Merge branch 'master' into master

pull/40/head
Raphaël Vinot 2017-03-16 17:38:59 +01:00 committed by GitHub
commit 1ed0558c07
22 changed files with 3600 additions and 839 deletions


@ -1,17 +1,16 @@
language: bash
language: python
cache: pip
python:
- "3.6"
sudo: required
dist: trusty
install:
- git clone https://github.com/stedolan/jq.git
- pushd jq
- autoreconf -i
- ./configure --disable-maintainer-mode
- make
- sudo make install
- popd
- sudo apt-get update -qq
- sudo apt-get install -y -qq jq moreutils
- pip install jsonschema
script:
- cat */*.json | jq .
- ./validate_all.sh
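Review bot: The install step clones jq from the upstream default branch with no tag or commit pin (`git clone https://github.com/stedolan/jq.git`) and installs the result system-wide with `sudo make install`, while the same step also installs the distro `jq` package via apt-get, so the binary that `jq .` and `./validate_all.sh` actually run is whichever is first on PATH and can change from one build to the next. If the source build is meant to stay on the new side, pin it (`git clone --branch <TAG> --depth 1 https://github.com/stedolan/jq.git`) or drop it and rely on the apt package alone. `pip install jsonschema` is likewise unpinned; a `jsonschema==<VERSION>` pin keeps the validation step reproducible. Which of the install lines are old and which are new cannot be told from the rendered section, so this applies to whichever survive.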


@ -16,9 +16,13 @@ to localized information (which is not shared) or additional information (that c
# Available clusters
- [clusters/microsoft-activity-group.json](clusters/microsoft-activity-group.json) - Activity groups as described by Microsoft
- [clusters/exploit-kit.json](clusters/exploit-kit.json) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years.
- [clusters/microsoft-activity-group.json](clusters/microsoft-activity-group.json) - Activity groups as described by Microsoft.
- [clusters/preventive-measure.json](clusters/preventive-measure.json) - Preventive measures.
- [clusters/ransomware.json](clusters/ransomware.json) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml
- [clusters/tds.json](clusters/tds.json) - TDS is a list of Traffic Direction System used by adversaries.
- [clusters/threat-actor.json](clusters/threat-actor.json) - Adversary groups - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. MISP
- [clusters/tool.json](clusters/tool.json) - tool is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries. MISP
- [clusters/tool.json](clusters/tool.json) - tool is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.
# Available Vocabularies


@ -1,6 +1,7 @@
{
"values": [
{ "value": "Astrum",
{
"value": "Astrum",
"description": "Astrum Exploit Kit is a private Exploit Kit used in massive scale malvertising campaigns. It's notable by its use of Steganography",
"meta": {
"refs": [
@ -40,9 +41,9 @@
],
"status": "Active"
}
}
,
{ "value": "DNSChanger",
},
{
"value": "DNSChanger",
"description": "DNSChanger Exploit Kit is an exploit kit targeting Routers via the browser",
"meta": {
"refs": [
@ -64,13 +65,12 @@
],
"synonyms": [
"3ROS Exploit Kit"
]
,
],
"status": "Active"
}
}
,
{ "value": "Kaixin",
},
{
"value": "Kaixin",
"description": "Kaixin is an exploit kit mainly seen behind compromised website in Asia",
"meta": {
"refs": [
@ -82,9 +82,9 @@
],
"status": "Active"
}
}
,
{ "value": "Magnitude",
},
{
"value": "Magnitude",
"description": "Magnitude EK",
"meta": {
"refs": [
@ -99,9 +99,9 @@
],
"status": "Active"
}
}
,
{ "value": "MWI",
},
{
"value": "MWI",
"description": "Microsoft Word Intruder is an exploit kit focused on Word and embedded flash exploits. The author wants to avoid their customer to use it in mass spam campaign, so it's most often connected to semi-targeted attacks",
"meta": {
"refs": [
@ -156,9 +156,9 @@
],
"status": "Active"
}
}
,
{ "value": "Sednit EK",
},
{
"value": "Sednit EK",
"description": "Sednit EK is the exploit kit used by APT28",
"meta": {
"refs": [
@ -167,9 +167,9 @@
],
"status": "Active"
}
}
,
{ "value": "Bizarro Sundown",
},
{
"value": "Bizarro Sundown",
"description": "Bizarro Sundown appears to be a fork of Sundown with added anti-analysis features",
"meta": {
"refs": [
@ -181,9 +181,9 @@
],
"status": "Active"
}
}
,
{ "value": "GreenFlash Sundown",
},
{
"value": "GreenFlash Sundown",
"description": "GreenFlash Sundown is a variation of Bizarro Sundown without landing",
"meta": {
"refs": [
@ -194,9 +194,9 @@
],
"status": "Active"
}
}
,
{ "value": "Sundown",
},
{
"value": "Sundown",
"description": "Sundown Exploit Kit is mainly built out of stolen code from other exploit kits",
"meta": {
"refs": [
@ -211,9 +211,9 @@
"status": "Active",
"colour": "#C03701"
}
}
,
{ "value": "Angler",
},
{
"value": "Angler",
"description": "The Angler Exploit Kit has been the most popular and evolved exploit kit from 2014 to middle of 2016. There was several variation. The historical \"indexm\" variant was used to spread Lurk. A vip version used notabily to spread Poweliks, the \"standard\" commercial version, and a declinaison tied to load selling (mostly bankers) that can be associated to EmpirePPC",
"meta": {
"refs": [
@ -228,9 +228,9 @@
],
"status": "Retired - Last seen: 2016-06-07"
}
}
,
{ "value": "Archie",
},
{
"value": "Archie",
"description": "Archie EK",
"meta": {
"refs": [
@ -238,9 +238,9 @@
],
"status": "Retired"
}
}
,
{ "value": "BlackHole",
},
{
"value": "BlackHole",
"description": "The BlackHole Exploit Kit has been the most popular exploit kit from 2011 to 2013. Its activity stopped with Paunch's arrest (all activity since then is anecdotal and based on an old leak)",
"meta": {
"refs": [
@ -252,9 +252,9 @@
],
"status": "Retired - Last seen: 2013-10-07"
}
}
,
{ "value": "Bleeding Life",
},
{
"value": "Bleeding Life",
"description": "Bleeding Life is an exploit kit that became open source with its version 2",
"meta": {
"refs": [
@ -264,13 +264,12 @@
"synonyms": [
"BL",
"BL2"
]
,
],
"status": "Retired"
}
}
,
{ "value": "Cool",
},
{
"value": "Cool",
"description": "The Cool Exploit Kit was a kind of BlackHole VIP in 2012/2013",
"meta": {
"refs": [
@ -284,9 +283,9 @@
],
"status": "Retired - Last seen: 2013-10-07"
}
}
,
{ "value": "Fiesta",
},
{
"value": "Fiesta",
"description": "Fiesta Exploit Kit",
"meta": {
"refs": [
@ -328,13 +327,12 @@
"SafePack",
"CritXPack",
"Vintage Pack"
]
,
],
"status": "Retired - Last seen: middle of 2015-04"
}
}
,
{ "value": "GrandSoft",
},
{
"value": "GrandSoft",
"description": "GrandSoft Exploit Kit was a quite common exploit kit used in 2012/2013",
"meta": {
"refs": [
@ -348,9 +346,9 @@
],
"status": "Retired - Last seen: 2014-03"
}
}
,
{ "value": "HanJuan",
},
{
"value": "HanJuan",
"description": "Hanjuan EK was a one actor fed variation of Angler EK used in evolved malvertising chain targeting USA. It has been using a 0day (CVE-2015-0313) from beginning of December 2014 till beginning of February 2015",
"meta": {
"refs": [
@ -361,9 +359,9 @@
],
"status": "Retired - Last seen: 2015-07"
}
}
,
{ "value": "Himan",
},
{
"value": "Himan",
"description": "Himan Exploit Kit",
"meta": {
"refs": [
@ -374,20 +372,19 @@
],
"status": "Retired - Last seen: 2014-04"
}
}
,
{ "value": "Impact",
},
{
"value": "Impact",
"description": "Impact EK",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html"
]
,
],
"status": "Retired"
}
}
,
{ "value": "Infinity",
},
{
"value": "Infinity",
"description": "Infinity is an evolution of Redkit",
"meta": {
"refs": [
@ -400,9 +397,9 @@
],
"status": "Retired - Last seen: 2014-07"
}
}
,
{ "value": "Lightsout",
},
{
"value": "Lightsout",
"description": "Lightsout Exploit Kit has been used in Watering Hole attack performed by the APT Group havex",
"meta": {
"refs": [
@ -412,9 +409,9 @@
],
"status": "Unknown - Last seen: 2014-03"
}
}
,
{ "value": "Niteris",
},
{
"value": "Niteris",
"description": "Niteris was used mainly to target Russian.",
"meta": {
"refs": [
@ -426,9 +423,9 @@
],
"status": "Unknown - Last seen: 2015-11"
}
}
,
{ "value": "Nuclear",
},
{
"value": "Nuclear",
"description": "The Nuclear Pack appeared in 2009 and has been one of the longer living one. Spartan EK was a landing less variation of Nuclear Pack",
"meta": {
"refs": [
@ -442,9 +439,9 @@
],
"status": "Retired - Last seen: 2015-04-30"
}
}
,
{ "value": "Phoenix",
},
{
"value": "Phoenix",
"description": "Phoenix Exploit Kit",
"meta": {
"refs": [
@ -456,9 +453,9 @@
],
"status": "Retired"
}
}
,
{ "value": "Private Exploit Pack",
},
{
"value": "Private Exploit Pack",
"description": "Private Exploit Pack",
"meta": {
"refs": [
@ -470,9 +467,9 @@
],
"status": "Retired"
}
}
,
{ "value": "Redkit",
},
{
"value": "Redkit",
"description": "Redkit has been a major exploit kit in 2012. One of its specific features was to allow its access against a share of a percentage of the customer's traffic",
"meta": {
"refs": [
@ -482,9 +479,9 @@
],
"status": "Retired"
}
}
,
{ "value": "Sakura",
},
{
"value": "Sakura",
"description": "Description Here",
"meta": {
"refs": [
@ -492,9 +489,9 @@
],
"status": "Retired - Last seen: 2013-09"
}
}
,
{ "value": "Sweet-Orange",
},
{
"value": "Sweet-Orange",
"description": "Sweet Orange",
"meta": {
"refs": [
@ -506,9 +503,9 @@
],
"status": "Retired - Last seen: 2015-04-05"
}
}
,
{ "value": "Styx",
},
{
"value": "Styx",
"description": "Styx Exploit Kit",
"meta": {
"refs": [
@ -518,9 +515,9 @@
],
"status": "Retired - Last seen: 2014-06"
}
}
,
{ "value": "Unknown",
},
{
"value": "Unknown",
"description": "Unknown Exploit Kit. This is a place holder for any undocumented Exploit Kit. If you use this tag, we will be more than happy to give the associated EK a deep look.",
"meta": {
"refs": [
@ -531,7 +528,7 @@
}
}
],
"version": 4,
"version": 5,
"uuid": "454f4e78-bd7c-11e6-a4a6-cec0c932ce01",
"description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years",
"authors": [


@ -4,21 +4,27 @@
"value": "PROMETHIUM",
"description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.",
"meta": {
"refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"]
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
}
},
{
"value": "NEODYMIUM",
"description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoors characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.",
"meta": {
"refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"]
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
}
},
{
"value": "TERBIUM",
"description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.",
"meta": {
"refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"]
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"
]
}
},
{
@ -69,6 +75,24 @@
},
"value": "PLATINUM",
"description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The groups persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat."
},
{
"value": "BARIUM",
"description": "Microsoft Threat Intelligence associates Winnti with multiple activity groups—collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"
]
}
},
{
"value": "LEAD",
"description": "In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEADs victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEADs objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEADs attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"
]
}
}
],
"name": "Microsoft Activity Group actor",
@ -79,6 +103,5 @@
],
"description": "Activity groups as described by Microsoft",
"uuid": "28b5e55d-acba-4748-a79d-0afa3512689a",
"version": 1
"version": 2
}
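Review bot: The LEAD entry's description is copied verbatim from the blog post and opens with "In contrast," which refers to the BARIUM paragraph it was taken from, so it reads as a fragment when the entry is displayed on its own; a self-contained opener such as `"LEAD has established a far greater reputation for industrial espionage."` avoids that. The same text dropped the possessive apostrophes in "LEADs victims", "LEADs objective" and "LEADs attacks", and the victim list lost the separators between its items ("electronics Pharmaceutical companies A company in the chemical industry ..."), which should be restored with commas or `\n`. The BARIUM description has the same verbatim-copy style ("Microsoft labels activity groups using code names ...") and would read better trimmed to the group-specific part.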


@ -0,0 +1,259 @@
{
"values": [
{
"meta": {
"refs": [
"http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7."
],
"complexity": "Medium",
"effectiveness": "High",
"impact": "Low",
"type": [
"Recovery"
]
},
"value": "Backup and Restore Process",
"description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.\n(Schrödinger's backup - it is both existent and non-existent until you've tried a restore"
},
{
"meta": {
"refs": [
"https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US",
"https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dlvr.it&utm_medium=twitter"
],
"complexity": "Low",
"effectiveness": "High",
"impact": "Low",
"type": [
"GPO"
]
},
"value": "Block Macros",
"description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:\nA.) Open downloaded documents in 'Protected View'\nB.) Open downloaded documents and block all macros"
},
{
"meta": {
"refs": [
"http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html"
],
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"GPO"
],
"possible_issues": "Administrative VBS scripts on Workstations"
},
"value": "Disable WSH",
"description": "Disable Windows Script Host"
},
{
"meta": {
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Low",
"type": [
"Mail Gateway"
]
},
"value": "Filter Attachments Level 1",
"description": "Filter the following attachments on your mail gateway:\n.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub"
},
{
"meta": {
"complexity": "Low",
"effectiveness": "High",
"impact": "High",
"type": [
"Mail Gateway"
],
"possible_issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) "
},
"value": "Filter Attachments Level 2",
"description": "Filter the following attachments on your mail gateway:\n(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm"
},
{
"meta": {
"refs": [
"http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/",
"http://www.thirdtier.net/ransomware-prevention-kit/"
],
"complexity": "Medium",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"GPO"
],
"possible_issues": "Web embedded software installers"
},
"value": "Restrict program execution",
"description": "Block all program executions from the %LocalAppData% and %AppData% folder"
},
{
"meta": {
"refs": [
"http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.htm"
],
"complexity": "Low",
"effectiveness": "Low",
"impact": "Low",
"type": [
"User Assistence"
]
},
"value": "Show File Extensions",
"description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")"
},
{
"meta": {
"refs": [
"https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx"
],
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Low",
"type": [
"GPO"
],
"possible_issues": "administrator resentment"
},
"value": "Enforce UAC Prompt",
"description": "Enforce administrative users to confirm an action that requires elevated rights"
},
{
"meta": {
"complexity": "Medium",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"Best Practice"
],
"possible_issues": "igher administrative costs"
},
"value": "Remove Admin Privileges",
"description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to."
},
{
"meta": {
"complexity": "Medium",
"effectiveness": "Low",
"impact": "Low",
"type": [
"Best Practice"
]
},
"value": "Restrict Workstation Communication",
"description": "Activate the Windows Firewall to restrict workstation to workstation communication"
},
{
"meta": {
"complexity": "Medium",
"effectiveness": "High",
"type": [
"Advanced Malware Protection"
]
},
"value": "Sandboxing Email Input",
"description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis"
},
{
"meta": {
"complexity": "Medium",
"effectiveness": "Medium",
"type": [
"3rd Party Tools"
]
},
"value": "Execution Prevention",
"description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus software\nFree: AntiHook, ProcessGuard, System Safety Monitor"
},
{
"meta": {
"refs": [
"https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/"
],
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"GPO"
],
"possible_issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts."
},
"value": "Change Default \"Open With\" to Notepad",
"description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer"
},
{
"meta": {
"refs": [
"http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/1-PreventCrypto-Readme.htm"
],
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Low",
"type": [
"Monitoring"
]
},
"value": "File Screening",
"description": "Server-side file screening with the help of File Server Resource Manager"
},
{
"meta": {
"refs": [
"https://technet.microsoft.com/en-us/library/dd759117%28v=ws.11%29.aspx",
"http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx"
],
"complexity": "Medium",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"GPO"
],
"possible_issues": "Configure & test extensively"
},
"value": "Restrict program execution #2",
"description": "Block program executions (AppLocker)"
},
{
"meta": {
"refs": [
"www.microsoft.com/emet",
"http://windowsitpro.com/security/control-emet-group-policy"
],
"complexity": "Medium",
"effectiveness": "Medium",
"impact": "Low",
"type": [
"GPO"
]
},
"value": "EMET",
"description": "Detect and block exploitation techniques"
},
{
"meta": {
"refs": [
"https://twitter.com/JohnLaTwC/status/799792296883388416"
],
"complexity": "Medium",
"effectiveness": "Low",
"impact": "Low",
"type": [
"3rd Party Tools"
]
},
"value": "Sysmon",
"description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring"
}
],
"name": "Preventive Measure",
"type": "preventive-measure",
"source": "MISP Project",
"authors": [
"Various"
],
"description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.",
"uuid": "1a8e55eb-a0ff-425b-80e0-30df866f8f65",
"version": 2
}
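Review bot: Two enumeration-style strings in the new cluster carry typos that will propagate to every consumer once the file is published: the `type` value `"User Assistence"` on the Show File Extensions entry should be `"User Assistance"`, and `"igher administrative costs"` on the Remove Admin Privileges entry is missing its first letter, `"Higher administrative costs"`. The Filter Attachments Level 1 list repeats `.exe` (once after `.crt` and again after `.wsh`), so the second occurrence should be dropped. The EMET ref `"www.microsoft.com/emet"` has no scheme and will not resolve as a link in tools that render refs, and the Backup and Restore description opens a parenthesis at "(Schrödinger's backup" that is never closed.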

clusters/ransomware.json Normal file

@ -0,0 +1,869 @@
{
"authors": [
"Various"
],
"description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml",
"type": "ransomware",
"version": 1,
"name": "Ransomware",
"uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
"values": [
{
"description": "AES(256); .enc; ",
"value": ".CryptoHasYou."
},
{
"description": "Sevleg; XOR; .777; ._[timestamp]_$[email]$.777 e.g. ._14-05-2016-11-59-36_$ninja.gaiver@aol.com$.777; ",
"value": "777"
},
{
"description": "7ev3n-HONE$T; .R4A .R5A; ",
"value": "7ev3n"
},
{
"description": "AES; .7h9r; ",
"value": "7h9r"
},
{
"description": "AES (256); .8lock8; ",
"value": "8lock8"
},
{
"description": ".bin; ",
"value": "Alfa Ransomware"
},
{
"description": "AES(128); random; random(x5); ",
"value": "Alma Ransomware"
},
{
"description": "AlphaLocker; AES(256); .encrypt; ",
"value": "Alpha Ransomware"
},
{
"description": ".amba; ",
"value": "AMBA"
},
{
"description": ".adk; ",
"value": "Angry Duck"
},
{
"description": "Fabiansomeware; .encrypted .SecureCrypted .FuckYourData .unavailable .bleepYourFiles .Where_my_files.txt; ",
"value": "Apocalypse"
},
{
"description": ".encrypted .locked; ",
"value": "ApocalypseVM"
},
{
"description": ".locky; ",
"value": "AutoLocky"
},
{
"description": "",
"value": "BadBlock"
},
{
"description": ".adr; ",
"value": "BaksoCrypt"
},
{
"description": "Rakhni; AES(256); .id-[ID]_[EMAIL_ADDRESS]; ",
"value": "Bandarchor"
},
{
"description": "BaCrypt; .bart.zip .bart .perl; ",
"value": "Bart"
},
{
"description": ".clf; ",
"value": "BitCryptor"
},
{
"description": "Base64 + String Replacement; .bitstak; ",
"value": "BitStak"
},
{
"description": "SilentShade; AES (256); .Silent; ",
"value": "BlackShades Crypter"
},
{
"description": "AES (256); .blocatto; ",
"value": "Blocatto"
},
{
"description": "Salam!; ",
"value": "Booyah"
},
{
"description": "AES(256); .lock; ",
"value": "Brazilian"
},
{
"description": "AES; ",
"value": "BrLock"
},
{
"description": "",
"value": "Browlock"
},
{
"description": "GOST; ; ",
"value": "Bucbi"
},
{
"description": "(.*).encoded.([A-Z0-9]{9}); ",
"value": "BuyUnlockCode"
},
{
"description": ".cry; ",
"value": "Central Security Treatment Organization"
},
{
"description": "AES; .cerber .cerber2 .cerber3; ",
"value": "Cerber"
},
{
"description": ".crypt 4 random characters, e.g., .PzZs, .MKJL; ",
"value": "Chimera"
},
{
"description": ".clf; ",
"value": "CoinVault"
},
{
"description": "AES(256); .coverton .enigma .czvxce; ",
"value": "Coverton"
},
{
"description": ".{CRYPTENDBLACKDC}; ",
"value": "Cryaki"
},
{
"description": "",
"value": "Crybola"
},
{
"description": "Moves bytes; .criptiko .criptoko .criptokod .cripttt .aga; ",
"value": "CryFile"
},
{
"description": "Cry, CSTO; .cry; ",
"value": "CryLocker"
},
{
"description": "AES(256); ",
"value": "CrypMIC"
},
{
"description": ".ENCRYPTED; ",
"value": "Crypren"
},
{
"description": "AES; .crypt38; ",
"value": "Crypt38"
},
{
"description": "Hidden Tear; AES(256); ",
"value": "Cryptear"
},
{
"description": "RSA; .scl; id[_ID]email_xerx@usa.com.scl; ",
"value": "CryptFIle2"
},
{
"description": ".crinf; ",
"value": "CryptInfinite"
},
{
"description": "AES and RSA; ",
"value": "CryptoBit"
},
{
"description": "",
"value": "CryptoDefense"
},
{
"description": "Ranscam; ",
"value": "CryptoFinancial"
},
{
"description": "AES (256), RSA (1024); .frtrss; ",
"value": "CryptoFortress"
},
{
"description": ".clf; ",
"value": "CryptoGraphic Locker"
},
{
"description": "Manamecrypt, Telograph, ROI Locker; AES(256) (RAR implementation); ",
"value": "CryptoHost"
},
{
"description": "AES-256; .crjoker; ",
"value": "CryptoJoker"
},
{
"description": ".encrypted .ENC; ",
"value": "CryptoLocker"
},
{
"description": "[A-F0-9]{8}_luck; ",
"value": "CryptoLuck / YafunnLocker"
},
{
"description": "Zeta; .code .scl; .id_(ID_MACHINE)_email_xoomx@dr.com_.code .id_*_email_zeta@dr.com .id_(ID_MACHINE)_email_anx@dr.com_.scl; ",
"value": "CryptoMix"
},
{
"description": "AES; .crptrgr; ",
"value": "CryptoRoger"
},
{
"description": "AES; .locked; ",
"value": "CryptoShocker"
},
{
"description": ".CryptoTorLocker2015!; ",
"value": "CryptoTorLocker2015"
},
{
"description": "no filename change; ",
"value": "CryptoWall 1"
},
{
"description": "no filename change; ",
"value": "CryptoWall 2"
},
{
"description": "no filename change; ",
"value": "CryptoWall 3"
},
{
"description": "<random>.<random>, e.g., 27p9k967z.x1nep; ",
"value": "CryptoWall 4"
},
{
"description": "CryptProjectXXX; .crypt; ",
"value": "CryptXXX"
},
{
"description": "CryptProjectXXX; .crypt; ",
"value": "CryptXXX 2.0"
},
{
"description": "UltraDeCrypter UltraCrypter; .crypt .cryp1 .crypz .cryptz random; ",
"value": "CryptXXX 3.0"
},
{
"description": ".cryp1; ",
"value": "CryptXXX 3.1"
},
{
"description": "",
"value": "CTB-Faker"
},
{
"description": "Citroni; RSA(2048); .ctbl ; .([a-z]{6,7}); ",
"value": "CTB-Locker"
},
{
"description": "AES(256); ",
"value": "CTB-Locker WEB"
},
{
"description": "my-Little-Ransomware; AES(128); .已加密 .encrypted; ",
"value": "CuteRansomware"
},
{
"description": "",
"value": "Deadly for a Good Purpose"
},
{
"description": ".html; ",
"value": "DeCrypt Protect"
},
{
"description": "AES-256; .ded; ",
"value": "DEDCryptor"
},
{
"description": "Based on Detox: Calipso We are all Pokemons Nullbyte; AES; ",
"value": "DetoxCrypto"
},
{
"description": "",
"value": "DirtyDecrypt"
},
{
"description": "AES(256) in ECB mode, Version 2-4 also RSA; ",
"value": "DMALocker"
},
{
"description": "AES(256); ",
"value": "DMALocker 3.0"
},
{
"description": "AES(256); .domino; ",
"value": "Domino"
},
{
"description": "Cryptear; AES(256); .locked; ",
"value": "EDA2 / HiddenTear"
},
{
"description": "EduCrypter; .isis .locked; ",
"value": "EduCrypt"
},
{
"description": "Los Pollos Hermanos; .ha3; ",
"value": "El-Polocker"
},
{
"description": "Trojan.Encoder.6491; ",
"value": "Encoder.xxxx"
},
{
"description": "AES (128); .enigma .1txt; ",
"value": "Enigma"
},
{
"description": ".exotic; ",
"value": "Exotic"
},
{
"description": "",
"value": "Fairware"
},
{
"description": ".locked; ",
"value": "Fakben"
},
{
"description": "Variants: Comrade Circle; AES(128); .fantom; ",
"value": "Fantom"
},
{
"description": "",
"value": "Fonco"
},
{
"description": "",
"value": "FSociety"
},
{
"description": "",
"value": "Fury"
},
{
"description": "AES (256); .Z81928819; ",
"value": "GhostCrypt"
},
{
"description": "Purge; Blowfish; .purge; ",
"value": "Globe v1"
},
{
"description": "Purge; Blowfish; .<email>.<random> e.g.: .7076.docx.okean-1955@india.com.!dsvgdfvdDVGR3SsdvfEF75sddf#xbkNY45fg6}P{cg; ",
"value": "Globe v2"
},
{
"description": "Purge; RC4; .globe or random; ",
"value": "Globe v3"
},
{
"description": "Variants, from old to latest: Zyklon Locker WildFire locker Hades Locker; AES (256); .locked; <ID>.locked, e.g., bill.!ID!8MMnF!ID!.locked; ",
"value": "GNL Locker"
},
{
"description": ".crypt; !___[EMAILADDRESS]_.crypt; ",
"value": "Gomasom"
},
{
"description": "",
"value": "Goopic"
},
{
"description": "",
"value": "Gopher"
},
{
"description": ".html; ",
"value": "Harasom"
},
{
"description": "Mamba; Custom (net shares), XTS-AES (disk); ",
"value": "HDDCryptor"
},
{
"description": ".herbst; ",
"value": "Herbst"
},
{
"description": "AES(256); .cry ; ",
"value": "Hi Buddy!"
},
{
"description": "removes extensions; ",
"value": "Hitler"
},
{
"description": "AES; (encrypted); ",
"value": "HolyCrypt"
},
{
"description": "Hungarian Locky (Hucky); AES, RSA (hardcoded); .locky; [a-zA-Z0-9+_-]{1,}.[a-z0-9]{3,4}.locky; ",
"value": "Hucky"
},
{
"description": "hydracrypt_ID_[\\w]{8}; ",
"value": "HydraCrypt"
},
{
"description": ".crime; ",
"value": "iLock"
},
{
"description": ".crime; ",
"value": "iLockLight"
},
{
"description": "<6 random characters>; ",
"value": "International Police Association"
},
{
"description": "!ENC; ",
"value": "JagerDecryptor"
},
{
"description": "Encryptor RaaS, Sarento; RC6 (files), RSA 2048 (RC6 key); ",
"value": "Jeiphoos"
},
{
"description": "CryptoHitMan (subvariant); AES(256); .btc .kkk .fun .gws .porno .payransom .payms .paymst .AFD .paybtcs .epic .xyz; ",
"value": "Jigsaw"
},
{
"description": "TripleDES; .locked .css; ",
"value": "Job Crypter"
},
{
"description": "AES; .encrypted; ",
"value": "KeRanger"
},
{
"description": "keybtc@inbox_com ; ",
"value": "KeyBTC"
},
{
"description": "",
"value": "KEYHolder"
},
{
"description": ".rip; ",
"value": "Killer Locker"
},
{
"description": "AES; .kimcilware .locked; ",
"value": "KimcilWare"
},
{
"description": "AES(256); .암호화됨; ",
"value": "Korean"
},
{
"description": ".kostya; ",
"value": "Kostya"
},
{
"description": "QC; RSA(2048); .31392E30362E32303136_[ID-KEY]_LSBJ1; .([0-9A-Z]{20})_([0-9]{2})_([A-Z0-9]{4,5}); ",
"value": "Kozy.Jozy"
},
{
"description": ".kratos; ",
"value": "KratosCrypt"
},
{
"description": "AES(256); ",
"value": "KryptoLocker"
},
{
"description": ".LeChiffre; ",
"value": "LeChiffre"
},
{
"description": "Linux.Encoder.{0,3}; ",
"value": "Linux.Encoder"
},
{
"description": "",
"value": "Locker"
},
{
"description": "AES(128); .locky .zepto .odin .shit .thor .asier .zzzzz .osiris; ([A-F0-9]{32}).locky ([A-F0-9]{32}).zepto ([A-F0-9]{32}).odin ([A-F0-9]{32}).shit ([A-F0-9]{32}).thor ([A-F0-9]{32}).aesir ([A-F0-9]{32}).zzzzz ([A-F0-9]{32}).osiris; ",
"value": "Locky"
},
{
"description": ".lock93; ",
"value": "Lock93"
},
{
"description": ".crime; ",
"value": "Lortok"
},
{
"description": "oor.; ",
"value": "LowLevel04"
},
{
"description": "",
"value": "Mabouia"
},
{
"description": "AES(256); .magic; ",
"value": "Magic"
},
{
"description": "AES(256), RSA (2048); [a-z]{4,6}; ",
"value": "MaktubLocker"
},
{
"description": "Crypt888; AES; Lock.; ",
"value": "MIRCOP"
},
{
"description": "AES(256); .fucked, .fuck; ",
"value": "MireWare"
},
{
"description": "\"Petya's little brother\"; .([a-zA-Z0-9]{4}); ",
"value": "Mischa"
},
{
"description": "Booyah; AES(256); .locked; ",
"value": "MM Locker"
},
{
"description": "Yakes CryptoBit; .KEYZ .KEYH0LES; ",
"value": "Mobef"
},
{
"description": "",
"value": "n1n1n1"
},
{
"description": "",
"value": "Nagini"
},
{
"description": "AES (256), RSA; ",
"value": "NanoLocker"
},
{
"description": "XOR(255) 7zip; .crypted; ",
"value": "Nemucod"
},
{
"description": "",
"value": "NoobCrypt"
},
{
"description": "XOR; .odcodc; C-email-abennaki@india.com-(NOMBRE_ARCHIVO.ext).odcodc; ",
"value": "ODCODC"
},
{
"description": "Vipasana, Cryakl; .cbf; email-[params].cbf; ",
"value": "Offline ransomware"
},
{
"description": "GPCode; .LOL! .OMG!; ",
"value": "OMG! Ransomware"
},
{
"description": "",
"value": "Onyx"
},
{
"description": ".EXE; ",
"value": "Operation Global III"
},
{
"description": ".padcrypt; ",
"value": "PadCrypt"
},
{
"description": "XOR; ",
"value": "PClock"
},
{
"description": "Goldeneye; Modified Salsa20; ",
"value": "Petya"
},
{
"description": "AES(256); .locked; <file_hash>.locked; ",
"value": "Philadelphia"
},
{
"description": ".id-[victim_id]-maestro@pizzacrypts.info; ",
"value": "PizzaCrypts"
},
{
"description": "AES(256); .locked; ",
"value": "PokemonGO"
},
{
"description": "AES(256); .filock; ",
"value": "Popcorn Time"
},
{
"description": "AES(256); ",
"value": "Polyglot"
},
{
"description": "PoshCoder; AES(128); .locky; ",
"value": "PowerWare"
},
{
"description": "AES, but throws key away, destroys the files; ",
"value": "PowerWorm"
},
{
"description": "",
"value": "PRISM"
},
{
"description": ".crypt; ",
"value": "R980"
},
{
"description": "RAA; .locked; ",
"value": "RAA encryptor"
},
{
"description": "AES(256); .RDM .RRK .RAD .RADAMANT; ",
"value": "Radamant"
},
{
"description": "Agent.iih Aura Autoit Pletor Rotor Lamer Isda Cryptokluchen Bandarchor; .locked .kraken .darkness .nochance .oshit .oplata@qq_com .relock@qq_com .crypto .helpdecrypt@ukr.net .pizda@qq_com .dyatel@qq_com _ryp .nalog@qq_com .chifrator@qq_com .gruzin@qq_com .troyancoder@qq_com .encrypted .cry .AES256 .enc .hb15; .coderksu@gmail_com_id[0-9]{2,3} .crypt@india.com.[\\w]{4,12}; ",
"value": "Rakhni"
},
{
"description": "locked-<original name>.[a-zA-Z]{4}; ",
"value": "Rannoh"
},
{
"description": "",
"value": "Ransom32"
},
{
"description": "Asymmetric 1024 ; ",
"value": "RansomLock"
},
{
"description": ".vscrypt .infected .bloc .korrektor; ",
"value": "Rector"
},
{
"description": "AES(256); .rekt; ",
"value": "RektLocker"
},
{
"description": ".remind .crashed; ",
"value": "RemindMe"
},
{
"description": "Curve25519 + ChaCha; .rokku; ",
"value": "Rokku"
},
{
"description": "samsam.exe MIKOPONI.exe RikiRafael.exe showmehowto.exe; AES(256) + RSA(2096); .encryptedAES .encryptedRSA .encedRSA .justbtcwillhelpyou .btcbtcbtc .btc-help-you .only-we_can-help_you .iwanthelpuuu .notfoundrans .encmywork; ",
"value": "Samas-Samsam"
},
{
"description": "AES(256) + RSA(2096); .sanction; ",
"value": "Sanction"
},
{
"description": "Sarah_G@ausi.com___; ",
"value": "Satana"
},
{
"description": "",
"value": "Scraper"
},
{
"description": "AES; ",
"value": "Serpico"
},
{
"description": "Atom; .locked; ",
"value": "Shark"
},
{
"description": ".shino; ",
"value": "ShinoLocker"
},
{
"description": "KinCrypt; ",
"value": "Shujin"
},
{
"description": "AES; .~; ",
"value": "Simple_Encoder"
},
{
"description": "AES(256); .locked; ",
"value": "SkidLocker / Pompous"
},
{
"description": ".encrypted; ",
"value": "Smrss32"
},
{
"description": "AES(256); .RSNSlocked .RSplited; ",
"value": "SNSLocker"
},
{
"description": ".sport; ",
"value": "Sport"
},
{
"description": "AES(256); .locked; ",
"value": "Stampado"
},
{
"description": "AES(256); .locked; ",
"value": "Strictor"
},
{
"description": "AES(256); .surprise .tzu; ",
"value": "Surprise"
},
{
"description": "",
"value": "Survey"
},
{
"description": "",
"value": "SynoLocker"
},
{
"description": ".szf; ",
"value": "SZFLocker"
},
{
"description": "Trojan-Ransom.Win32.Telecrypt PDM:Trojan.Win32.Generic; .xcri; ",
"value": "TeleCrypt"
},
{
"description": "AlphaCrypt; .vvv .ecc .exx .ezz .abc .aaa .zzz .xyz; ",
"value": "TeslaCrypt 0.x - 2.2.0"
},
{
"description": "AES(256) + ECHD + SHA1; .micro .xxx .ttt .mp3; ",
"value": "TeslaCrypt 3.0+"
},
{
"description": "AES(256) + ECHD + SHA1; ",
"value": "TeslaCrypt 4.1A"
},
{
"description": "",
"value": "TeslaCrypt 4.2"
},
{
"description": "",
"value": "Threat Finder"
},
{
"description": "Crypt0L0cker (subvariant); AES(256) CBC for files RSA(1024) for AES key uses LibTomCrypt; .Encrypted .enc; ",
"value": "TorrentLocker"
},
{
"description": "",
"value": "TowerWeb"
},
{
"description": ".toxcrypt; ",
"value": "Toxcrypt"
},
{
"description": "Shade XTBL; AES(256); .better_call_saul .xtbl .da_vinci_code .windows10; ",
"value": "Troldesh"
},
{
"description": "AES(256); .enc; ",
"value": "TrueCrypter"
},
{
"description": "AES(256); .locked; ",
"value": "Turkish Ransom"
},
{
"description": "AES; umbrecrypt_ID_[VICTIMID]; ",
"value": "UmbreCrypt"
},
{
"description": "AES; .H3LL .0x0 .1999; ",
"value": "Ungluk"
},
{
"description": ".CRRRT .CCCRRRPPP; ",
"value": "Unlock92"
},
{
"description": "CrypVault Zlader; uses gpg.exe; .vault .xort .trun; ",
"value": "VaultCrypt"
},
{
"description": "",
"value": "VenisRansomware"
},
{
"description": "AES(256); .Venusf .Venusp; ",
"value": "VenusLocker"
},
{
"description": ".exe; ",
"value": "Virlock"
},
{
"description": "Crysis; AES(256); .CrySiS .xtbl; .id-########.decryptformoney@india.com.xtbl; ",
"value": "Virus-Encoder"
},
{
"description": ".wflx; ",
"value": "WildFire Locker"
},
{
"description": "XOR or TEA; .EnCiPhErEd .73i87A .p5tkjw .PoAr2w .fileiscryptedhard .encoderpass .zc3791; ",
"value": "Xorist"
},
{
"description": ".xrtn; ",
"value": "XRTN "
},
{
"description": "Zcryptor; .zcrypt; ",
"value": "Zcrypt"
},
{
"description": ".crypto; ",
"value": "Zimbra"
},
{
"description": "VaultCrypt CrypVault; RSA; .vault; ",
"value": "Zlader / Russian"
},
{
"description": "GNL Locker; .zyklon; ",
"value": "Zyklon"
},
{
"description": "AES; ",
"value": "Erebus"
}
],
"source": "https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml"
}


@ -1,26 +1,31 @@
{
"values": [
{ "value": "Keitaro",
{
"value": "Keitaro",
"description": "Keitaro TDS is among the mostly used TDS in drive by infection chains",
"meta": {
"refs": [
"https://keitarotds.com/"
],
"type": [
"Commercial"
]
},
"type":"Commercial"
}
,
{ "value": "Sutra",
},
{
"value": "Sutra",
"description": "Sutra TDS was dominant from 2012 till 2015",
"meta": {
"refs": [
"http://kytoon.com/sutra-tds.html"
],
"type":"Commercial"
"type": [
"Commercial"
]
}
}
,
{ "value": "SimpleTDS",
},
{
"value": "SimpleTDS",
"description": "SimpleTDS is a basic open source TDS",
"meta": {
"refs": [
@ -29,45 +34,55 @@
"synonyms": [
"Stds"
],
"type":"OpenSource"
"type": [
"OpenSource"
]
}
}
,
{ "value": "BossTDS",
},
{
"value": "BossTDS",
"description": "BossTDS",
"meta": {
"refs": [
"http://bosstds.com/"
],
"type":"Commercial"
"type": [
"Commercial"
]
}
}
,
{ "value": "BlackHat TDS",
},
{
"value": "BlackHat TDS",
"description": "BlackHat TDS is sold underground.",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2014/04/meet-blackhat-tds.html"
],
"type":"Underground"
"type": [
"Underground"
]
}
}
,
{ "value": "Futuristic TDS",
},
{
"value": "Futuristic TDS",
"description": "Futuristic TDS is the TDS component of BlackOS/CookieBomb/NorthTale Iframer",
"meta": {
"type":"Underground"
"type": [
"Underground"
]
}
}
,
{ "value": "Orchid TDS",
},
{
"value": "Orchid TDS",
"description": "Orchid TDS was sold underground. Rare usage",
"meta": {
"type":"Underground"
"type": [
"Underground"
]
}
}
],
"version": 1,
"version": 2,
"uuid": "ab5fffaa-c5f6-11e6-9d9d-cec0c932ce01",
"description": "TDS is a list of Traffic Direction System used by adversaries",
"authors": [
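Review bot: Every entry's `meta.type` changes shape from a scalar string (`"type":"Commercial"`) to a one-element array (`"type": [ "Commercial" ]`), which is a breaking change for any consumer that reads the field as a string, and the only signal of that in this file is the `"version": 1` → `"version": 2` bump. If a schema is used to validate this cluster, it should pin `type` to an array of strings so a later entry cannot silently regress to the scalar form and mix both shapes in one file. The values used ("Commercial", "OpenSource", "Underground") look like a closed set; an `enum` in that schema would catch typos too, though I cannot see the schema from here.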


@ -9,7 +9,8 @@
"Advanced Persistent Threat 1",
"Byzantine Candor",
"Group 3",
"TG-8223"
"TG-8223",
"Comment Group"
],
"country": "CN",
"refs": [
@ -162,14 +163,15 @@
{
"meta": {
"synonyms": [
"DUBNIUM"
"DUBNIUM",
"Fallout Team"
],
"refs": [
"https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/",
"https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2"
]
},
"value": "darkhotel"
"value": "DarkHotel"
},
{
"meta": {
@ -254,12 +256,15 @@
"Group72",
"Tailgater",
"Ragebeast",
"Blackfly"
"Blackfly",
"Lead",
"Wicked Spider"
],
"country": "CN",
"refs": [
"http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/",
"http://williamshowalter.com/a-universal-windows-bootkit/"
"http://williamshowalter.com/a-universal-windows-bootkit/",
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp"
]
},
"value": "Axiom"
@ -289,7 +294,6 @@
"meta": {
"synonyms": [
"PLA Unit 78020",
"APT 30",
"Override Panda",
"Camerashy",
"APT.Naikon"
@ -360,7 +364,8 @@
"APT 10",
"menuPass",
"happyyongzi",
"POTASSIUM"
"POTASSIUM",
"DustStorm"
],
"country": "CN"
},
@ -411,7 +416,8 @@
"GREF",
"Playful Dragon",
"APT 15",
"Metushy"
"Metushy",
"Social Network Team"
],
"country": "CN",
"refs": [
@ -431,9 +437,11 @@
],
"refs": [
"http://www.crowdstrike.com/blog/whois-anchor-panda/"
]
],
"motive": "Espionage"
},
"value": "Anchor Panda"
"value": "Anchor Panda",
"description": "PLA Navy"
},
{
"meta": {
@ -449,7 +457,7 @@
},
{
"meta": {
"synomyns": [
"synonyms": [
"IceFog",
"Dagger Panda"
],
@ -458,7 +466,8 @@
"https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/"
]
},
"value": "Ice Fog"
"value": "Ice Fog",
"description": "Operate since at least 2011, from several locations in China, with members in Korea and Japan as well."
},
{
"meta": {
@ -466,9 +475,13 @@
"PittyTiger",
"MANGANESE"
],
"country": "CN"
"country": "CN",
"refs": [
"http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2"
]
},
"value": "Pitty Panda"
"value": "Pitty Panda",
"description": "The Pitty Tiger group has been active since at least 2011. They have been seen using HeartBleed vulnerability in order to directly get valid credentials"
},
{
"value": "Roaming Tiger",
@ -498,16 +511,13 @@
},
{
"meta": {
"country": "CN"
"country": "CN",
"synonyms": [
"Shrouded Crossbow"
]
},
"value": "Radio Panda"
},
{
"meta": {
"country": "CN"
},
"value": "Dagger Panda"
},
{
"value": "APT.3102",
"meta": {
@ -543,6 +553,9 @@
{
"meta": {
"country": "CN",
"refs": [
"http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/"
],
"synonyms": [
"APT20",
"APT 20",
@ -581,6 +594,9 @@
{
"meta": {
"country": "CN",
"refs": [
"https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"
],
"synonyms": [
"APT23",
"KeyBoy"
@ -597,9 +613,13 @@
"AjaxSecurityTeam",
"Ajax Security Team",
"Group 26"
],
"refs": [
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf"
]
},
"value": "Flying Kitten"
"value": "Flying Kitten",
"description": "Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry."
},
{
"meta": {
@ -623,10 +643,15 @@
"synonyms": [
"Newscaster",
"Parastoo",
"Group 83"
"Group 83",
"Newsbeef"
],
"refs": [
"https://en.wikipedia.org/wiki/Operation_Newscaster"
]
},
"value": "Charming Kitten"
"value": "Charming Kitten",
"description": "Charming Kitten (aka Parastoo, aka Newscaster) is an group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors."
},
{
"meta": {
@ -638,7 +663,7 @@
"http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/"
]
},
"description": "An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.",
"description": "Earliest activity back to November 2008. An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.",
"value": "Magic Kitten"
},
{
@ -664,13 +689,18 @@
"meta": {
"country": "IR",
"synonyms": [
"Operation Cleaver"
"Operation Cleaver",
"Tarh Andishan",
"Alibaba",
"2889",
"TG-2889"
],
"refs": [
"http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
]
},
"value": "Cleaver"
"value": "Cleaver",
"description": "A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies."
},
{
"meta": {
@ -683,9 +713,11 @@
"country": "TN",
"synonyms": [
"FallagaTeam"
]
],
"motive": "Hacktivism-Nationalist"
},
"value": "Rebel Jackal"
"value": "Rebel Jackal",
"description": "This is a pro-Islamist organization that generally conducts attacks motivated by real world events in which its members believe that members of the Muslim faith were wronged. Its attacks generally involve website defacements; however, the group did develop a RAT that it refers to as Fallaga RAT, but which appears to simply be a fork of the njRAT malware popular amongst hackers in the Middle East/North Africa region."
},
{
"meta": {
@ -708,7 +740,7 @@
"TG-4127",
"Group-4127",
"STRONTIUM",
"Grey-Cloud"
"TAG_0700"
],
"country": "RU",
"refs": [
@ -755,7 +787,10 @@
"WRAITH",
"Turla Team",
"Uroburos",
"Pfinet"
"Pfinet",
"TAG_0530",
"KRYPTON",
"Hippo Team"
],
"refs": [
"https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf",
@ -789,7 +824,8 @@
"Sandworm Team",
"Black Energy",
"BlackEnergy",
"Quedagh"
"Quedagh",
"Voodoo Bear"
],
"country": "RU",
"refs": [
@ -801,7 +837,9 @@
{
"meta": {
"country": "RU",
"refs": ["http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/"]
"refs": [
"http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/"
]
},
"value": "TeleBots",
"description": "We will refer to the gang behind the malware as TeleBots. However its important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group."
@ -812,7 +850,11 @@
"Carbanak",
"Carbon Spider"
],
"country": "RU"
"country": "RU",
"refs": [
"https://en.wikipedia.org/wiki/Carbanak"
],
"motive": "Cybercrime"
},
"description": "Groups targeting financial organizations or people with significant financial assets.",
"value": "Anunak"
@ -821,7 +863,8 @@
"meta": {
"synonyms": [
"TeamSpy",
"Team Bear"
"Team Bear",
"Berserk Bear"
],
"country": "RU",
"refs": [
@ -847,7 +890,10 @@
},
{
"meta": {
"country": "RO"
"country": "RO",
"synonyms": [
"FIN4"
]
},
"value": "Wolf Spider"
},
@ -855,13 +901,15 @@
"meta": {
"country": "RU"
},
"value": "Boulder Bear"
"value": "Boulder Bear",
"description": "First observed activity in December 2013."
},
{
"meta": {
"country": "RU"
},
"value": "Shark Spider"
"value": "Shark Spider",
"description": "This group's activity was first observed in November 2013. It leverages a banking Trojan more commonly known as Shylock which aims to compromise online banking credentials and credentials related to Bitcoin wallets."
},
{
"meta": {
@ -877,7 +925,10 @@
"meta": {
"country": "KP",
"synonyms": [
"OperationTroy"
"OperationTroy",
"Guardian of Peace",
"GOP",
"WHOis Team"
],
"refs": [
"http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
@ -903,7 +954,10 @@
"Appin",
"OperationHangover"
],
"country": "IN"
"country": "IN",
"refs": [
"http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf"
]
},
"value": "Viceroy Tiger"
},
@ -930,10 +984,14 @@
"value": "SNOWGLOBE",
"meta": {
"country": "FR",
"refs": [
"https://securelist.com/blog/research/69114/animals-in-the-apt-farm/"
],
"synonyms": [
"Animal Farm"
]
}
},
"description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007."
},
{
"meta": {
@ -963,21 +1021,28 @@
"description": "Group targeting Indian Army or related assets in India. Attribution to a Pakistani connection has been made by TrendMicro."
},
{
"meta": {
"refs": [
"https://citizenlab.org/2016/05/stealth-falcon/"
],
"country": "UAE",
"synonyms": [
"FruityArmor"
],
"country": "UAE"
},
"value": "Stealth Falcon",
"description": "Group targeting Emirati journalists, activists, and dissidents."
},
{
"meta": {
"synonyms": [
"Operation Daybreak",
"Operation Erebus"
],
"refs": [
"https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/"
],
]
},
"value": "ScarCruft",
"description": "ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer."
},
@ -985,7 +1050,12 @@
"meta": {
"refs": [
"http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf"
]
],
"synonyms": [
"Skipper",
"Popeye"
],
"country": "RU"
},
"value": "Pacifier APT",
"description": "Bitdefender detected and blocked an ongoing cyber-espionage campaign against Romanian institutions and other foreign targets. The attacks started in 2014, with the latest reported occurrences in May of 2016. The APT, dubbed Pacifier by Bitdefender researchers, makes use of malicious .doc documents and .zip files distributed via spear phishing e-mail."
@ -1008,7 +1078,8 @@
"synonyms": [
"Chinastrats",
"Patchwork",
"Monsoon"
"Monsoon",
"Sarit"
],
"refs": [
"https://securelist.com/blog/research/75328/the-dropping-elephant-actor/",
@ -1043,7 +1114,8 @@
"refs": [
"https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/",
"https://attack.mitre.org/wiki/Groups"
]
],
"country": "BR"
},
"description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.",
"value": "Poseidon Group"
@ -1064,6 +1136,10 @@
},
{
"meta": {
"synonyms": [
"TG-3390",
"Emissary Panda"
],
"refs": [
"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
"https://attack.mitre.org"
@ -1089,10 +1165,16 @@
{
"meta": {
"refs": [
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
]
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
"https://attack.mitre.org/wiki/Group/G0013"
],
"synonyms": [
"APT30"
],
"country": "CN"
},
"value": "APT30"
"value": "APT 30",
"description": "APT 30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches."
},
{
"meta": {
@ -1105,7 +1187,8 @@
"meta": {
"refs": [
"https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/"
]
],
"country": "RU"
},
"description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.",
"value": "GCMAN"
@ -1114,7 +1197,8 @@
"meta": {
"refs": [
"http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
]
],
"country": "CN"
},
"description": "Suckfly is a China-based threat group that has been active since at least 2014",
"value": "Suckfly"
@ -1135,14 +1219,6 @@
"description": "Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering, spying on influentials and political figures and operate an espionage campaign within Libya.",
"value": "Libyan Scorpions"
},
{
"meta": {
"refs": [
"https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users"
]
},
"value": "StrongPity"
},
{
"meta": {
"synonyms": [
@ -1159,9 +1235,11 @@
"meta": {
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"
]
],
"country": "IR"
},
"value": "OilRig"
"value": "OilRig",
"description": "Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015."
},
{
"meta": {
@ -1175,50 +1253,238 @@
{
"meta": {
"synonyms": [
"Grey-Pro",
"Coldriver",
"Reuse team",
"Malware reusers",
"Callisto Group"
"Dancing Salome"
]
},
"description": "Threat Group conducting cyber espionage while re-using tools from other teams; like those of Hacking Team, and vmprotect to obfuscate.",
"value": "Callisto"
"value": "Malware reusers"
},
{
"value": "TERBIUM",
"description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.",
"meta": {
"refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"]
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"
]
}
},
{
"value": "Molerats",
"description": "In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”",
"meta": {
"refs": ["https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html"],
"synonyms": ["Gaza Hackers Team", "Operation Molerats"]
}},
"refs": [
"https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
"http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks"
],
"synonyms": [
"Gaza Hackers Team",
"Operation Molerats",
"Extreme Jackal",
"Moonlight"
]
}
},
{
"value": "PROMETHIUM",
"description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.",
"meta": {
"refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"]
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
"https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users"
],
"synonyms": [
"StrongPity"
],
"country": "TU"
}
},
{
"value": "NEODYMIUM",
"description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoors characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.",
"meta": {
"refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"]
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
}
},
{
"value": "Packrat",
"description": "A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries. The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.",
"meta": {
"refs": ["https://citizenlab.org/2015/12/packrat-report/"]
"refs": [
"https://citizenlab.org/2015/12/packrat-report/"
]
}
},
{
"value": "Cadelle",
"description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, its likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.",
"meta": {
"refs": [
"https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
],
"country": "IR"
}
},
{
"value": "Chafer",
"description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, its likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.",
"meta": {
"refs": [
"https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
],
"country": "IR"
}
},
{
"value": "PassCV",
"description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term PassCV to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. Wed like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs theyve begun development on. ",
"meta": {
"refs": [
"https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
],
"country": "CN"
}
},
{
"value": "Sath-ı Müdafaa",
"description": "A Turkish hacking group, Sath-ı Müdafaa, is encouraging individuals to join its DDoS-for-Points platform that features points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of predetermined targets. Their DDoS tool also contains a backdoor to hack the hackers. So the overarching motivation and allegiance of the group is not entirely clear.",
"meta": {
"country": "TU",
"motive": "Hacktivists-Nationalists"
}
},
{
"value": "Aslan Neferler Tim",
"description": "Turkish nationalist hacktivist group that has been active for roughly one year. According to Domaintools, the groups site has been registered since December 2015, with an active Twitter account since January 2016. The group carries out distributed denial-of-service (DDoS) attacks and defacements against the sites of news organizations and governments perceived to be critical of Turkeys policies or leadership, and purports to act in defense of Islam",
"meta": {
"country": "TU",
"synonyms": [
"Lion Soldiers Team",
"Phantom Turk"
],
"motive": "Hacktivists-Nationalists"
}
},
{
"value": "Ayyıldız Tim",
"description": "Ayyıldız (Crescent and Star) Tim is a nationalist hacking group founded in 2002. It performs defacements and DDoS attacks against the websites of governments that it considers to be repressing Muslim minorities or engaged in Islamophobic policies.",
"meta": {
"country": "TU",
"synonyms": [
"Crescent and Star"
],
"motive": "Hacktivists-Nationalists"
}
},
{
"value": "TurkHackTeam",
"description": "Founded in 2004, Turkhackteam is one of Turkeys oldest and most high-profile hacking collectives. According to a list compiled on Turkhackteams forum, the group has carried out almost 30 highly publicized hacking campaigns targeting foreign government and commercial websites, including websites of international corporations. ",
"meta": {
"country": "TU",
"synonyms": [
"Turk Hack Team"
],
"motive": "Hacktivists-Nationalists"
}
},
{
"value": "Equation Group",
"description": "The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame",
"meta": {
"country": "US",
"refs": [
"https://en.wikipedia.org/wiki/Equation_Group"
]
}
},
{
"value": "Greenbug",
"description": "Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.",
"meta": {
"refs": [
"https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"
]
}
},
{
"value": "Gamaredon Group",
"description": "Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical capabilities.",
"meta": {
"refs": [
"http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution"
]
}
},
{
"meta": {
"country": "CHN",
"synonyms": [
"Zhenbao"
],
"refs": [
"http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242"
]
},
"value": "Hammer Panda",
"description": "Hammer Panda is a group of suspected Chinese origin targeting organisations in Russia."
},
{
"meta": {
"country": "CHN",
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp"
]
},
"value": "Barium",
"description": "Barium is one of the groups using Winnti."
},
{
"meta": {
"country": "IRN",
"synonyms": [
"Operation Mermaid"
],
"refs": [
"https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf"
]
},
"value": "Infy",
"description": "Infy is a group of suspected Iranian origin."
},
{
"meta": {
"country": "IRN",
"refs": [
"https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf"
]
},
"value": "Sima",
"description": "Sima is a group of suspected Iranian origin targeting Iranians in diaspora."
},
{
"meta": {
"country": "CHN",
"synonyms": [
"Cloudy Omega"
],
"refs": [
"https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
]
},
"value": "Blue Termite",
"description": "Blue Termite is a group of suspected Chinese origin active in Japan."
},
{
"meta": {
"country": "UKR",
"refs": [
"http://www.welivesecurity.com/2016/05/18/groundbait"
]
},
"value": "Groundbait",
"description": "Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk Peoples Republics."
}
],
"name": "Threat actor",
@ -1233,5 +1499,5 @@
],
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
"uuid": "7cdff317-a673-4474-84ec-4f1754947823",
"version": 7
"version": 17
}



@ -0,0 +1,7 @@
{
"name": "Preventive Measure",
"type": "preventive-measure",
"description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.",
"version": 1,
"uuid": "8168995b-adcd-4684-9e37-206c5771505a"
}

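--- a/galaxies/ransomware.json
+++ b/galaxies/ransomware.json
@@ -0,0 +1,7 @@
+{
+"description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml",
+"type": "ransomware",
+"version": 1,
+"name": "Ransomware",
+"uuid": "3f44af2e-1480-4b6b-9aa8-f9bb21341078"
+}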

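--- a/jq_all_the_things.sh
+++ b/jq_all_the_things.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+# Seeds sponge, from moreutils
+#Validate all Jsons first
+for dir in `find . -name "*.json"`
+do
+echo validating ${dir}
+cat ${dir} | jq . >/dev/null
+rc=$?
+if [[ $rc != 0 ]]; then exit $rc; fi
+done
+set -e
+set -x
+for dir in clusters/*.json
+do
+# Beautify it
+cat ${dir} | jq . | sponge ${dir}
+done
+for dir in galaxies/*.json
+do
+# Beautify it
+cat ${dir} | jq . | sponge ${dir}
+done
+cat schema_clusters.json | jq . | sponge schema_clusters.json
+cat schema_galaxies.json | jq . | sponge schema_galaxies.json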
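Review bot: `cat ${dir} | jq . | sponge ${dir}` in both beautify loops can destroy a file: sponge writes whatever it received, so if jq exits non-zero for any reason the file is replaced with empty output, and without `set -o pipefail` the pipeline's status is sponge's 0, so the `set -e` above never fires. Add `set -o pipefail` beside `set -e`, or only replace the file on success: `jq . "$dir" > "$dir.tmp" && mv -- "$dir.tmp" "$dir"`. Every loop also leaves `${dir}` unquoted and the validation loop iterates over backtick `find` output, so a path containing whitespace is split into several arguments; quote `"${dir}"` everywhere and feed the validation loop from `find . -name '*.json' -print0` via `while IFS= read -r -d '' dir`, and note that validate_all.sh in this commit has the same unquoted `${dir}`. The header comment `# Seeds sponge, from moreutils` presumably means `# Needs sponge, from moreutils`.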

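--- a/schema_clusters.json
+++ b/schema_clusters.json
@@ -0,0 +1,121 @@
+{
+"$schema": "http://json-schema.org/schema#",
+"title": "Validator for misp-galaxies",
+"id": "https://www.github.com/MISP/misp-galaxies/schema.json",
+"type": "object",
+"additionalProperties": false,
+"properties": {
+"description": {
+"type": "string"
+},
+"type": {
+"type": "string"
+},
+"version": {
+"type": "integer"
+},
+"name": {
+"type": "string"
+},
+"uuid": {
+"type": "string"
+},
+"source": {
+"type": "string"
+},
+"values": {
+"type": "array",
+"uniqueItems": true,
+"items": {
+"type": "object",
+"additionalProperties": false,
+"properties": {
+"description": {
+"type": "string"
+},
+"value": {
+"type": "string"
+},
+"meta": {
+"type": "object",
+"additionalProperties": false,
+"properties": {
+"refs": {
+"type": "array",
+"uniqueItems": true,
+"items": {
+"type": "string"
+}
+},
+"synonyms": {
+"type": "array",
+"uniqueItems": true,
+"items": {
+"type": "string"
+}
+},
+"derivated_from": {
+"type": "array",
+"uniqueItems": true,
+"items": {
+"type": "string"
+}
+},
+"status": {
+"type": "string"
+},
+"country": {
+"type": "string"
+},
+"effectiveness": {
+"type": "string"
+},
+"complexity": {
+"type": "string"
+},
+"type": {
+"type": "array",
+"uniqueItems": true,
+"items": {
+"type": "string"
+}
+},
+"impact": {
+"type": "string"
+},
+"motive": {
+"type": "string"
+},
+"colour": {
+"type": "string"
+},
+"possible_issues": {
+"type": "string"
+}
+}
+}
+},
+"required": [
+"value"
+]
+}
+},
+"authors": {
+"type": "array",
+"uniqueItems": true,
+"items": {
+"type": "string"
+}
+}
+},
+"required": [
+"description",
+"type",
+"version",
+"name",
+"uuid",
+"values",
+"authors",
+"source"
+]
+}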
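Review bot: `uuid` and `country` are declared as bare `string`, so the validator accepts any text there; the threat-actor.json hunk in this same commit mixes two-letter (`CN`, `TU`) and three-letter (`CHN`, `IRN`, `UKR`) country codes, and `TU` is not an assigned ISO 3166-1 alpha-2 code (Turkey is `TR`), none of which this schema can catch. Constrain them, e.g. `"uuid": {"type": "string", "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"}` and a `pattern` or `enum` on `country` once the project settles on one code standard. `refs` items could likewise carry `"format": "uri"`, keeping in mind that jsonschema only enforces formats when a format checker is enabled. `derivated_from` looks like a misspelling of `derived_from`; if existing cluster data already uses the key, leave it and note the spelling in a comment-bearing README rather than renaming it here.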

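--- a/schema_galaxies.json
+++ b/schema_galaxies.json
@@ -0,0 +1,31 @@
+{
+"$schema": "http://json-schema.org/schema#",
+"title": "Validator for misp-galaxies",
+"id": "https://www.github.com/MISP/misp-galaxies/schema.json",
+"type": "object",
+"additionalProperties": false,
+"properties": {
+"description": {
+"type": "string"
+},
+"type": {
+"type": "string"
+},
+"version": {
+"type": "integer"
+},
+"name": {
+"type": "string"
+},
+"uuid": {
+"type": "string"
+}
+},
+"required": [
+"description",
+"type",
+"version",
+"name",
+"uuid"
+]
+}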
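Review bot: `id` here is the same URL as in schema_clusters.json, so two different schemas claim one identity; resolvers and validators that cache schemas by `id` can pick up the wrong one. Give each schema a distinct id, e.g. `"id": "https://www.github.com/MISP/misp-galaxies/schema_galaxies.json"`. `uuid` is a bare `string`, so a malformed or empty identifier passes validation; a `pattern` matching the canonical 8-4-4-4-12 hex form would reject it, and `"version": {"type": "integer", "minimum": 1}` would reject the zero and negative versions that are currently accepted.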

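--- a/tools/chk_dup.py
+++ b/tools/chk_dup.py
@@ -0,0 +1,51 @@
+#!/usr/bin/env python3
+# coding=utf-8
+"""
+Tools to find duplicate in galaxies
+"""
+import json
+import os
+import collections
+def loadjsons(path):
+"""
+Find all Jsons and load them in a dict
+"""
+files = []
+data = []
+for name in os.listdir(path):
+if os.path.isfile(os.path.join(path, name)) and name.endswith('.json'):
+files.append(name)
+for jfile in files:
+data.append(json.load(open("%s/%s" % (path, jfile))))
+return data
+if __name__ == '__main__':
+"""
+Iterate all name + synonyms
+tell what is duplicated.
+"""
+jsons = loadjsons("../clusters")
+counter = collections.Counter()
+namespace = []
+for djson in jsons:
+items = djson.get('values')
+for entry in items:
+name = entry.get('value').strip().lower()
+counter[name]+=1
+namespace.append([name, djson.get('name')])
+try:
+for synonym in entry.get('meta').get('synonyms'):
+name = synonym.strip().lower()
+counter[name]+=1
+namespace.append([name, djson.get('name')])
+except (AttributeError, TypeError):
+pass
+counter = dict(counter)
+for key, val in counter.items():
+if val>1:
+print ("Warning duplicate %s" % key)
+for item in namespace:
+if item[0]==key:
+print (item)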
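Review bot: `loadjsons` opens each file with `json.load(open("%s/%s" % (path, jfile)))` and never closes it, and it relies on the locale default encoding even though the cluster files contain non-ASCII names such as `Sath-ı Müdafaa`; use `with open(os.path.join(path, jfile), encoding='utf-8') as fh: data.append(json.load(fh))`, which also matches the `os.path.join` already used two lines earlier. The hard-coded `"../clusters"` means the tool only works when run from `tools/`, so it cannot be called from the CI `script:` step as written; resolve the directory relative to `os.path.dirname(__file__)` or accept it as an argument. The docstring `Find all Jsons and load them in a dict` is inaccurate: the function returns a list of the parsed documents.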

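--- a/tools/csv_to_galaxy.py
+++ b/tools/csv_to_galaxy.py
@@ -0,0 +1,87 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+import csv
+import argparse
+import uuid
+import json
+if __name__ == '__main__':
+parser = argparse.ArgumentParser(description='CSV to Galaxy')
+parser.add_argument("-c", "--csv", required=True, help="input csv")
+parser.add_argument("-v", "--value", type=int, required=True, help="number of the column with the value")
+parser.add_argument("-e", "--value_description", type=int, nargs='+', help="number of the column with description, if not defined, all other data wil be concataned")
+parser.add_argument("-w", "--version", type=int, help="version of the galaxy")
+parser.add_argument("-d", "--description", help="description of the galaxy")
+parser.add_argument("-a", "--authors", nargs='+', help="author of the galaxy")
+parser.add_argument("-s", "--source", help="source of the galaxy")
+parser.add_argument("-t", "--type", help="type of galaxy, also the name of the generated json")
+parser.add_argument("-n", "--name", help="name of the galaxy")
+parser.add_argument("-u", "--title", action='store_true', help="set it if the first line contains the name of the columns")
+args = parser.parse_args()
+values = []
+if args.title is None:
+args.title = False
+with open(args.csv, newline='') as csvfile:
+csvreader = csv.reader(csvfile, delimiter=',', quotechar='"')
+for data in csvreader:
+if args.title:
+args.title = False
+continue
+temp = {}
+temp["value"] = data[args.value]
+temp["description"] = ""
+if args.value_description is not None:
+for i in args.value_description:
+if data[i] != "":
+temp["description"] = temp["description"] + data[i].replace('\n', ' ') + "; "
+else:
+for i in range(len(data)):
+if i != args.value and data[i] != "":
+temp["description"] = temp["description"] + data[i] + "; "
+values.append(temp)
+galaxy = {}
+galaxy["values"] = values
+if args.version is not None:
+galaxy["version"] = args.version
+else:
+galaxy["version"] = 1
+galaxy["uuid"] = str(uuid.uuid4())
+if args.description is not None:
+galaxy["description"] = args.description
+else:
+galaxy["description"] = "automagically generated galaxy"
+if args.authors is not None:
+galaxy["authors"] = []
+for author in args.authors:
+galaxy["authors"].append(author)
+else:
+galaxy["authors"] = ["Various"]
+if args.source is not None:
+galaxy["source"] = args.source
+else:
+galaxy["source"] = "source"
+if args.type is not None:
+galaxy["type"] = args.type
+else:
+galaxy["type"] = "type"
+if args.name is not None:
+galaxy["name"] = args.name
+else:
+galaxy["name"] = "name"
+print (galaxy)
+with open(args.type+'.json', 'w') as outfile:
+json.dump(galaxy, outfile)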
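Review bot: The output path `args.type+'.json'` is taken verbatim from the `--type` option, so a value with a directory component writes the file outside the working directory, and when `--type` is omitted `args.type` is `None` and the concatenation raises `TypeError` even though `galaxy["type"]` was just defaulted to `"type"`; build the name from the defaulted value and strip any path, e.g. `with open(os.path.basename(galaxy["type"]) + '.json', 'w') as outfile:` (adding `import os`). `#!/usr/bin/env python` does not match `open(args.csv, newline='')`, which is Python 3-only, so the script fails under a Python 2 `python`; use `python3` as tools/chk_dup.py does. `if args.title is None` is dead code because `action='store_true'` defaults to `False`. `json.dump(galaxy, outfile)` emits compact JSON while the repository is normalised by jq, so every generated file shows as modified until jq_all_the_things.sh runs; `json.dump(galaxy, outfile, indent=2)` gets closer to the committed form.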

50
validate_all.sh Executable file

@ -0,0 +1,50 @@
#!/bin/bash
# This file launch all validation of the jsons and schemas
# By default, It stop on file not commited.
# you could test with command ./validate_all.sh something
# Check Jsons format, and beautify
./jq_all_the_things.sh
rc=$?
if [[ $rc != 0 ]]; then
exit $rc
fi
set -e
set -x
diffs=`git status --porcelain | wc -l`
if ! [ $diffs -eq 0 ]; then
echo "Please make sure you run ./jq_all_the_things.sh before commiting."
if [ $# -eq 0 ]; then
exit 1
fi
fi
# Validate schemas
for dir in clusters/*.json
do
echo -n "${dir}: "
jsonschema -i ${dir} schema_clusters.json
rc=$?
if [[ $rc != 0 ]]; then
echo "Error on ${dir}"
exit $rc
fi
echo ''
done
for dir in galaxies/*.json
do
echo -n "${dir}: "
jsonschema -i ${dir} schema_galaxies.json
rc=$?
if [[ $rc != 0 ]]; then
echo "Error on ${dir}"
exit $rc
fi
echo ''
done