Merge pull request #357 from Delta-Sierra/master

New clusters
Alexandre Dulaunoy 2019-03-11 10:25:28 +01:00 committed by GitHub
commit 03be509459
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 114 additions and 12 deletions


@ -269,7 +269,7 @@
"description": "Vibleaker was an app available on the Google Play Store named Beaver Gang Counter that contained malicious code that after specific orders from its maker would scan the user's phone for the Viber app, and then steal photos and videos recorded or sent through the app.",
"meta": {
"refs": [
"http://news.softpedia.com/news/malicious-android-app-steals-viber-photos-and-videos-505758.shtml"
"http://news.softpedia.com/news/malicious-android-app-steals-viber-photos-and-BankBot-505758.shtml"
]
},
"uuid": "27354d65-ca90-4f73-b942-13046e61700c",
@ -4642,7 +4642,18 @@
},
"uuid": "64ee0ae8-2e78-43bf-b81b-e7e5c2e30cd0",
"value": "AndroidOS_HidenAd"
},
{
"description": "The Banking Trojan found in Google Play is identified as Razdel, a variant of BankBot mobile banking Trojan. This newly observed variant has taken mobile threats to the next level incorporating: Remote access Trojan functions, SMS interception, UI (User Interface) Overlay with masqueraded pages etc.",
"meta": {
"refs": [
"http://www.virusremovalguidelines.com/tag/what-is-bankbot",
"https://mobile.twitter.com/pr3wtd/status/1097477833625088000"
]
},
"uuid": "aef548fb-76f5-4eb9-9942-f189cb0d16f6",
"value": "Razdel"
}
],
"version": 18
"version": 19
}
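Review bot: The Vibleaker reference on the new side of the first hunk, `"http://news.softpedia.com/news/malicious-android-app-steals-viber-photos-and-BankBot-505758.shtml"`, looks like an accidental search-and-replace of "videos" with "BankBot" rather than a deliberate correction: the previous slug matched the entry's own description ("steal photos and videos"), and BankBot belongs to the separate Razdel entry this PR adds further down. Unless the Softpedia article really moved, the old line `"http://news.softpedia.com/news/malicious-android-app-steals-viber-photos-and-videos-505758.shtml"` should be restored so the reference still resolves. The Razdel entry itself and the version bump to 19 look fine.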


@ -51,7 +51,36 @@
},
"uuid": "8b50360c-4d16-4f52-be75-e74c27f533df",
"value": "ServHelper"
},
{
"description": "The Rising Sun backdoor uses the RC4 cipher to encrypt its configuration data and communications. As with most backdoors, on initial infection, Rising Sun will send data regarding the infected system to a command and control (C2) site. That information captures computer and user name, IP address, operating system version and network adapter information. Rising Sun contains 14 functions including executing commands, obtaining information on disk drives and running processes, terminating processes, obtaining file creation and last access times, reading and writing files, deleting files, altering file attributes, clearing the memory of processes and connecting to a specified IP address.",
"meta": {
"refs": [
"https://www.bluvector.io/threat-report-rising-sun-operation-sharpshooter/"
]
},
"uuid": "0ae6636e-87e4-4b4c-a1c8-e14e1cab964f",
"value": "Rising Sun"
},
{
"description": "A new backdoor was observed using the Github Gist service and the Slack messaging system as communication channels with its masters, as well as targeting a very specific type of victim using a watering hole attack.\nThe backdoor dubbed SLUB by the Trend Micro Cyber Safety Solutions Team who detected it in the wild is part of a multi-stage infection process designed by capable threat actors who programmed it in C++.\nSLUB uses statically-linked curl, boost, and JsonCpp libraries for performing HTTP request, \"extracting commands from gist snippets,\" and \"parsing Slack channel communication.\"\nThe campaign recently observed by the Trend Micro security researchers abusing the Github and Slack uses a multi-stage infection process.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/new-slub-backdoor-uses-slack-github-as-communication-channels/"
]
},
"related": [
{
"dest-uuid": "bb6492fa-36b5-4f4a-a787-e718e7f9997f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "a4757e11-0837-42c0-958a-7490cff58687",
"value": "SLUB"
}
],
"version": 4
"version": 5
}
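Review bot: The new Rising Sun entry (uuid `0ae6636e-87e4-4b4c-a1c8-e14e1cab964f`) carries no `related` cross-reference, although the Operation Sharpshooter actor entry this same PR touches (uuid `b06c3af1-0243-4428-88da-b3451c345e1e`) describes Rising Sun as that campaign's second-stage implant, and the neighbouring SLUB entry does get a `related` link to its tool-file counterpart. Adding `"related": [{"dest-uuid": "b06c3af1-0243-4428-88da-b3451c345e1e", "tags": ["estimative-language:likelihood-probability=\"likely\""], "type": "similar"}]` to the Rising Sun entry, with the reverse link on the actor side as is done for the SLUB pair, would let consumers pivot between the implant and the campaign. The relation type and tag are the ones already used on the SLUB entry in this hunk; whether "similar" is the right type for an implant-to-campaign link is a convention question for the galaxy maintainers.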


@ -11326,7 +11326,8 @@
"#RECOVERY_FILES#.txt"
],
"refs": [
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/"
"https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/",
"https://www.bleepingcomputer.com/news/security/ransomware-pretends-to-be-proton-security-team-securing-data-from-hackers/"
]
},
"uuid": "f251740b-1594-460a-a378-371f3a2ae92c",
@ -11759,7 +11760,20 @@
},
"uuid": "53da7991-62b7-4fe2-af02-447a0734f41d",
"value": "Princess Evolution"
},
{
"description": "A new Ransomware-as-a-Service called Jokeroo is being promoted on underground hacking sites and via Twitter that allows affiliates to allegedly gain access to a fully functional ransomware and payment server.\nAccording to a malware researcher named Damian, the Jokeroo RaaS first started promoting itself as a GandCrab Ransomware RaaS on the underground hacking forum Exploit.in. ",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/jokeroo-ransomware-as-a-service-offers-multiple-membership-packages/"
],
"synonyms": [
"Fake GandCrab"
]
},
"uuid": "8cfa694b-3e6b-410a-828f-037d981870b2",
"value": "Jokeroo"
}
],
"version": 53
"version": 54
}
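Review bot: The Jokeroo description string in the second hunk ends with a trailing space before the closing quote (`...on the underground hacking forum Exploit.in. "`), which every consumer of the cluster will carry through; trimming it to `"...on the underground hacking forum Exploit.in."` keeps the value clean. Separately, `"Fake GandCrab"` reads as a characterisation drawn from the description ("first started promoting itself as a GandCrab Ransomware RaaS") rather than an alias the cited article uses; since `synonyms` drive name matching, it is worth confirming the reference actually uses that name before keeping it there. The added Proton ransomware reference in the first hunk looks fine.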


@ -2689,6 +2689,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b06c3af1-0243-4428-88da-b3451c345e1e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376",
@ -3469,7 +3476,8 @@
"meta": {
"refs": [
"https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
"http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks"
"http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks",
"https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east/"
],
"synonyms": [
"Gaza Hackers Team",
@ -3574,7 +3582,8 @@
"meta": {
"country": "IR",
"refs": [
"https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
"https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
"https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions"
]
},
"uuid": "ddd95696-3d9a-4d0c-beec-a34d396182f3",
@ -6144,9 +6153,19 @@
"description": "The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Groups 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries.\nOperation Sharpshooters numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags. Our research focuses on how this actor operates, the global impact, and how to detect the attack. We shall leave attribution to the broader security community.",
"meta": {
"refs": [
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/"
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/",
"https://www.bleepingcomputer.com/news/security/op-sharpshooter-connected-to-north-koreas-lazarus-group/"
]
},
"related": [
{
"dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b06c3af1-0243-4428-88da-b3451c345e1e",
"value": "Operation Sharpshooter"
},
@ -6390,6 +6409,16 @@
"uuid": "769aeaa6-d193-4e90-a818-d74c6ff7b845",
"value": "STOLEN PENCIL"
},
{
"meta": {
"refs": [
"http://download.ahnlab.com/kr/site/library/%5bAnalysis_Report%5dOperation_Kabar_Cobra.pdf",
"https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?menu_dist=2&curPage=1&seq=28102"
]
},
"uuid": "9ba291f2-b107-402d-9083-3128395ff26e",
"value": "Operation Kabar Cobra"
},
{
"description": "Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected coming from South America carried out continuous targeted attacks against Colombian government institutions as well as important corporations in financial sector, petroleum industry, professional manufacturing, etc.",
"meta": {
@ -6406,16 +6435,16 @@
{
"description": "Resecuritys research indicates that the attack on Parliament is a part of a multi-year cyberespionage campaign orchestrated by a nation-state actor whom we are calling IRIDIUM. This actor targets sensitive government, diplomatic, and military resources in the countries comprising the Five Eyes intelligence alliance (which includes Australia, Canada, New Zealand, the United Kingdom and the United States)",
"meta": {
"attribution-confidence": "10",
"country": "IR",
"refs": [
"https://resecurity.com/blog/parliament_races/",
"https://www.nbcnews.com/politics/national-security/iranian-backed-hackers-stole-data-major-u-s-government-contractor-n980986"
],
"attribution-confidence": "10"
]
},
"uuid": "29cfe970-5446-4cfc-a2da-00e9f49e02ba",
"value": "IRIDIUM"
}
],
"version": 96
"version": 97
}
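Review bot: The new Operation Kabar Cobra entry (uuid `9ba291f2-b107-402d-9083-3128395ff26e`) has `meta.refs`, `uuid` and `value` but no `description`, unlike every other entry added or touched in this file; a one- or two-sentence summary of what the two AhnLab references report would make the cluster usable without following the links. The IRIDIUM hunk reorders the `meta` keys and adds `"country": "IR"` next to the existing `"attribution-confidence": "10"`; given that low confidence value and a description that only says "nation-state actor", it is worth a sentence in the description pointing at which of the two references supports the country attribution. The Sharpshooter entry's `related` link to `68391641-859f-4a9a-9a1e-3e5cf71ec376` is matched by the reverse link in the first hunk, which is good.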


@ -7553,6 +7553,16 @@
"uuid": "78ed653d-2d76-4a99-849e-1509e4573c32",
"value": "BabyShark"
},
{
"description": "Hackers are running a new campaign which drops the StealthWorker brute-force malware on Windows and Linux machines that end up being used to brute force other computers in a series of distributed brute force attacks.\nAs unearthed by FortiGuard Labs' Rommel Joven, the StealthWorker Golang-based brute forcer (also known as GoBrut) discovered by Malwarebytes at the end of February is actively being used to target and compromise multiple platforms.\nStealthWorker was previously connected to a number of compromised Magento-powered e-commerce websites on which attackers infiltrated skimmers designed to exfiltrate both payment and personal information.\nAs later discovered, the malware is capable of exploiting a number of vulnerabilities in to infiltrate Magento, phpMyAdmin, and cPanel Content Management Systems (CMSs), as well as brute force its way in if everything else fails.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/stealthworker-malware-uses-windows-linux-bots-to-hack-websites/"
]
},
"uuid": "f0fc5ab9-4973-42b3-a2f6-25ff551b5566",
"value": "StealthWorker"
},
{
"description": "The SLUB backdoor is a custom one written in the C++ programming language, statically linking curl library to perform multiple HTTP requests. Other statically-linked libraries are boost (for extracting commands from gist snippets) and JsonCpp (for parsing slack channel communication).",
"meta": {
@ -7560,9 +7570,18 @@
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/"
]
},
"related": [
{
"dest-uuid": "a4757e11-0837-42c0-958a-7490cff58687",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "bb6492fa-36b5-4f4a-a787-e718e7f9997f",
"value": "SLUB Backdoor"
}
],
"version": 112
"version": 113
}
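Review bot: The new StealthWorker entry's description states the malware is "also known as GoBrut", but the entry has no `synonyms` key, so the alias will not be matched by name; adding `"synonyms": ["GoBrut"]` inside `meta` next to `refs` (the same layout the ransomware file uses for Jokeroo in this PR) fixes that. The description is otherwise a verbatim copy of the cited article, including its "vulnerabilities in to infiltrate" slip; paraphrasing it would avoid inheriting the source's wording. The `related` link added to SLUB Backdoor in the second hunk is the reverse of the one on the new backdoor-file entry, which keeps the pair consistent.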