From 113599bb24b02054881fe698a3674949b124eab6 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 10 Apr 2018 15:15:08 +0200
Subject: [PATCH 1/2] add LockCrypt ransomware
---
 clusters/ransomware.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 4e42b805..d4f7b61a 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -9426,12 +9426,22 @@
 ]
 },
 "uuid": "2239b3ca-3c9b-11e8-873e-53608d51ee71"
+ },
+ {
+ "value": "LockCrypt",
+ "description": "LockCrypt is an example of yet another simple ransomware created and used by unsophisticated attackers. Its authors ignored well-known guidelines about the proper use of cryptography. The internal structure of the application is also unprofessional. Sloppy, unprofessional code is pretty commonplace when ransomware is created for manual distribution. Authors don’t take much time preparing the attack or the payload. Instead, they’re rather focused on a fast and easy gain, rather than on creating something for the long run. Because of this, they could easily be defeated.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/lockcrypt-ransomware-cracked-due-to-bad-crypto/"
+ ]
+ },
+ "uuid": "ac070e9a-3cbe-11e8-9f9d-839e888f2340"
 }
 ],
 "source": "Various",
 "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
 "name": "Ransomware",
- "version": 13,
+ "version": 14,
 "type": "ransomware",
 "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
 }
From c77359715526f1a1fac69f6a2fdd7f9436dbe38d Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 10 Apr 2018 15:56:27 +0200
Subject: [PATCH 2/2] add GoScanSSH tool
---
 clusters/tool.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index e7c9b580..9dfc8f78 100644
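Review bot: The LockCrypt `"description"` line in the added block is editorial commentary carried over from the write-up ("Sloppy, unprofessional code", "could easily be defeated") and omits the one fact a defender consulting this cluster needs, which the cited reference's own title states: the encryption was broken, so affected files may be recoverable. I would replace the opinion sentences with a short factual summary such as `LockCrypt is a ransomware family distributed manually by its operators; flaws in its use of cryptography allowed researchers to decrypt affected files (see refs).`, keeping the claim no stronger than the reference supports. If the source lists file extensions, ransom-note names or aliases, record them in the `meta.extensions`, `meta.ransomnotes` and `meta.synonyms` fields that other entries in this galaxy use, so the entry is matchable and not just narrative. The typographic apostrophes in `don’t` and `they’re` are valid UTF-8 JSON, but normalising them to ASCII `'` avoids a mix of quote styles if the rest of the file uses ASCII.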
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -11,7 +11,7 @@
 ],
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
- "version": 61,
+ "version": 62,
 "values": [
 {
 "meta": {
@@ -4115,6 +4115,17 @@
 ]
 },
 "uuid": "b5112fe0-38b6-11e8-af9f-6381b5e5403f"
+ },
+ {
+ "value": "GoScanSSH",
+ "description": "During a recent Incident Response (IR) engagement, Talos identified a new malware family that was being used to compromise SSH servers exposed to the internet. This malware, which we have named GoScanSSH, was written using the Go programming language, and exhibited several interesting characteristics. This is not the first malware family that Talos has observed that was written using Go. However, it is relatively uncommon to see malware written in this programming language. In this particular case, we also observed that the attacker created unique malware binaries for each host that was infected with the GoScanSSH malware. Additionally, the GoScanSSH command and control (C2) infrastructure was observed leveraging the Tor2Web proxy service in an attempt to make tracking the attacker-controlled infrastructure more difficult and resilient to takedowns. ",
+ "meta": {
+ "refs": [
+ "http://blog.talosintelligence.com/2018/03/goscanssh-analysis.html",
+ "https://www.bleepingcomputer.com/news/security/goscanssh-malware-avoids-government-and-military-servers/"
+ ]
+ },
+ "uuid": "8c0a7e1e-3cc4-11e8-8f03-2f71e72f737b"
 }
 ]
 }
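Review bot: The added GoScanSSH `"description"` string ends with a trailing space before the closing quote (`takedowns. "`), and its text is Talos's first-person incident narrative ("During a recent Incident Response (IR) engagement", "we have named") rather than a description of the tool. Trim the whitespace and restate it in the third person while keeping the substance, roughly `GoScanSSH is a Go-written malware family, identified by Talos, that compromises SSH servers exposed to the internet; each infected host received a unique binary, and its C2 infrastructure was reached through the Tor2Web proxy service.` The per-host-unique-binary detail deserves to stay prominent, since it means hash-based matching against this entry will be unreliable and reducing internet exposure of SSH is the practical control the description supports. The first ref uses `http://`; if the Talos blog is served over HTTPS (it appears to be), `https://` avoids a plaintext hop before the redirect.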