From 510347c730d2a9cece326789fdf4925750191288 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 21 Mar 2018 08:29:41 +0100
Subject: [PATCH] add gamut botnet

---
 clusters/tool.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index ee6d68a..6cb8b68 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -10,7 +10,7 @@
 ],
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
- "version": 56,
+ "version": 57,
 "values": [
 {
 "meta": {
@@ -3854,6 +3854,17 @@
 ]
 },
 "uuid": "73cb7ecc-25e3-11e8-a97b-c35ec4e7dcf8"
+ },
+ {
+ "value": "Gamut Botnet",
+ "description": "Gamut was found to be downloaded by a Trojan Downloader that arrives as an attachment from a spam email message. The bot installation is quite simple. After the malware binary has been downloaded, it launches itself from its current directory, usually the Windows %Temp% folder and installs itself as a Windows service.\nThe malware utilizes an anti-VM (virtual machine) trick and terminates itself if it detects that it is running in a virtual machine environment. The bot uses INT 03h trap sporadically in its code, an anti-debugging technique which prevents its code from running within a debugger environment. It can also determine if it is being debugged by using the Kernel32 API - IsDebuggerPresent function.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/necurs-and-gamut-botnets-account-for-97-percent-of-the-internets-spam-emails/",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/Gamut-Spambot-Analysis/"
+ ]
+ },
+ "uuid": "492879ac-285b-11e8-a06e-33f548e66e42"
 }
 ]
 }
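Review bot: The new cluster entry in the second hunk is only findable under `"value": "Gamut Botnet"`, while the cited Trustwave reference is titled "Gamut-Spambot-Analysis" and the BleepingComputer article names it "Gamut"; if the other entries in this file carry a `meta.synonyms` array (the usual galaxy convention, not visible in this hunk), add `"synonyms": ["Gamut", "Gamut Spambot"]` next to `refs` so correlation on either spelling resolves to this entry. The description reads as a verbatim multi-sentence excerpt rather than a summary; consider trimming it to the delivery vector and the anti-VM/anti-debug behaviour in one or two sentences and leaving the detail to the refs. The enclosing `values` array opens outside the hunk, so the entry's position relative to its siblings cannot be checked here.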