Merge pull request #272 from Delta-Sierra/master

New clusters based on CIG Circular 66 – FASTCash ATM Cash Out Campaign
2018-10-03 16:38:33 +02:00 · 2018-10-03 16:38:33 +02:00 · 123099cd6d
parent 63b777fc9e 4d68b1c205
commit 123099cd6d
3 changed files with 46 additions and 3 deletions
--- a/clusters/rat.json
+++ b/clusters/rat.json
@ -2923,7 +2923,22 @@
      },
      "uuid": "f6447046-f4e8-4977-9cc3-edee74ff0038",
      "value": "Hallaj PRO RAT"
+    },
+    {
+      "value": "NukeSped",
+      "description": "This threat can install other malware on your PC, including Trojan:Win32/NukeSped.B!dha and Trojan:Win32/NukeSped.C!dha. It can show you a warning message that says your files will be made publically available if you don't follow the malicious hacker's commands. \n",
+      "meta": {
+        "refs": [
+          "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~NukeSped-Z.aspx",
+          "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win64/NukeSped&ThreatID=-2147238204",
+          "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/NukeSped!bit&ThreatID=-2147238152",
+          "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/NukeSped",
+          "https://malwarefixes.com/threats/win32nukesped/",
+          "https://www.alienvault.com/forums/discussion/17301/alienvault-labs-threat-intelligence-update-for-usm-anywhere-march-25-march-31-2018"
+        ]
+      },
+      "uuid": "5d0369ee-c718-11e8-b328-035ed1bdca07"
    }
  ],
-  "version": 16
+  "version": 17
 }
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -5901,7 +5901,21 @@
        ]
      },
      "uuid": "dda1b28e-c558-11e8-8666-27cf61d1d7ee"
+    },
+    {
+      "value": "FASTCash",
+      "description": "Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash. FASTCash has been active since late 2016 targeting banks in Africa and Asia to remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, primarily involving ATMs, to steal cash equivalent to tens of millions of dollars. FBI has attributed malware used in this campaign to the North Korean government. We expect FASTCash to continue targeting retail payment systems vulnerable to remote exploitation.",
+      "uuid": "e38d32a2-c708-11e8-8785-472c4cfccd85",
+      "related": [
+        {
+          "dest-uuid": "e306fe62-c708-11e8-89f2-073e396e5403",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        }
+      ]
    }
  ],
-  "version": 67
+  "version": 68
 }
--- a/clusters/tool.json
+++ b/clusters/tool.json
@ -5849,7 +5849,21 @@
        ]
      },
      "uuid": "55d29d1c-c550-11e8-9904-47c1d86af7c5"
+    },
+    {
+      "value": "FASTCash",
+      "description": "Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash. FASTCash has been active since late 2016 targeting banks in Africa and Asia to remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, primarily involving ATMs, to steal cash equivalent to tens of millions of dollars. FBI has attributed malware used in this campaign to the North Korean government. We expect FASTCash to continue targeting retail payment systems vulnerable to remote exploitation.",
+      "uuid": "e306fe62-c708-11e8-89f2-073e396e5403",
+      "related": [
+        {
+          "dest-uuid": "e38d32a2-c708-11e8-8785-472c4cfccd85",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        }
+      ]
    }
  ],
-  "version": 89
+  "version": 90
 }