Merge https://github.com/MISP/misp-galaxy

2017-02-09 08:48:40 +01:00 · 2017-02-09 08:48:40 +01:00 · 50a3576cf3
parent 8817d4869d f3f5b3b3ac
commit 50a3576cf3
2 changed files with 35 additions and 15 deletions
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@ -10,7 +10,7 @@
       "synonyms": [
          "Stegano EK"
        ],
-		"status": "Active"
+		"status": "Unknown - Last Seen 2016-12-07"
       }
    }
 ,
@ -52,7 +52,7 @@
          "RIG-E"
        ]
 	   ,
-		"status": "Active"
+		"status": "Unknown - Last seen: 2016-12-29"
       }
    }
 ,
@ -140,7 +140,8 @@
       "synonyms": [
          "RIG 3",
 		  "RIG-v",
-		  "RIG 4"
+		  "RIG 4",
+		  "Meadgive"
        ],
 		"status": "Active"
       }
@ -211,7 +212,8 @@
        ],
       "synonyms": [
          "XXX",
-          "AEK"
+          "AEK",
+          "Axpergle"
        ],
 		"status": "Retired - Last seen: 2016-06-07"
       }
@ -281,7 +283,8 @@
          "http://www.kahusecurity.com/2011/neosploit-is-back/"
        ],
       "synonyms": [
-          "NeoSploit"
+          "NeoSploit",
+          "Fiexp"
        ]
 		,
 		"status": "Retired - Last Seen: beginning of 2015-07"
@ -409,7 +412,8 @@
       "synonyms": [
          "NEK",
          "Nuclear Pack",
-		  "Spartan"
+		  "Spartan",
+		  "Neclu"
        ]		,
 		"status": "Retired - Last seen: 2015-04-30"
       }
@ -472,7 +476,8 @@
          "http://malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html"
        ],
       "synonyms": [
-          "SWO"
+          "SWO",
+          "Anogre"
        ],
 		"status": "Retired - Last seen: 2015-04-05"
       }
@ -501,7 +506,7 @@
       }
    }
 ],
-  "version": 2,
+  "version": 3,
  "uuid": "454f4e78-bd7c-11e6-a4a6-cec0c932ce01",
  "description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years",
  "authors": [
--- a/clusters/tool.json
+++ b/clusters/tool.json
@ -1274,9 +1274,24 @@
       "meta": {
         "refs": ["http://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/"]
       }
+    },
+    {
+       "value": "Flokibot",
+       "description": "Floki Bot, described recently by Dr. Peter Stephenson from SC Magazine, is yet another bot based on the leaked Zeus code. However, the author came up with various custom modifications that makes it more interesting.",
+       "meta": {
+        "refs": ["https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/", "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/"],
+        "synonyms": ["Floki Bot"]
+       }
+    },
+    {
+       "value": "ZeroT",
+       "description": "Most recently, we have observed the same group targeting military and aerospace interests in Russia and Belarus. Since the summer of 2016, this group began using a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT) and added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails.",
+       "meta": {
+        "refs": ["https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"]
+       }
    }
  ],
-  "version": 16,
+  "version": 18,
  "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
  "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
  "author": [