Merge pull request #190 from Delta-Sierra/master

add LockCrypt ransomware & GoScanSSH tool
Deborah Servili 2018-04-10 16:29:17 +02:00 committed by GitHub
commit 0eabb833de
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 23 additions and 2 deletions


@ -9426,12 +9426,22 @@
] ]
}, },
"uuid": "2239b3ca-3c9b-11e8-873e-53608d51ee71" "uuid": "2239b3ca-3c9b-11e8-873e-53608d51ee71"
},
{
"value": "LockCrypt",
"description": "LockCrypt is an example of yet another simple ransomware created and used by unsophisticated attackers. Its authors ignored well-known guidelines about the proper use of cryptography. The internal structure of the application is also unprofessional. Sloppy, unprofessional code is pretty commonplace when ransomware is created for manual distribution. Authors dont take much time preparing the attack or the payload. Instead, theyre rather focused on a fast and easy gain, rather than on creating something for the long run. Because of this, they could easily be defeated.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/lockcrypt-ransomware-cracked-due-to-bad-crypto/"
]
},
"uuid": "ac070e9a-3cbe-11e8-9f9d-839e888f2340"
} }
], ],
"source": "Various", "source": "Various",
"uuid": "10cf658b-5d32-4c4b-bb32-61760a640372", "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
"name": "Ransomware", "name": "Ransomware",
"version": 13, "version": 14,
"type": "ransomware", "type": "ransomware",
"description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar" "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
} }
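Review bot: The new LockCrypt entry's description (the line starting `"description": "LockCrypt is an example…`) reads as a pasted vendor write-up with its apostrophes dropped (`dont`, `theyre`) and gives a consumer nothing to match on — no file extension, ransom-note name, or even a statement of the crypto weakness that the single cited article is about. I would restore the contractions (`don't`, `they're`) and add one sentence limited to what the reference supports, e.g. `Per the linked BleepingComputer article, the encryption scheme was weak enough for the ransomware to be cracked and files recovered without paying.`. If the prose is quoted from a write-up other than the listed BleepingComputer link, that source belongs in `refs` too. If other ransomware entries in this galaxy carry `extensions` / `ransomnotes` keys under `meta` (not visible in this hunk), the new entry should follow the same shape so tooling that keys on those fields sees it.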


@ -11,7 +11,7 @@
], ],
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
"version": 61, "version": 62,
"values": [ "values": [
{ {
"meta": { "meta": {
@ -4115,6 +4115,17 @@
] ]
}, },
"uuid": "b5112fe0-38b6-11e8-af9f-6381b5e5403f" "uuid": "b5112fe0-38b6-11e8-af9f-6381b5e5403f"
},
{
"value": "GoScanSSH",
"description": "During a recent Incident Response (IR) engagement, Talos identified a new malware family that was being used to compromise SSH servers exposed to the internet. This malware, which we have named GoScanSSH, was written using the Go programming language, and exhibited several interesting characteristics. This is not the first malware family that Talos has observed that was written using Go. However, it is relatively uncommon to see malware written in this programming language. In this particular case, we also observed that the attacker created unique malware binaries for each host that was infected with the GoScanSSH malware. Additionally, the GoScanSSH command and control (C2) infrastructure was observed leveraging the Tor2Web proxy service in an attempt to make tracking the attacker-controlled infrastructure more difficult and resilient to takedowns. ",
"meta": {
"refs": [
"http://blog.talosintelligence.com/2018/03/goscanssh-analysis.html",
"https://www.bleepingcomputer.com/news/security/goscanssh-malware-avoids-government-and-military-servers/"
]
},
"uuid": "8c0a7e1e-3cc4-11e8-8f03-2f71e72f737b"
} }
] ]
} }
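Review bot: The GoScanSSH description is pasted in the vendor's first-person voice (`During a recent Incident Response (IR) engagement, Talos identified…`, `which we have named`) and the string literal ends with a trailing space, which will be carried into every export of this galaxy. I would trim the trailing space and rewrite the opening in third person with a date anchor, since `recent` says nothing in a static cluster: `GoScanSSH is a Go-written malware family, reported by Cisco Talos in March 2018, that compromises SSH servers exposed to the internet.` (the date is taken from the Talos URL path in `refs`). The per-host unique binaries and the Tor2Web-proxied C2 are the operationally useful points in the text and should stay; since each infected host reportedly gets its own binary, it may be worth stating explicitly that file hashes are unlikely to generalise as indicators, if the cited analysis bears that out.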