From 3dfe8a5a34f00fbba320a4dbacb5617b1f919a66 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 3 Oct 2018 15:09:14 +0200
Subject: [PATCH 1/2] add FASTCash
---
 clusters/threat-actor.json | 16 +++++++++++++++-
 clusters/tool.json | 16 +++++++++++++++-
 2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8934153..2958d02 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5901,7 +5901,21 @@
 ]
 },
 "uuid": "dda1b28e-c558-11e8-8666-27cf61d1d7ee"
+ },
+ {
+ "value": "FASTCash",
+ "description": "Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash. FASTCash has been active since late 2016 targeting banks in Africa and Asia to remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, primarily involving ATMs, to steal cash equivalent to tens of millions of dollars. FBI has attributed malware used in this campaign to the North Korean government. We expect FASTCash to continue targeting retail payment systems vulnerable to remote exploitation.",
+ "uuid": "e38d32a2-c708-11e8-8785-472c4cfccd85",
+ "related": [
+ {
+ "dest-uuid": "e306fe62-c708-11e8-89f2-073e396e5403",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ]
 }
 ],
- "version": 67
+ "version": 68
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index f0991b9..90386e7 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
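Review bot: The new FASTCash entry carries no `meta.refs`, so the text it quotes (it reads as a US Treasury statement: "Treasury has identified…", "we are calling", "We expect") is uncited, whereas the NukeSped entry in the second patch does list its sources; add `"meta": { "refs": [ "<URL of the Treasury statement the text is taken from>" ] }` after `"description"` and rephrase the description in the third person so the galaxy does not speak in Treasury's voice. The identical entry added to clusters/tool.json in the next hunk has the same gap, and a verbatim copy of one description in two clusters will drift over time; the tool.json entry should describe the malware the campaign used, as far as the source supports that, rather than repeat the campaign summary. FASTCash is described here as a campaign rather than an actor, so this threat-actor entry may be better expressed as a related link to the actor the description attributes it to than as a standalone actor — worth confirming against how the cluster handles other campaigns.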
@@ -5839,7 +5839,21 @@
 ]
 },
 "uuid": "55d29d1c-c550-11e8-9904-47c1d86af7c5"
+ },
+ {
+ "value": "FASTCash",
+ "description": "Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash. FASTCash has been active since late 2016 targeting banks in Africa and Asia to remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, primarily involving ATMs, to steal cash equivalent to tens of millions of dollars. FBI has attributed malware used in this campaign to the North Korean government. We expect FASTCash to continue targeting retail payment systems vulnerable to remote exploitation.",
+ "uuid": "e306fe62-c708-11e8-89f2-073e396e5403",
+ "related": [
+ {
+ "dest-uuid": "e38d32a2-c708-11e8-8785-472c4cfccd85",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ]
 }
 ],
- "version": 89
+ "version": 90
 }
From 4d68b1c20598e1f1db4be5989103c9ad4734212d Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 3 Oct 2018 16:28:50 +0200
Subject: [PATCH 2/2] add NukeSped
---
 clusters/rat.json | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/clusters/rat.json b/clusters/rat.json
index 17f266b..f009463 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -2923,7 +2923,22 @@
 },
 "uuid": "f6447046-f4e8-4977-9cc3-edee74ff0038",
 "value": "Hallaj PRO RAT"
+ },
+ {
+ "value": "NukeSped",
+ "description": "This threat can install other malware on your PC, including Trojan:Win32/NukeSped.B!dha and Trojan:Win32/NukeSped.C!dha. It can show you a warning message that says your files will be made publically available if you don't follow the malicious hacker's commands. \n",
+ "meta": {
+ "refs": [
+ "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~NukeSped-Z.aspx",
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win64/NukeSped&ThreatID=-2147238204",
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/NukeSped!bit&ThreatID=-2147238152",
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/NukeSped",
+ "https://malwarefixes.com/threats/win32nukesped/",
+ "https://www.alienvault.com/forums/discussion/17301/alienvault-labs-threat-intelligence-update-for-usm-anywhere-march-25-march-31-2018"
+ ]
+ },
+ "uuid": "5d0369ee-c718-11e8-b328-035ed1bdca07"
 }
 ],
- "version": 16
+ "version": 17
 }
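Review bot: The added `"description"` ends with `commands. \n` — a trailing space and an escaped newline inside the string value — which will surface as a stray line break wherever the text is rendered and does not match the neighbouring entries; trim it to end at `...the malicious hacker's commands."`. The wording is also lifted from a vendor encyclopedia page ("your PC", "show you a warning message"), so it addresses an end user rather than describing the RAT; a third-person summary of what the entry is (a backdoor/trojan family, as the ref URLs name it) would fit the cluster better. Key order in the new entry (`value`, `description`, `meta`, `uuid`) differs from the preceding entry (`uuid`, then `value`), which parsers do not care about but which adds diff noise if the repository's normaliser does not reorder keys — worth checking.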