misp-galaxy/clusters/cryptominers.json

{
  "authors": [
    "Cisco Talos",
    "raw-data"
  ],
  "category": "Cryptominers",
  "description": "A list of cryptominer and cryptojacker malware.",
  "name": "Cryptominers",
  "source": "Open Source Intelligence",
  "type": "malware",
  "uuid": "d7dd3f0c-de73-4148-a786-f8ad3661d293",
  "values": [
    {
      "description": "The infection starts with a PowerShell loading script, which is copied from other infected systems via SMB, email or external USB drives. The actor also employs several exploits for vulnerabilities such as SMBGhost and Eternal Blue.",
      "meta": {
        "refs": [
          "https://blog.talosintelligence.com/2020/10/lemon-duck-brings-cryptocurrency-miners.html",
          "https://success.trendmicro.com/solution/000261916",
          "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/spam/3697/spammers-use-covid19-to-spread-lemon-duck-cryptominer",
          "https://cyberflorida.org/threat-advisory/lemon-duck-cryptominer/"
        ],
        "synonyms": [],
        "type": [ "cryptojacker" ]
      },
      "uuid": "fa9cbe22-0ef7-4fbd-8a33-ce395eaa6df9",
      "value": "Lemon Duck"
    },
    {
      "description": "WannaMine is a cryptojacker that takes advantage of EternalBlue.",
      "meta": {
        "refs": [
          "https://www.crowdstrike.com/blog/weeding-out-wannamine-v4-0-analyzing-and-remediating-this-mineware-nightmare/?utm_campaign=dsa&utm_content=us&utm_medium=sem&utm_source=goog&utm_term=&gclid=EAIaIQobChMIjrayysrX7AIVFUWGCh3sQApKEAAYASAAEgIE6_D_BwE",
          "https://nakedsecurity.sophos.com/2018/01/31/what-are-wannamine-attacks-and-how-do-i-avoid-them/",
          "https://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry"
        ],
        "synonyms": [],
        "type": [ "cryptojacker" ]
      },
      "uuid": "20e563b0-f0c9-4253-aedd-a4542d6689ed",
      "value": "WannaMine"
    }
  ],
  "version": 1
}