add notpetya and update jadeRAT

2018-09-19 15:06:43 +02:00 · 2018-09-19 15:06:43 +02:00 · 3f22dbd17d
parent 058f778e61
commit 3f22dbd17d
2 changed files with 44 additions and 4 deletions
--- a/clusters/rat.json
+++ b/clusters/rat.json
@ -20,10 +20,20 @@
      "value": "TeamViewer"
    },
    {
-      "description": "JadeRAT is just one example of numerous mobile surveillanceware families we've seen in recent months, indicating that actors are continuing to incorporate mobile tools in their attack chains.",
+      "description": "JadeRAT is just one example of numerous mobile surveillanceware families we've seen in recent months, indicating that actors are continuing to incorporate mobile tools in their attack chains. Threat actor, using a tool called JadeRAT, targets the mobile phones of ethnic minorities in China, notably Uighurs, for the purpose of espionage.   ",
      "meta": {
        "refs": [
-          "https://blog.lookout.com/mobile-threat-jaderat"
+          "https://blog.lookout.com/mobile-threat-jaderat",
+          "https://www.cfr.org/interactive/cyber-operations/jaderat"
+        ],
+        "cfr-suspected-victims": [
+          "Ethnic minorities in China"
+        ],
+        "cfr-suspected-state-sponsor": "China",
+        "cfr-type-of-incident": "Espionage",
+        "cfr-target-category": [
+          "Government",
+          "Civil society"
        ]
      },
      "uuid": "1cc8963b-5ad4-4e19-8e9a-57b0ff1ef926",
@ -2914,5 +2924,5 @@
      "value": "Hallaj PRO RAT"
    }
  ],
-  "version": 14
+  "version": 15
 }
--- a/clusters/tool.json
+++ b/clusters/tool.json
@ -5747,13 +5747,43 @@
    },
    {
      "value": "MagentoCore Malware",
-      "description":"A Dutch security researcher has lifted the veil on a massive website hacking campaign that has infected 7,339 Magento stores with a script that collects payment card data from people shopping on the sites.\nThe script is what industry experts call a \"payment card scraper\" or \"skimmer.\" Hackers breach sites and modify their source code to load the script along with its legitimate files.\nThe script usually loads on store checkout pages and secretly records payment card details entered in payment forms, data that it later sends to a server under the hacker's control.",
+      "description": "A Dutch security researcher has lifted the veil on a massive website hacking campaign that has infected 7,339 Magento stores with a script that collects payment card data from people shopping on the sites.\nThe script is what industry experts call a \"payment card scraper\" or \"skimmer.\" Hackers breach sites and modify their source code to load the script along with its legitimate files.\nThe script usually loads on store checkout pages and secretly records payment card details entered in payment forms, data that it later sends to a server under the hacker's control.",
      "meta": {
        "refs": [
          "https://www.bleepingcomputer.com/news/security/magentocore-malware-found-on-7-339-magento-stores/"
        ]
      },
      "uuid": "df05f528-bb57-11e8-9fd4-8320e14151f2"
+    },
+    {
+      "value": "NotPetya",
+      "description": "Threat actors deploy a tool, called NotPetya, with the purpose of encrypting data on victims' machines and rendering it unusable. The malware was spread through tax software that companies and individuals require for filing taxes in Ukraine. Australia, Estonia, Denmark, Lithuania, Ukraine, the United Kingdom, and the United States issued statements attributing NotPetya to Russian state-sponsored actors. In June 2018, the United States sanctioned Russian organizations believed to have assisted the Russian state-sponsored actors with the operation.",
+      "meta": {
+        "refs": [
+          "https://www.cfr.org/interactive/cyber-operations/notpetya"
+        ],
+        "synonyms": [
+          "Not Petya"
+        ],
+        "cfr-suspected-victims": [
+          "Rosneft",
+          "Cie de Saint-Gobain",
+          "Mondelez",
+          "The government of Ukraine",
+          "WPP Plc.",
+          "SNCF",
+          "Port of Rosario",
+          "Maersk",
+          "Merck",
+          "Kyivenergo"
+        ],
+        "cfr-suspected-state-sponsor": "Russian Federation",
+        "cfr-type-of-incident": "Data destruction",
+        "cfr-target-category": [
+          "Government",
+          "Private sector"
+        ]
+      }
    }
  ],
  "version": 88