MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #36 from Th4nat0s/gutembergII 

Gutemberg II
pull/37/head
Alexandre Dulaunoy 2017-02-27 10:19:45 +01:00 committed by GitHub
parent 8e1cd6364e 07cc13feb8
commit 1f4db6d4a1
2 changed files with 565 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
clusters/threat-actor.json
View File

@ -9,7 +9,8 @@
"Advanced Persistent Threat 1",
"Byzantine Candor",
"Group 3",
"TG-8223"
"TG-8223",
"Comment Group"
],
"country": "CN",
"refs": [
@ -670,7 +671,9 @@
"synonyms": [
"Operation Cleaver",
"Tarh Andishan",
"Alibaba"
"Alibaba",
"2889",
"TG-2889"
],
"refs": [
"http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
@ -1100,6 +1103,10 @@
},
{
"meta": {
"synonyms": [
"TG-3390",
"Emissary Panda"
],
"refs": [
"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
"https://attack.mitre.org"

584
clusters/tool.json
View File

@ -233,7 +233,8 @@
"Jorik"
],
"refs": [
"http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf"
"http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf",
"https://github.com/kevthehermit/RATDecoders/blob/master/yaraRules/njRat.yar"
],
"type": [
"Backdoor"
@ -355,10 +356,37 @@
}
},
{
"value": "NetTraveler"
"value": "NetTraveler",
"description": "APT that infected hundreds of high profile victims in more than 40 countries. Known targets of NetTraveler include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.",
"meta": {
"synonyms": [
"TravNet",
"Netfile"
],
"refs": [
"https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/"
],
"type": [
"Backdoor"
]
}
},
{
"value": "Winnti"
"value": "Winnti",
"description": "APT used As part of Operation SMN, Novetta analyzed recent versions of the Winnti malware. The samples, compiled from mid- to late 2014, exhibited minimal functional changes over the previous generations Kaspersky reported in 2013.",
"meta": {
"synonyms": [
"Etso",
"SUQ",
"Agent.ALQHI"
],
"refs": [
"https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/"
],
"type": [
"Backdoor"
]
}
},
{
"value": "Mimikatz",
@ -376,33 +404,104 @@
}
},
{
"value": "WEBC2"
},
{
"value": "Pirpi",
"value": "WEBC2",
"description": "Backdoor attribued to APT1",
"meta": {
"refs": [
"http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"
"https://github.com/gnaegle/cse4990-practical3",
"https://www.securestate.com/blog/2013/02/20/apt-if-it-aint-broke"
],
"type": [
"Backdoor"
]
}
},
{
"value": "RARSTONE"
"value": "Pirpi",
"description": "Symantec has observed Buckeye activity dating back to 2009, involving attacks on various organizations in several regions. Buckeye used a remote access Trojan (Backdoor.Pirpi) in attacks against a US organizations network in 2009. The group delivered Backdoor.Pirpi through malicious attachments or links in convincing spear-phishing emails.",
"meta": {
"synonyms": [
"Badey",
"EXL"
],
"refs": [
"http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"
],
"type": [
"Backdoor"
]
}
},
{
"value": "BACKSPACe"
"value": "RARSTONE",
"description": "RARSTONE is a Remote Access Tool (RAT) discovered early 2013 by TrendMicro, its characterized by a great affinity with the other RAT know as Plug is and was used in April for phishing campaigns that followed the dramatic attack to the Boston Marathon.",
"meta": {
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/"
],
"type": [
"Backdoor"
]
}
},
{
"value": "XSControl"
"value": "Backspace",
"description": "Backspace is a Backdoor that targets the Windows platform. This malware is reportedly associated with targeted attacks against Association of Southeast Asian Nations (ASEAN) members (APT30).",
"meta": {
"synonyms": [
"Lecna"
],
"refs": [
"https://www2.fireeye.com/WEB-2015RPTAPT30.html",
"https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf"
],
"type": [
"Backdoor"
]
}
},
{
"value": "NETEAGLE"
"value": "XSControl",
"description": "Backdoor user by he Naikon APT group",
"meta": {
"refs": [
"https://securelist.com/analysis/publications/69953/the-naikon-apt/",
"https://kasperskycontenthub.com/securelist/files/2015/05/TheNaikonAPT-MsnMM.pdf"
],
"type": [
"Backdoor"
]
}
},
{
"value": "Neteagle",
"description": "NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as Scout and Norton.",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0034",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
],
"synonyms": [
"scout",
"norton"
],
"type": [
"Backdoor"
]
}
},
{
"value": "Agent.BTZ",
"description": "In November 2014, the experts of the G DATA SecurityLabs published an article about ComRAT, the Agent.BTZ successor. We explained that this case is linked to the Uroburos rootkit.",
"meta": {
"synonyms": [
"ComRat"
],
"refs": [
"https://blog.gdatasoftware.com/2015/01/23927-evolution-of-sophisticated-spyware-from-agent-btz-to-comrat"
],
"type": [
"Backdoor"
]
}
},
@ -419,18 +518,36 @@
"meta": {
"synonyms": [
"Tavdig",
"Epic Turla"
"Epic Turla",
"WorldCupSec",
"TadjMakhal"
],
"refs": [
"https://securelist.com/analysis/publications/65545/the-epic-turla-operation/",
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf"
],
"type": [
"Backdoor"
]
}
},
{
"value": "Turla"
},
{
"value": "Uroburos"
"value": "Turla",
"description": "Family of related sophisticated backdoor software - Name comes from Microsoft detection signature anagram of Ultra (Ultra3) was a name of the fake driver).",
"meta": {
"synonyms": [
"Snake",
"Uroburos",
"Urouros"
],
"refs": [
"https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf"
],
"type": [
"Backdoor",
"Rootkit"
]
}
},
{
"value": "Winexe"
@ -439,10 +556,6 @@
"value": "Dark Comet",
"description": "RAT initialy identified in 2011 and still actively used."
},
{
"value": "AlienSpy",
"description": "RAT for Apple OS X platforms"
},
{
"value": "Cadelspy",
"meta": {
@ -518,32 +631,38 @@
},
{
"value": "CHOPSTICK",
"description": "backdoor",
"description": "backdoor used by apt28 ",
"meta": {
"synonyms": [
"Xagent",
"webhp",
"SPLM",
"(.v2 fysbis)"
],
"refs": [
"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
],
"possible_issues": "Report tells that is could be Xagent alias (Java Rat)",
"type": [
"Backdoor"
]
}
},
{
"value": "EVILTOSS",
"description": "backdoor",
"description": "backdoor used by apt28",
"meta": {
"synonyms": [
"Sedreco",
"AZZY",
"Xagent",
"ADVSTORESHELL",
"NETUI"
],
"refs": [
"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
],
"possible_issues": "Report tells that is could be Xagent alias (Java Rat)",
"type": [
"Backdoor"
]
}
},
@ -559,6 +678,9 @@
],
"refs": [
"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
],
"type": [
"Backdoor"
]
}
},
@ -1057,12 +1179,17 @@
},
{
"value": "X-Agent",
"description": "This backdoor component is known to have a modular structure featuring various espionage functionalities, such as key-logging, screen grabbing and file exfiltration. This component is available for Osx, Windows, Linux and iOS operating systems.",
"meta": {
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/"
"http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/",
"https://app.box.com/s/l7n781ig6n8wlf1aff5hgwbh4qoi5jqq"
],
"synonyms": [
"XAgent"
],
"type": [
"Backdoor"
]
}
},
@ -1112,6 +1239,9 @@
"meta": {
"refs": [
"https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"
],
"type": [
"Backdoor"
]
}
},
@ -1121,6 +1251,9 @@
"meta": {
"refs": [
"http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf"
],
"type": [
"Backdoor"
]
}
},
@ -1385,8 +1518,7 @@
"meta": {
"synonyms": [
"Trojan.Zbot",
"Zbot",
"ZeuS"
"Zbot"
],
"refs": [
"https://en.wikipedia.org/wiki/Zeus_(malware)",
@ -1501,6 +1633,402 @@
]
}
},
{
"value": "adzok",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "albertino",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "arcom",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "blacknix",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "bluebanana",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "bozok",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "clientmesh",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "cybergate",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "darkcomet",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "darkrat",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "gh0st",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "greame",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "hawkeye",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "javadropper",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "lostdoor",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "luxnet",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "pandora",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "poisonivy",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "predatorpain",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "punisher",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "qrat",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "shadowtech",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "smallnet",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "spygate",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "template",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "tapaoux",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "vantom",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "virusrat",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "xena",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "xtreme",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "darkddoser",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "jspy",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "xrat",
"description": "Remote Access Trojan",
"meta": {
"refs": [
"https://github.com/kevthehermit/RATDecoders"
],
"type": [
"Backdoor"
]
}
},
{
"value": "PupyRAT",
"description": "Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python.",