Update mitre_malware.json

pull/351/head
jimbolya0607 2019-02-25 11:24:19 -05:00 committed by GitHub
parent c7e714d7e0
commit 17cef1f580
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 111 additions and 0 deletions


@ -1545,6 +1545,117 @@
},
"value": "ELMER"
},
{
"description": "The first Brushaloader campaign that caught our attention was back in August 2018. It was initially notable because it was only using Polish language emails targeting Polish victims. Although it is common to see threats target users in multiple languages, attackers typically don't target a single European country. Below is a sample of one of the emails from that initial campaign and shows the characteristics that we would come to expect from Brushaloader: a RAR attachment containing a Visual Basic script that results in a Brushaloader infection ending in the eventual download and execution of Danabot.[[Citation: Cisco Talos - Combing Through Brushaloader Amid Massive Detection Uptick]]]",
"meta": {
"uuid": "2ad2441e-3913-11e9-b210-d663bd873d93",
"refs": [
"https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html"
]
},
"value": "Bushloader"
},
{
"description": "Icloader is a generic malware that largely behaves like adware. The samples are packed and have evasive checks to hinder the analysis and conceal the real activities. This family can inject code in the address space of other processes and upload files to a remote server.[[Citation: Threat Roundup for Feb. 15 to Feb. 22]]]",
"meta": {
"uuid": "3b880ee6-3914-11e9-b210-d663bd873d93",
"refs": [
"https://blog.talosintelligence.com/2019/02/threat-roundup-for-feb-15-to-feb-22.html"
]
},
"value": "Icloader"
},
{
"description": "egurança Informática (SI) Lab identified infection attempts aimed to install Muncy malware directed to the DHL shipment notifications. The malicious email messages contained a particular trojan spreading via phishing campaigns tailored to lure victims. [[Citation: SI-LAB The Muncy malware is on the rise]]]",
"meta": {
"uuid": "07ff6618-3915-11e9-b210-d663bd873d93",
"refs": [
"https://seguranca-informatica.pt/si-lab-the-muncy-malware-is-on-the-rise/#.XHQOLIhKiUm"
]
},
"value": "Muncy"
},
{
"description": "Expiro is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks. [[Citation: Cisco Talos - Threat Roundup for Feb. 8 to Feb. 15]]]",
"meta": {
"uuid": "ca16a9f0-3915-11e9-b210-d663bd873d93",
"refs": [
"https://blog.talosintelligence.com/2019/02/threat-roundup-0208-0215.html"
]
},
"value": "Expiro"
},
{
"description": "This family is written in .NET and is highly malicious. Once executed, these samples drop files in Windows directories, modify other applications and spawn several children. These binaries also change the internet settings and the certificates of the victim's machine as observed in the Windows registry activity. [[Citation: Cisco Talos - Threat Roundup for Feb. 8 to Feb. 15]]]",
"meta": {
"uuid": "24e33380-3916-11e9-b210-d663bd873d93",
"refs": [
"https://blog.talosintelligence.com/2019/02/threat-roundup-0208-0215.html"
]
},
"value": "Ribaj"
},
{
"description": "These variants of Valyria are malicious Microsoft Word documents that contain embedded VBA macros used to distribute other malware. [[Citation: Cisco Talos - Threat Roundup for Feb. 8 to Feb. 15]]]",
"meta": {
"uuid": "4ec6c84c-3916-11e9-924b-d663bd873d93",
"refs": [
"https://blog.talosintelligence.com/2019/02/threat-roundup-0208-0215.html"
]
},
"value": "Valyria"
},
{
"description": "These binaries are able to detect virtual machines and instrumented environments. They can also complicate the analysis with anti-disassembly and anti-debugging techniques. This family can install additional software and upload information to a remote server. [[Citation: Cisco Talos - Threat Roundup for Feb. 8 to Feb. 15]]]",
"meta": {
"uuid": "6fd88d86-3916-11e9-b210-d663bd873d93",
"refs": [
"https://blog.talosintelligence.com/2019/02/threat-roundup-0208-0215.html"
]
},
"value": "Cgok"
},
{
"description": "This family is highly malicious and executes other binaries. These samples contact remote servers, upload information collected on the victim's machine and have persistence. [[Citation: Cisco Talos - Threat Roundup for Feb. 8 to Feb. 15]]]",
"meta": {
"uuid": "8b6c3674-3916-11e9-b210-d663bd873d93",
"refs": [
"https://blog.talosintelligence.com/2019/02/threat-roundup-0208-0215.html"
]
},
"value": "Noon"
},
{
"description": "To this point, all discovered samples of this malware have targeted only macOS. The malware employs multiple levels of obfuscation and is capable of privilege escalation. Many of the initial DMGs are signed with a legitimate Apple developer ID and use legitimate system applications via bash to conduct all installation activity. Although most samples were DMG files, we also discovered .pkg, .iso, and .zip payloads. [[Citation: Carbon Black TAU Threat Intelligence]]]",
"meta": {
"uuid": "955fee68-3917-11e9-b210-d663bd873d93",
"refs": [
"https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/"
]
},
"value": "Shlayer"
},
{
"description": "Win.Malware.Genkryptik is oftentimes a generic detection name for a Windows trojan. Some of the malicious activities that could be performed by these samples, without the user's knowledge, include collecting system information, downloading/uploading files and dropping additional samples. [[Citation: Cisco Talos - Threat Roundup for Jan. 18 to Jan. 25]]]",
"meta": {
"uuid": "a06b047c-3918-11e9-b210-d663bd873d93",
"refs": [
"https://blog.talosintelligence.com/2019/01/threat-roundup-0118-0125.html"
]
},
"value": "Kryptik"
},
{
"description": "CAYOSIN DDoS Botnet - A Qbot base upgraded with Mirai codes. [[Citation: an ELF bot reverse engineering overview in MIPS 32-bit (on r2) - #MalwareMustDie!]]]",
"meta": {
"uuid": "a1dd1c4a-3919-11e9-b210-d663bd873d93",
"refs": [
"https://imgur.com/a/4YxuSfV",
"https://securityaffairs.co/wordpress/80858/cyber-crime/cayosin-botnet-mmd.html"
]
},
"value": "CAYOSIN"
},
{
"description": "ATM Malware. Automation of all kinds is there to help people with their routine work, make it faster and simpler. Although ATM fraud is a very peculiar sort of work, some cybercriminals spend a lot of effort to automate it. In March 2018, we came across a fairly simple but effective piece of malware named WinPot. It was created to make ATMs by a popular ATM vendor to automatically dispense all cash from their most valuable cassettes. We called it ATMPot.[[Citation: Kaspersky Lab]]",
"meta": {
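Review bot: the first added entry's `"value": "Bushloader"` does not match its own description and citation, which both name the family "Brushaloader" (the Talos post in `refs` is titled "combing-through-brushaloader"); the value should be corrected to "Brushaloader" so lookups by name resolve. Further down, the Muncy entry's description starts mid-word, `"description": "egurança Informática (SI) Lab identified ...`, so the leading "S" of "Segurança" was lost in the paste and should be restored. The inline citation markers are also inconsistent: most entries close with three brackets (`[[Citation: ...]]]`) while the ATMPot entry closes with two (`[[Citation: Kaspersky Lab]]`), and several (Brushaloader, Icloader, ATMPot) have no space before `[[Citation`; pick one form and apply it to all eleven entries. For CAYOSIN, `"https://imgur.com/a/4YxuSfV"` is an image album rather than a citable write-up; the securityaffairs.co link already in `refs` covers the same MalwareMustDie analysis, so consider dropping the imgur link or replacing it with the original post. Finally, the Ribaj, Cgok and Noon descriptions ("This family is highly malicious ...", "These binaries are able to detect virtual machines ...") never mention the family name, so they read as generic Talos roundup text; prefixing each with the name from `value` would make the entries self-describing when the description is shown without its key.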