From cd532724700df0c0fa7163cc9858da238261bae6 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 3 Jul 2018 11:16:19 +0200
Subject: [PATCH 1/7] chg: RANCOR group added
---
 clusters/threat-actor.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 943706b5..b8786e06 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2711,6 +2711,16 @@
 ]
 },
 "uuid": "1533bc1a-745a-11e8-90e3-efa3e975fef3s"
+ },
+ {
+ "value": "RANCOR",
+ "description": "The Rancor group’s attacks use two primary malware families which we describe in depth later in this blog and are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be new addition to these attackers’ toolkit.",
+ "meta": {
+ "refs": [
+ "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
+ ]
+ },
+ "uuid": "14e7266a-6dd8-4000-8951-4bd93e357d4b"
 }
 ],
 "name": "Threat actor",
@@ -2725,5 +2735,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 43
+ "version": 44
 }
From fa8d0e35f684e48b177f3b198acbb5bad30740f9 Mon Sep 17 00:00:00 2001
From: raw-data
Date: Fri, 6 Jul 2018 11:00:11 +0100
Subject: [PATCH 2/7] [add] x1 new entry in stealer.json - AZORult
---
 clusters/stealer.json | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/clusters/stealer.json b/clusters/stealer.json
index 8fbf92ca..23cedcaa 100644
--- a/clusters/stealer.json
+++ b/clusters/stealer.json
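Review bot: The RANCOR description on the new `"description"` line is pasted verbatim from the Unit 42 post and still says "which we describe in depth later in this blog", which makes no sense inside a galaxy cluster; reword it to stand alone, e.g. `"description": "The Rancor group's attacks use two primary malware families, DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be a new addition to the attackers' toolkit.",`. The cited source calls the group "Rancor" while the value is "RANCOR", so a `"synonyms": ["Rancor"]` entry in meta would help case-sensitive matching. Separately, the context line just above the insertion carries `"uuid": "1533bc1a-745a-11e8-90e3-efa3e975fef3s"`, which is not a valid UUID (trailing `s`); it predates this commit, but since the uuid is the entry's identifier it is worth a follow-up fix.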
@@ -1,8 +1,8 @@
 {
 "uuid": "f2ef4033-9001-4427-a418-df8c48e6d054",
- "description": "A list of malware stealer.",
+ "name": "Stealer",
 "source": "Open Sources",
- "version": 1,
+ "version": 2,
 "values": [
 {
 "meta": {
@@ -25,11 +25,24 @@
 "description": "The first version stole browser credentials and cookies, along with all text files it can find on the system. The second variant added the ability to collect Telegram's desktop cache and key files, as well as login information for the video game storefront Steam.",
 "value": "TeleGrab",
 "uuid": "a6780288-24eb-4006-9ddd-062870c6feec"
+ },
+ {
+ "meta": {
+ "date": "July 2018.",
+ "refs": [
+ "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan",
+ "https://blog.minerva-labs.com/analyzing-an-azorult-attack-evasion-in-a-cloak-of-multiple-layers",
+ "https://malware.lu/articles/2018/05/04/azorult-stealer.html"
+ ]
+ },
+ "description": "It is able to steal accounts from different software, such as, Firefox password Internet Explorer/Edge Thunderbird Chrome/Chromium and many more. It is also able to (1) list all installed software, (2) list processes, (3) Get information about the machine name (CPU type, Graphic card, size of memory), (4) take screen captures, (5) Steal cryptomoney wallet from Electrum, MultiBit, monero-project, bitcoin-qt.",
+ "value": "AZORult",
+ "uuid": "a646edab-5c6f-4a79-8a6c-153535259e16"
 }
 ],
 "authors": [
 "raw-data"
 ],
 "type": "stealer",
- "name": "Stealer"
+ "description": "A list of malware stealer."
 }
From 6f7a7921ae9d0e9cf3d364cde84887e93146fc62 Mon Sep 17 00:00:00 2001
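Review bot: The new AZORult entry's `"date": "July 2018."` is free text with a trailing period rather than a machine-readable date; an ISO 8601 value such as `"date": "2018-07"` lets the field be sorted and filtered. The same free-text date appears on the WellMess entry added in clusters/backdoor.json in patch 4/7. The description's software list has lost its separators ("Firefox password Internet Explorer/Edge Thunderbird Chrome/Chromium") and should read `such as Firefox, Internet Explorer/Edge, Thunderbird, Chrome/Chromium and many more`. The first hunk only moves `"description"` to the bottom of the object and `"name"` to the top, which inflates the diff without changing the data; key order is insignificant in JSON, so the existing placement should be kept.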
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Fri, 6 Jul 2018 15:25:05 +0200
Subject: [PATCH 3/7] new: Add entries from Bambenek Consulting
---
 clusters/banker.json | 66 +++++++++++++++++++++++++++++++++++++++-
 clusters/botnet.json | 64 +++++++++++++++++++++++++++++++++++++-
 clusters/ransomware.json | 9 ++++++
 3 files changed, 137 insertions(+), 2 deletions(-)
diff --git a/clusters/banker.json b/clusters/banker.json
index 1f0ad4fb..725f3d56 100644
--- a/clusters/banker.json
+++ b/clusters/banker.json
@@ -2,7 +2,7 @@
 "uuid": "59f20cce-5420-4084-afd5-0884c0a83832",
 "description": "A list of banker malware.",
 "source": "Open Sources",
- "version": 9,
+ "version": 10,
 "values": [
 {
 "meta": {
@@ -595,6 +595,70 @@
 "value": "Backswap",
 "uuid": "ea0b5f45-6b56-4c92-b22b-0d84c45160a0"
 },
+ {
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Bebloh.A",
+ "https://www.symantec.com/security-center/writeup/2011-041411-0912-99"
+ ],
+ "synonyms": [
+ "URLZone",
+ "Shiotob"
+ ]
+ },
+ "value": "Bebloh",
+ "uuid": "67a1a317-9f79-42bd-a4b2-fa1867d37d27"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.johannesbader.ch/2015/02/the-dga-of-banjori/"
+ ],
+ "synonyms": [
+ "MultiBanker 2",
+ "BankPatch",
+ "BackPatcher"
+ ]
+ },
+ "value": "Banjori",
+ "uuid": "f68555ff-6fbd-4f5a-bc23-34996f629c52"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.countercept.com/our-thinking/decrypting-qadars-banking-trojan-c2-traffic/"
+ ]
+ },
+ "value": "Qadars",
+ "uuid": "a717c873-6670-447a-ba98-90db6464c07d"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.johannesbader.ch/2016/06/the-dga-of-sisron/"
+ ]
+ },
+ "value": "Sisron",
+ "uuid": "610a136c-820d-4f5f-b66c-ae298923dc55"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.johannesbader.ch/2016/06/the-dga-of-sisron/"
+ ]
+ },
+ "value": "Ranbyus",
+ "uuid": "6720f960-0382-479b-a0f8-f9e008995af4"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://searchfinancialsecurity.techtarget.com/news/4500249201/Fobber-Drive-by-financial-malware-returns-with-new-tricks"
+ ]
+ },
+ "value": "Fobber",
+ "uuid": "da124511-463c-4514-ad05-7ec8db1b38aa"
+ },
 {
 "meta": {
 "refs": [
diff --git a/clusters/botnet.json b/clusters/botnet.json
index 7bf90bdb..86c37240 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -2,7 +2,7 @@
 "description": "botnet galaxy",
 "uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f",
 "source": "MISP Project",
- "version": 6,
+ "version": 7,
 "values": [
 {
 "meta": {
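Review bot: The Ranbyus entry cites `https://www.johannesbader.ch/2016/06/the-dga-of-sisron/`, the same URL the Sisron entry immediately above uses, which looks like a copy-paste; it should point at a source that actually covers Ranbyus, i.e. `"refs": ["<ranbyus-specific reference URL>"]`. None of the six new banker entries carries a `"description"`, although the entries added to the sibling clusters/stealer.json in patch 2/7 do; a one-sentence description per family makes the cluster usable without following the link. The same missing-description point applies to the six botnet entries in this patch's next hunk and to the DirCrypt entry in its ransomware.json hunk.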
@@ -629,6 +629,68 @@
 },
 "value": "Trik Spam Botnet",
 "uuid": "c68d5e64-7485-11e8-8625-2b14141f0501"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://news.softpedia.com/news/researchers-crack-mad-max-botnet-algorithm-and-see-in-the-future-506696.shtml"
+ ],
+ "synonyms": [
+ "Mad Max"
+ ]
+ },
+ "value": "Madmax",
+ "uuid": "7a6fcec7-3408-4371-907b-cbf8fc931b66"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://labs.bitdefender.com/2013/12/in-depth-analysis-of-pushdo-botnet/"
+ ]
+ },
+ "value": "Pushdo",
+ "uuid": "94d12a03-6ae8-4006-a98f-80c15e6f95c0"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.us-cert.gov/ncas/alerts/TA15-105A"
+ ]
+ },
+ "value": "Simda",
+ "uuid": "347e7a64-8ee2-487f-bcb3-ca7564fa836c"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://en.wikipedia.org/wiki/Virut"
+ ]
+ },
+ "value": "Virut",
+ "uuid": "cc1432a1-6580-4338-b119-a43236528ea1"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-micro-solutions"
+ ]
+ },
+ "value": "Beebone",
+ "uuid": "49b13880-9baf-4ae0-9171-814094b03d89"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2FBamital",
+ "https://www.symantec.com/security-center/writeup/2010-070108-5941-99"
+ ],
+ "synonyms": [
+ "Mdrop-CSK",
+ "Agent-OCF"
+ ]
+ },
+ "value": "Bamital",
+ "uuid": "07815089-e2c6-4084-9a62-3ece7210f33f"
 }
 ],
 "authors": [
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 39a82cf7..e64aa02c 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -9974,6 +9974,15 @@
 },
 "uuid": "9d09ac4a-73a0-11e8-b71c-63b86eedf9a2"
 },
+ {
+ "value": "DirCrypt",
+ "meta": {
+ "refs": [
+ "https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/"
+ ]
+ },
+ "uuid": "cdcc59a0-955e-412d-b481-8dff4bce6fdf"
+ },
 {
 "value": "DBGer Ransomware",
 "description": "The authors of the Satan ransomware have rebranded their \"product\" and they now go by the name of DBGer ransomware, according to security researcher MalwareHunter, who spotted this new version earlier today. The change was not only in name but also in the ransomware's modus operandi. According to the researcher, whose discovery was later confirmed by an Intezer code similarity analysis, the new (Satan) DBGer ransomware now also incorporates Mimikatz, an open-source password-dumping utility. The purpose of DBGer incorporating Mimikatz is for lateral movement inside compromised networks. This fits a recently observed trend in Satan's modus operandi.",
From 77cfaa8221380109ada0a589c2ef0165a0063967 Mon Sep 17 00:00:00 2001
From: raw-data
Date: Fri, 6 Jul 2018 20:09:52 +0100
Subject: [PATCH 4/7] [add] new backdoor galaxy and cluster
---
 clusters/backdoor.json | 24 ++++++++++++++++++++++++
 galaxies/backdoor.json | 9 +++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 clusters/backdoor.json
 create mode 100644 galaxies/backdoor.json
diff --git a/clusters/backdoor.json b/clusters/backdoor.json
new file mode 100644
index 00000000..c0d2adb5
--- /dev/null
+++ b/clusters/backdoor.json
@@ -0,0 +1,24 @@
+{
+ "uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
+ "description": "A list of backdoor malware.",
+ "source": "Open Sources",
+ "version": 1,
+ "values": [
+ {
+ "meta": {
+ "date": "July 2018.",
+ "refs": [
+ "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html"
+ ]
+ },
+ "description": "Cross-platform malware written in Golang, compatible with Linux and Windows. Although there are some minor differences, both variants have the same functionality. The malware communicates with a CnC server using HTTP requests and performs functions based on the received commands. Results of command execution are sent in HTTP POST requests data (RSA-encrypted). Main functionalities are: (1) Execute arbitrary shell commands, (2) Upload/Download files. The PE variant of the infection, in addition, executes PowerShell scripts. A .Net version was also observed in the wild.",
+ "value": "WellMess",
+ "uuid": "e0e79fab-0f1d-4fc2-b424-208cb019a9cd"
+ }
+ ],
+ "authors": [
+ "raw-data"
+ ],
+ "type": "backdoor",
+ "name": "Backdoor"
+}
diff --git a/galaxies/backdoor.json b/galaxies/backdoor.json
new file mode 100644
index 00000000..6504c9c0
--- /dev/null
+++ b/galaxies/backdoor.json
@@ -0,0 +1,9 @@
+{
+ "description": "Malware Backdoor galaxy.",
+ "type": "backdoor",
+ "version": 1,
+ "name": "Backdoor",
+ "icon": "door-open",
+ "uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
+ "namespace": "misp"
+}
From d35395445fbd94275227142b65c4a5823ad69652 Mon Sep 17 00:00:00 2001
From: raw-data
Date: Fri, 6 Jul 2018 20:10:51 +0100
Subject: [PATCH 5/7] [add] new backdoor cluster
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 30bff4a0..a04ab83c 100644
--- a/README.md
+++ b/README.md
@@ -19,6 +19,7 @@ to localized information (which is not shared) or additional information (that c
 - [clusters/android.json](clusters/android.json) - Android malware galaxy based on multiple open sources.
 - [clusters/banker.json](clusters/banker.json) - A list of banker malware.
 - [clusters/stealer.json](clusters/stealer.json) - A list of malware stealer.
+- [clusters/backdoor.json](clusters/backdoor.json) - A list of backdoor malware.
 - [clusters/botnet.json](clusters/botnet.json) - A list of known botnets.
 - [clusters/branded_vulnerability.json](clusters/branded_vulnerability.json) - List of known vulnerabilities and exploits.
 - [clusters/exploit-kit.json](clusters/exploit-kit.json) - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years.
From 43a2c7f0efd01bc0ab35ac611277c426b7629001 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 9 Jul 2018 14:25:19 +0200
Subject: [PATCH 6/7] chg: [botnet] Xor DDoS added
---
 clusters/botnet.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/botnet.json b/clusters/botnet.json
index 86c37240..a7862a88 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -2,7 +2,7 @@
 "description": "botnet galaxy",
 "uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f",
 "source": "MISP Project",
- "version": 7,
+ "version": 8,
 "values": [
 {
 "meta": {
@@ -513,6 +513,16 @@
 "value": "Mirai",
 "uuid": "fcdfd4af-da35-49a8-9610-19be8a487185"
 },
+ {
+ "value": "XorDDoS",
+ "uuid": "5485d149-79b5-451e-b48c-a020eced3515",
+ "description": "XOR DDOS is a Linux trojan used to perform large-scale DDoS",
+ "meta": {
+ "refs": [
+ "https://en.wikipedia.org/wiki/Xor_DDoS"
+ ]
+ }
+ },
 {
 "meta": {
 "refs": [
From 98db303047030408a1195e6f490ed910babe54ef Mon Sep 17 00:00:00 2001
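Review bot: The new XorDDoS entry orders its keys value, uuid, description, meta, whereas the surrounding entries in this file (the Mirai context lines and the `"meta": { "refs": [` block that follows) put meta first and value/uuid last; matching the file's order keeps future diffs small. The description `"XOR DDOS is a Linux trojan used to perform large-scale DDoS"` lacks a terminal period. The family is also spelled three ways on this page alone (`XorDDoS` as the value, `Xor DDoS` in the subject, `XOR DDOS` in the description), so adding `"synonyms": ["Xor DDoS", "XOR DDOS"]` to meta keeps lookups from depending on one spelling.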
From: Alexandre Dulaunoy
Date: Tue, 10 Jul 2018 08:49:00 +0200
Subject: [PATCH 7/7] chg: [threat-actor] The Big Bang campaign/group added
---
 clusters/threat-actor.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0a31ff7e..a500a71b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2801,6 +2801,16 @@
 ]
 },
 "uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b"
+ },
+ {
+ "value": "The Big Bang",
+ "description": "While it is not clear exactly what the attacker is looking for, what is clear is that once he finds it, a second stage of the attack awaits, fetching additional modules and/or malware from the Command and Control server. This then is a surveillance attack in progress and has been dubbed ‘Big Bang’ due to the attacker’s fondness for the ‘Big Bang Theory’ TV show, after which some of the malware’s modules are named.",
+ "meta": {
+ "refs": [
+ "https://research.checkpoint.com/apt-attack-middle-east-big-bang/",
+ "https://blog.talosintelligence.com/2017/06/palestine-delphi.html"
+ ]
+ }
 }
 ],
 "name": "Threat actor",
@@ -2815,5 +2825,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 44
+ "version": 45
 }
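Review bot: The new "The Big Bang" entry has no `"uuid"` key, while every other cluster entry on this page carries one (the context line directly above the insertion is `"uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b"`); without it the entry has no stable identifier for references or deduplication, so add `"uuid": "<new-random-uuid>"` after the meta block. The commit subject calls this a "campaign/group" and the cluster's own description in the next hunk warns that groups are regularly confused with their campaign, so the description or a `"synonyms"` entry should state whether "Big Bang" names the operation or the actor behind it. The description is also pasted verbatim from the Check Point write-up and would read better as a standalone summary.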