diff --git a/README.md b/README.md index 30bff4a0..a04ab83c 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,7 @@ to localized information (which is not shared) or additional information (that c - [clusters/android.json](clusters/android.json) - Android malware galaxy based on multiple open sources. - [clusters/banker.json](clusters/banker.json) - A list of banker malware. - [clusters/stealer.json](clusters/stealer.json) - A list of malware stealer. +- [clusters/backdoor.json](clusters/backdoor.json) - A list of backdoor malware. - [clusters/botnet.json](clusters/botnet.json) - A list of known botnets. - [clusters/branded_vulnerability.json](clusters/branded_vulnerability.json) - List of known vulnerabilities and exploits. - [clusters/exploit-kit.json](clusters/exploit-kit.json) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years. diff --git a/clusters/backdoor.json b/clusters/backdoor.json new file mode 100644 index 00000000..c0d2adb5 --- /dev/null +++ b/clusters/backdoor.json @@ -0,0 +1,24 @@ +{ + "uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf", + "description": "A list of backdoor malware.", + "source": "Open Sources", + "version": 1, + "values": [ + { + "meta": { + "date": "July 2018.", + "refs": [ + "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html" + ] + }, + "description": "Cross-platform malware written in Golang, compatible with Linux and Windows. Although there are some minor differences, both variants have the same functionality. The malware communicates with a CnC server using HTTP requests and performs functions based on the received commands. Results of command execution are sent in HTTP POST requests data (RSA-encrypted). Main functionalities are: (1) Execute arbitrary shell commands, (2) Upload/Download files. The PE variant of the infection, in addition, executes PowerShell scripts. A .Net version was also observed in the wild.", + "value": "WellMess", + "uuid": "e0e79fab-0f1d-4fc2-b424-208cb019a9cd" + } + ], + "authors": [ + "raw-data" + ], + "type": "backdoor", + "name": "Backdoor" +} diff --git a/galaxies/backdoor.json b/galaxies/backdoor.json new file mode 100644 index 00000000..6504c9c0 --- /dev/null +++ b/galaxies/backdoor.json @@ -0,0 +1,9 @@ +{ + "description": "Malware Backdoor galaxy.", + "type": "backdoor", + "version": 1, + "name": "Backdoor", + "icon": "door-open", + "uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf", + "namespace": "misp" +}