From 667d5b885098cee344e6f446dfbea624ec3ca09e Mon Sep 17 00:00:00 2001
From: itayc0hen
Date: Wed, 22 Apr 2020 19:44:38 +0300
Subject: [PATCH 1/9] Add ItaDuke/DarkUniverse actor
---
 clusters/threat-actor.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c8117b7f..b72f522a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8098,6 +8098,22 @@
 },
 "uuid": "86b4e2f3-8bbf-48fd-9d27-034d3ac3b187",
 "value": "VENOM SPIDER"
+ },
+ {
+ "description": "ItaDuke is an actor known since 2013. It used PDF exploits for dropping malware and Twitter accounts to store C2 server urls. On 2018, an actor named DarkUniverse, which was active between 2009 to 2017, was attributed to this ItaDuke by Kaspersky.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/",
+ "https://www.fireeye.com/blog/threat-research/2013/02/the-number-of-the-beast.html",
+ "https://securelist.com/new-uyghur-and-tibetan-themed-attacks-using-pdf-exploits/35465"
+ ],
+ "synonyms": [
+ "DarkUniverse",
+ "SIG27"
+ ]
+ },
+ "uuid": "d0b900fa-84b4-11ea-bc55-0242ac130003",
+ "value": "ItaDuke"
 }
 ],
 "version": 157
From b0f0bbae33caf5ff6295bcd93ee25abe7eb8d6f5 Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Thu, 23 Apr 2020 14:52:08 +0200
Subject: [PATCH 2/9] adding VOYEUR as alias (used by NSA) for MAGIC KITTEN (source reference included)
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b72f522a..f7f5b282 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
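Review bot: The new ItaDuke entry's `uuid` `d0b900fa-84b4-11ea-bc55-0242ac130003` is a time-based version-1 UUID (third group begins with `1`), whereas every other cluster visible in this series uses a random version-4 UUID (third group begins with `4`); a v1 value embeds the generating host's clock and node identifier, and the `0242ac130003` node looks like a locally administered container-style MAC rather than a real interface, so regenerate it as a v4 UUID before anything is tagged with it. The description asserts a third-party attribution (DarkUniverse folded into ItaDuke by Kaspersky) but `meta` carries no `attribution-confidence`, which the MAGIC KITTEN entry in the next patch does use — add one so consumers can weigh the merge rather than reading it as certain. Wording: `On 2018` should read `In 2018`, and the year should be checked against the cited securelist post, whose URL carries no date.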
@@ -2017,10 +2017,12 @@
 "attribution-confidence": "50",
 "country": "IR",
 "refs": [
- "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/"
+ "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
+ "https://carnegieendowment.org/2018/01/04/iran-s-cyber-ecosystem-who-are-threat-actors-pub-75140"
 ],
 "synonyms": [
- "Group 42"
+ "Group 42",
+ "VOYEUR"
 ]
 },
 "uuid": "2e77511d-f72f-409e-9b64-e2a15efe9bf4",
From 858621ebdc839b7963bd34f83a27b72045489f3d Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Thu, 23 Apr 2020 15:47:35 +0200
Subject: [PATCH 3/9] Adding Nazar APT as described by JAGS in his OPCDE talk yesterday.
---
 clusters/threat-actor.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b72f522a..4cb71900 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
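Review bot: The `VOYEUR` alias is added on the strength of one secondary source (the Carnegie overview), and nothing in the entry records that this is an NSA cryptonym rather than a vendor name, so a consumer correlating events on `synonyms` cannot see that the MAGIC KITTEN mapping rests on leak-derived naming as the commit message says. State the provenance in one sentence in the cluster's description (which lies outside this hunk), e.g. `VOYEUR is the cryptonym used in the leaked NSA documents, per the Carnegie report.` The existing `attribution-confidence` of `"50"` was set before this alias existed; re-check whether the new source changes it, and leave it as is if not. The enclosing cluster object starts and ends outside the hunk.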
@@ -8114,7 +8114,20 @@ }, "uuid": "d0b900fa-84b4-11ea-bc55-0242ac130003", "value": "ItaDuke" + }, + { + "description": "This actor was identified by Juan Andres Guerrero-Saade from the SIG37 cluster as published in the ShadowBrokers' 'Lost in Translation' leak. Earliest known sighting potentially dates back to as far as 2008 with a confirmed center of activity around 2010-2013. The actor name is derived from a PDB debug string fragment: 'khzer'. Victimology indicates targeting of Iran, assessed with low confidence based on VT file submission locations. Nazar employs a modular toolkit where a main dropper silently registers multiple DLLs as OLE controls in the Windows registry. Functionality includes keylogging, sound and screen grabbing, as well as traffic capture using the MicroOlap Packet Sniffer library.", + "meta": { + "refs": [ + "https://www.epicturla.com/blog/the-lost-nazar" + ], + "synonyms": [ + "SIG37" + ] + }, + "uuid": "169187c5-9fbe-42df-ae92-6e35846db021", + "value": "Nazar" } ], - "version": 157 + "version": 158 } From d449eb94fc1bfd9b94ed16dfa380c85ec2a32d4f Mon Sep 17 00:00:00 2001 From: rvs1st <60353313+rvs1st@users.noreply.github.com> Date: Fri, 24 Apr 2020 09:03:58 -0500 Subject: [PATCH 4/9] Update threat-actor.json Added on line 1403: Trident per campaign malicious RTF documents to exploit CVE-2017-11882 and CVE-2012-0158 --- clusters/threat-actor.json | 1 + 1 file changed, 1 insertion(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 324ad48b..480119d5 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -1400,6 +1400,7 @@ "synonyms": [ "IceFog", "Dagger Panda" + "Trident" ] }, "uuid": "32c534b9-abec-4823-b223-a810f897b47b", From de71a444f8c5e9fab1bcca6f4f9988d227512ba7 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 26 Apr 2020 14:23:59 +0200 Subject: [PATCH 5/9] chg: [json] add missing comma --- clusters/threat-actor.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
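Review bot: The Nazar description says the Iran victimology is "assessed with low confidence" and the SIG37 link rests on a single blog post, yet `meta` carries no `attribution-confidence`, so the hedge lives only in prose that automated consumers never read; add an `attribution-confidence` key (the MAGIC KITTEN entry uses the string form `"50"`) with a value that matches the prose. Note that `country` in this schema denotes the actor's origin (MAGIC KITTEN's `"IR"`), so the victim country must not be put there. The PDB fragment `khzer` and the MicroOlap packet-sniffer dependency are the most useful hunting pivots in the text — keep them verbatim in the description rather than paraphrasing them later.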
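Review bot: The `Trident` synonym is added to the IceFog cluster with no accompanying `refs` entry, so the claim in the commit message (malicious RTF documents exploiting CVE-2017-11882 and CVE-2012-0158) has no source inside the data and nobody reading the galaxy can verify the alias; add the report URL to the cluster's `refs` in the same change. As committed the line also lacks the comma after `"Dagger Panda"`, which leaves the file invalid JSON until the next patch in the series repairs it — a `jq . clusters/threat-actor.json` run before committing would have caught that. `Trident` is a name reused for unrelated things, so the description should name the vendor that uses it for IceFog. The enclosing cluster object starts outside the hunk.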
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 480119d5..cd721680 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -1399,7 +1399,7 @@ ], "synonyms": [ "IceFog", - "Dagger Panda" + "Dagger Panda", "Trident" ] }, From 112f9e4a088b32600266960a963fefbdddf7abb9 Mon Sep 17 00:00:00 2001 From: Rony Date: Sun, 26 Apr 2020 23:47:37 +0530 Subject: [PATCH 6/9] Adding alias Thallium and merging STOLEN PENCIL Pretty much confirmed from the crowdstrike talk at ATT&CKon 2.0. And also Netscout named the campaign as STOLEN PENCIL. --- clusters/threat-actor.json | 27 ++++++++++----------------- 1 file changed, 10 insertions(+), 17 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 30c2ee7f..3a63d3d0 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -5148,16 +5148,22 @@ "refs": [ "https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/", "https://www.cfr.org/interactive/cyber-operations/kimsuky", - "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html" + "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html", + "https://youtu.be/hAsKp43AZmM?t=1027", + "https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1", + "https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia", + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", + "https://attack.mitre.org/groups/G0086/" ], "synonyms": [ - "Kimsuky", "Velvet Chollima", - "Black Banshee" + "Black Banshee", + "Thallium", + "Operation Stolen Pencil" ] }, "uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3", - "value": "Kimsuki" + "value": "Kimsuky" }, { "description": "While investigating some of the smaller name servers that APT28/Sofacy routinely use to host their infrastructure, Cylance discovered another prolonged campaign that appeared to exclusively target Japanese companies and individuals that began around August 2016. The later registration style was eerily close to previously registered APT28 domains, however, the malware used in the attacks did not seem to line up at all. During the course of our investigation, JPCERT published this analysis of one of the group’s backdoors. Cylance tracks this threat group internally as ‘Snake Wine’.\nThe Snake Wine group has proven to be highly adaptable and has continued to adopt new tactics in order to establish footholds inside victim environments. 
The exclusive interest in Japanese government, education, and commerce will likely continue into the future as the group is just starting to build and utilize their existing current attack infrastructure.", @@ -7195,19 +7201,6 @@ "uuid": "ec3fda76-8c1c-4019-8109-3f92e6b15633", "value": "Ratpak Spider" }, - { - "description": "ASERT has learned of an APT campaign, possibly originating from DPRK, we are calling STOLEN PENCIL that is targeting academic institutions since at least May 2018.", - "meta": { - "refs": [ - "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/", - "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", - "https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia", - "https://attack.mitre.org/groups/G0086/" - ] - }, - "uuid": "769aeaa6-d193-4e90-a818-d74c6ff7b845", - "value": "STOLEN PENCIL" - }, { "meta": { "refs": [ From a428ad565e6e8f072c92623d7cbeb4eeaac778f4 Mon Sep 17 00:00:00 2001 From: de Rosen Date: Mon, 27 Apr 2020 15:16:33 +0300 Subject: [PATCH 7/9] Added misp info --- clusters/banker.json | 16 ++++++- clusters/exploit-kit.json | 4 +- clusters/mitre-enterprise-attack-tool.json | 3 +- clusters/ransomware.json | 52 +++++++++++++++++++++- clusters/rat.json | 13 ++++++ clusters/threat-actor.json | 26 +++++++++++ clusters/tool.json | 20 +++++++++ 7 files changed, 128 insertions(+), 6 deletions(-) diff --git a/clusters/banker.json b/clusters/banker.json index 013da825..33b18c80 100644 --- a/clusters/banker.json +++ b/clusters/banker.json @@ -89,7 +89,8 @@ "https://feodotracker.abuse.ch/" ], "synonyms": [ - "Feodo Version D" + "Feodo Version D", + "Cridex" ] }, "related": [ @@ -589,7 +590,8 @@ ], "synonyms": [ "Qbot ", - "Pinkslipbot" + "Pinkslipbot", + "Akbot" ] }, "related": [ 
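Review bot: Renaming `value` from `Kimsuki` to `Kimsuky` while also deleting `"Kimsuky"` from `synonyms` leaves no string that still matches the old spelling, so existing tags of the form `misp-galaxy:threat-actor="Kimsuki"` and any external mapping keyed on it stop resolving; keep the old spelling as an alias by adding `"Kimsuki",` to the synonyms list. The same patch drops the standalone STOLEN PENCIL cluster (uuid `769aeaa6-d193-4e90-a818-d74c6ff7b845`), so events tagged with that uuid will dangle — either retain that cluster with a `related` entry pointing at this one (the `related` structure is already used by clusters in this series) or at least record the merge in this description. `Operation Stolen Pencil` is a campaign name rather than an actor alias; `synonyms` is the only slot the schema offers, but the description should say it is a campaign attributed to the group. The `youtu.be?t=…` and `bloomberglaw.com` refs are fragile (a timestamped video and a document viewer) and should be backed by a stable primary source if one exists. The enclosing cluster object starts outside the hunk.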
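Review bot: `Cridex` is added as a synonym with no `refs` change, and the only visible ref is the Feodo Tracker; Cridex is generally described as an earlier family in the Feodo/Dridex lineage rather than a strict alias of "Feodo Version D", so merging it as a synonym will make Cridex-era indicators resolve to this later cluster. If the galaxy already has a separate Cridex cluster, a `related` link (the structure this very entry uses) is the safer representation; otherwise add the source that equates the two names. The enclosing cluster object begins outside the hunk, so its `value` is not visible here.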
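Review bot: The synonym list this hunk extends still contains `"Qbot "` with a trailing space, which defeats exact-match lookups on that alias; fix it in the same edit: `"Qbot",`. `Akbot` is added without a supporting ref — add the source that ties Akbot to this family so the alias can be verified. The enclosing cluster object begins outside the hunk.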
@@ -1179,6 +1181,16 @@ ], "uuid": "2fafe8b2-b0db-11e8-a81e-4b62ee50bd87", "value": "CamuBot" + }, + { + "meta": { + "refs": [ + "https://thehackernews.com/2018/08/mexico-banking-malware.html" + ] + }, + "description": "Dark Tequila has primarily been designed to steal victims’ financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.", + "value": "Dark Tequila", + "uuid": "fa574138-a3bd-4ebc-a5f7-3b465df7106f" } ], "version": 16 diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json index 872cf170..8abab32d 100644 --- a/clusters/exploit-kit.json +++ b/clusters/exploit-kit.json @@ -172,7 +172,9 @@ "status": "Active", "synonyms": [ "Popads EK", - "TopExp" + "TopExp", + "Magniber", + "Magnitude EK" ] }, "uuid": "6a313e11-5bb2-40ed-8cde-9de768b783b1", diff --git a/clusters/mitre-enterprise-attack-tool.json b/clusters/mitre-enterprise-attack-tool.json index 7ae49b39..17eaad73 100644 --- a/clusters/mitre-enterprise-attack-tool.json +++ b/clusters/mitre-enterprise-attack-tool.json @@ -509,7 +509,8 @@ "external_id": "S0120", "refs": [ "https://attack.mitre.org/wiki/Software/S0120", - "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "https://www.aldeid.com/wiki/FGDump" ], "synonyms": [ "Fgdump" diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 6cf1827c..4897b51a 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -7936,6 +7936,9 @@ "description": "Ransomware Based on HiddenTear, but uses TripleDES, decrypter is PoC", "meta": { "encryption": "TripleDES", + "synonyms": [ + "JobCrypter" + ], "extensions": [ ".locked", ".css" 
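Review bot: The Dark Tequila entry cites only a news aggregator and its description never says where the campaign operates, although the cited article's slug (`mexico-banking-malware`) names the region; add `targeting users in Mexico` to the description and cite the original vendor analysis the article summarises alongside it. The key order (`meta` before `description`, `value` before `uuid`) differs from every other cluster in the file; the later `jq` pass in this series normalises it, but new entries should be written in the canonical order to begin with.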
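Review bot: `Magniber` is added as a synonym of the exploit-kit entry (alongside `Popads EK` and `TopExp`) without any ref, and Magniber is widely documented as a ransomware payload distributed by Magnitude EK rather than an alias of the kit itself; listing it here makes ransomware indicators resolve to a delivery vehicle. Keep `Magnitude EK` as the alias, move `Magniber` to the ransomware cluster if it is not already there, and connect the two with a `related` entry (the structure already used in the banker hunks of this patch). The enclosing cluster object begins outside the hunk, so its `value` is not visible here.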
@@ -11195,7 +11198,13 @@ "price": "0.05 (300 $)", "refs": [ "http://blog.talosintelligence.com/2017/10/bad-rabbit.html", - "https://id-ransomware.blogspot.com/2017/10/badrabbit-ransomware.html" + "https://id-ransomware.blogspot.com/2017/10/badrabbit-ransomware.html", + "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/", + "https://securelist.com/bad-rabbit-ransomware/82851/", + "http://www.intezer.com/notpetya-returns-bad-rabbit/" + ], + "ransomnotes": [ + "https://www.welivesecurity.com/wp-content/uploads/2017/10/mbr_cut.png" ], "synonyms": [ "BadRabbit", 
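Review bot: The new `ransomnotes` value for Bad Rabbit is an image URL, whereas the same key elsewhere in this series (the KingOuroboros entry) carries the note's text; mixing URLs and text in one list means consumers that match on note content will compare against a link, so put screenshot links in a dedicated link field if the ransomware galaxy has one (`ransomnotes-refs` or similar — verify against the schema) and keep `ransomnotes` for text. The added `http://www.intezer.com/…` ref is plain HTTP; use the `https://` form as the other new refs do. The enclosing cluster object begins outside the hunk.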
@@ -13635,7 +13644,46 @@ ] }, "uuid": "21b349c3-ede2-4e11-abda-1444eb272eff", - "value": "Clop" + "value": "Clop", + }, + { + "value": "PornBlackmailer", + "description": "A new infection is being distributed by porn sites that tries to blackmail a victim into paying a ransom by stating they will tell law enforcement that the victim is spreading child porn. This is done by collecting information about the user, including screen shots of their active desktop, in order to catch them in compromising situations.", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/blackmailware-found-on-porn-site-threatens-to-report-users-are-spreading-child-porn/" + ], + "ransomnotes": [ + "https://www.bleepstatic.com/images/news/malware/b/blackmailware/pornblackmailer/ransom-note.jpg" + ] + }, + "uuid": "a1a730e2-f1a4-4d7b-9930-80529cd97f3c" + }, + { + "value": "KingOuroboros", + "description": "This crypto-extortioner encrypts user data using AES, and then requires a $ 30- $ 50- $ 80 buy- back to BTC to return the files. The name is original. Written on AutoIt.", + "meta": { + "refs": [ + "https://id-ransomware.blogspot.com/2018/06/kingouroboros-ransomware.html" + ], + "ransomnotes": [ + "Your files has been safely encrypted\n---\nEncrypted files: 276\n**********\n---\n[Buy Bitcoins] [Decrypt Files] (Decryptionkey)\n---\nThe only way you can recover your files is to buy a decryption key\nThe payment method is: Bitcoin. The price is: $50 = Bitcoins\nAfter buying the amount of bitcoins send an email\nto king.ouroboros@protonmail.com Your ID: *****\nWe will provide you with payment address and your decryption key.\nYou have 72 Hours to complete the payment otherwise your key will be deleted." 
+ ] + }, + "uuid": "303a07bf-c990-4fbe-ac7d-57b8c3cb29b6" + }, + { + "value": "MAFIA Ransomware", + "description": "The ransomware appears to target users in Korea, and may have been developed with at least knowledge of the Korean language.", + "meta": { + "synonyms": [ + "Mafia" + ], + "refs": [ + "https://bartblaze.blogspot.com/2018/08/mafia-ransomware-targeting-users-in.html" + ] + }, + "uuid": "9ea6333f-1437-4a57-8acc-d73019378ef2" }, { "description": "The cybercrime group that brought us Satan, DBGer and Lucky ransomware and perhaps Iron ransomware, has now come up with a new version or rebranding named 5ss5c. [...] It will however only encrypt files with the following extensions: 7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip", diff --git a/clusters/rat.json b/clusters/rat.json index 5bc8f763..21c09478 100644 --- a/clusters/rat.json +++ b/clusters/rat.json @@ -3350,6 +3350,9 @@ "meta": { "refs": [ "https://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks" + ], + "synonyms": [ + "Parasite HTTP" ] }, "uuid": "1b6a067c-50ba-4aa7-a59b-824e94e210fe", @@ -3417,6 +3420,16 @@ "uuid": "1b4a085c-30bb-5aa5-b46a-803e94e010ff", "value": "InnfiRAT" }, + { + "meta": { + "refs": [ + "https://researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/" + ] + }, + "description": "In the wild since February 2015. The malware comes equipped with a variety of features and can be purchased for $50 directly from the author. It has been deployed in attacks against organizations across many industries and is predominantly delivered via phishing emails.", + "value": "KeyBase", + "uuid": "b3cfd21f-b637-42ff-b118-2803630b718a" + }, { "description": "Apparently existing since 2018", "meta": { diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index bc5fe297..72df3879 100644 
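Review bot: The KingOuroboros description states the files are encrypted with AES, but the structured `encryption` key this cluster already uses (`"encryption": "TripleDES"` on the entry earlier in this patch) is not set; add `"encryption": "AES"` so the fact is machine-readable, and reword the literal translation `The name is original. Written on AutoIt.` to `Written in AutoIt.` The PornBlackmailer `ransomnotes` value is an image URL while KingOuroboros's is note text, so the same list field carries two different kinds of value — keep screenshot links out of `ransomnotes` or move them to a link field if the schema provides one. This hunk also leaves `"value": "Clop",` with a trailing comma, which makes the file invalid JSON until the `jq` pass later in the series; run `jq .` on the cluster before committing.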
--- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7875,6 +7875,32 @@ "uuid": "feb0cfef-0472-4108-83d7-1a322d8ab86b", "value": "APT-C-34" }, + { + "value": "Golden RAT", + "description": "Since November 2014, the Golden Rat Organization (APT-C-27) has launched an organized, planned and targeted long-term uninterrupted attack on the Syrian region. The attack platform has gradually expanded from the beginning of the Windows platform to the Android platform.", + "meta": { + "refs": [ + "https://ti.360.net/blog/articles/analysis-of-apt-c-27/", + "http://csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf" + ], + "since": "2014", + "synonyms": [ + "APT-C-27" + ] + }, + "uuid": "790cc0e7-4132-4e41-9b6c-11ff757400c0" + }, + { + "value": "luoxk", + "description": "Luoxk is a malware campaign targeting web servers throughout Asia, Europe and North America.", + "meta": { + "refs": [ + "https://www.systemtek.co.uk/2018/07/luoxk-malware-exploiting-cve-2018-2893/" + ], + "since": "2017" + }, + "uuid": "69e11692-691e-4bfb-9557-4e2a271684ed" + }, { "description": "The activities of some non-governmental organizations (NGOs) challenge governments on politically sensitive issues such as social, humanitarian, and environmental policies. As a result, these organizations are often exposed to increased government-directed threats aimed at monitoring their activities, discrediting their work, or stealing their intellectual property. BRONZE PRESIDENT is a likely People's Republic of China (PRC)-based targeted cyberespionage group that uses both proprietary and publicly available tools to target NGO networks. Secureworks® Counter Threat Unit (CTU) researchers have observed BRONZE PRESIDENT activity since mid-2018 but identified artifacts suggesting that the threat actors may have been conducting network intrusions as far back as 2014.", "meta": { diff --git a/clusters/tool.json b/clusters/tool.json index 19c1e7d7..bf7af316 100644 --- a/clusters/tool.json 
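Review bot: The second Golden RAT ref is a PDF whose filename says `APT27_Syria`, and APT27 is the name vendors use for a different, Chinese group (Emissary Panda/LuckyMouse) — nothing in this entry guards against a future contributor adding `APT27` to `synonyms` on the strength of that filename, so state in the description that `APT-C-27` is the 360 designation and is unrelated to APT27. The luoxk description never mentions how the web servers are compromised, although the cited URL's slug names `cve-2018-2893`; add `by exploiting CVE-2018-2893` to the description so the exploited vulnerability is searchable. Neither entry carries `country` or `attribution-confidence`; luoxk in particular is described as a "malware campaign", so say explicitly that no actor attribution is made rather than leaving the fields silently absent.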
+++ b/clusters/tool.json @@ -7916,6 +7916,26 @@ "uuid": "a0736351-1721-42ed-a057-19b4b93b585e", "value": "NBTScan" }, + { + "meta": { + "refs": [ + "https://securelist.com/a-mining-multitool/86950/" + ] + }, + "description": "PowerGhost is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers. This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker’s profits. Therefore, it’s not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malware’s proliferation. The creators of PowerGhost, however, went further and started using fileless techniques to establish the illegal miner within the victim system.", + "value": "PowerGhost", + "uuid": "92480988-82ad-4e1c-af5f-71c85f9ab809" + }, + { + "meta": { + "refs": [ + "https://research.checkpoint.com/vbetaly/" + ] + }, + "description": "Check Point researchers have found another wave of the Ursnif malspam campaign targeting Italy. Only a few details are known so far but what we have found is that the file delivered is a VBE file (encoded VBS) named “SCANSIONE.vbe” and is delivered via ZIP attachments in emails with the subject suggesting different documents in Italian.", + "value": "VBEtaly", + "uuid": "10c0d60b-c9c1-474c-8594-11b5d82c6498" + }, { "description": "ZeroCleare was used to execute a destructive attack that affected organizations in the energy and industrial sectorsin the Middle East. Based on the analysis of the malware and the attackers’ behavior, we suspect Iran-based nation state adversaries were involved to develop and deploy this new wiper. ", "meta": { From 2a708933526954296b40eb07fcb291d84722bf13 Mon Sep 17 00:00:00 2001 
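Review bot: VBEtaly is described as a wave of the Ursnif malspam campaign, but the entry has no link to the Ursnif tool cluster the galaxy presumably already holds; add a `related` entry pointing at it (the `related` structure is used in other clusters in this patch) so the lure and the payload correlate. The file name `SCANSIONE.vbe` and the ZIP-attachment delivery are the concrete indicators in the text — keep them verbatim. PowerGhost has no `type` although this cluster supports one (`"type": ["Loader", "Backdoor"]` appears on the DenesRAT entry later in the series); add a type such as `["Miner"]` if that is an accepted value in the schema. Both entries are written with `meta` before `description` and `value` before `uuid`, the reverse of the file's canonical order, which the later `jq` pass has to repair.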
From: Alexandre Dulaunoy Date: Mon, 27 Apr 2020 15:03:25 +0200 Subject: [PATCH 8/9] chg: [jq] JSON fixed --- clusters/banker.json | 6 ++-- clusters/ransomware.json | 60 +++++++++++++++++++------------------- clusters/rat.json | 6 ++-- clusters/threat-actor.json | 8 ++--- clusters/tool.json | 12 ++++---- 5 files changed, 46 insertions(+), 46 deletions(-) diff --git a/clusters/banker.json b/clusters/banker.json index 33b18c80..3cbacec0 100644 --- a/clusters/banker.json +++ b/clusters/banker.json @@ -1183,14 +1183,14 @@ "value": "CamuBot" }, { + "description": "Dark Tequila has primarily been designed to steal victims’ financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.", "meta": { "refs": [ "https://thehackernews.com/2018/08/mexico-banking-malware.html" ] }, - "description": "Dark Tequila has primarily been designed to steal victims’ financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.", - "value": "Dark Tequila", - "uuid": "fa574138-a3bd-4ebc-a5f7-3b465df7106f" + "uuid": "fa574138-a3bd-4ebc-a5f7-3b465df7106f", + "value": "Dark Tequila" } ], "version": 16 diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 4897b51a..9d50186a 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -7936,9 +7936,6 @@ "description": "Ransomware Based on HiddenTear, but uses TripleDES, decrypter is PoC", "meta": { "encryption": "TripleDES", - "synonyms": [ - "JobCrypter" - ], "extensions": [ ".locked", ".css" 
@@ -7954,6 +7951,9 @@ "http://forum.malekal.com/jobcrypter-geniesanstravaille-extension-locked-crypto-ransomware-t54381.html", "https://twitter.com/malwrhunterteam/status/828914052973858816", "http://id-ransomware.blogspot.com/2016/05/jobcrypter-ransomware.html" + ], + "synonyms": [ + "JobCrypter" ] }, "uuid": "7c9a273b-1534-4a13-b201-b7a782b6c32a", @@ -11196,6 +11196,9 @@ "meta": { "payment-method": "Bitcoin", "price": "0.05 (300 $)", + "ransomnotes": [ + "https://www.welivesecurity.com/wp-content/uploads/2017/10/mbr_cut.png" + ], "refs": [ "http://blog.talosintelligence.com/2017/10/bad-rabbit.html", "https://id-ransomware.blogspot.com/2017/10/badrabbit-ransomware.html", @@ -11203,9 +11206,6 @@ "https://securelist.com/bad-rabbit-ransomware/82851/", "http://www.intezer.com/notpetya-returns-bad-rabbit/" ], - "ransomnotes": [ - "https://www.welivesecurity.com/wp-content/uploads/2017/10/mbr_cut.png" - ], "synonyms": [ "BadRabbit", "Bad-Rabbit" 
@@ -13644,46 +13644,46 @@ ] }, "uuid": "21b349c3-ede2-4e11-abda-1444eb272eff", - "value": "Clop", + "value": "Clop" }, { - "value": "PornBlackmailer", "description": "A new infection is being distributed by porn sites that tries to blackmail a victim into paying a ransom by stating they will tell law enforcement that the victim is spreading child porn. This is done by collecting information about the user, including screen shots of their active desktop, in order to catch them in compromising situations.", "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/blackmailware-found-on-porn-site-threatens-to-report-users-are-spreading-child-porn/" - ], "ransomnotes": [ "https://www.bleepstatic.com/images/news/malware/b/blackmailware/pornblackmailer/ransom-note.jpg" - ] - }, - "uuid": "a1a730e2-f1a4-4d7b-9930-80529cd97f3c" - }, - { - "value": "KingOuroboros", - "description": "This crypto-extortioner encrypts user data using AES, and then requires a $ 30- $ 50- $ 80 buy- back to BTC to return the files. The name is original. Written on AutoIt.", - "meta": { - "refs": [ - "https://id-ransomware.blogspot.com/2018/06/kingouroboros-ransomware.html" ], - "ransomnotes": [ - "Your files has been safely encrypted\n---\nEncrypted files: 276\n**********\n---\n[Buy Bitcoins] [Decrypt Files] (Decryptionkey)\n---\nThe only way you can recover your files is to buy a decryption key\nThe payment method is: Bitcoin. The price is: $50 = Bitcoins\nAfter buying the amount of bitcoins send an email\nto king.ouroboros@protonmail.com Your ID: *****\nWe will provide you with payment address and your decryption key.\nYou have 72 Hours to complete the payment otherwise your key will be deleted." 
+ "refs": [ + "https://www.bleepingcomputer.com/news/security/blackmailware-found-on-porn-site-threatens-to-report-users-are-spreading-child-porn/" ] }, - "uuid": "303a07bf-c990-4fbe-ac7d-57b8c3cb29b6" + "uuid": "a1a730e2-f1a4-4d7b-9930-80529cd97f3c", + "value": "PornBlackmailer" }, { - "value": "MAFIA Ransomware", - "description": "The ransomware appears to target users in Korea, and may have been developed with at least knowledge of the Korean language.", + "description": "This crypto-extortioner encrypts user data using AES, and then requires a $ 30- $ 50- $ 80 buy- back to BTC to return the files. The name is original. Written on AutoIt.", "meta": { - "synonyms": [ - "Mafia" + "ransomnotes": [ + "Your files has been safely encrypted\n---\nEncrypted files: 276\n**********\n---\n[Buy Bitcoins] [Decrypt Files] (Decryptionkey)\n---\nThe only way you can recover your files is to buy a decryption key\nThe payment method is: Bitcoin. The price is: $50 = Bitcoins\nAfter buying the amount of bitcoins send an email\nto king.ouroboros@protonmail.com Your ID: *****\nWe will provide you with payment address and your decryption key.\nYou have 72 Hours to complete the payment otherwise your key will be deleted." 
], "refs": [ - "https://bartblaze.blogspot.com/2018/08/mafia-ransomware-targeting-users-in.html" + "https://id-ransomware.blogspot.com/2018/06/kingouroboros-ransomware.html" ] }, - "uuid": "9ea6333f-1437-4a57-8acc-d73019378ef2" + "uuid": "303a07bf-c990-4fbe-ac7d-57b8c3cb29b6", + "value": "KingOuroboros" + }, + { + "description": "The ransomware appears to target users in Korea, and may have been developed with at least knowledge of the Korean language.", + "meta": { + "refs": [ + "https://bartblaze.blogspot.com/2018/08/mafia-ransomware-targeting-users-in.html" + ], + "synonyms": [ + "Mafia" + ] + }, + "uuid": "9ea6333f-1437-4a57-8acc-d73019378ef2", + "value": "MAFIA Ransomware" }, { "description": "The cybercrime group that brought us Satan, DBGer and Lucky ransomware and perhaps Iron ransomware, has now come up with a new version or rebranding named 5ss5c. [...] It will however only encrypt files with the following extensions: 7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip", diff --git a/clusters/rat.json b/clusters/rat.json index 21c09478..9c8f5b35 100644 --- a/clusters/rat.json +++ b/clusters/rat.json 
@@ -3421,14 +3421,14 @@ "value": "InnfiRAT" }, { + "description": "In the wild since February 2015. The malware comes equipped with a variety of features and can be purchased for $50 directly from the author. It has been deployed in attacks against organizations across many industries and is predominantly delivered via phishing emails.", "meta": { "refs": [ "https://researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/" ] }, - "description": "In the wild since February 2015. The malware comes equipped with a variety of features and can be purchased for $50 directly from the author. It has been deployed in attacks against organizations across many industries and is predominantly delivered via phishing emails.", - "value": "KeyBase", - "uuid": "b3cfd21f-b637-42ff-b118-2803630b718a" + "uuid": "b3cfd21f-b637-42ff-b118-2803630b718a", + "value": "KeyBase" }, { "description": "Apparently existing since 2018", diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 72df3879..db18c077 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7876,7 +7876,6 @@ "value": "APT-C-34" }, { - "value": "Golden RAT", "description": "Since November 2014, the Golden Rat Organization (APT-C-27) has launched an organized, planned and targeted long-term uninterrupted attack on the Syrian region. The attack platform has gradually expanded from the beginning of the Windows platform to the Android platform.", "meta": { "refs": [ @@ -7888,10 +7887,10 @@ "APT-C-27" ] }, - "uuid": "790cc0e7-4132-4e41-9b6c-11ff757400c0" + "uuid": "790cc0e7-4132-4e41-9b6c-11ff757400c0", + "value": "Golden RAT" }, { - "value": "luoxk", "description": "Luoxk is a malware campaign targeting web servers throughout Asia, Europe and North America.", "meta": { "refs": [ 
@@ -7899,7 +7898,8 @@ ], "since": "2017" }, - "uuid": "69e11692-691e-4bfb-9557-4e2a271684ed" + "uuid": "69e11692-691e-4bfb-9557-4e2a271684ed", + "value": "luoxk" }, { "description": "The activities of some non-governmental organizations (NGOs) challenge governments on politically sensitive issues such as social, humanitarian, and environmental policies. As a result, these organizations are often exposed to increased government-directed threats aimed at monitoring their activities, discrediting their work, or stealing their intellectual property. BRONZE PRESIDENT is a likely People's Republic of China (PRC)-based targeted cyberespionage group that uses both proprietary and publicly available tools to target NGO networks. Secureworks® Counter Threat Unit (CTU) researchers have observed BRONZE PRESIDENT activity since mid-2018 but identified artifacts suggesting that the threat actors may have been conducting network intrusions as far back as 2014.", diff --git a/clusters/tool.json b/clusters/tool.json index bf7af316..048a550f 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
@@ -7917,24 +7917,24 @@ "value": "NBTScan" }, { + "description": "PowerGhost is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers. This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker’s profits. Therefore, it’s not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malware’s proliferation. The creators of PowerGhost, however, went further and started using fileless techniques to establish the illegal miner within the victim system.", "meta": { "refs": [ "https://securelist.com/a-mining-multitool/86950/" ] }, - "description": "PowerGhost is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers. This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker’s profits. Therefore, it’s not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malware’s proliferation. The creators of PowerGhost, however, went further and started using fileless techniques to establish the illegal miner within the victim system.", - "value": "PowerGhost", - "uuid": "92480988-82ad-4e1c-af5f-71c85f9ab809" + "uuid": "92480988-82ad-4e1c-af5f-71c85f9ab809", + "value": "PowerGhost" }, { + "description": "Check Point researchers have found another wave of the Ursnif malspam campaign targeting Italy. 
Only a few details are known so far but what we have found is that the file delivered is a VBE file (encoded VBS) named “SCANSIONE.vbe” and is delivered via ZIP attachments in emails with the subject suggesting different documents in Italian.", "meta": { "refs": [ "https://research.checkpoint.com/vbetaly/" ] }, - "description": "Check Point researchers have found another wave of the Ursnif malspam campaign targeting Italy. Only a few details are known so far but what we have found is that the file delivered is a VBE file (encoded VBS) named “SCANSIONE.vbe” and is delivered via ZIP attachments in emails with the subject suggesting different documents in Italian.", - "value": "VBEtaly", - "uuid": "10c0d60b-c9c1-474c-8594-11b5d82c6498" + "uuid": "10c0d60b-c9c1-474c-8594-11b5d82c6498", + "value": "VBEtaly" }, { "description": "ZeroCleare was used to execute a destructive attack that affected organizations in the energy and industrial sectorsin the Middle East. Based on the analysis of the malware and the attackers’ behavior, we suspect Iran-based nation state adversaries were involved to develop and deploy this new wiper. ", From 46a6d9fcb1f1e95a3a8ea9ad59ae08b27e53512b Mon Sep 17 00:00:00 2001 From: Thomas Dupuy Date: Tue, 28 Apr 2020 01:08:50 -0400 Subject: [PATCH 9/9] Add DenesRAT/METALJACK --- clusters/tool.json | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index 048a550f..378a3ff1 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
@@ -7998,7 +7998,25 @@
 },
 "uuid": "32a6065c-4f4e-4a60-8717-5872b5f21ac4",
 "value": "Gelup malware tool"
+ },
+ {
+ "description": "DenesRAT is a private Trojan horse of the \"Sea Lotus\" organization, which can perform corresponding functions according to the instructions issued by the C2 server. The main functions are file operations, such as creating files or directories, deleting files or directories, finding files; registry reading and writing; remote code execution, such as creating processes, executing DLLs, etc....",
+ "meta": {
+ "refs": [
+ "http://baijiahao.baidu.com/s?id=1661498030941117519",
+ "https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html"
+ ],
+ "synonyms": [
+ "METALJACK"
+ ],
+ "type": [
+ "Loader",
+ "Backdoor"
+ ]
+ },
+ "uuid": "edd9e14c-80f7-4a50-ab85-fa1120c54003",
+ "value": "DenesRAT"
 }
 ],
- "version": 133
+ "version": 134
 }
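Review bot: The description attributes DenesRAT to the `"Sea Lotus" organization`, a literal translation of the Chinese name, while the second ref is FireEye's APT32 post; nothing in the entry ties the two names together, so write `OceanLotus (APT32, "Sea Lotus" in Chinese-language reporting)` in the description and add a `related` entry pointing at the threat-actor cluster for that group so the tool resolves to the actor. The `type` list declares `Loader`, but the description only documents backdoor behaviour (file operations, registry access, process creation, DLL execution) — either cite what makes it a loader or drop that value. The `baijiahao.baidu.com` ref is a plain-HTTP aggregator link; replace it with the original vendor report it republishes if one can be found, and trim the trailing `etc....` from the description.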