add macOS malware

pull/146/head
Deborah Servili 2018-01-11 15:19:18 +01:00
parent 80d4fd0164
commit 130ad39d4c
5 changed files with 124 additions and 9 deletions

View File

@ -493,9 +493,18 @@
"https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season"
]
}
},
{
"value": "Dok",
"description": "A macOS banking trojan that that redirects an infected user's web traffic in order to extract banking credentials.",
"meta": {
"refs": [
"https://objective-see.com/blog/blog_0x25.html#Dok"
]
}
}
],
"version": 5,
"version": 6,
"uuid": "59f20cce-5420-4084-afd5-0884c0a83832",
"description": "A list of banker malware.",
"authors": [
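Review bot: The Dok description has a doubled word: "A macOS banking trojan that that redirects ..." should read "that redirects". The other entries added in this commit carry a "date" in meta (for example "date": "June 2017" on MacRansom), while Dok has none; add "date": "2017" so the banker entry is consistent with the rest of the additions.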

View File

@ -8683,12 +8683,36 @@
"As you may have already noticed, all your important files are encrypted and you no longer have access to them. A unique key has been generated specifically for this PC and two very strong encryption algorithm was applied in that process. Original content of your files are wiped and overwritten with encrypted data so it cannot be recovered using any conventional data recovery tool.\n\nThe good news is that there is still a chance to recover your files, you just need to have the right key.\n\nTo obtain the key, visit our website from the menu above. You have to be fast, after 96 hours the key will be blocked and all your files will remain permanently encrypted since no one will be able to recover them without the key!\n\nRemember, do not try anything stupid, the program has several security measures to delete all your files and cause the damage to your PC.\n\nTo avoid any misunderstanding, please read Help section."
]
}
},
{
"value": "FileCoder",
"description": "A barely functional piece of macOS ransomware, written in Swift.",
"meta": {
"date": "Febuary 2017",
"refs": [
"https://objective-see.com/blog/blog_0x25.html#FileCoder"
],
"synonyms": [
"FindZip",
"Patcher"
]
}
},
{
"value": "MacRansom",
"description": "A basic piece of macOS ransomware, offered via a 'malware-as-a-service' model.",
"meta": {
"date": "June 2017",
"refs": [
"https://objective-see.com/blog/blog_0x25.html"
]
}
}
],
"source": "Various",
"uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
"name": "Ransomware",
"version": 5,
"version": 6,
"type": "ransomware",
"description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
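Review bot: "date": "Febuary 2017" in the FileCoder entry is misspelled; it should be "February 2017". The MacRansom ref points at the bare post "https://objective-see.com/blog/blog_0x25.html", whereas FileCoder uses the per-section anchor "#FileCoder"; use the matching section anchor for MacRansom too so the reference lands on the relevant section rather than the top of a long page.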
}

View File

@ -2078,11 +2078,12 @@
}
},
{
"description": "MacSpy is advertised as the \"most sophisticated Mac spyware ever\", with the low starting price of free. While the idea of malware-as-a-service (MaaS) isnt a new one with players such as Tox and Shark the game, it can be said that MacSpy is one of the first seen for the OS X platform.",
"description": "Standard macOS backdoor, offered via a 'malware-as-a-service' model. MacSpy is advertised as the \"most sophisticated Mac spyware ever\", with the low starting price of free. While the idea of malware-as-a-service (MaaS) isnt a new one with players such as Tox and Shark the game, it can be said that MacSpy is one of the first seen for the OS X platform.",
"value": "MacSpy",
"meta": {
"refs": [
"https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service"
"https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service",
"https://objective-see.com/blog/blog_0x25.html"
],
"date": "2017"
}
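Review bot: The added ref "https://objective-see.com/blog/blog_0x25.html" has no section anchor, unlike the "#Dok" / "#FileCoder" style used elsewhere in this commit; add the MacSpy anchor. Since the description line is being rewritten anyway, the pre-existing "isnt" should become "isn't", and the new lead sentence "Standard macOS backdoor, offered via a 'malware-as-a-service' model." duplicates the MaaS point made two sentences later; one mention is enough.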

View File

@ -2244,6 +2244,16 @@
},
"description": "In less than two years, this group has conducted over 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia. The group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US). Given the wide usage of STAR in LATAM, financial institutions in LATAM could have particular exposure to a potential interest from the MoneyTaker group.",
"value": "MoneyTaker"
},
{
"value": "",
"description": "Were already used to the fact that complex cyberattacks use 0-day vulnerabilities, bypassing digital signature checks, virtual file systems, non-standard encryption algorithms and other tricks. Sometimes, however, all of this may be done in much simpler ways, as was the case in the malicious campaign that we detected a while ago we named it Microcin after microini, one of the malicious components used in it.",
"meta": {
"refs": [
"https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/",
"https://cdn.securelist.com/files/2017/09/Microcin_Technical_4PDF_eng_final_s.pdf"
]
}
}
],
"name": "Threat actor",
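Review bot: "value": "" leaves the new entry without a name, which makes it unusable as a galaxy cluster element (value is the identifier MISP tags and other clusters match on); it should be "Microcin". The description itself says Microcin is the name given to a malicious campaign after the "microini" component, so this reads as a campaign or malware family rather than a threat actor and may belong in the tools/malware cluster instead of "Threat actor". If it stays, the opening "Were" should be "We're" and the text, which is quoted verbatim from the Securelist post, should be marked as such or paraphrased.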

View File

@ -10,7 +10,7 @@
],
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
"version": 46,
"version": 47,
"values": [
{
"meta": {
@ -552,7 +552,8 @@
"Rootkit"
],
"refs": [
"https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf"
"https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf",
"https://objective-see.com/blog/blog_0x25.html#Snake"
],
"synonyms": [
"Snake",
@ -560,7 +561,7 @@
"Urouros"
]
},
"description": "Family of related sophisticated backdoor software - Name comes from Microsoft detection signature anagram of Ultra (Ultra3) was a name of the fake driver).",
"description": "Family of related sophisticated backdoor software - Name comes from Microsoft detection signature anagram of Ultra (Ultra3) was a name of the fake driver). A macOS version exists but appears incomplete and lacking features...for now!",
"value": "Turla"
},
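Review bot: The sentence appended to the Turla description, "A macOS version exists but appears incomplete and lacking features...for now!", is editorial in tone for a reference description; rephrase neutrally, e.g. "A macOS variant has been observed but appears incomplete.", and let the new "#Snake" ref carry the detail.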
{
@ -1214,10 +1215,11 @@
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/",
"https://app.box.com/s/l7n781ig6n8wlf1aff5hgwbh4qoi5jqq",
"https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
"https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/",
"https://objective-see.com/blog/blog_0x25.html#XAgent"
]
},
"description": "This backdoor component is known to have a modular structure featuring various espionage functionalities, such as key-logging, screen grabbing and file exfiltration. This component is available for Osx, Windows, Linux and iOS operating systems.\n\nXagent is a modular backdoor with spying functionalities such as keystroke logging and file exfiltration. Xagent is the groups flagship backdoor and heavily used in their operations. Early versions for Linux and Windows were seen years ago, then in 2015 an iOS version came out. One year later, an Android version was discovered and finally, in the beginning of 2017, an Xagent sample for OS X was described.",
"description": "APT28's second-stage persistent macOS backdoor. This backdoor component is known to have a modular structure featuring various espionage functionalities, such as key-logging, screen grabbing and file exfiltration. This component is available for Osx, Windows, Linux and iOS operating systems.\n\nXagent is a modular backdoor with spying functionalities such as keystroke logging and file exfiltration. Xagent is the groups flagship backdoor and heavily used in their operations. Early versions for Linux and Windows were seen years ago, then in 2015 an iOS version came out. One year later, an Android version was discovered and finally, in the beginning of 2017, an Xagent sample for OS X was described.",
"value": "X-Agent"
},
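Review bot: Prepending "APT28's second-stage persistent macOS backdoor." narrows X-Agent to macOS, but the very next sentence in the same description says the component is available for OS X, Windows, Linux and iOS. Either make the lead sentence platform-neutral ("APT28's second-stage persistent backdoor; a macOS variant was described in early 2017") or move the macOS wording next to the OS X sample mention at the end of the description.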
{
@ -3255,6 +3257,75 @@
"https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/"
]
}
},
{
"value": "FruitFly",
"description": "A fully-featured backdoor, designed to perversely spy on Mac users",
"meta": {
"refs": [
"https://objective-see.com/blog/blog_0x25.html#FruitFly"
]
}
},
{
"value": "MacDownloader",
"description": "Iranian macOS exfiltration agent, targeting the 'defense industrial base' and human rights advocates.",
"meta": {
"refs": [
"https://objective-see.com/blog/blog_0x25.html#MacDownloader"
],
"synonyms": [
"iKitten"
]
}
},
{
"value": "Empyre",
"description": "The open-source macOS backdoor, 'Empye', maliciously packaged into a macro'd Word document",
"meta": {
"refs": [
"https://objective-see.com/blog/blog_0x25.html#Empyre"
],
"synonyms": [
"Empye"
]
}
},
{
"value": "Proton",
"description": "A fully-featured macOS backdoor, designed to collect and exfiltrate sensitive user data such as 1Password files, browser login data, and keychains.",
"meta": {
"refs": [
"https://objective-see.com/blog/blog_0x25.html#Proton"
]
}
},
{
"value": "Mughthesec",
"description": "Adware which hijacks a macOS user's homepage to redirect search queries.",
"meta": {
"refs": [
"https://objective-see.com/blog/blog_0x25.html"
]
}
},
{
"value": "Pwnet",
"description": "A macOS crypto-currency miner, distributed via a trojaned 'CS-GO' hack.",
"meta": {
"refs": [
"https://objective-see.com/blog/blog_0x25.html"
]
}
},
{
"value": "CpuMeaner",
"description": "A macOS crypto-currency mining trojan.",
"meta": {
"refs": [
"https://objective-see.com/blog/blog_0x25.html"
]
}
}
]
}
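Review bot: In the Empyre entry the synonym "Empye", also used in the description, looks like a misspelling of the open-source EmPyre framework, and the description reads as if 'Empye' were the malware rather than the tool the malicious document is built on; check the spelling against the linked "#Empyre" section and fix both places. The FruitFly and Empyre descriptions lack a closing period, and the Mughthesec, Pwnet and CpuMeaner refs use the bare post URL while the other entries in this hunk use per-section anchors; make the refs consistent.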