merge

clusters/exploit-kit.json

@@ -749,7 +749,17 @@
       },
       "uuid": "00815961-3249-4e2e-9421-bb57feb73bb2",
       "value": "Unknown"
+    },
+    {
+      "description": "The Spelevo exploit kit seems to have similarities to SPL EK, which is a different exploit kit.",
+      "meta": {
+        "refs": [
+          "https://cyberwarzone.com/what-is-the-spelevo-exploit-kit/"
+        ]
+      },
+      "uuid": "00715961-2249-3e2e-8420-bb47feb73bb2",
+      "value": "SpelevoEK"
     }
   ],
-  "version": 13
+  "version": 14
 }

clusters/ransomware.json

@@ -13064,7 +13064,82 @@
       },
       "uuid": "8cfa694b-3e6b-410a-828f-037d981870b2",
       "value": "Jokeroo"
+    },
+    {
+      "description": "During December 2017, a new variant of the GlobeImposter Ransomware was detected for the first time and reported on malware-traffic-analysis. At first sight this ransomware looks very similar to other ransomware samples and uses common techniques such as process hollowing. However, deeper inspection showed that like LockPoS, which was analyzed by CyberBit, GlobeImposter too bypasses user-mode hooks by directly invoking system calls. Given this evasion technique is being leveraged by new malware samples may indicate that this is a beginning of a trend aiming to bypass user-mode security products.",
+      "meta": {
+        "payment-method": "Bitcoin",
+        "price": "0.35",
+        "refs": [
+          "https://www.fortinet.com/blog/threat-research/analysis-of-new-globeimposter-ransomware-variant.html"
+        ]
+      },
+      "uuid": "8cfa694c-2e6b-310a-728f-027d981870b2",
+      "value": "GlobeImposter"
+    },
+    {
+      "description": "BlackWorm Ransomware is a malicious computer infection that encrypts your files, and then does everything it can to prevent you from restoring them. It needs you to pay $200 for the decryption key, but there is no guarantee that the people behind this infection would really issue the decryption tool for you.",
+      "meta": {
+        "payment-method": "Bitcoin",
+        "price": "200 $",
+        "refs": [
+          "https://spyware-techie.com/blackworm-ransomware-removal-guide"
+        ]
+      },
+      "uuid": "8cfa694a-2e5b-300a-727f-027d881870b2",
+      "value": "BlackWorm"
+    },
+    {
+      "description": "Tellyouthepass is a ransomware that alters system files, registry entries and encodes personal photos, documents, and servers or archives. Army-grade encryption algorithms get used to change the original code of the file and make the data useless.",
+      "meta": {
+        "payment-method": "Bitcoin",
+        "price": "0.2",
+        "refs": [
+          "https://malware.wikia.org/wiki/Tellyouthepass"
+        ]
+      },
+      "uuid": "7cfa694a-1e5b-300a-627f-027d881870b1",
+      "value": "Tellyouthepass"
+    },
+    {
+      "description": "BigBobRoss ransomware is the cryptovirus that requires a ransom in Bitcoin to return encrypted files marked with .obfuscated appendix.",
+      "meta": {
+        "payment-method": "Bitcoin",
+        "refs": [
+          "https://www.2-spyware.com/remove-bigbobross-ransomware.html"
+        ]
+      },
+      "uuid": "8cfa684a-1e4b-309a-617f-026d881870b1",
+      "value": "BigBobRoss"
+    },
+    {
+      "description": "First discovered by malware security analyst, Lawrence Abrams, PLANETARY is an updated variant of another high-risk ransomware called HC7.",
+      "meta": {
+        "payment-method": "Bitcoin",
+        "refs": [
+          "https://www.pcrisk.com/removal-guides/12121-planetary-ransomware"
+        ]
+      },
+      "uuid": "6cfa664a-1e2b-329a-607f-026d781870b1",
+      "value": "Planetary"
+    },
+    {
+      "description": "Cr1ptT0r Ransomware Targets NAS Devices with Old Firmware.",
+      "meta": {
+        "payment-method": "Bitcoin",
+        "refs": [
+          "https://www.coveware.com/blog/2019/3/13/cr1ptt0r-ransomware-targets-nas-devices-with-old-firmware",
+          "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cr1ptt0r"
+        ],
+        "synonyms": [
+          "Criptt0r",
+          "Cr1pt0r",
+          "Cripttor"
+        ]
+      },
+      "uuid": "8cfa554a-1e1b-328a-606f-026d771870b1",
+      "value": "Cr1ptT0r"
     }
   ],
-  "version": 55
+  "version": 60
 }

clusters/rat.json

@@ -3328,7 +3328,27 @@
       },
       "uuid": "1b6a067b-50b9-4aa7-a49b-823e94e210fe",
       "value": "H-worm"
+    },
+    {
+      "description": "The RAT, dubbed Parasite HTTP, is especially notable for the extensive array of techniques it incorporates for sandbox detection, anti-debugging, anti-emulation, and other protections. The malware is also modular in nature, allowing actors to add new capabilities as they become available or download additional modules post infection.",
+      "meta": {
+        "refs": [
+          "https://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks"
+        ]
+      },
+      "uuid": "1b6a067c-50ba-4aa7-a59b-824e94e210fe",
+      "value": "Parasite-HTTP-RAT"
+    },
+    {
+      "description": "Caesar is an HTTP-based RAT that allows you to remotely control devices directly from your browser.",
+      "meta": {
+        "refs": [
+          "https://securityonline.info/caesarrat-http-based-rat/"
+        ]
+      },
+      "uuid": "1b6a066c-50ba-4aa6-a49b-823e94e110fe",
+      "value": "Caesar RAT"
     }
   ],
-  "version": 26
+  "version": 28
 }

clusters/stealer.json

@@ -54,7 +54,29 @@
       },
       "uuid": "a646edab-5c6f-4a79-8a6c-153535259e16",
       "value": "AZORult"
+    },
+    {
+      "description": "Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.",
+      "meta": {
+        "date": "Dec 2018.",
+        "refs": [
+          "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar"
+        ]
+      },
+      "uuid": "a646edaa-4c6f-3a79-7a6c-143535259e15",
+      "value": "Vidar"
+    },
+    {
+      "description": "Information stealer which uses AutoIT for wrapping.",
+      "meta": {
+        "date": "Jan 2019.",
+        "refs": [
+          "https://blog.yoroi.company/research/the-ave_maria-malware/"
+        ]
+      },
+      "uuid": "a546edaa-4c6f-2a79-7a6c-133535249e14",
+      "value": "Ave Maria"
     }
   ],
-  "version": 4
+  "version": 6
 }

clusters/threat-actor.json

@@ -757,7 +757,7 @@
         "country": "CN",
         "refs": [
           "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
-          "http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html",
+          "https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html",
           "https://www.cfr.org/interactive/cyber-operations/apt-30"
         ],
         "synonyms": [
@@ -2887,12 +2887,20 @@
           "http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf",
           "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
           "https://www.amnesty.org/en/documents/asa33/8366/2018/en/",
-          "https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/"
+          "https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/",
+          "https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe",
+          "https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf",
+          "https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf",
+          "https://aisa.org.au//PDF/AISA%20Sydney%20-%20Dec2016.pdf"
         ],
         "synonyms": [
           "C-Major",
           "Transparent Tribe",
-          "Mythic Leopard"
+          "Mythic Leopard",
+          "ProjectM",
+          "APT36",
+          "APT 36",
+          "TMP.Lapis"
         ]
       },
       "related": [
@@ -5756,7 +5764,9 @@
       "description": "In March 2017, the 360 Chasing Team found a sample of targeted attacks that confirmed the previously unknown sample of APT's attack actions, which the organization can now trace back at least in April 2016. The chasing team named the attack organization APT-C-35. In June 2017, the 360 Threat Intelligence Center discovered the organization’s new attack activity, confirmed and exposed the gang’s targeted attacks against Pakistan, and analyzed in detail. The unique EHDevel malicious code framework used by the organization",
       "meta": {
         "refs": [
-          "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/"
+          "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/",
+          "https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia",
+          "https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/"
         ],
         "synonyms": [
           "DoNot Team"
@@ -6657,5 +6667,5 @@
       "value": "Operation ShadowHammer"
     }
   ],
-  "version": 105
+  "version": 107
 }

clusters/tool.json

@@ -7620,7 +7620,17 @@
       ],
       "uuid": "e1ca79eb-5629-4267-bb37-3992c7126ef4",
       "value": "EVILNUM"
+    },
+    {
+      "description": "Brushaloader also leverages a combination of VBScript and PowerShell to create a Remote Access Trojan (RAT) that allows persistent command execution on infected systems.",
+      "meta": {
+        "refs": [
+          "https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html"
+        ]
+      },
+      "uuid": "e1ca79ea-5628-4266-bb36-3892c7126ef4",
+      "value": "Brushaloader"
     }
   ],
-  "version": 115
+  "version": 116
 }