf5aa 100644 --- a/galaxies/cert-eu-govsector.json +++ b/galaxies/cert-eu-govsector.json @@ -1,5 +1,5 @@ { - "type": "cert-seu-gocsector", + "type": "cert-eu-govsector", "name": "Cert EU GovSector", "description": "Cert EU GovSector", "version": 2, diff --git a/tools/adoc_galaxy.py b/tools/adoc_galaxy.py index 490bcbd..bb01508 100644 --- a/tools/adoc_galaxy.py +++ b/tools/adoc_galaxy.py @@ -67,14 +67,14 @@ def header(adoc=False): doc = doc + "= MISP galaxy\n" return doc -def asciidoc(content=False, adoc=None, t='title',title=''): +def asciidoc(content=False, adoc=None, t='title',title='', typename=''): adoc = adoc + "\n" output = "" if t == 'title': output = '== ' + content elif t == 'info': - output = "\n{}.\n\n{} {} {}{}.json[*this location*] {}.\n".format(content, 'NOTE: ', title, 'is a cluster galaxy available in JSON format at https://github.com/MISP/misp-galaxy/blob/master/clusters/',title.lower(),' The JSON format can be freely reused in your application or automatically enabled in https://www.github.com/MISP/MISP[MISP]') + output = "\n{}.\n\n{} {} {}$${}$$.json[*this location*] {}.\n".format(content, 'NOTE: ', title, 'is a cluster galaxy available in JSON format at https://github.com/MISP/misp-galaxy/blob/master/clusters/',typename.lower(),' The JSON format can be freely reused in your application or automatically enabled in https://www.github.com/MISP/MISP[MISP]') elif t == 'author': output = '\nauthors:: {}\n'.format(' - '.join(content)) elif t == 'value': @@ -102,8 +102,9 @@ for cluster in clusters: with open(fullPathClusters) as fp: c = json.load(fp) title = c['name'] + typename = c['type'] adoc = asciidoc(content=title, adoc=adoc, t='title') - adoc = asciidoc(content=c['description'], adoc=adoc, t='info', title=title) + adoc = asciidoc(content=c['description'], adoc=adoc, t='info', title=title, typename = typename) if 'authors' in c: adoc = asciidoc(content=c['authors'], adoc=adoc, t='author', title=title) for v in c['values']: