From b75e9cf59da92028e60e7026eb506dd00ce40a42 Mon Sep 17 00:00:00 2001
From: Thanat0s <thanspam@trollprod.org>
Date: Thu, 23 Feb 2017 10:14:18 +0100
Subject: [PATCH 01/22] Gutemberg on first 10

---
 clusters/tool.json | 251 +++++++++++++++++++++++++++++++--------------
 1 file changed, 173 insertions(+), 78 deletions(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index 99732f7c..80f092b2 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1,83 +1,178 @@
 {
   "values": [
-    {
-      "value": "PlugX",
-      "description": "Malware"
-    },
-    {
-      "value": "MSUpdater"
-    },
-    {
-      "value": "Lazagne",
-      "description": "A password recovery tool regularly used by attackers"
-    },
-    {
-      "value": "Poison Ivy",
-      "description": "Poison Ivy is a RAT which was freely available and first released in 2005.",
-      "meta": {
-        "refs": [
-          "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf"
-        ]
-      }
-    },
-    {
-      "value": "SPIVY",
-      "description": "In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.",
-      "meta": {
-        "refs": [
-          "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/"
-        ]
-      }
-    },
-    {
-      "value": "Torn RAT"
-    },
-    {
-      "value": "OzoneRAT",
-      "meta": {
-        "refs": [
-          "https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat"
-        ],
-        "synonyms": [
-          "Ozone RAT",
-          "ozonercp"
-        ]
-      }
-    },
-    {
-      "value": "ZeGhost"
-    },
-    {
-      "value": "Elise Backdoor",
-      "meta": {
-        "synonyms": [
-          "Elise"
-        ]
-      }
-    },
-    {
-      "value": "Trojan.Laziok",
-      "meta": {
-        "synonyms": [
-          "Laziok"
-        ],
-        "refs": [
-          "http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector"
-        ]
-      },
-      "description": "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer."
-    },
-    {
-      "value": "Slempo",
-      "description": "Android-based malware",
-      "meta": {
-        "synonyms": [
-          "GM-Bot",
-          "Acecard"
-        ]
-      }
-    },
-    {
+            {
+            "value" : "PlugX",
+            "description" : "Malware",
+            "meta" : {
+                "refs" : [ 
+                    "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/112/pulling-the-plug-on-plugx"
+                ],
+                "synonyms" : [ 
+                    "W32/Backdoor.FSZO-5117", 
+                    "Gen:Trojan.Heur.JP.juW@ayZZvMb", 
+                    "Trojan.Inject1.6386", 
+                    "Win32/Korplug.A", 
+                    "Trojan.Win32.Korplug", 
+                    "Backdoor/Win32.Plugx", 
+                    "Backdoor.Win32.Agent.dhwf", 
+                    "W32/Korplug.CH!tr"
+                ],
+                "category" : [ 
+                    "rat"
+                ]
+            }
+        }, 
+        {
+            "value" : "MSUpdater",
+            "description" : " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009",
+            "meta" : {
+                "refs" : [ 
+                    "https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx"
+                ],
+                "category" : [ 
+                    "rat"
+                ]
+            }
+        }, 
+        {
+            "value" : "Lazagne",
+            "description" : "A password sthealing tool regularly used by attackers",
+            "meta" : {
+                "refs" : [ 
+                    "https://github.com/AlessandroZ/LaZagne"
+                ],
+                "category" : [ 
+                    "tool"
+                ]
+            }
+        }, 
+        {
+            "value" : "Poison Ivy",
+            "description" : "Poison Ivy is a RAT which was freely available and first released in 2005.",
+            "meta" : {
+                "refs" : [ 
+                    "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf", 
+                    "https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml"
+                ],
+                "synonyms" : [ 
+                    "Backdoor.Win32.PoisonIvy", 
+                    "Gen:Trojan.Heur.PT"
+                ],
+                "category" : [ 
+                    "rat"
+                ]
+            }
+        }, 
+        {
+            "value" : "SPIVY",
+            "description" : "In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.",
+            "meta" : {
+                "refs" : [ 
+                    "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/"
+                ],
+                "category" : [ 
+                    "rat"
+                ]
+            }
+        }, 
+        {
+            "value" : "Torn RAT",
+            "meta" : {
+                "refs" : [ 
+                    "https://www.crowdstrike.com/blog/whois-anchor-panda/"
+                ],
+                "synonyms" : [ 
+                    "Anchor Panda"
+                ],
+                "category" : [ 
+                    "rat"
+                ]
+            }
+        }, 
+        {
+            "value" : "OzoneRAT",
+            "meta" : {
+                "refs" : [ 
+                    "https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat"
+                ],
+                "synonyms" : [ 
+                    "Ozone RAT", 
+                    "ozonercp"
+                ],
+                "category" : [ 
+                    "rat"
+                ]
+            }
+        }, 
+        {
+            "value" : "ZeGhost",
+            "description" : "ZeGhots is a RAT which was freely available and first released in 2014.",
+            "meta" : {
+                "refs" : [ 
+                    "https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3aWin32%2fZegost.BW"
+                ],
+                "synonyms" : [ 
+                    "BackDoor-FBZT!52D84425CDF2", 
+                    "Trojan.Win32.Staser.ytq", 
+                    "Win32/Zegost.BW"
+                ],
+                "category" : [ 
+                    "rat"
+                ]
+            }
+        }, 
+        {
+            "value" : "Elise Backdoor",
+            "description" : " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009",
+            "meta" : {
+                "refs" : [ 
+                    "http://thehackernews.com/2015/08/elise-malware-hacking.html"
+                ],
+                "synonyms" : [ 
+                    "Elise"
+                ],
+                "category" : [ 
+                    "dropper", 
+                    "stealer"
+                ]
+            }
+        }, 
+        {
+            "value" : "Trojan.Laziok",
+            "description" : "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer.",
+            "meta" : {
+                "refs" : [ 
+                    "http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector"
+                ],
+                "synonyms" : [ 
+                    "Laziok"
+                ],
+                "category" : [ 
+                    "stealer", 
+                    "reco"
+                ]
+            }
+        }, 
+        {
+            "value" : "Slempo",
+            "description" : "Android-based malware",
+            "meta" : {
+                "refs" : [ 
+                    "https://securityintelligence.com/android-malware-about-to-get-worse-gm-bot-source-code-leaked/"
+                ],
+                "synonyms" : [ 
+                    "GM-Bot", 
+                    "SlemBunk", 
+                    "Bankosy", 
+                    "Acecard"
+                ],
+                "category" : [ 
+                    "spyware", 
+                    "android"
+                ]
+            }
+        }, 
+        {
       "value": "PWOBot",
       "description": "We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.",
       "meta": {
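Review bot: The description added for the `Elise Backdoor` entry is a byte-for-byte copy of the one added for `MSUpdater` (` Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009`, leading space included), which looks like a paste slip rather than a statement about Elise; it should be rewritten from the thehackernews ref it cites, and the leading space dropped in both. Three other new values are typos in searchable fields: `"A password sthealing tool regularly used by attackers"` → `stealing`, `"ZeGhots is a RAT which ..."` → `ZeGhost`, and the MSUpdater ref ending in `.pdfx` looks like a truncated `.pdf`. The rewritten entries are indented with 8/12/16 spaces and use `"key" : value` spacing, while the untouched entries from `PWOBot` onward keep the file's 4/6-space, `"key": value` layout, and several lines (`"refs" : [ `, `}, `) carry trailing whitespace, so a later formatter pass will produce a noisy diff. `category` is a new `meta` key; if `schema_clusters.json` constrains `meta`, it needs declaring there in the same commit.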

From c6ac4d847c382fca4fa1c39516e6aabd4bcc0d16 Mon Sep 17 00:00:00 2001
From: Thanat0s <thanspam@trollprod.org>
Date: Fri, 24 Feb 2017 13:25:38 +0100
Subject: [PATCH 02/22] Remove EK and Ransomwares

---
 clusters/tool.json | 32 --------------------------------
 1 file changed, 32 deletions(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index 80f092b2..2539cee1 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1068,29 +1068,12 @@
         ]
       }
     },
-    {
-      "value": "Angler EK",
-      "description": "Angler Exploit Kit is a hacking tool that is produced to search for Java and Flash Player vulnerabilities on the attacked PC and use them with the aim to distribute malware infections. Angler Exploit Kit commonly checks to see if the PC it is proliferating to has Java or Flash.",
-      "meta": {
-        "refs": [
-          "http://researchcenter.paloaltonetworks.com/2016/06/unit42-understanding-angler-exploit-kit-part-1-exploit-kit-fundamentals/",
-          "https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/"
-        ]
-      }
-    },
     {
       "value": "Bedep"
     },
     {
       "value": "Cromptui"
     },
-    {
-      "value": "Cryptowall",
-      "description": "CryptoWall is a new and highly destructive variant of ransomware. Ransomware is malicious software (malware) that infects your computer and holds hostage something of value to you in exchange for money. Older ransomware used to block access to computers. Newer ransomware, such as CryptoWall, takes your data hostage."
-    },
-    {
-      "value": "CTB-Locker"
-    },
     {
       "value": "Dridex",
       "description": "Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.",
@@ -1133,14 +1116,6 @@
         ]
       }
     },
-    {
-      "value": "Nuclear Pack",
-      "meta": {
-        "synonyms": [
-          "Nuclear EK"
-        ]
-      }
-    },
     {
       "value": "Palevo"
     },
@@ -1157,13 +1132,6 @@
         ]
       }
     },
-    {
-      "value": "Rig EK"
-    },
-    {
-      "value": "Teslacrypt"
-    },
-    {
       "value": "Upatre",
       "description": "Upatre is a Trojan downloader that is used to set up other threats on the victim's PC. Upatre has been used recently in several high profile Trojan attacks involving the Gameover Trojan. "
     },
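Review bot: The third hunk deletes the `{` that opens the `Upatre` entry together with the `Rig EK` and `Teslacrypt` objects, so on the new side `"value": "Upatre",` follows `},` directly and the file is no longer valid JSON. The removal should stop one line earlier, keeping `    {` before `"value": "Upatre"`. A later commit in this series ("json issue") re-adds the brace; squashing that fix into this commit, and running `python -m json.tool clusters/tool.json` before committing, would keep every revision in the series loadable.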

From 796382d4ab2eb5e3795193a4c5da4b5841d65f87 Mon Sep 17 00:00:00 2001
From: Thanat0s <thanspam@trollprod.org>
Date: Fri, 24 Feb 2017 13:39:53 +0100
Subject: [PATCH 03/22] Remove Lstudio (group using elise) , add info to PWOBOT

---
 clusters/tool.json | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index 2539cee1..fa69da77 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -177,13 +177,23 @@
       "description": "We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.",
       "meta": {
         "refs": [
-          "http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/"
+            "http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/"
+        ],
+        "synonyms" : [
+            "PWOLauncher",
+            "PWOHTTPD",
+            "PWOKeyLogger",
+            "PWOMiner",
+            "PWOPyExec",
+            "PWOQuery"
+        ],
+        "category" : [
+            "dropper",
+            "coinminer",
+            "spyware"
         ]
       }
     },
-    {
-      "value": "Lstudio"
-    },
     {
       "value": "Joy RAT"
     },
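Review bot: The six strings added under `synonyms` for `PWOBot` (`PWOLauncher`, `PWOHTTPD`, `PWOKeyLogger`, `PWOMiner`, `PWOPyExec`, `PWOQuery`) read as names of the malware's individual modules rather than alternative names for the family, which is what `synonyms` holds in the other entries (`Laziok`, `Elise`, `Ozone RAT`); if they are modules, they belong in the description or a dedicated key, since matching on `synonyms` would otherwise treat a single component as an alias of the whole bot. The new keys are written `"synonyms" : [` / `"category" : [` with a space before the colon while the sibling `"refs": [` has none, and the existing ref line is re-indented from 10 to 12 spaces, which adds churn to the hunk. Leaving the `refs` line untouched and matching its `"key": value` spacing would make this a pure insert.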

From 0513668fcfa881fec3718ac84ed40b5bc99e384b Mon Sep 17 00:00:00 2001
From: Thanat0s <thanspam@trollprod.org>
Date: Fri, 24 Feb 2017 13:46:12 +0100
Subject: [PATCH 04/22] =?UTF-8?q?Remove=20JOYRat=20->=20team=20->=20https:?=
 =?UTF-8?q?//www.crowdstrike.com/blog/whois-numbered-panda/=C2=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 clusters/tool.json | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index fa69da77..cb1687ab 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -194,9 +194,6 @@
         ]
       }
     },
-    {
-      "value": "Joy RAT"
-    },
     {
       "value": "Lost Door RAT",
       "description": "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers.",

From bb088f97d1f5d5c2a60df21584127af71381c706 Mon Sep 17 00:00:00 2001
From: Thanat0s <thanspam@trollprod.org>
Date: Fri, 24 Feb 2017 13:56:33 +0100
Subject: [PATCH 05/22] =?UTF-8?q?Update=C2=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 clusters/tool.json | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index cb1687ab..7ff7bb7b 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -199,10 +199,14 @@
       "description": "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers.",
       "meta": {
         "synonyms": [
-          "LostDoor RAT"
+          "LostDoor RAT",
+          "BKDR_LODORAT"
         ],
         "refs": [
           "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/"
+        ],
+        "category": [
+            "rat"
         ]
       }
     },
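Review bot: The `category` array added to `Lost Door RAT` indents its element `"rat"` by 12 spaces, two more than the sibling `synonyms` and `refs` elements in the same object (`"LostDoor RAT"`, the trendmicro URL), and the njRAT hunk in this commit does the same; aligning to `          "rat"` keeps the file's layout uniform. `"category"` is also written with no space before the colon here, whereas the entries rewritten in the first commit of this series use `"category" : [`; one form should be picked for the file.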
@@ -210,10 +214,14 @@
       "value": "njRAT",
       "meta": {
         "synonyms": [
-          "Bladabindi"
+          "Bladabindi",
+          "Jorik"
         ],
         "refs": [
           "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf"
+        ],
+        "category": [
+            "rat"
         ]
       }
     },
@@ -221,10 +229,14 @@
       "value": "NanoCoreRAT",
       "meta": {
         "synonyms": [
-          "NanoCore"
+          "NanoCore",
+          "Nancrat",
+          "Zurten",
+          "Atros2.CKPN" 
         ],
         "refs": [
-          "http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter"
+          "http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter",
+          "https://nanocore.io/"
         ]
       }
     },
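Review bot: The `NanoCoreRAT` hunk adds synonyms and a ref but, unlike the `Lost Door RAT` and `njRAT` hunks in the same commit, does not add the `category` array, so one of the three RAT entries this commit touches stays untagged; add a `"category": [ "rat" ]` array after `refs`, laid out like the other two. `"Atros2.CKPN" ` carries trailing whitespace. The new ref `https://nanocore.io/` is the tool's own distribution site rather than an analysis write-up like every other ref in the hunk; consumers that automatically fetch refs may not want to contact it, so a vendor analysis would be the safer citation if one exists.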

From f496c34fda623a2949e3f16edc2244b9d14e942c Mon Sep 17 00:00:00 2001
From: Thanat0s <thanspam@trollprod.org>
Date: Fri, 24 Feb 2017 13:57:33 +0100
Subject: [PATCH 06/22] =?UTF-8?q?generic=20plugx=20names=C2=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 clusters/tool.json | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index 7ff7bb7b..7bb01ecf 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -8,14 +8,11 @@
                     "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/112/pulling-the-plug-on-plugx"
                 ],
                 "synonyms" : [ 
-                    "W32/Backdoor.FSZO-5117", 
-                    "Gen:Trojan.Heur.JP.juW@ayZZvMb", 
+                    "Backdoor.FSZO-5117", 
+                    "Trojan.Heur.JP.juW@ayZZvMb", 
                     "Trojan.Inject1.6386", 
-                    "Win32/Korplug.A", 
-                    "Trojan.Win32.Korplug", 
-                    "Backdoor/Win32.Plugx", 
-                    "Backdoor.Win32.Agent.dhwf", 
-                    "W32/Korplug.CH!tr"
+                    "Korplug", 
+                    "Agent.dhwf" 
                 ],
                 "category" : [ 
                     "rat"
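Review bot: Stripping the vendor prefixes from the PlugX synonyms leaves strings that are still per-vendor detection labels rather than family names — `Backdoor.FSZO-5117`, `Trojan.Heur.JP.juW@ayZZvMb`, `Trojan.Inject1.6386` and `Agent.dhwf` are signature/heuristic identifiers (the removed `Gen:`/`W32/`/`Win32/` prefixes made that visible), and without the prefix they are both ambiguous and unlikely to be what anyone searches for. Only `Korplug` is a genuine alternate name for the family; the detection names are better kept in their original vendor-qualified form or dropped, since `synonyms` is matched as exact strings. `"Agent.dhwf" ` also carries trailing whitespace.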

From c1848b1a3a82a440429318de40b93e865405adb3 Mon Sep 17 00:00:00 2001
From: Thanat0s <thanspam@trollprod.org>
Date: Fri, 24 Feb 2017 13:59:14 +0100
Subject: [PATCH 07/22] =?UTF-8?q?json=20issue=C2=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 clusters/tool.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/clusters/tool.json b/clusters/tool.json
index 7bb01ecf..eb7a68ac 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1148,6 +1148,7 @@
         ]
       }
     },
+    {
       "value": "Upatre",
       "description": "Upatre is a Trojan downloader that is used to set up other threats on the victim's PC. Upatre has been used recently in several high profile Trojan attacks involving the Gameover Trojan. "
     },

From 8c2c47810ef696b102068c12d01cb6277b125fa2 Mon Sep 17 00:00:00 2001
From: Thanat0s <thanspam@trollprod.org>
Date: Fri, 24 Feb 2017 14:00:42 +0100
Subject: [PATCH 08/22] =?UTF-8?q?Locky=20removed=20>=20ransomware=C2=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 clusters/tool.json | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index eb7a68ac..c2f5985e 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1119,10 +1119,6 @@
         ]
       }
     },
-    {
-      "value": "Locky",
-      "description": "Ransomware"
-    },
     {
       "value": "Necurs",
       "description": "The Necurs botnet is a distributor of many pieces of malware, most notably Locky.",
@@ -1394,6 +1390,7 @@
         "refs": [
           "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"
         ]
+        ck
       }
     },
     {
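Review bot: The added line `ck` in the second hunk (inside the `meta` object of the entry that cites the cylance shell-crew post) is stray text, not JSON, so this commit leaves `clusters/tool.json` unparseable; it looks like an accidental keystroke and should simply not be there. The following commit ("json typo") removes it again; squashing the two and validating the file before each commit would avoid publishing a broken revision in the series.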

From 8240e5f6615cf3276f70d57ebe0597062b080411 Mon Sep 17 00:00:00 2001
From: Thanat0s <thanspam@trollprod.org>
Date: Fri, 24 Feb 2017 14:05:57 +0100
Subject: [PATCH 09/22] =?UTF-8?q?json=20typo=C2=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 clusters/tool.json | 1 -
 1 file changed, 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index c2f5985e..5e9d711e 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1390,7 +1390,6 @@
         "refs": [
           "https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"
         ]
-        ck
       }
     },
     {

From b124d8a08d6aa9c7833344bb2e4e3b3ce34fbc6e Mon Sep 17 00:00:00 2001
From: Thanat0s <thanspam@trollprod.org>
Date: Fri, 24 Feb 2017 15:52:08 +0100
Subject: [PATCH 10/22] Follow the format

---
 clusters/tool.json | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index 5e9d711e..d4e84138 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -14,7 +14,7 @@
                     "Korplug", 
                     "Agent.dhwf" 
                 ],
-                "category" : [ 
+                "type" : [ 
                     "rat"
                 ]
             }
@@ -26,7 +26,7 @@
                 "refs" : [ 
                     "https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx"
                 ],
-                "category" : [ 
+                "type" : [ 
                     "rat"
                 ]
             }
@@ -38,7 +38,7 @@
                 "refs" : [ 
                     "https://github.com/AlessandroZ/LaZagne"
                 ],
-                "category" : [ 
+                "type" : [ 
                     "tool"
                 ]
             }
@@ -55,7 +55,7 @@
                     "Backdoor.Win32.PoisonIvy", 
                     "Gen:Trojan.Heur.PT"
                 ],
-                "category" : [ 
+                "type" : [ 
                     "rat"
                 ]
             }
@@ -67,7 +67,7 @@
                 "refs" : [ 
                     "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/"
                 ],
-                "category" : [ 
+                "type" : [ 
                     "rat"
                 ]
             }
@@ -81,7 +81,7 @@
                 "synonyms" : [ 
                     "Anchor Panda"
                 ],
-                "category" : [ 
+                "type" : [ 
                     "rat"
                 ]
             }
@@ -96,7 +96,7 @@
                     "Ozone RAT", 
                     "ozonercp"
                 ],
-                "category" : [ 
+                "type" : [ 
                     "rat"
                 ]
             }
@@ -113,7 +113,7 @@
                     "Trojan.Win32.Staser.ytq", 
                     "Win32/Zegost.BW"
                 ],
-                "category" : [ 
+                "type" : [ 
                     "rat"
                 ]
             }
@@ -128,7 +128,7 @@
                 "synonyms" : [ 
                     "Elise"
                 ],
-                "category" : [ 
+                "type" : [ 
                     "dropper", 
                     "stealer"
                 ]
@@ -144,7 +144,7 @@
                 "synonyms" : [ 
                     "Laziok"
                 ],
-                "category" : [ 
+                "type" : [ 
                     "stealer", 
                     "reco"
                 ]
@@ -163,7 +163,7 @@
                     "Bankosy", 
                     "Acecard"
                 ],
-                "category" : [ 
+                "type" : [ 
                     "spyware", 
                     "android"
                 ]
@@ -184,7 +184,7 @@
             "PWOPyExec",
             "PWOQuery"
         ],
-        "category" : [
+        "type" : [
             "dropper",
             "coinminer",
             "spyware"
@@ -202,7 +202,7 @@
         "refs": [
           "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/"
         ],
-        "category": [
+        "type": [
             "rat"
         ]
       }
@@ -217,7 +217,7 @@
         "refs": [
           "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf"
         ],
-        "category": [
+        "type": [
             "rat"
         ]
       }

From 7265af66128a5041fa81257477045a41069d4a4b Mon Sep 17 00:00:00 2001
From: Thanat0s <thanspam@trollprod.org>
Date: Fri, 24 Feb 2017 16:24:59 +0100
Subject: [PATCH 11/22] go 4 string

---
 clusters/tool.json | 57 +++++++++++-----------------------------------
 1 file changed, 13 insertions(+), 44 deletions(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index d4e84138..c59b455e 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -14,9 +14,7 @@
                     "Korplug", 
                     "Agent.dhwf" 
                 ],
-                "type" : [ 
-                    "rat"
-                ]
+                "type" : "rat" 
             }
         }, 
         {
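Review bot: Flattening `type` from an array to a string turns a structured field into comma-separated text, and the multi-value cases in this same commit already show the cost: `"dropper, stealer"`, `"stealer ,reco"`, `"spyware, android"` and `"dropper, coinminer, spyware"` use three different delimiter spellings, so a consumer cannot filter on a single tag without splitting and trimming. Keep `type` an array (`"type": [ "rat" ]`) even for single values so every entry has one shape. The key spacing also varies across the hunks (`"type" : "rat" `, `"type" :"rat"`, `"type":  "rat"`), with trailing whitespace on the first two; the same point applies to the Elise, Laziok, Slempo and PWOBot hunks.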
@@ -26,9 +24,7 @@
                 "refs" : [ 
                     "https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx"
                 ],
-                "type" : [ 
-                    "rat"
-                ]
+                "type" : "rat" 
             }
         }, 
         {
@@ -38,9 +34,7 @@
                 "refs" : [ 
                     "https://github.com/AlessandroZ/LaZagne"
                 ],
-                "type" : [ 
-                    "tool"
-                ]
+                "type" : "tool"
             }
         }, 
         {
@@ -55,9 +49,7 @@
                     "Backdoor.Win32.PoisonIvy", 
                     "Gen:Trojan.Heur.PT"
                 ],
-                "type" : [ 
-                    "rat"
-                ]
+                "type" : "rat"
             }
         }, 
         {
@@ -67,9 +59,7 @@
                 "refs" : [ 
                     "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/"
                 ],
-                "type" : [ 
-                    "rat"
-                ]
+                "type" :"rat"
             }
         }, 
         {
@@ -81,9 +71,7 @@
                 "synonyms" : [ 
                     "Anchor Panda"
                 ],
-                "type" : [ 
-                    "rat"
-                ]
+                "type":  "rat"
             }
         }, 
         {
@@ -113,9 +101,7 @@
                     "Trojan.Win32.Staser.ytq", 
                     "Win32/Zegost.BW"
                 ],
-                "type" : [ 
-                    "rat"
-                ]
+                "type" : "rat"
             }
         }, 
         {
@@ -128,10 +114,7 @@
                 "synonyms" : [ 
                     "Elise"
                 ],
-                "type" : [ 
-                    "dropper", 
-                    "stealer"
-                ]
+                "type" : "dropper, stealer"
             }
         }, 
         {
@@ -144,10 +127,7 @@
                 "synonyms" : [ 
                     "Laziok"
                 ],
-                "type" : [ 
-                    "stealer", 
-                    "reco"
-                ]
+                "type" : "stealer ,reco"
             }
         }, 
         {
@@ -163,10 +143,7 @@
                     "Bankosy", 
                     "Acecard"
                 ],
-                "type" : [ 
-                    "spyware", 
-                    "android"
-                ]
+                "type" : "spyware, android"
             }
         }, 
         {
@@ -184,11 +161,7 @@
             "PWOPyExec",
             "PWOQuery"
         ],
-        "type" : [
-            "dropper",
-            "coinminer",
-            "spyware"
-        ]
+        "type" : "dropper, coinminer, spyware"
       }
     },
     {
@@ -202,9 +175,7 @@
         "refs": [
           "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/"
         ],
-        "type": [
-            "rat"
-        ]
+        "type": "rat"
       }
     },
     {
@@ -217,9 +188,7 @@
         "refs": [
           "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf"
         ],
-        "type": [
-            "rat"
-        ]
+        "type": "rat"
       }
     },
     {

From a29a5afbe8fa10cf0ee523257b03305a531aa31d Mon Sep 17 00:00:00 2001
From: Thanat0s <Thanspam@trollprod.org>
Date: Fri, 24 Feb 2017 23:36:45 +0100
Subject: [PATCH 12/22] update 2 array

---
 clusters/tool.json   | 349 +++++++++++++++++++++++--------------------
 schema_clusters.json |   6 +-
 2 files changed, 195 insertions(+), 160 deletions(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index c59b455e..20e942b7 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1,167 +1,194 @@
 {
   "values": [
-            {
-            "value" : "PlugX",
-            "description" : "Malware",
-            "meta" : {
-                "refs" : [ 
-                    "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/112/pulling-the-plug-on-plugx"
-                ],
-                "synonyms" : [ 
-                    "Backdoor.FSZO-5117", 
-                    "Trojan.Heur.JP.juW@ayZZvMb", 
-                    "Trojan.Inject1.6386", 
-                    "Korplug", 
-                    "Agent.dhwf" 
-                ],
-                "type" : "rat" 
-            }
-        }, 
-        {
-            "value" : "MSUpdater",
-            "description" : " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009",
-            "meta" : {
-                "refs" : [ 
-                    "https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx"
-                ],
-                "type" : "rat" 
-            }
-        }, 
-        {
-            "value" : "Lazagne",
-            "description" : "A password sthealing tool regularly used by attackers",
-            "meta" : {
-                "refs" : [ 
-                    "https://github.com/AlessandroZ/LaZagne"
-                ],
-                "type" : "tool"
-            }
-        }, 
-        {
-            "value" : "Poison Ivy",
-            "description" : "Poison Ivy is a RAT which was freely available and first released in 2005.",
-            "meta" : {
-                "refs" : [ 
-                    "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf", 
-                    "https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml"
-                ],
-                "synonyms" : [ 
-                    "Backdoor.Win32.PoisonIvy", 
-                    "Gen:Trojan.Heur.PT"
-                ],
-                "type" : "rat"
-            }
-        }, 
-        {
-            "value" : "SPIVY",
-            "description" : "In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.",
-            "meta" : {
-                "refs" : [ 
-                    "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/"
-                ],
-                "type" :"rat"
-            }
-        }, 
-        {
-            "value" : "Torn RAT",
-            "meta" : {
-                "refs" : [ 
-                    "https://www.crowdstrike.com/blog/whois-anchor-panda/"
-                ],
-                "synonyms" : [ 
-                    "Anchor Panda"
-                ],
-                "type":  "rat"
-            }
-        }, 
-        {
-            "value" : "OzoneRAT",
-            "meta" : {
-                "refs" : [ 
-                    "https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat"
-                ],
-                "synonyms" : [ 
-                    "Ozone RAT", 
-                    "ozonercp"
-                ],
-                "type" : [ 
-                    "rat"
-                ]
-            }
-        }, 
-        {
-            "value" : "ZeGhost",
-            "description" : "ZeGhots is a RAT which was freely available and first released in 2014.",
-            "meta" : {
-                "refs" : [ 
-                    "https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3aWin32%2fZegost.BW"
-                ],
-                "synonyms" : [ 
-                    "BackDoor-FBZT!52D84425CDF2", 
-                    "Trojan.Win32.Staser.ytq", 
-                    "Win32/Zegost.BW"
-                ],
-                "type" : "rat"
-            }
-        }, 
-        {
-            "value" : "Elise Backdoor",
-            "description" : " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009",
-            "meta" : {
-                "refs" : [ 
-                    "http://thehackernews.com/2015/08/elise-malware-hacking.html"
-                ],
-                "synonyms" : [ 
-                    "Elise"
-                ],
-                "type" : "dropper, stealer"
-            }
-        }, 
-        {
-            "value" : "Trojan.Laziok",
-            "description" : "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer.",
-            "meta" : {
-                "refs" : [ 
-                    "http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector"
-                ],
-                "synonyms" : [ 
-                    "Laziok"
-                ],
-                "type" : "stealer ,reco"
-            }
-        }, 
-        {
-            "value" : "Slempo",
-            "description" : "Android-based malware",
-            "meta" : {
-                "refs" : [ 
-                    "https://securityintelligence.com/android-malware-about-to-get-worse-gm-bot-source-code-leaked/"
-                ],
-                "synonyms" : [ 
-                    "GM-Bot", 
-                    "SlemBunk", 
-                    "Bankosy", 
-                    "Acecard"
-                ],
-                "type" : "spyware, android"
-            }
-        }, 
-        {
+    {
+      "value": "PlugX",
+      "description": "Malware",
+      "meta": {
+        "refs": [
+          "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/112/pulling-the-plug-on-plugx"
+        ],
+        "synonyms": [
+          "Backdoor.FSZO-5117",
+          "Trojan.Heur.JP.juW@ayZZvMb",
+          "Trojan.Inject1.6386",
+          "Korplug",
+          "Agent.dhwf"
+        ],
+        "type": [
+          "rat"
+        ]
+      }
+    },
+    {
+      "value": "MSUpdater",
+      "description": " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009",
+      "meta": {
+        "refs": [
+          "https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx"
+        ],
+        "type": [
+          "rat"
+        ]
+      }
+    },
+    {
+      "value": "Lazagne",
+      "description": "A password sthealing tool regularly used by attackers",
+      "meta": {
+        "refs": [
+          "https://github.com/AlessandroZ/LaZagne"
+        ],
+        "type": [
+          "tool"
+        ]
+      }
+    },
+    {
+      "value": "Poison Ivy",
+      "description": "Poison Ivy is a RAT which was freely available and first released in 2005.",
+      "meta": {
+        "refs": [
+          "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf",
+          "https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml"
+        ],
+        "synonyms": [
+          "Backdoor.Win32.PoisonIvy",
+          "Gen:Trojan.Heur.PT"
+        ],
+        "type": [
+          "rat"
+        ]
+      }
+    },
+    {
+      "value": "SPIVY",
+      "description": "In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.",
+      "meta": {
+        "refs": [
+          "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/"
+        ],
+        "type": [
+          "rat"
+        ]
+      }
+    },
+    {
+      "value": "Torn RAT",
+      "meta": {
+        "refs": [
+          "https://www.crowdstrike.com/blog/whois-anchor-panda/"
+        ],
+        "synonyms": [
+          "Anchor Panda"
+        ],
+        "type": [
+          "rat"
+        ]
+      }
+    },
+    {
+      "value": "OzoneRAT",
+      "meta": {
+        "refs": [
+          "https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat"
+        ],
+        "synonyms": [
+          "Ozone RAT",
+          "ozonercp"
+        ],
+        "type": [
+          "rat"
+        ]
+      }
+    },
+    {
+      "value": "ZeGhost",
+      "description": "ZeGhots is a RAT which was freely available and first released in 2014.",
+      "meta": {
+        "refs": [
+          "https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3aWin32%2fZegost.BW"
+        ],
+        "synonyms": [
+          "BackDoor-FBZT!52D84425CDF2",
+          "Trojan.Win32.Staser.ytq",
+          "Win32/Zegost.BW"
+        ],
+        "type": [
+          "rat"
+        ]
+      }
+    },
+    {
+      "value": "Elise Backdoor",
+      "description": " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009",
+      "meta": {
+        "refs": [
+          "http://thehackernews.com/2015/08/elise-malware-hacking.html"
+        ],
+        "synonyms": [
+          "Elise"
+        ],
+        "type": [
+          "dropper",
+          "stealer"
+        ]
+      }
+    },
+    {
+      "value": "Trojan.Laziok",
+      "description": "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer.",
+      "meta": {
+        "refs": [
+          "http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector"
+        ],
+        "synonyms": [
+          "Laziok"
+        ],
+        "type": [
+          "stealer",
+          "reco"
+        ]
+      }
+    },
+    {
+      "value": "Slempo",
+      "description": "Android-based malware",
+      "meta": {
+        "refs": [
+          "https://securityintelligence.com/android-malware-about-to-get-worse-gm-bot-source-code-leaked/"
+        ],
+        "synonyms": [
+          "GM-Bot",
+          "SlemBunk",
+          "Bankosy",
+          "Acecard"
+        ],
+        "type": [
+          "spyware",
+          "android"
+        ]
+      }
+    },
+    {
       "value": "PWOBot",
       "description": "We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.",
       "meta": {
         "refs": [
-            "http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/"
+          "http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/"
         ],
-        "synonyms" : [
-            "PWOLauncher",
-            "PWOHTTPD",
-            "PWOKeyLogger",
-            "PWOMiner",
-            "PWOPyExec",
-            "PWOQuery"
+        "synonyms": [
+          "PWOLauncher",
+          "PWOHTTPD",
+          "PWOKeyLogger",
+          "PWOMiner",
+          "PWOPyExec",
+          "PWOQuery"
         ],
-        "type" : "dropper, coinminer, spyware"
+        "type": [
+          "dropper",
+          "miner",
+          "spyware"
+        ]
       }
     },
     {
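Review bot: The `"Elise Backdoor"` entry's description on the new side is a verbatim copy of MSUpdater's (`" Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009"`, leading space included), which reads as a copy/paste slip rather than a description of Elise; a one-line summary drawn from the cited thehackernews article would fix it, and the leading space should go from both entries. Two typos survive the rewrite: `"A password sthealing tool regularly used by attackers"` → `"A password stealing tool regularly used by attackers"` and `"ZeGhots is a RAT..."` → `"ZeGhost is a RAT..."`. PWOBot's tag changes from `coinminer` to `miner` inside this hunk, which is a vocabulary change rather than the string-to-array conversion the commit title describes and deserves its own mention or commit. The MSUpdater ref ends in `.pdfx`, which looks like a truncated `.pdf`; worth verifying the link resolves.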
@@ -175,7 +202,9 @@
         "refs": [
           "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/"
         ],
-        "type": "rat"
+        "type": [
+          "rat"
+        ]
       }
     },
     {
@@ -188,7 +217,9 @@
         "refs": [
           "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf"
         ],
-        "type": "rat"
+        "type": [
+          "rat"
+        ]
       }
     },
     {
@@ -198,7 +229,7 @@
           "NanoCore",
           "Nancrat",
           "Zurten",
-          "Atros2.CKPN" 
+          "Atros2.CKPN"
         ],
         "refs": [
           "http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter",
diff --git a/schema_clusters.json b/schema_clusters.json
index 780bfe14..cf64f74c 100644
--- a/schema_clusters.json
+++ b/schema_clusters.json
@@ -74,7 +74,11 @@
                 "type": "string"
               },
               "type": {
-                "type": "string"
+                "type": "array",
+                "uniqueItems": true,
+                "items": {
+                  "type": "string"
+                }
               },
               "impact": {
                 "type": "string"
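Review bot: The new array schema for `type` accepts an empty list and any string, so it will not catch `"type": []` nor the mixed casing that appears once the data is retagged later in this series (`rat`/`Backdoor`, `dropper`/`Dropper`, `stealer`/`PWS`). Adding `"minItems": 1` and, if the tag vocabulary is meant to be closed, an `"enum"` on `items` (or at minimum a `"pattern"` fixing the casing) would let the schema enforce the convention the cluster files are supposed to follow. The enclosing `properties` object starts and ends outside this hunk.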

From d502d5b5bfb31d12bd858c133e9d90ed6de018d4 Mon Sep 17 00:00:00 2001
From: Thanat0s <Thanspam@trollprod.org>
Date: Fri, 24 Feb 2017 23:46:44 +0100
Subject: [PATCH 13/22] fix side victims of schemaupdate

---
 clusters/preventive-measure.json | 68 ++++++++++++++++++++++++--------
 clusters/tds.json                | 28 +++++++++----
 2 files changed, 72 insertions(+), 24 deletions(-)

diff --git a/clusters/preventive-measure.json b/clusters/preventive-measure.json
index a9f9089d..fd9c8672 100644
--- a/clusters/preventive-measure.json
+++ b/clusters/preventive-measure.json
@@ -8,7 +8,9 @@
         "complexity": "Medium",
         "effectiveness": "High",
         "impact": "Low",
-        "type": "Recovery"
+        "type": [
+          "Recovery"
+        ]
       },
       "value": "Backup and Restore Process",
       "description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.\n(Schrödinger's backup - it is both existent and non-existent until you've tried a restore"
@@ -22,7 +24,9 @@
         "complexity": "Low",
         "effectiveness": "High",
         "impact": "Low",
-        "type": "GPO"
+        "type": [
+          "GPO"
+        ]
       },
       "value": "Block Macros",
       "description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:\nA.) Open downloaded documents in 'Protected View'\nB.) Open downloaded documents and block all macros"
@@ -35,7 +39,9 @@
         "complexity": "Low",
         "effectiveness": "Medium",
         "impact": "Medium",
-        "type": "GPO",
+        "type": [
+          "GPO"
+        ],
         "possible_issues": "Administrative VBS scripts on Workstations"
       },
       "value": "Disable WSH",
@@ -46,7 +52,9 @@
         "complexity": "Low",
         "effectiveness": "Medium",
         "impact": "Low",
-        "type": "Mail Gateway"
+        "type": [
+          "Mail Gateway"
+        ]
       },
       "value": "Filter Attachments Level 1",
       "description": "Filter the following attachments on your mail gateway:\n.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub"
@@ -56,7 +64,9 @@
         "complexity": "Low",
         "effectiveness": "High",
         "impact": "High",
-        "type": "Mail Gateway",
+        "type": [
+          "Mail Gateway"
+        ],
         "possible_issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) "
       },
       "value": "Filter Attachments Level 2",
@@ -71,7 +81,9 @@
         "complexity": "Medium",
         "effectiveness": "Medium",
         "impact": "Medium",
-        "type": "GPO",
+        "type": [
+          "GPO"
+        ],
         "possible_issues": "Web embedded software installers"
       },
       "value": "Restrict program execution",
@@ -85,7 +97,9 @@
         "complexity": "Low",
         "effectiveness": "Low",
         "impact": "Low",
-        "type": "User Assistence"
+        "type": [
+          "User Assistence"
+        ]
       },
       "value": "Show File Extensions",
       "description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")"
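Review bot: `"User Assistence"` on the new side carries a spelling error over from the removed string; since the value is now an element of a shared tag array, this conversion commit is the cheapest place to correct it to `"User Assistance"`. No other entry visible in this diff uses the misspelt form, but the rest of the file should be grepped before renaming in case another entry depends on it.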
@@ -98,7 +112,9 @@
         "complexity": "Low",
         "effectiveness": "Medium",
         "impact": "Low",
-        "type": "GPO",
+        "type": [
+          "GPO"
+        ],
         "possible_issues": "administrator resentment"
       },
       "value": "Enforce UAC Prompt",
@@ -109,7 +125,9 @@
         "complexity": "Medium",
         "effectiveness": "Medium",
         "impact": "Medium",
-        "type": "Best Practice",
+        "type": [
+          "Best Practice"
+        ],
         "possible_issues": "igher administrative costs"
       },
       "value": "Remove Admin Privileges",
@@ -120,7 +138,9 @@
         "complexity": "Medium",
         "effectiveness": "Low",
         "impact": "Low",
-        "type": "Best Practice"
+        "type": [
+          "Best Practice"
+        ]
       },
       "value": "Restrict Workstation Communication",
       "description": "Activate the Windows Firewall to restrict workstation to workstation communication"
@@ -129,7 +149,9 @@
       "meta": {
         "complexity": "Medium",
         "effectiveness": "High",
-        "type": "Advanced Malware Protection"
+        "type": [
+          "Advanced Malware Protection"
+        ]
       },
       "value": "Sandboxing Email Input",
       "description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis"
@@ -138,7 +160,9 @@
       "meta": {
         "complexity": "Medium",
         "effectiveness": "Medium",
-        "type": "3rd Party Tools"
+        "type": [
+          "3rd Party Tools"
+        ]
       },
       "value": "Execution Prevention",
       "description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus software\nFree: AntiHook, ProcessGuard, System Safety Monitor"
@@ -151,7 +175,9 @@
         "complexity": "Low",
         "effectiveness": "Medium",
         "impact": "Medium",
-        "type": "GPO",
+        "type": [
+          "GPO"
+        ],
         "possible_issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts."
       },
       "value": "Change Default \"Open With\" to Notepad",
@@ -165,7 +191,9 @@
         "complexity": "Low",
         "effectiveness": "Medium",
         "impact": "Low",
-        "type": "Monitoring"
+        "type": [
+          "Monitoring"
+        ]
       },
       "value": "File Screening",
       "description": "Server-side file screening with the help of File Server Resource Manager"
@@ -179,7 +207,9 @@
         "complexity": "Medium",
         "effectiveness": "Medium",
         "impact": "Medium",
-        "type": "GPO",
+        "type": [
+          "GPO"
+        ],
         "possible_issues": "Configure & test extensively"
       },
       "value": "Restrict program execution #2",
@@ -194,7 +224,9 @@
         "complexity": "Medium",
         "effectiveness": "Medium",
         "impact": "Low",
-        "type": "GPO"
+        "type": [
+          "GPO"
+        ]
       },
       "value": "EMET",
       "description": "Detect and block exploitation techniques"
@@ -207,7 +239,9 @@
         "complexity": "Medium",
         "effectiveness": "Low",
         "impact": "Low",
-        "type": "3rd Party Tools"
+        "type": [
+          "3rd Party Tools"
+        ]
       },
       "value": "Sysmon",
       "description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring"
diff --git a/clusters/tds.json b/clusters/tds.json
index 5cbf9963..6a06fbba 100755
--- a/clusters/tds.json
+++ b/clusters/tds.json
@@ -7,7 +7,9 @@
         "refs": [
           "https://keitarotds.com/"
         ],
-        "type": "Commercial"
+        "type": [
+          "Commercial"
+        ]
       }
     },
     {
@@ -17,7 +19,9 @@
         "refs": [
           "http://kytoon.com/sutra-tds.html"
         ],
-        "type": "Commercial"
+        "type": [
+          "Commercial"
+        ]
       }
     },
     {
@@ -30,7 +34,9 @@
         "synonyms": [
           "Stds"
         ],
-        "type": "OpenSource"
+        "type": [
+          "OpenSource"
+        ]
       }
     },
     {
@@ -40,7 +46,9 @@
         "refs": [
           "http://bosstds.com/"
         ],
-        "type": "Commercial"
+        "type": [
+          "Commercial"
+        ]
       }
     },
     {
@@ -50,21 +58,27 @@
         "refs": [
           "http://malware.dontneedcoffee.com/2014/04/meet-blackhat-tds.html"
         ],
-        "type": "Underground"
+        "type": [
+          "Underground"
+        ]
       }
     },
     {
       "value": "Futuristic TDS",
       "description": "Futuristic TDS is the TDS component of BlackOS/CookieBomb/NorthTale Iframer",
       "meta": {
-        "type": "Underground"
+        "type": [
+          "Underground"
+        ]
       }
     },
     {
       "value": "Orchid TDS",
       "description": "Orchid TDS was sold underground. Rare usage",
       "meta": {
-        "type": "Underground"
+        "type": [
+          "Underground"
+        ]
       }
     }
   ],

From 50d2b1c87126dd395a246d3cf4602956b8150b04 Mon Sep 17 00:00:00 2001
From: Thanat0s <Thanspam@trollprod.org>
Date: Sat, 25 Feb 2017 00:42:44 +0100
Subject: [PATCH 14/22] go for caro, add hi-zor

---
 clusters/tool.json | 56 +++++++++++++++++++++++++++++++---------------
 1 file changed, 38 insertions(+), 18 deletions(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index 20e942b7..5469aecb 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -15,7 +15,7 @@
           "Agent.dhwf"
         ],
         "type": [
-          "rat"
+          "Backdoor"
         ]
       }
     },
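Review bot: Replacing `"rat"` with `"Backdoor"` drops the more specific classification (a RAT is a backdoor, but not every backdoor is a RAT), and several of the retagged entries in this commit still call themselves RATs in their own `description` or `value` (Poison Ivy, SPIVY, Torn RAT, OzoneRAT, ZeGhost). Either keep both tags, `"Backdoor", "RAT"`, or document the chosen taxonomy in the commit or schema, so the `type` array does not contradict the prose next to it; the same applies to every other `"rat"` → `"Backdoor"` hunk in this commit.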
@@ -27,7 +27,7 @@
           "https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx"
         ],
         "type": [
-          "rat"
+          "Backdoor"
         ]
       }
     },
@@ -39,7 +39,7 @@
           "https://github.com/AlessandroZ/LaZagne"
         ],
         "type": [
-          "tool"
+          "HackTool"
         ]
       }
     },
@@ -56,7 +56,7 @@
           "Gen:Trojan.Heur.PT"
         ],
         "type": [
-          "rat"
+          "Backdoor"
         ]
       }
     },
@@ -68,7 +68,7 @@
           "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/"
         ],
         "type": [
-          "rat"
+          "Backdoor"
         ]
       }
     },
@@ -82,7 +82,7 @@
           "Anchor Panda"
         ],
         "type": [
-          "rat"
+          "Backdoor"
         ]
       }
     },
@@ -97,7 +97,7 @@
           "ozonercp"
         ],
         "type": [
-          "rat"
+          "Backdoor"
         ]
       }
     },
@@ -114,13 +114,13 @@
           "Win32/Zegost.BW"
         ],
         "type": [
-          "rat"
+          "Backdoor"
         ]
       }
     },
     {
       "value": "Elise Backdoor",
-      "description": " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009",
+      "description": "Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009",
       "meta": {
         "refs": [
           "http://thehackernews.com/2015/08/elise-malware-hacking.html"
@@ -130,7 +130,7 @@
         ],
         "type": [
           "dropper",
-          "stealer"
+          "PWS"
         ]
       }
     },
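Review bot: `"stealer"` becomes `"PWS"` here while the sibling `"dropper"` on the line above stays lowercase, and the PWOBot hunk at @@ -185 in this same commit spells the same tag `"Dropper"`, so one tag now exists in two forms in one file. Likewise `"reco"` in the Laziok hunk at @@ -145 is left lowercase beside the new `"PWS"`. Pick one casing for the tag vocabulary (every tag introduced by this commit is CapitalCase) and apply it to `dropper` and `reco` here, ideally pinning the vocabulary in schema_clusters.json so the next retagging cannot drift again.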
@@ -145,7 +145,7 @@
           "Laziok"
         ],
         "type": [
-          "stealer",
+          "PWS",
           "reco"
         ]
       }
@@ -164,8 +164,8 @@
           "Acecard"
         ],
         "type": [
-          "spyware",
-          "android"
+          "Spyware",
+          "AndroidOS"
         ]
       }
     },
@@ -185,9 +185,9 @@
           "PWOQuery"
         ],
         "type": [
-          "dropper",
-          "miner",
-          "spyware"
+          "Dropper",
+          "Miner",
+          "Spyware"
         ]
       }
     },
@@ -203,7 +203,7 @@
           "http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/"
         ],
         "type": [
-          "rat"
+          "Backdoor"
         ]
       }
     },
@@ -218,7 +218,7 @@
           "http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf"
         ],
         "type": [
-          "rat"
+          "Backdoor"
         ]
       }
     },
@@ -234,6 +234,9 @@
         "refs": [
           "http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter",
           "https://nanocore.io/"
+        ],
+        "type": [
+          "Backdoor"
         ]
       }
     },
@@ -242,6 +245,23 @@
       "meta": {
         "synonyms": [
           "Sakurel"
+        ],
+        "refs": [
+          "https://www.secureworks.com/research/sakula-malware-family"
+        ],
+        "type": [
+          "Backdoor"
+        ]
+      }
+    },
+    {
+      "value": "Hi-ZOR",
+      "meta": {
+        "refs": [
+          "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html"
+        ],
+        "type": [
+          "Backdoor"
         ]
       }
     },
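Review bot: The new `"Hi-ZOR"` entry has `refs` and a `type` but no `description`, unlike the other entries enriched in this series, so a consumer sees only a name and a tag. A one-line `"description"` summarising the cited threatgeek write-up (its title presents Hi-ZOR as a RAT, which also argues for keeping a `RAT` tag rather than only `Backdoor`) would make the entry self-describing.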

From bce60b0318bf06c93d8dc5b58674cdb94b8dd735 Mon Sep 17 00:00:00 2001
From: Thanat0s <Thanspam@trollprod.org>
Date: Sat, 25 Feb 2017 01:06:19 +0100
Subject: [PATCH 15/22] merge IEchecker et sasfi

---
 clusters/tool.json | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index 5469aecb..c6365680 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -271,9 +271,6 @@
     {
       "value": "EvilGrab"
     },
-    {
-      "value": "IEChecker"
-    },
     {
       "value": "Trojan.Naid"
     },
@@ -496,10 +493,15 @@
       "description": "credential harvester",
       "meta": {
         "synonyms": [
-          "Sasfis"
+          "Sasfis",
+          "BackDoor-FDU",
+          "IEChecker"
         ],
         "refs": [
           "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
+        ],
+        "type": [
+          "PWS"
         ]
       }
     },

From e98de5cb5eab6e404d5940d0e1ab8f1853381cc1 Mon Sep 17 00:00:00 2001
From: Thanat0s <Thanspam@trollprod.org>
Date: Sat, 25 Feb 2017 01:12:42 +0100
Subject: [PATCH 16/22] add derusbi

---
 clusters/tool.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index c6365680..bfb41542 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -266,7 +266,19 @@
       }
     },
     {
-      "value": "Derusbi"
+      "value": "Derusbi",
+      "meta": {
+        "synonyms": [
+          "TROJ_DLLSERV.BE"
+          ],
+        "refs": [
+          "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf",
+          "https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf"
+        ],
+        "type": [
+          "Backdoor"
+        ]
+      }
     },
     {
       "value": "EvilGrab"
@@ -498,6 +510,7 @@
           "IEChecker"
         ],
         "refs": [
+          "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_sasfis.tl",
           "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
         ],
         "type": [

From 724e836ae93e2c4795dc18458459e65ec72d478e Mon Sep 17 00:00:00 2001
From: Thanat0s <Thanspam@trollprod.org>
Date: Sat, 25 Feb 2017 01:18:03 +0100
Subject: [PATCH 17/22] remove coreshell duplicate

---
 clusters/tool.json | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index bfb41542..fab733ff 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -270,7 +270,7 @@
       "meta": {
         "synonyms": [
           "TROJ_DLLSERV.BE"
-          ],
+        ],
         "refs": [
           "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf",
           "https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf"
@@ -439,9 +439,6 @@
         ]
       }
     },
-    {
-      "value": "CORESHELL"
-    },
     {
       "value": "CHOPSTICK",
       "description": "backdoor",

From 59b5ed6c1bdd1b7a9152e2b52ac78cd898ead5f4 Mon Sep 17 00:00:00 2001
From: Thanat0s <Thanspam@trollprod.org>
Date: Sat, 25 Feb 2017 01:30:10 +0100
Subject: [PATCH 18/22] update evilgrab

---
 clusters/tool.json | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index fab733ff..b2137edc 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -281,7 +281,22 @@
       }
     },
     {
-      "value": "EvilGrab"
+      "value": "EvilGrab",
+      "meta": {
+        "synonyms": [
+          "BKDR_HGDER",
+          "BKDR_EVILOGE",
+          "BKDR_NVICM",
+          "Wmonder"
+        ],
+        "refs": [
+          "http://blog.trendmicro.com/trendlabs-security-intelligence/evilgrab-malware-family-used-in-targeted-attacks-in-asia/",
+          "http://researchcenter.paloaltonetworks.com/2015/06/evilgrab-delivered-by-watering-hole-attack-on-president-of-myanmars-website/"
+        ],
+        "type": [
+          "Backdoor"
+        ]
+      }
     },
     {
       "value": "Trojan.Naid"

From 7eb98609a36bf0ac7d47a9d95801de2eb366a144 Mon Sep 17 00:00:00 2001
From: Thanat0s <Thanspam@trollprod.org>
Date: Sat, 25 Feb 2017 01:42:33 +0100
Subject: [PATCH 19/22] update trojan.main

---
 clusters/tool.json | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index b2137edc..a77699f7 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -299,7 +299,25 @@
       }
     },
     {
-      "value": "Trojan.Naid"
+      "value": "Trojan.Naid",
+      "meta": {
+        "synonyms": [
+          "Naid",
+          "Mdmbot.E",
+          "AGENT.GUNZ",
+          "AGENT.AQUP.DROPPER",
+          "AGENT.BMZA",
+          "MCRAT.A",
+          "AGENT.ABQMR"
+        ],
+        "refs": [
+          "https://www.symantec.com/connect/blogs/cve-2012-1875-exploited-wild-part-1-trojannaid",
+          "http://telussecuritylabs.com/threats/show/TSL20120614-05"
+        ],
+        "type": [
+          "Dropper"
+        ]
+      }
     },
     {
       "value": "Backdoor.Moudoor"

From 3d79a82bf5acdbca00c0e5e3b44aa4319cd5d404 Mon Sep 17 00:00:00 2001
From: Thanat0s <Thanspam@trollprod.org>
Date: Sat, 25 Feb 2017 02:08:51 +0100
Subject: [PATCH 20/22] Add Tinba banking

---
 clusters/tool.json | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/clusters/tool.json b/clusters/tool.json
index a77699f7..f474d8c0 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1,5 +1,23 @@
 {
   "values": [
+    {
+      "value": "Tinba",
+      "description": "Banking Malware",
+      "meta": {
+        "refs": [
+          "https://thehackernews.com/search/label/Zusy%20Malware",
+          "http://blog.trendmicro.com/trendlabs-security-intelligence/the-tinbatinybanker-malware/"
+        ],
+        "synonyms": [
+          "Hunter",
+          "Zusy",
+          "TinyBanker"
+        ],
+        "type": [
+          "Banking"
+        ]
+      }
+    },
     {
       "value": "PlugX",
       "description": "Malware",
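Review bot: `"Banking"` names the victim sector rather than a malware behaviour, unlike the other tags in this file (`Backdoor`, `Dropper`, `PWS`, `Spyware`, `HackTool`, `Miner`), so the `type` vocabulary now mixes two taxonomies; `"Banker"` would fit the existing behaviour-class set, or the targeted sector belongs in a separate meta field. The first ref is a blog search-results page (`/search/label/Zusy%20Malware`) rather than a specific article, which is fragile as a citation and should be replaced by the article it was meant to point at. `"Hunter"` is a very generic synonym that may collide with unrelated tools; worth confirming against the cited Trend Micro write-up before keeping it.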

From d4e3a08995ff94e41e6c754a8ff6fa9f82e5819e Mon Sep 17 00:00:00 2001
From: Thanat0s <Thanspam@trollprod.org>
Date: Sat, 25 Feb 2017 02:22:30 +0100
Subject: [PATCH 21/22] add moudor info

---
 clusters/tool.json | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index f474d8c0..ed82b3dc 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -338,7 +338,21 @@
       }
     },
     {
-      "value": "Backdoor.Moudoor"
+      "value": "Moudoor",
+      "description": "Backdoor.Moudoor, a customized version of Gh0st RAT",
+      "meta": {
+        "synonyms": [
+          "SCAR",
+          "KillProc.14145"
+        ],
+        "refs": [
+          "http://www.darkreading.com/attacks-breaches/elite-chinese-cyberspy-group-behind-bit9-hack/d/d-id/1140495",
+          "https://securityledger.com/2013/09/apt-for-hire-symantec-outs-hidden-lynx-hacking-crew/"
+        ],
+        "type": [
+          "Backdoor"
+        ]
+      }
     },
     {
       "value": "NetTraveler"
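Review bot: The entry is renamed from `"Backdoor.Moudoor"` to `"Moudoor"` but the old name is not carried into `synonyms`, so any tag or reference already using `Backdoor.Moudoor` stops matching this entry. Adding `"Backdoor.Moudoor"` to the synonyms list beside `"SCAR"` and `"KillProc.14145"` keeps the rename backward-compatible, and since the new description already uses the old name the alias costs nothing.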

From 47903f839401ba47d2083793cff5d87a2ce22849 Mon Sep 17 00:00:00 2001
From: Thanat0s <Thanspam@trollprod.org>
Date: Sat, 25 Feb 2017 02:28:43 +0100
Subject: [PATCH 22/22] add info to the famous mimikatz

---
 clusters/tool.json | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index ed82b3dc..9562a70a 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -361,7 +361,19 @@
       "value": "Winnti"
     },
     {
-      "value": "Mimikatz"
+      "value": "Mimikatz",
+      "description": "Ease Credential stealh and replay, A little tool to play with Windows security.",
+      "meta": {
+        "synonyms": [
+          "Mikatz"
+        ],
+        "refs": [
+          "https://github.com/gentilkiwi/mimikatz"
+        ],
+        "type": [
+          "HackTool"
+        ]
+      }
     },
     {
       "value": "WEBC2"
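Review bot: The new description `"Ease Credential stealh and replay, A little tool to play with Windows security."` has a spelling error and a run-on sentence; `"Credential theft and replay made easy; a little tool to play with Windows security."` says the same thing cleanly. The `"Mikatz"` synonym is not attested by the single ref given, so either add a source for it or drop it.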