From b46f9b68fe7bb1b8358eccc56e336d354ff24740 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 6 Feb 2020 13:39:58 +0100
Subject: [PATCH 1/2] add warzone RAT
---
 clusters/rat.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/rat.json b/clusters/rat.json
index 2fbafae..91baed8 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -3416,7 +3416,17 @@
 },
 "uuid": "1b4a085c-30bb-5aa5-b46a-803e94e010ff",
 "value": "InnfiRAT"
+ },
+ {
+ "description": "Apparently existing since 2018",
+ "meta": {
+ "refs": [
+ "https://warzone.pw"
+ ]
+ },
+ "uuid": "bbff39cb-a12b-4b18-be20-aa9e6d378fa6",
+ "value": "Warzone"
 }
 ],
- "version": 32
+ "version": 33
 }
From f196bad4a148435dfc18d9d8b95c838842a9a437 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 12 Feb 2020 15:39:16 +0100
Subject: [PATCH 2/2] add tools used by TA505 + others
---
 clusters/backdoor.json | 11 ++++++++++-
 clusters/ransomware.json | 15 ++++++++++++++-
 clusters/tool.json | 15 ++++++++++++++-
 3 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/clusters/backdoor.json b/clusters/backdoor.json
index ac2cc9b..70de666 100644
--- a/clusters/backdoor.json
+++ b/clusters/backdoor.json
@@ -90,7 +90,16 @@
 },
 "uuid": "b7ad60a0-d648-4775-adec-c78b1a92fc34",
 "value": "Asruex"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://securityintelligence.com/news/ta505-delivers-new-gelup-malware-tool-flowerpippi-backdoor-via-spam-campaign/"
+ ]
+ },
+ "uuid": "aefe3603-8f96-425c-9f71-9fe21334f224",
+ "value": "FlowerPippi"
 }
 ],
- "version": 6
+ "version": 7
 }
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 550d0b0..238e860 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
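Review bot: The only reference for the new Warzone entry is `https://warzone.pw`, the seller's own storefront, which gives an analyst nothing verifiable about the family's behaviour and is unlikely to stay reachable; a vendor or CERT write-up should be added alongside it or in its place. The description `"Apparently existing since 2018"` is also thinner than the other entries this series adds and would read better as a sentence saying what the entry is, e.g. `"description": "Commodity remote access trojan sold on the operator's own site; in circulation since at least 2018."`. Warzone is widely reported under the alias Ave Maria, so a `synonyms` array of the kind the second patch uses in ransomware.json and tool.json would help lookups.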
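Review bot: The FlowerPippi entry in backdoor.json has no `description`, unlike every other entry this series adds, so the commit subject ("tools used by TA505") is the only place the attribution is recorded. A one-line description drawn from the cited article, e.g. `"description": "Backdoor delivered by TA505 via spam campaigns alongside the Gelup downloader.",` placed before `"meta"`, would keep that context with the data rather than in the git log.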
@@ -13696,7 +13696,20 @@
 },
 "uuid": "000fb0bf-8be3-4ff1-8bbd-cc0513bcdd89",
 "value": "RobinHood"
+ },
+ {
+ "description": "Bart ransomware is distributed by the same Russian Cyber Mafia behind Dridex 220 and Locky. Bart doesn't communicate with a command and control (C&C) server, so it can encrypt files without being connected to a computer.\nBart is spread to end users via phishing emails containing .zip attachments with JavaScript Code and use social engineering to trick users into opening the 'photo' attachments. The zipped files are obfuscated to make it more hard to tell what actions they are performing. See screenshot above for an example of what they look like. If opened, these attachments download and install the intermediary loader RockLoader which downloads Bart onto the machine over HTTPS.\nOnce executed, it will first check the language on the infected computer. If the malware detects Russian, Belorussian, or Ukrainian, the ransomware will terminate and will not proceed with the infection. If it's any other language, it will start scanning the computer for certain file extensions to encrypt.\nBecause Bart does not require communication with C&C infrastructure prior to encrypting files, Bart could possibly encrypt machines sitting behind corporate firewalls that would otherwise block such traffic. Thus, organizations need to ensure that Bart is blocked at the email gateway using rules that block zipped executables.",
+ "meta": {
+ "refs": [
+ "https://www.knowbe4.com/bart-ransomware"
+ ],
+ "synonyms": [
+ "Locky Bart"
+ ]
+ },
+ "uuid": "05d5263f-ec23-4279-bb98-55fc233d7e89",
+ "value": "Bart ransomware"
 }
 ],
- "version": 79
+ "version": 80
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index cb02fa6..19c1e7d 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
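Review bot: The Bart description carries over the sentence `See screenshot above for an example of what they look like.` from the KnowBe4 page, which points at an image that does not exist in this file; it should be dropped. The same paragraph has `more hard to tell` (→ `harder to tell`) and `Belorussian` (→ `Belarusian`). The `value` `"Bart ransomware"` also breaks with the bare-name convention of the neighbouring `"RobinHood"` entry and of the synonym `"Locky Bart"`; `"value": "Bart"` would be consistent, the family type being implied by the file it lives in.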
@@ -7965,7 +7965,20 @@
 },
 "uuid": "e537e165-ea8b-4e75-8813-6519632d3f6a",
 "value": "LiquorBot"
+ },
+ {
+ "description": "Written in C++ and designed to function as a downloader of other malware, Gelup stood out for its obfuscation techniques. Gelup can also bypass User Account Control (UAC) by mocking trusted directories, abusing auto-elevated executables and using the Dynamic Link Library (DLL) side-loading technique.",
+ "meta": {
+ "refs": [
+ "https://securityintelligence.com/news/ta505-delivers-new-gelup-malware-tool-flowerpippi-backdoor-via-spam-campaign/"
+ ],
+ "synonyms": [
+ "AndroMut"
+ ]
+ },
+ "uuid": "32a6065c-4f4e-4a60-8717-5872b5f21ac4",
+ "value": "Gelup malware tool"
 }
 ],
- "version": 132
+ "version": 133
 }
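Review bot: `"value": "Gelup malware tool"` takes its wording from the article headline rather than the family name; the neighbouring `"LiquorBot"` and the synonym `"AndroMut"` are bare names, so `"value": "Gelup"` fits the file's convention and makes the entry easier to match. The description also never names TA505, although the commit subject and the cited article both attribute the tool to that group; a short opening clause such as `Downloader distributed by TA505 in spam campaigns.` would keep the attribution with the data.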