pull/92/head
Deborah Servili 2017-09-29 17:02:12 +02:00
parent b33014e0dd
commit 4f73184818
1 changed files with 8 additions and 9 deletions


@ -529,8 +529,7 @@
"meta": {
"refs": [
"http://adzok.com/"
],
"synonyms":
]
},
"description": "Remote Administrator",
"value": "Adzok"
@ -826,7 +825,7 @@
"http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/",
"https://www.cyber.nj.gov/threat-profiles/trojan-variants/lost-door-rat"
],
"synonyms":[
"synonyms": [
"LostDoor"
]
},
@ -1411,7 +1410,7 @@
}
},
{
"value": "VorteX",
"value": "VorteX"
},
{
"value": "Archelaus Beta",
@ -1615,7 +1614,7 @@
}
},
{
"value": "Rottie3",
"value": "Rottie3",
"meta": {
"refs": [
"https://www.youtube.com/watch?v=jUg5--68Iqs"
@ -1623,7 +1622,7 @@
}
},
{
"value": "Killer RAT",
"value": "Killer RAT"
},
{
"value": "Hi-Zor",
@ -1646,7 +1645,7 @@
}
},
{
"value": "Heseber",
"value": "Heseber"
},
{
"description": "Cardinal is a remote access trojan (RAT) discovered by Palo Alto Networks in 2017 and has been active for over two years. It is delivered via a downloader, known as Carp, and uses malicious macros in Microsoft Excel documents to compile embedded C# programming language source code into an executable that runs and deploys the Cardinal RAT. The malicious Excel files use different tactics to get the victims to execute it. ",
@ -1733,7 +1732,7 @@
}
},
{
"description": "ROKRAT is a remote access trojan (RAT) that leverages a malicious Hangual Word Processor (HWP) document sent in spearphishing emails to infect hosts. The HWP document contains an embedded Encapsulated PostScript (EPS) object. The object exploits an EPS buffer overflow vulnerability and downloads a binary disguised as a .JPG file. The file is then decoded and the ROKRAT executable is initiated. The trojan uses legitimate Twitter, Yandex, and Mediafire websites for its command and control communications and exfiltration platforms, making them difficult to block globally. Additionally, the platforms use HTTPS connections, making it more difficult to gather additional data on its activities. Cisco's Talos Group identified two email campaigns. In one, attackers send potential victims emails from an email server of a private university in Seoul, South Korea with a sender email address of \"kgf2016@yonsei.ac.kr,\" the contact email for the Korea Global Forum, adding a sense of legitimacy to the email. It is likely that the email address was compromised and used by the attackers in this campaign. The second is less sophisticated and sends emails claiming to be from a free Korean mail service with a the subject line, "Request Help" and attached malicious HWP filename, "I'm a munchon person in Gangwon-do, North Korea." The ROKRAT developer uses several techniques to hinder analysis, including identifying tools usually used by malware analysts or within sandbox environments. Once it has infected a device, this trojan can execute commands, move a file, remove a file, kill a process, download and execute a file, upload documents, capture screenshots, and log keystrokes. Researchers believe the developer is a native Korean speaker and the campaign is currently targeting Korean-speakers.",
"description": "ROKRAT is a remote access trojan (RAT) that leverages a malicious Hangual Word Processor (HWP) document sent in spearphishing emails to infect hosts. The HWP document contains an embedded Encapsulated PostScript (EPS) object. The object exploits an EPS buffer overflow vulnerability and downloads a binary disguised as a .JPG file. The file is then decoded and the ROKRAT executable is initiated. The trojan uses legitimate Twitter, Yandex, and Mediafire websites for its command and control communications and exfiltration platforms, making them difficult to block globally. Additionally, the platforms use HTTPS connections, making it more difficult to gather additional data on its activities. Cisco's Talos Group identified two email campaigns. In one, attackers send potential victims emails from an email server of a private university in Seoul, South Korea with a sender email address of \"kgf2016@yonsei.ac.kr,\" the contact email for the Korea Global Forum, adding a sense of legitimacy to the email. It is likely that the email address was compromised and used by the attackers in this campaign. The second is less sophisticated and sends emails claiming to be from a free Korean mail service with a the subject line, \"Request Help\" and attached malicious HWP filename, \"I'm a munchon person in Gangwon-do, North Korea.\" The ROKRAT developer uses several techniques to hinder analysis, including identifying tools usually used by malware analysts or within sandbox environments. Once it has infected a device, this trojan can execute commands, move a file, remove a file, kill a process, download and execute a file, upload documents, capture screenshots, and log keystrokes. Researchers believe the developer is a native Korean speaker and the campaign is currently targeting Korean-speakers.",
"value": "rokrat",
"meta": {
"refs": [
@ -1845,7 +1844,7 @@
}
},
{
"value": "PowerRAT",
"value": "PowerRAT"
},
{
"description": "MacSpy is advertised as the \"most sophisticated Mac spyware ever\", with the low starting price of free. While the idea of malware-as-a-service (MaaS) isnt a new one with players such as Tox and Shark the game, it can be said that MacSpy is one of the first seen for the OS X platform.",
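Review bot: The first hunk (-529,8 +529,7) still looks syntactically broken on the new side: `"synonyms":` is followed by a bare `]` with no opening `[` visible on either side, so unless the rendered view dropped a character, this entry will still fail a strict parser even though the other seven hunks (the `"synonyms":[` spacing, the trailing commas after `"VorteX"`, `"Killer RAT"`, `"Heseber"`, `"PowerRAT"`, and the unescaped quotes in the rokrat description) are now valid. Since this is a hand-edited cluster file that downstream MISP instances load verbatim, I would confirm the final text is `"synonyms": []` and run the whole file through `python -m json.tool` or `jq .` before merge; a CI or pre-commit validation step would stop this class of breakage from recurring. The hunk at -1615 shows the `"Rottie3"` line unchanged, so that change is presumably whitespace-only and may be hiding an indentation inconsistency. Two wording issues remain in the rokrat description that the escaping fix did not touch: "Hangual Word Processor" should read "Hangul Word Processor", and "with a the subject line" has a duplicated article.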