Merge branch 'intezer-fix/reports'

clusters/banker.json

@@ -89,7 +89,8 @@
           "https://feodotracker.abuse.ch/"
         ],
         "synonyms": [
-          "Feodo Version D"
+          "Feodo Version D",
+          "Cridex"
         ]
       },
       "related": [
@@ -589,7 +590,8 @@
         ],
         "synonyms": [
           "Qbot ",
-          "Pinkslipbot"
+          "Pinkslipbot",
+          "Akbot"
         ]
       },
       "related": [
@@ -1179,6 +1181,16 @@
       ],
       "uuid": "2fafe8b2-b0db-11e8-a81e-4b62ee50bd87",
       "value": "CamuBot"
+    },
+    {
+      "description": "Dark Tequila has primarily been designed to steal victims’ financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.",
+      "meta": {
+        "refs": [
+          "https://thehackernews.com/2018/08/mexico-banking-malware.html"
+        ]
+      },
+      "uuid": "fa574138-a3bd-4ebc-a5f7-3b465df7106f",
+      "value": "Dark Tequila"
     }
   ],
   "version": 16

clusters/exploit-kit.json

@@ -172,7 +172,9 @@
         "status": "Active",
         "synonyms": [
           "Popads EK",
-          "TopExp"
+          "TopExp",
+          "Magniber",
+          "Magnitude EK"
         ]
       },
       "uuid": "6a313e11-5bb2-40ed-8cde-9de768b783b1",

clusters/mitre-enterprise-attack-tool.json

@@ -509,7 +509,8 @@
         "external_id": "S0120",
         "refs": [
           "https://attack.mitre.org/wiki/Software/S0120",
-          "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
+          "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf",
+          "https://www.aldeid.com/wiki/FGDump"
         ],
         "synonyms": [
           "Fgdump"

clusters/ransomware.json

@@ -7951,6 +7951,9 @@
           "http://forum.malekal.com/jobcrypter-geniesanstravaille-extension-locked-crypto-ransomware-t54381.html",
           "https://twitter.com/malwrhunterteam/status/828914052973858816",
           "http://id-ransomware.blogspot.com/2016/05/jobcrypter-ransomware.html"
+        ],
+        "synonyms": [
+          "JobCrypter"
         ]
       },
       "uuid": "7c9a273b-1534-4a13-b201-b7a782b6c32a",
@@ -11193,9 +11196,15 @@
       "meta": {
         "payment-method": "Bitcoin",
         "price": "0.05 (300 $)",
+        "ransomnotes": [
+          "https://www.welivesecurity.com/wp-content/uploads/2017/10/mbr_cut.png"
+        ],
         "refs": [
           "http://blog.talosintelligence.com/2017/10/bad-rabbit.html",
-          "https://id-ransomware.blogspot.com/2017/10/badrabbit-ransomware.html"
+          "https://id-ransomware.blogspot.com/2017/10/badrabbit-ransomware.html",
+          "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
+          "https://securelist.com/bad-rabbit-ransomware/82851/",
+          "http://www.intezer.com/notpetya-returns-bad-rabbit/"
         ],
         "synonyms": [
           "BadRabbit",
@@ -13637,6 +13646,45 @@
       "uuid": "21b349c3-ede2-4e11-abda-1444eb272eff",
       "value": "Clop"
     },
+    {
+      "description": "A new infection is being distributed by porn sites that tries to blackmail a victim into paying a ransom by stating they will tell law enforcement that the victim is spreading child porn. This is done by collecting information about the user, including screen shots of their active desktop, in order to catch them in compromising situations.",
+      "meta": {
+        "ransomnotes": [
+          "https://www.bleepstatic.com/images/news/malware/b/blackmailware/pornblackmailer/ransom-note.jpg"
+        ],
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/blackmailware-found-on-porn-site-threatens-to-report-users-are-spreading-child-porn/"
+        ]
+      },
+      "uuid": "a1a730e2-f1a4-4d7b-9930-80529cd97f3c",
+      "value": "PornBlackmailer"
+    },
+    {
+      "description": "This crypto-extortioner encrypts user data using AES, and then requires a $ 30- $ 50- $ 80 buy-  back to BTC to return the files. The name is original. Written on AutoIt.",
+      "meta": {
+        "ransomnotes": [
+          "Your files has been safely encrypted\n---\nEncrypted files: 276\n**********\n---\n[Buy Bitcoins] [Decrypt Files] (Decryptionkey)\n---\nThe only way you can recover your files is to buy a decryption key\nThe payment method is: Bitcoin. The price is: $50 = Bitcoins\nAfter buying the amount of bitcoins send an email\nto king.ouroboros@protonmail.com Your ID: *****\nWe will provide you with payment address and your decryption key.\nYou have 72 Hours to complete the payment otherwise your key will be deleted."
+        ],
+        "refs": [
+          "https://id-ransomware.blogspot.com/2018/06/kingouroboros-ransomware.html"
+        ]
+      },
+      "uuid": "303a07bf-c990-4fbe-ac7d-57b8c3cb29b6",
+      "value": "KingOuroboros"
+    },
+    {
+      "description": "The ransomware appears to target users in Korea, and may have been developed with at least knowledge of the Korean language.",
+      "meta": {
+        "refs": [
+          "https://bartblaze.blogspot.com/2018/08/mafia-ransomware-targeting-users-in.html"
+        ],
+        "synonyms": [
+          "Mafia"
+        ]
+      },
+      "uuid": "9ea6333f-1437-4a57-8acc-d73019378ef2",
+      "value": "MAFIA Ransomware"
+    },
     {
       "description": "The cybercrime group that brought us Satan, DBGer and Lucky ransomware and perhaps Iron ransomware, has now come up with a new version or rebranding named 5ss5c. [...] It will however only encrypt files with the following extensions: 7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip",
       "meta": {

clusters/rat.json

@@ -3350,6 +3350,9 @@
       "meta": {
         "refs": [
           "https://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks"
+        ],
+        "synonyms": [
+          "Parasite HTTP"
         ]
       },
       "uuid": "1b6a067c-50ba-4aa7-a59b-824e94e210fe",
@@ -3417,6 +3420,16 @@
       "uuid": "1b4a085c-30bb-5aa5-b46a-803e94e010ff",
       "value": "InnfiRAT"
     },
+    {
+      "description": "In the wild since February 2015. The malware comes equipped with a variety of features and can be purchased for $50 directly from the author. It has been deployed in attacks against organizations across many industries and is predominantly delivered via phishing emails.",
+      "meta": {
+        "refs": [
+          "https://researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/"
+        ]
+      },
+      "uuid": "b3cfd21f-b637-42ff-b118-2803630b718a",
+      "value": "KeyBase"
+    },
     {
       "description": "Apparently existing since 2018",
       "meta": {

clusters/threat-actor.json

@@ -5151,16 +5151,22 @@
         "refs": [
           "https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/",
           "https://www.cfr.org/interactive/cyber-operations/kimsuky",
-          "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html"
+          "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html",
+          "https://youtu.be/hAsKp43AZmM?t=1027",
+          "https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1",
+          "https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia",
+          "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
+          "https://attack.mitre.org/groups/G0086/"
         ],
         "synonyms": [
-          "Kimsuky",
           "Velvet Chollima",
-          "Black Banshee"
+          "Black Banshee",
+          "Thallium",
+          "Operation Stolen Pencil"
         ]
       },
       "uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3",
-      "value": "Kimsuki"
+      "value": "Kimsuky"
     },
     {
       "description": "While investigating some of the smaller name servers that APT28/Sofacy routinely use to host their infrastructure, Cylance discovered another prolonged campaign that appeared to exclusively target Japanese companies and individuals that began around August 2016. The later registration style was eerily close to previously registered APT28 domains, however, the malware used in the attacks did not seem to line up at all. During the course of our investigation, JPCERT published this analysis of one of the group’s backdoors. Cylance tracks this threat group internally as ‘Snake Wine’.\nThe Snake Wine group has proven to be highly adaptable and has continued to adopt new tactics in order to establish footholds inside victim environments. The exclusive interest in Japanese government, education, and commerce will likely continue into the future as the group is just starting to build and utilize their existing current attack infrastructure.",
@@ -7198,19 +7204,6 @@
       "uuid": "ec3fda76-8c1c-4019-8109-3f92e6b15633",
       "value": "Ratpak Spider"
     },
-    {
-      "description": "ASERT has learned of an APT campaign, possibly originating from DPRK, we are calling STOLEN PENCIL that is targeting academic institutions since at least May 2018.",
-      "meta": {
-        "refs": [
-          "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/",
-          "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
-          "https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia",
-          "https://attack.mitre.org/groups/G0086/"
-        ]
-      },
-      "uuid": "769aeaa6-d193-4e90-a818-d74c6ff7b845",
-      "value": "STOLEN PENCIL"
-    },
     {
       "meta": {
         "refs": [
@@ -7882,6 +7875,32 @@
       "uuid": "feb0cfef-0472-4108-83d7-1a322d8ab86b",
       "value": "APT-C-34"
     },
+    {
+      "description": "Since November 2014, the Golden Rat Organization (APT-C-27) has launched an organized, planned and targeted long-term uninterrupted attack on the Syrian region. The attack platform has gradually expanded from the beginning of the Windows platform to the Android platform.",
+      "meta": {
+        "refs": [
+          "https://ti.360.net/blog/articles/analysis-of-apt-c-27/",
+          "http://csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf"
+        ],
+        "since": "2014",
+        "synonyms": [
+          "APT-C-27"
+        ]
+      },
+      "uuid": "790cc0e7-4132-4e41-9b6c-11ff757400c0",
+      "value": "Golden RAT"
+    },
+    {
+      "description": "Luoxk is a malware campaign targeting web servers throughout Asia, Europe and North America.",
+      "meta": {
+        "refs": [
+          "https://www.systemtek.co.uk/2018/07/luoxk-malware-exploiting-cve-2018-2893/"
+        ],
+        "since": "2017"
+      },
+      "uuid": "69e11692-691e-4bfb-9557-4e2a271684ed",
+      "value": "luoxk"
+    },
     {
       "description": "The activities of some non-governmental organizations (NGOs) challenge governments on politically sensitive issues such as social, humanitarian, and environmental policies. As a result, these organizations are often exposed to increased government-directed threats aimed at monitoring their activities, discrediting their work, or stealing their intellectual property. BRONZE PRESIDENT is a likely People's Republic of China (PRC)-based targeted cyberespionage group that uses both proprietary and publicly available tools to target NGO networks. Secureworks® Counter Threat Unit (CTU) researchers have observed BRONZE PRESIDENT activity since mid-2018 but identified artifacts suggesting that the threat actors may have been conducting network intrusions as far back as 2014.",
       "meta": {

clusters/tool.json

@@ -7916,6 +7916,26 @@
       "uuid": "a0736351-1721-42ed-a057-19b4b93b585e",
       "value": "NBTScan"
     },
+    {
+      "description": "PowerGhost is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers. This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker’s profits. Therefore, it’s not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malware’s proliferation. The creators of PowerGhost, however, went further and started using fileless techniques to establish the illegal miner within the victim system.",
+      "meta": {
+        "refs": [
+          "https://securelist.com/a-mining-multitool/86950/"
+        ]
+      },
+      "uuid": "92480988-82ad-4e1c-af5f-71c85f9ab809",
+      "value": "PowerGhost"
+    },
+    {
+      "description": "Check Point researchers have found another wave of the Ursnif malspam campaign targeting Italy. Only a few details are known so far but what we have found is that the file delivered is a VBE file (encoded VBS) named “SCANSIONE.vbe” and is delivered via ZIP attachments in emails with the subject suggesting different documents in Italian.",
+      "meta": {
+        "refs": [
+          "https://research.checkpoint.com/vbetaly/"
+        ]
+      },
+      "uuid": "10c0d60b-c9c1-474c-8594-11b5d82c6498",
+      "value": "VBEtaly"
+    },
     {
       "description": "ZeroCleare was used to execute a destructive attack that affected organizations in the energy and industrial sectorsin the Middle East. Based on the analysis of the malware and the attackers’ behavior, we suspect Iran-based nation state adversaries were involved to develop and deploy this new wiper. ",
       "meta": {