From bd3fce00e1caf7950cf577e5992635eaf97b1d07 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 25 Feb 2019 16:35:06 +0100
Subject: [PATCH 1/9] add Razdel
---
 clusters/android.json | 15 +++++++++++++--
 clusters/threat-actor.json | 8 +++++---
 2 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/clusters/android.json b/clusters/android.json
index b554a73..40ae255 100644
--- a/clusters/android.json
+++ b/clusters/android.json
@@ -269,7 +269,7 @@
 "description": "Vibleaker was an app available on the Google Play Store named Beaver Gang Counter that contained malicious code that after specific orders from its maker would scan the user's phone for the Viber app, and then steal photos and videos recorded or sent through the app.",
 "meta": {
 "refs": [
- "http://news.softpedia.com/news/malicious-android-app-steals-viber-photos-and-videos-505758.shtml"
+ "http://news.softpedia.com/news/malicious-android-app-steals-viber-photos-and-BankBot-505758.shtml"
 ]
 },
 "uuid": "27354d65-ca90-4f73-b942-13046e61700c",
@@ -4642,7 +4642,18 @@
 },
 "uuid": "64ee0ae8-2e78-43bf-b81b-e7e5c2e30cd0",
 "value": "AndroidOS_HidenAd"
+ },
+ {
+ "description": "The Banking Trojan found in Google Play is identified as Razdel, a variant of BankBot mobile banking Trojan. This newly observed variant has taken mobile threats to the next level incorporating: Remote access Trojan functions, SMS interception, UI (User Interface) Overlay with masqueraded pages etc.",
+ "meta": {
+ "refs": [
+ "http://www.virusremovalguidelines.com/tag/what-is-bankbot",
+ "https://mobile.twitter.com/pr3wtd/status/1097477833625088000"
+ ]
+ },
+ "uuid": "aef548fb-76f5-4eb9-9942-f189cb0d16f6",
+ "value": "Razdel"
 }
 ],
- "version": 18
+ "version": 19
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1207015..3a0916f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
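Review bot: The first hunk rewrites the Vibleaker reference from `...viber-photos-and-videos-505758.shtml` to `...viber-photos-and-BankBot-505758.shtml`, which turns a working Softpedia URL into one that almost certainly does not resolve and has nothing to do with this commit's stated purpose of adding Razdel. This looks like a stray search-and-replace of "videos" made while preparing the BankBot-related text rather than an intended edit. Restore the removed line, `"http://news.softpedia.com/news/malicious-android-app-steals-viber-photos-and-videos-505758.shtml"`, and drop the replacement.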
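Review bot: The new Razdel entry in the second hunk is sourced only to a virus-removal marketing page and a tweet, neither of which is a primary analysis, so a consumer of this galaxy has no vendor or researcher write-up against which to verify the RAT, SMS-interception and overlay claims in the description. If the tweet points at a vendor report, cite that report directly in `refs`; otherwise the description should be worded as unverified. Since the description itself calls Razdel "a variant of BankBot", consider also adding a `related` link to the BankBot cluster if this galaxy already has one (I cannot see one from this diff), so the lineage is machine-readable rather than prose-only.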
@@ -3469,7 +3469,8 @@
 "meta": {
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
- "http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks"
+ "http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks",
+ "https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east/"
 ],
 "synonyms": [
 "Gaza Hackers Team",
@@ -3574,7 +3575,8 @@
 "meta": {
 "country": "IR",
 "refs": [
- "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
+ "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
+ "https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions"
 ]
 },
 "uuid": "ddd95696-3d9a-4d0c-beec-a34d396182f3",
@@ -6387,5 +6389,5 @@
 "value": "STOLEN PENCIL"
 }
 ],
- "version": 93
+ "version": 94
 }
From 19c4fe4d11c0e1f06c27c713ae31334b0fcf89ab Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 4 Mar 2019 10:11:26 +0100
Subject: [PATCH 2/9] add Rising Sun Backdoor
---
 clusters/backdoor.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/backdoor.json b/clusters/backdoor.json
index b1deff9..76fe3dc 100644
--- a/clusters/backdoor.json
+++ b/clusters/backdoor.json
@@ -51,7 +51,17 @@
 },
 "uuid": "8b50360c-4d16-4f52-be75-e74c27f533df",
 "value": "ServHelper"
+ },
+ {
+ "description": "The Rising Sun backdoor uses the RC4 cipher to encrypt its configuration data and communications. As with most backdoors, on initial infection, Rising Sun will send data regarding the infected system to a command and control (C2) site. That information captures computer and user name, IP address, operating system version and network adapter information. Rising Sun contains 14 functions including executing commands, obtaining information on disk drives and running processes, terminating processes, obtaining file creation and last access times, reading and writing files, deleting files, altering file attributes, clearing the memory of processes and connecting to a specified IP address.",
+ "meta": {
+ "refs": [
+ "https://www.bluvector.io/threat-report-rising-sun-operation-sharpshooter/"
+ ]
+ },
+ "uuid": "0ae6636e-87e4-4b4c-a1c8-e14e1cab964f",
+ "value": "Rising Sun"
 }
 ],
- "version": 4
+ "version": 5
 }
From 6ffb8dd437f7c25bb8df708f6773a1945416b0c6 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 4 Mar 2019 12:03:05 +0100
Subject: [PATCH 3/9] add relation between Lazarus Group and Operation SharpShooter
---
 clusters/threat-actor.json | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3a0916f..ccd9e4c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2689,6 +2689,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "b06c3af1-0243-4428-88da-b3451c345e1e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
 }
 ],
 "uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376",
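Review bot: The new Rising Sun entry cites only the BluVector summary and carries no `related` link, even though its description presents it as the implant of Operation Sharpshooter and the next patch in this series wires Lazarus to the Operation Sharpshooter cluster (`b06c3af1-0243-4428-88da-b3451c345e1e`), leaving the implant itself disconnected from both. The primary source is McAfee's report, which the Sharpshooter entry already cites, so add `"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/"` to `refs` and a `related` block pointing at the Sharpshooter cluster so the two resolve to each other. The RC4 and 14-function details come from the secondary write-up; they can stay, but the primary report should be first in `refs`.
```json
 "refs": [
 "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/",
 "https://www.bluvector.io/threat-report-rising-sun-operation-sharpshooter/"
 ]
 },
 "related": [
 {
 "dest-uuid": "b06c3af1-0243-4428-88da-b3451c345e1e",
 "tags": [
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
 }
 ],
 "uuid": "0ae6636e-87e4-4b4c-a1c8-e14e1cab964f",
```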
@@ -6142,9 +6149,19 @@
 "description": "The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries.\nOperation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags. Our research focuses on how this actor operates, the global impact, and how to detect the attack. We shall leave attribution to the broader security community.",
 "meta": {
 "refs": [
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/"
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/",
+ "https://www.bleepingcomputer.com/news/security/op-sharpshooter-connected-to-north-koreas-lazarus-group/"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
 "uuid": "b06c3af1-0243-4428-88da-b3451c345e1e",
 "value": "Operation Sharpshooter"
 },
@@ -6389,5 +6406,5 @@
 "value": "STOLEN PENCIL"
 }
 ],
- "version": 94
+ "version": 95
 }
From ae490908450baafa4380b962931c38e36876ee84 Mon Sep 17 00:00:00 2001
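Review bot: The added `related` block rates the Lazarus link as `likelihood-probability="likely"`, while the untouched description still ends with McAfee's original caveat that the technical links may be false flags and that attribution is left to the community, so the entry now contradicts itself. The added BleepingComputer reference (slug `op-sharpshooter-connected-to-north-koreas-lazarus-group`) appears to be the basis for the relation; append a sentence to the description such as `McAfee's follow-up analysis later connected the operation to the Lazarus Group (see the BleepingComputer reference).` so readers see why the relation exists. Also consider whether `similar` is the right relation type between a campaign and an actor; if the galaxy schema offers an attribution-style type, it would describe this edge more accurately.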
From: Deborah Servili
Date: Mon, 4 Mar 2019 16:34:52 +0100
Subject: [PATCH 4/9] add ref for garrantydecrypt
---
 clusters/ransomware.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index f50e82f..44989b6 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -11326,7 +11326,8 @@
 "#RECOVERY_FILES#.txt"
 ],
 "refs": [
- "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/"
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/",
+ "https://www.bleepingcomputer.com/news/security/ransomware-pretends-to-be-proton-security-team-securing-data-from-hackers/"
 ]
 },
 "uuid": "f251740b-1594-460a-a378-371f3a2ae92c",
From eb0a33eab6112db1d1c7c1021d900d48c003c4fc Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 6 Mar 2019 15:52:49 +0100
Subject: [PATCH 5/9] add operation Kabar Cobra
---
 clusters/threat-actor.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ccd9e4c..3a29768 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6404,7 +6404,17 @@
 },
 "uuid": "769aeaa6-d193-4e90-a818-d74c6ff7b845",
 "value": "STOLEN PENCIL"
+ },
+ {
+ "meta": {
+ "refs": [
+ "http://download.ahnlab.com/kr/site/library/%5bAnalysis_Report%5dOperation_Kabar_Cobra.pdf",
+ "https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?menu_dist=2&curPage=1&seq=28102"
+ ]
+ },
+ "uuid": "9ba291f2-b107-402d-9083-3128395ff26e",
+ "value": "Operation Kabar Cobra"
 }
 ],
- "version": 95
+ "version": 96
 }
From 7afd311abc39a3e0b55bbd0ee9a3e6420c97dd17 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 7 Mar 2019 15:23:30 +0100
Subject: [PATCH 6/9] add Jokeroo RaaS
---
 clusters/ransomware.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
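Review bot: The new Operation Kabar Cobra entry in the threat-actor hunk has no `description` at all, unlike every other cluster added in this series, so an analyst whose match resolves to this value gets a name and two Korean-language AhnLab links and nothing else. Add at least a one-sentence `description` drawn from the AhnLab report and, if that report supports it, the `country` and `synonyms` meta that neighbouring threat-actor entries carry. The second reference is a paginated news view (`secuNewsView.do?menu_dist=2&curPage=1&seq=28102`) that is likely to rot as the listing changes; the PDF is the durable source, so keep it first and treat the news page as secondary.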
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 44989b6..7c124ce 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -11760,7 +11760,20 @@
 },
 "uuid": "53da7991-62b7-4fe2-af02-447a0734f41d",
 "value": "Princess Evolution"
+ },
+ {
+ "description": "A new Ransomware-as-a-Service called Jokeroo is being promoted on underground hacking sites and via Twitter that allows affiliates to allegedly gain access to a fully functional ransomware and payment server.\nAccording to a malware researcher named Damian, the Jokeroo RaaS first started promoting itself as a GandCrab Ransomware RaaS on the underground hacking forum Exploit.in. ",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/jokeroo-ransomware-as-a-service-offers-multiple-membership-packages/"
+ ],
+ "synonyms": [
+ "Fake GandCrab"
+ ]
+ },
+ "uuid": "8cfa694b-3e6b-410a-828f-037d981870b2",
+ "value": "Jokeroo"
 }
 ],
- "version": 53
+ "version": 54
 }
From ee034babba06ba2223d36e02b72bc6214803852b Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 8 Mar 2019 14:39:34 +0100
Subject: [PATCH 7/9] add SLUB backdoor
---
 clusters/backdoor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/backdoor.json b/clusters/backdoor.json
index 76fe3dc..0738f6c 100644
--- a/clusters/backdoor.json
+++ b/clusters/backdoor.json
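Review bot: `"Fake GandCrab"` is added as a synonym, but the description itself only says Jokeroo initially advertised itself as a GandCrab RaaS; no source visible here uses "Fake GandCrab" as a name, so any tooling that expands synonyms for matching will start tagging unrelated text. Drop the invented synonym, or if the relationship must be captured, express it as a `related` link to the GandCrab cluster with an appropriate estimative-language tag. The description string also ends with a trailing space (`Exploit.in. "`), which should be trimmed.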
@@ -61,6 +61,16 @@
 },
 "uuid": "0ae6636e-87e4-4b4c-a1c8-e14e1cab964f",
 "value": "Rising Sun"
+ },
+ {
+ "description": "A new backdoor was observed using the Github Gist service and the Slack messaging system as communication channels with its masters, as well as targeting a very specific type of victim using a watering hole attack.\nThe backdoor dubbed SLUB by the Trend Micro Cyber Safety Solutions Team who detected it in the wild is part of a multi-stage infection process designed by capable threat actors who programmed it in C++.\nSLUB uses statically-linked curl, boost, and JsonCpp libraries for performing HTTP request, \"extracting commands from gist snippets,\" and \"parsing Slack channel communication.\"\nThe campaign recently observed by the Trend Micro security researchers abusing the Github and Slack uses a multi-stage infection process.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/new-slub-backdoor-uses-slack-github-as-communication-channels/"
+ ]
+ },
+ "uuid": "a4757e11-0837-42c0-958a-7490cff58687",
+ "value": "SLUB"
 }
 ],
 "version": 5
From 2815e486105c2ffd478e50e185d1acd86de63f5f Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 8 Mar 2019 15:57:30 +0100
Subject: [PATCH 8/9] add StealthWorker malware
---
 clusters/tool.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/tool.json b/clusters/tool.json
index 7fe9fe4..d618d80 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
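Review bot: This hunk adds a new cluster to backdoor.json but leaves `"version": 5` as an unchanged context line, whereas the Rising Sun addition earlier in this series bumped the version; galaxy consumers that poll the version field to decide whether to re-import will silently miss the new SLUB entry. Bump it to `"version": 6`. The entry's only reference is a BleepingComputer article summarising Trend Micro's research; the primary write-up, `"https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/"`, is already cited by the tool.json SLUB Backdoor entry touched in the last patch of this series, so add it to `refs` here too.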
@@ -7552,6 +7552,16 @@
 },
 "uuid": "78ed653d-2d76-4a99-849e-1509e4573c32",
 "value": "BabyShark"
+ },
+ {
+ "description": "Hackers are running a new campaign which drops the StealthWorker brute-force malware on Windows and Linux machines that end up being used to brute force other computers in a series of distributed brute force attacks.\nAs unearthed by FortiGuard Labs' Rommel Joven, the StealthWorker Golang-based brute forcer (also known as GoBrut) discovered by Malwarebytes at the end of February is actively being used to target and compromise multiple platforms.\nStealthWorker was previously connected to a number of compromised Magento-powered e-commerce websites on which attackers infiltrated skimmers designed to exfiltrate both payment and personal information.\nAs later discovered, the malware is capable of exploiting a number of vulnerabilities in to infiltrate Magento, phpMyAdmin, and cPanel Content Management Systems (CMSs), as well as brute force its way in if everything else fails.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/stealthworker-malware-uses-windows-linux-bots-to-hack-websites/"
+ ]
+ },
+ "uuid": "f0fc5ab9-4973-42b3-a2f6-25ff551b5566",
+ "value": "StealthWorker"
 }
 ],
 "version": 111
From 7576d0db026c8a5cfcd1ebf43308ee9f50b93408 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 11 Mar 2019 09:01:12 +0100
Subject: [PATCH 9/9] relations between SLUB Backdoor
---
 clusters/backdoor.json | 9 +++++++++
 clusters/tool.json | 9 +++++++++
 2 files changed, 18 insertions(+)
diff --git a/clusters/backdoor.json b/clusters/backdoor.json
index 0738f6c..4bb7a60 100644
--- a/clusters/backdoor.json
+++ b/clusters/backdoor.json
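Review bot: The description states StealthWorker is "also known as GoBrut", but the entry carries no `synonyms`, so any lookup by that name will miss this cluster; add `"synonyms": ["GoBrut"]` under `meta`. As in the SLUB hunk, `"version": 111` is left unchanged here while a new cluster is added, so the version should be bumped. The FortiGuard and Malwarebytes analyses that the description credits are not linked, and the single BleepingComputer reference is a secondary summary, so the primary write-ups belong in `refs` as well.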
@@ -69,6 +69,15 @@
 "https://www.bleepingcomputer.com/news/security/new-slub-backdoor-uses-slack-github-as-communication-channels/"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "bb6492fa-36b5-4f4a-a787-e718e7f9997f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
 "uuid": "a4757e11-0837-42c0-958a-7490cff58687",
 "value": "SLUB"
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index 8e2f81a..d713f87 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7570,6 +7570,15 @@
 "https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a4757e11-0837-42c0-958a-7490cff58687",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
 "uuid": "bb6492fa-36b5-4f4a-a787-e718e7f9997f",
 "value": "SLUB Backdoor"
 }
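Review bot: Both hunks here cross-link `SLUB` (backdoor.json, `a4757e11-…`) and `SLUB Backdoor` (tool.json, `bb6492fa-…`) as `similar` with `likelihood-probability="likely"`, yet both entries describe the same Trend Micro-reported malware (the tool.json entry cites the primary Trend Micro article, the backdoor.json one a summary of it), so this encodes a duplicate as an uncertain relation instead of resolving it. Prefer one canonical entry with the other name listed under its `synonyms`, or if both clusters must remain, use the strongest estimative-language level the project applies to same-object links and add each value to the other's `synonyms` so matching is symmetric. The tool.json entry begins before this hunk, so I cannot see whether it already carries a `synonyms` list.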