Merge pull request #182 from Delta-Sierra/master

Add hajime botnet + update cryptomix (new variant)
2018-04-05 10:53:24 +02:00 · 2018-04-05 10:53:24 +02:00 · 3c33e1c8a3
parent a78972e0ac a0e8e45321
commit 3c33e1c8a3
2 changed files with 21 additions and 6 deletions
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@ -45,7 +45,7 @@
    },
    {
      "value": "Torpig",
-      "description": "Torpig, also known as Anserin or Sinowal is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks.",
+      "description": "Torpig, also known as Anserin or Sinowal is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data hajimeon the computer, and can perform man-in-the-browser attacks.",
      "meta": {
        "refs": [
          "https://en.wikipedia.org/wiki/Torpig"
@ -529,6 +529,18 @@
        "date": "April 2017"
      },
      "uuid": "3d7c771b-b175-41c9-8ba1-904ef29715fa"
+    },
+    {
+      "value": "Hajime",
+      "description": "Hajime (meaning ‘beginning’ in Japanese) is an IoT worm that was first mentioned on 16 October 2016 in a public report by RapidityNetworks. One month later we saw the first samples being uploaded from Spain to VT. This worm builds a huge P2P botnet (almost 300,000 devices at the time of publishing this blogpost), but its real purpose remains unknown.\nIt is worth mentioning that in the past, the Hajime IoT botnet was never used for massive DDoS attacks, and its existance was a mystery for many researchers, as the botnet only gathered infected devices but almost never did anything with them (except scan for other vulnerable devices).",
+      "meta": {
+        "refs": [
+          "https://www.bleepingcomputer.com/news/security/hajime-botnet-makes-a-comeback-with-massive-scan-for-mikrotik-routers/",
+          "https://en.wikipedia.org/wiki/Hajime_(malware)",
+          "https://securelist.com/hajime-the-mysterious-evolving-botnet/78160/"
+        ]
+      },
+      "uuid": "383fd414-3805-11e8-ac12-c7b5af38ff67"
    }
  ],
  "name": "Botnet",
@ -539,5 +551,5 @@
  ],
  "description": "botnet galaxy",
  "uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f",
-  "version": 1
+  "version": 2
 }
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@ -5300,7 +5300,8 @@
          ".XZZX",
          ".TEST",
          ".WORK",
-          ".SYSTEM"
+          ".SYSTEM",
+          ".MOLE66"
        ],
        "ransomnotes": [
          "HELP_YOUR_FILES.html (CryptXXX)",
@ -5314,7 +5315,8 @@
          "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nxzzx@tuta.io\n\nxzzx1@protonmail.com\n\nxzzx10@yandex.com\n\nxzzx101@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id] number",
          "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ntest757@tuta.io\n\ntest757@protonmail.com\n\ntest757xz@yandex.com\n\ntest757xy@yandex.com\n\ntest757@consultant.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number",
          "Attention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nworknow@keemail.me\n\nworknow@protonmail.com\n\nworknow8@yandex.com\n\nworknow9@yandex.com\n\nworknow@techie.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number",
-          "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nsystemwall@keemail.me\n\nsystemwall@protonmail.com\n\nsystemwall@yandex.com\n\nsystemwall1@yandex.com\n\nemily.w@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-%s number"
+          "Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nsystemwall@keemail.me\n\nsystemwall@protonmail.com\n\nsystemwall@yandex.com\n\nsystemwall1@yandex.com\n\nemily.w@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-%s number",
+          "!!!All your files are encrypted!!!\nWhat to decipher write on mail alpha2018a@aol.com\nDo not move or delete files!!!!\n---- Your ID: 5338f74a-3c20-4ac0-9deb-f3a91818cea7 ----\n!!! You have 3 days otherwise you will lose all your data.!!!"
        ],
        "refs": [
          "http://www.nyxbone.com/malware/CryptoMix.html",
@ -5325,7 +5327,8 @@
          "https://www.bleepingcomputer.com/news/security/xzzx-cryptomix-ransomware-variant-released/",
          "https://www.bleepingcomputer.com/news/security/test-cryptomix-ransomware-variant-released/",
          "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/",
-          "https://www.bleepingcomputer.com/news/security/system-cryptomix-ransomware-variant-released/"
+          "https://www.bleepingcomputer.com/news/security/system-cryptomix-ransomware-variant-released/",
+          "https://www.bleepingcomputer.com/news/security/mole66-cryptomix-ransomware-variant-released/"
        ]
      },
      "uuid": "c76110ea-15f1-4adf-a28d-c707374dbb3a"
@ -9367,7 +9370,7 @@
  "source": "Various",
  "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
  "name": "Ransomware",
-  "version": 8,
+  "version": 9,
  "type": "ransomware",
  "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
 }