From 78c1f073590c4ae1822c8508f62934ffb215fab2 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 27 Sep 2018 15:42:20 +0200
Subject: [PATCH 1/3] new ransomware and relations
---
 clusters/exploit-kit.json | 14 ++++++++++++--
 clusters/ransomware.json | 27 +++++++++++++++++++++++++--
 2 files changed, 37 insertions(+), 4 deletions(-)
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index c0cc872..78b25e0 100644
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -44,13 +44,23 @@
 "description": "Fallout Exploit Kit appeared at the end of August 2018 as an updated Nuclear Pack featuring current exploits seen in competiting Exploit Kit.",
 "meta": {
 "refs": [
- "https://www.nao-sec.org/2018/09/hello-fallout-exploit-kit.html"
+ "https://www.nao-sec.org/2018/09/hello-fallout-exploit-kit.html",
+ "https://www.bleepingcomputer.com/news/security/new-fallout-exploit-kit-drops-gandcrab-ransomware-or-redirects-to-pups/"
 ],
 "status": "Active",
 "synonyms": [
 "Fallout"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "5920464b-e093-4fa0-a275-438dffef228f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "dropped"
+ }
+ ],
 "uuid": "1f05f646-5af6-4a95-825b-164f49616aa4",
 "value": "Fallout"
 },
@@ -734,5 +744,5 @@
 "value": "Unknown"
 }
 ],
- "version": 9
+ "version": 10
 }
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 764a72e..a8e0011 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -9606,9 +9606,19 @@
 "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/",
 "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/",
 "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes/",
- "https://www.bleepingcomputer.com/news/security/gandcrab-version-3-released-with-autorun-feature-and-desktop-background/"
+ "https://www.bleepingcomputer.com/news/security/gandcrab-version-3-released-with-autorun-feature-and-desktop-background/",
+ "https://www.bleepingcomputer.com/news/security/new-fallout-exploit-kit-drops-gandcrab-ransomware-or-redirects-to-pups/"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1f05f646-5af6-4a95-825b-164f49616aa4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "dropped-by"
+ }
+ ],
 "uuid": "5920464b-e093-4fa0-a275-438dffef228f",
 "value": "GandCrab"
 },
@@ -10558,7 +10568,20 @@
 {
 "value": "Crypt0saur",
 "uuid": "32406292-b738-11e8-ab97-1f674b130624"
+ },
+ {
+ "value": "Mongo Lock",
+ "description": "An attack called Mongo Lock is targeting remotely accessible and unprotected MongoDB databases, wiping them, and then demanding a ransom in order to get the contents back. While this new campaign is using a name to identify itself, these types of attacks are not new and MongoDB databases have been targeted for a while now. These hijacks work by attackers scanning the Internet or using services such as Shodan.io to search for unprotected MongoDB servers. Once connected, the attackers may export the databases, delete them, and then create a ransom note explaining how to get the databases back.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/mongo-lock-attack-ransoming-deleted-mongodb-databases/"
+ ],
+ "ransomnotes": [
+ "Your database was encrypted by 'Mongo Lock'. if you want to decrypt your database, need to be pay us 0.1 BTC (Bitcoins), also don't delete 'Unique_KEY' and save it to safe place, without that we cannot help you. Send email to us: mongodb@8chan.co for decryption service."
+ ]
+ },
+ "uuid": "2aa481fe-c254-11e8-ad1c-efee78419960"
 }
 ],
- "version": 33
+ "version": 34
 }
From fbf21487cf49281c1815bbfece5ff65429555704 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 28 Sep 2018 11:08:21 +0200
Subject: [PATCH 2/3] new clusters and informtion
---
 clusters/ransomware.json | 3 ++-
 clusters/threat-actor.json | 5 +++--
 clusters/tool.json | 13 +++++++++++++
 3 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index a8e0011..c3ba744 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
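Review bot: The new Mongo Lock entry's `"description"` says the databases are wiped or deleted, while the quoted `"ransomnotes"` text claims the database "was encrypted" and offers a "decryption service"; as written, a consumer reading only the note would classify this as file-encrypting ransomware, which the description itself contradicts. Make the discrepancy explicit in the entry rather than leaving it for the reader to notice, e.g. append to `"description"`: `The ransom note claims the data was encrypted, but the attack as described deletes the databases, so the note's claim of a decryption service should not be taken as evidence that the data is recoverable.` The rest of the entry (refs, uuid, version bump) is consistent with the other additions in this series.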
@@ -9600,7 +9600,8 @@ "---= GANDCRAB =---\n\nAttention!\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB \nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.\nThe server with your key is in a closed network TOR. You can get there by the following ways:\n1. Download Tor browser - https://www.torproject.org/\n2. Install Tor browser\n3. Open Tor Browser\n4. Open link in tor browser:http://gdcbghvjyqy7jclk.onion/[id]\n5. Follow the instructions on this page\n\nIf Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser:\n1. http://gdcbghvjyqy7jclk.onion.top/[id]\n2. http://gdcbghvjyqy7jclk.onion.casa/[id]\n3. http://gdcbghvjyqy7jclk.onion.guide/[id]\n4. http://gdcbghvjyqy7jclk.onion.rip/[id]\n5. http://gdcbghvjyqy7jclk.onion.plus/[id]\n\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.\n\nDANGEROUS!\nDo not try to modify files or use your own private key - this will result in the loss of your data forever!", "---= GANDCRAB =---\nAttention!\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB\nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.\nThe server with your key is in a closed network TOR. You can get there by the following ways:\n1. Download Tor browser - https://www.torproject.org/\n2. Install Tor browser\n3. Open Tor Browser\n4. Open link in tor browser: http://gdcbmuveqjsli57x.onion/[id]\n5. Follow the instructions on this page\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.\nIf you can't download TOR and use it, or in your country TOR blocked, read it:\n1. Visit https://tox.chat/download.html\n2. 
Download and install qTOX on your PC.\n3. Open it, click \"New Profile\" and create profile.\n4. Search our contact - 6C5AD4057E594E090E0C987B3089F74335DA75F04B7403E0575663C26134956917D193B195A5\n5. In message please write your ID and wait our answer: 6361f798c4ba3647\nDANGEROUS!\nDo not try to modify files or use your own private key - this will result in the loss of your data forever!", "ENCRYPTED BY GANDCRAB 3\n\nDEAR [user_name],\n\nYOUR FILES ARE UNDER STRONG PROTECTION BY OUR SOFTWARE. IN ORDER TO RESTORE IT YOU MUST BUY DECRYPTOR\n\nFor further steps read CRAB-DECRYPT.txt that is located in every encrypted folder.", - " ---= GANDCRAB V3 =--- \n\nAttention! \n\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .CRAB \n\nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. \n\n\nThe server with your key is in a closed network TOR. You can get there by the following ways: \n\n0. Download Tor browser - https://www.torproject.org/ \n\n1. Install Tor browser \n\n2. Open Tor Browser \n\n3. Open link in TOR browser: http://gandcrab2pie73et.onion/[id] \n\n4. Follow the instructions on this page \n\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \n\n\nThe alternative way to contact us is to use Jabber messanger. Read how to:\n0. Download Psi-Plus Jabber Client: https://psi-im.org/download/\n1. Register new account: http://sj.ms/register.php\n0) Enter \"username\": [id]\n1) Enter \"password\": your password\n2. Add new account in Psi\n3. Add and write Jabber ID: ransomware@sj.ms any message\n4. Follow instruction bot \n\nATTENTION!\nIt is a bot! It's fully automated artificial system without human control!\nTo contact us use TOR links. We can provide you all required proofs of decryption availibility anytime. 
We are open to conversations.\nYou can read instructions how to install and use jabber here http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf \n\nCAUGHTION! \n\nDo not try to modify files or use your own private key. This will result in the loss of your data forever! " + " ---= GANDCRAB V3 =--- \n\nAttention! \n\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .CRAB \n\nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. \n\n\nThe server with your key is in a closed network TOR. You can get there by the following ways: \n\n0. Download Tor browser - https://www.torproject.org/ \n\n1. Install Tor browser \n\n2. Open Tor Browser \n\n3. Open link in TOR browser: http://gandcrab2pie73et.onion/[id] \n\n4. Follow the instructions on this page \n\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. \n\n\nThe alternative way to contact us is to use Jabber messanger. Read how to:\n0. Download Psi-Plus Jabber Client: https://psi-im.org/download/\n1. Register new account: http://sj.ms/register.php\n0) Enter \"username\": [id]\n1) Enter \"password\": your password\n2. Add new account in Psi\n3. Add and write Jabber ID: ransomware@sj.ms any message\n4. Follow instruction bot \n\nATTENTION!\nIt is a bot! It's fully automated artificial system without human control!\nTo contact us use TOR links. We can provide you all required proofs of decryption availibility anytime. We are open to conversations.\nYou can read instructions how to install and use jabber here http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf \n\nCAUGHTION! \n\nDo not try to modify files or use your own private key. This will result in the loss of your data forever! 
", + "https://www.bleepstatic.com/images/news/security/f/fallout-exploit-kit/gandcrab-fallout.jpg" ], "refs": [ "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/", diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index caeb116..678d0dc 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -2062,7 +2062,8 @@ "http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/", "https://www.cfr.org/interactive/cyber-operations/apt-28", "https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/", - "https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/" + "https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/", + "https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/" ], "synonyms": [ "APT 28", @@ -5877,5 +5878,5 @@ "uuid": "6c79bd1a-bfde-11e8-8c33-db4d9968671a" } ], - "version": 65 + "version": 66 } diff --git a/clusters/tool.json b/clusters/tool.json index 8e86ba4..9637edc 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -4142,6 +4142,9 @@ ], "synonyms": [ "Dofoil" + ], + "synonyms": [ + "SmokeLoader" ] }, "related": [ 
@@ -5809,6 +5812,16 @@
 ]
 },
 "uuid": "10c981cc-4ef1-4719-8ed7-c5e4c2f6c7a3"
+ },
+ {
+ "value": "LoJax",
+ "description": "rootkit for the Unified Extensible Firmware Interface (UEFI). Used by APT28. The researchers named the rootkit LoJax, after the malicious samples of the LoJack anti-theft software that were discovered earlier this year.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/"
+ ]
+ },
+ "uuid": "https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/"
 }
 ],
 "version": 88
From 97581d71852834a27afae63935f4073b62b9de31 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 28 Sep 2018 11:20:38 +0200
Subject: [PATCH 3/3] jq
---
 clusters/tool.json | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 9637edc..7493a83 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -4140,9 +4140,6 @@
 "refs": [
 "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/"
 ],
- "synonyms": [
- "Dofoil"
- ],
 "synonyms": [
 "SmokeLoader"
 ]
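Review bot: The new LoJax entry's `"uuid"` is the BleepingComputer article URL instead of a UUID, so it breaks the identifier convention every other entry follows (compare `10c981cc-4ef1-4719-8ed7-c5e4c2f6c7a3` just above in the same hunk) and can never be the target of a `dest-uuid` link; replace it with a freshly generated value, `"uuid": "<newly-generated-uuid>"`. The description asserts the tool is "Used by APT28", yet unlike PATCH 1/3 no `related` entry is added in either direction, so the relationship exists only as prose; a `related` block in the same shape as the Fallout/GandCrab one, pointing at the APT28 cluster uuid (not visible in this series), would make it machine-readable. The description also starts lowercase (`"rootkit for ..."`) where sibling entries start with a capital, and tool.json's `"version": 88` is left as context here while every other cluster touched by the series bumps its version.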