From 12e0af9fa2d6264cdcb7d70f2add6843b9968962 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 8 Dec 2017 15:45:44 +0100
Subject: [PATCH 1/2] add malware/ransomwares
---
clusters/ransomware.json | 32 +++++++++++++++++++++++++++++++-
clusters/tool.json | 12 +++++++++++-
2 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 3aa2a4a..8423b01 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -8634,12 +8634,42 @@
 ".fucku"
 ]
 }
+ },
+ {
+ "value": "qkG",
+ "description": "Security researchers have discovered a new ransomware strain named qkG that targets only Office documents for encryption and infects the Word default document template to propagate to new Word documents opened through the same Office suite on the same computer.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/qkg-ransomware-encrypts-only-word-documents-hides-and-spreads-via-macros/"
+ ]
+ }
+ },
+ {
+ "value": "Scarab",
+ "description": "The Scarab ransomware is a relatively new ransomware strain that was first spotted by security researcher Michael Gillespie in June this year.\nWritten in Delphi, the first version was simplistic and was recognizable via the \".scarab\" extension it appended after the names of encrypted files.\nMalwarebytes researcher Marcelo Rivera spotted a second version in July that used the \".scorpio\" extension. The version spotted with the Necurs spam today has reverted back to using the .scarab extension.\nThe current version of Scarab encrypts files but does not change original file names as previous versions. 
This Scarab version appends each file's name with the \".[suupport@protonmail.com].scarab\" extension.\nScarab also deletes shadow volume copies and drops a ransom note named \"IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT\" on users' computers, which it opens immediately.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/",
+ "https://labsblog.f-secure.com/2017/11/23/necurs-business-is-booming-in-a-new-partnership-with-scarab-ransomware/",
+ "https://blogs.forcepoint.com/security-labs/massive-email-campaign-spreads-scarab-ransomware",
+ "https://twitter.com/malwrhunterteam/status/933643147766321152",
+ "https://myonlinesecurity.co.uk/necurs-botnet-malspam-delivering-a-new-ransomware-via-fake-scanner-copier-messages/"
+ ],
+ "extensions": [
+ ".scarab",
+ ".scorpio",
+ ".[suupport@protonmail.com].scarab"
+ ],
+ "ransomnotes":[
+ "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"
+ ]
+ }
 }
 ],
 "source": "Various",
 "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
 "name": "Ransomware",
- "version": 4,
+ "version": 5,
 "type": "ransomware",
 "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index 8365ee8..a606f95 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -10,7 +10,7 @@
 ],
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
- "version": 38,
+ "version": 39,
 "values": [
 {
 "meta": {
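Review bot: The Scarab description keeps the source article's relative dates — `first spotted by security researcher Michael Gillespie in June this year` and `The version spotted with the Necurs spam today` — which lose their meaning in a galaxy record read months or years later; pin them to absolute dates, e.g. `in June 2017` and `in November 2017` (the f-secure reference in `refs` is dated 2017/11/23). For consistency with the Scarab entry, the qkG entry could carry a `ransomnotes` array if the referenced write-up gives a note filename; an `extensions` array may genuinely not apply, since the qkG description mentions no file extension. The `.[suupport@protonmail.com].scarab` extension embeds a contact address that is a useful pivot, and the doubled `u` in `suupport` appears consistently in the description and the extensions list, presumably verbatim from the sample — a short remark in the description that the spelling is as observed would stop a later cleanup from "correcting" it.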
@@ -3083,6 +3083,16 @@
 "HSDFSDCrypt"
 ]
 }
+ },
+ {
+ "value": "wp-vcd",
+ "description": "WordPress site owners should be on the lookout for a malware strain tracked as wp-vcd that hides in legitimate WordPress files and that is used to add a secret admin user and grant attackers control over infected sites.\nThe malware was first spotted online over the summer by Italian security researcher Manuel D'Orso.\nThe initial version of this threat was loaded via an include call for the wp-vcd.php file —hence the malware's name— and injected malicious code into WordPress core files such as functions.php and class.wp.php. This was not a massive campaign, but attacks continued throughout the recent months.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/wp-vcd-wordpress-malware-campaign-is-back/",
+ "https://www.bleepingcomputer.com/news/security/wp-vcd-wordpress-malware-spreads-via-nulled-wordpress-themes/"
+ ]
+ }
 }
 ]
 }
From 16398ed750b166f8ce92862ad4f0512a49b0d0b0 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 8 Dec 2017 15:48:59 +0100
Subject: [PATCH 2/2] jq
---
clusters/ransomware.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 8423b01..7b2cdea 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -8660,7 +8660,7 @@
 ".scorpio",
 ".[suupport@protonmail.com].scarab"
 ],
- "ransomnotes":[
+ "ransomnotes": [
 "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"
 ]
 }
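Review bot: The wp-vcd description also carries relative time — `first spotted online over the summer` and `throughout the recent months` — which should be pinned to a year (the patch is dated December 2017, so presumably summer 2017; confirm against the references) so the record stays interpretable. The second reference's title says the malware spreads via nulled (pirated) WordPress themes, yet the description only covers the initial `wp-vcd.php` include-based version; one added sentence such as `Later campaigns bundle wp-vcd inside nulled/pirated WordPress themes (see second reference).` gives analysts the actual infection path to hunt for. The detection artefacts named here — the `wp-vcd.php` file, the secret admin user, and injected code in `functions.php` / `class.wp.php` — are given as bare filenames; if the write-ups give the full paths under the WordPress install, stating them would make the entry directly usable for file-integrity checks. Minor style: the unspaced em dashes in `file —hence the malware's name— and` read oddly; `file — hence the malware's name — and` is the conventional form.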