MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

Updated botnet.json with new entries

pull/900/head
semelnyk 2023-11-27 22:49:36 +01:00
parent f8d9c86e36
commit 5403d70b69
1 changed files with 609 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

609
clusters/botnet.json
View File

@ -1422,6 +1422,615 @@
],
"uuid": "040f2e89-b8be-4150-9426-c30f75e858a2",
"value": "HinataBot"
},
{
"description": "3ve, pronounced as “Eve”, was a botnet that was halted in late 2018. 3ve utilized the malware packages Boaxxe and Kovter to infect a network of PCs. They were spread through emails and fake downloads, and once infected, the bots would generate fake clicks on online advertisements. The clicks would be used on fake websites, which hosted ads and then absorbed the ad revenue from the false impressions. Bots were able to mimic desktop and mobile traffic in order to evade detection, and went through several evolutions of tactics to grow over time. At its peak, the botnet controlled more than one million residential and corporate IP-addresses, largely within Europe and North America.",
"meta": {
"date": "2018",
"refs": [
"https://en.wikipedia.org/wiki/3ve"
]
},
"uuid": "43db3e92-8c98-11ee-b9d1-0242ac120002",
"value": "3ve"
},
{
"description": "7777-Botnet has been observed brute forcing Microsoft Azure instances via Microsoft Azure PowerShell bruteforcing. The botnet has a unique pattern of opening port 7777 on infected devices, returning an “xlogin:” message. The botnet has been used for low-volume attacks against targets of all industry sectors at a global scale, almost exclusively targeting C-Level employee logins. Due to the very low volume of around 23 login requests per week, the botnet is able to evade most security solutions. ",
"meta": {
"refs": [
"https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd"
]
},
"uuid": "9b3699d1-00bf-4f37-8e67-c4548b5c829a",
"value": "7777-Botnet"
},
{
"description": "Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called tasks) for all or specifically targeted computers compromised by the malware.",
"meta": {
"date": "October 2018",
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey"
]
},
"uuid": "063e95fc-8c98-11ee-b9d1-0242ac120002",
"value": "Amadey"
},
{
"description": "AndroidBauts botnet is a network of infected Android devices that are used for promoting advertisements to users online. At one point, the number of infected devices was more than 550,000. The creators of the AndroidBauts botnet are able to gather data regarding the compromised devices - both software and hardware.",
"meta": {
"refs": [
"https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/Steckbriefe/Bauts/AndroidBauts.html"
]
},
"uuid": "a9e34144-8c98-11ee-b9d1-0242ac120002",
"value": "AndroidBauts"
},
{
"description": "Andromeda botnet, also known as Gamarue or Wauchos, was first introduced to the public in 2011. During this time it was used to distribute large quantities of malware. According to Microsoft the Andromeda botnet was used to spread more than 80 malware families including ransomware, worms, and more. Andromeda is a modular malware, meaning additional components can be purchased to provide extra functionality.",
"meta": {
"date": "2011",
"refs": [
"https://blogs.blackberry.com/en/2020/05/threat-spotlight-andromeda",
"https://en.wikipedia.org/wiki/Andromeda_(trojan)"
],
"synonyms": [
"Gamarue",
"Wauchos"
]
},
"uuid": "520d2484-8c99-11ee-b9d1-0242ac120002",
"value": "Andromeda"
},
{
"description": "ArrkiiSDK is potentially unwanted application (PUA) for Android devices. Its functions include unauthorised user tracking, ad fraud and the silent installation of additional applications without the user's permission. ArrkiiSDK relies on the user actively installing an infected application, which is normally hidden within another software package that appears completely harmless.",
"meta": {
"refs": [
"https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html"
]
},
"uuid": "b3fdb226-8c99-11ee-b9d1-0242ac120002",
"value": "ArrkiiSDK"
},
{
"description": "Avalanche refers to a large global network hosting infrastructure used by cyber criminals to conduct phishing and malware distribution campaigns and money mule schemes. is a set of computer programs to conduct a DDoS attack. It is believed that trinoo networks have been set up on thousands of systems on the Internet that have been compromised by remote buffer overrun exploits. Cyber criminals utilized Avalanche botnet infrastructure to host and distribute a variety of malware variants to victims, including the targeting of over 40 major financial institutions. Victims may have had their sensitive personal information stolen (e.g., user account credentials). Victims compromised systems may also have been used to conduct other malicious activity, such as launching denial-of-service (DoS) attacks or distributing malware variants to other victims computers. In addition, Avalanche infrastructure was used to run money mule schemes where criminals recruited people to commit fraud involving transporting and laundering stolen money or merchandise. Avalanche used fast-flux DNS, a technique to hide the criminal servers, behind a constantly changing network of compromised systems acting as proxies.",
"meta": {
"refs": [
"https://www.cisa.gov/news-events/alerts/2016/12/01/avalanche-crimeware-service-infrastructure"
]
},
"uuid": "da635b2e-22f3-4374-8fca-67c4bd3cb978",
"value": "Avalanche"
},
{
"description": "Bayrob evolved from a backdoor trojan used for fraud into a cryptocurrency miner. Symantec discovered multiple versions of Bayrob malware, and witnessed Bayrob as it morphed from online fraud to a 300,000+ botnet for cryptocurrency mining.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/bayrob-malware-gang-had-elite-tactics-but-they-still-got-caught-anyway/",
"https://community.broadcom.com/symantecenterprise/viewdocument/bayrob-three-suspects-extradited-t?CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"
]
},
"uuid": "693e1ce8-8c9a-11ee-b9d1-0242ac120002",
"value": "Bayrob"
},
{
"description": "Bedep has been mostly observed in ad-fraud campaigns, although it can also generally load modules for different tasks. It was dropped by the Angler Exploit Kit.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.bedep"
]
},
"uuid": "b97f3868-8c9a-11ee-b9d1-0242ac120002",
"value": "Bedep"
},
{
"description": "Bolek is a malware from the Kbot/Carberp family. It is being subject to frequent updates and has malicious capabilities which include self-spreading through USB and network shares, TOR network access, screen captures and web injects, and uses asymmetric cryptography to secure network communications.",
"meta": {
"date": "May 2016",
"refs": [
"https://www.bitsight.com/blog/bolek-an-evolving-botnet-targets-poland-and-ukraine"
]
},
"related": [
{
"dest-uuid": "0cac5b2b-a06d-40c1-b192-159148dd0132",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b97f3868-8c9a-11ee-b9d1-0242ac120002",
"value": "Bolek"
},
{
"description": "The Carna botnet was a botnet of 420,000 devices created by an anonymous hacker to measure the extent of the Internet. The data was collected by infiltrating Internet devices, especially routers, that used a default password or no password at all.",
"meta": {
"date": "2012",
"refs": [
"https://en.wikipedia.org/wiki/Carna_botnet"
]
},
"uuid": "152cdb68-8ca3-11ee-b9d1-0242ac120002",
"value": "Carna"
},
{
"description": "Code Shikara is a computer worm, related to the Dorkbot family, that attacks through social engineering and capable of spying on users' browsing activities, meanwhile stealing their personal online/offline information and/or credentials.",
"meta": {
"date": "2011",
"refs": [
"https://en.wikipedia.org/wiki/Code_Shikara"
]
},
"related": [
{
"dest-uuid": "93e26758-6848-4e53-ae92-a4dc9804c2f2",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
}
],
"uuid": "8b21d8e6-8ca3-11ee-b9d1-0242ac120002",
"value": "Code Shikara"
},
{
"description": "DDoS-as-a-service botnet calling itself Condi. This malware employs several techniques to keep itself running in an infected system. At the same time, it also prevents infections from other botnets by attempting to terminate their processes. Typical to Mirai-based botnets, this malware cannot survive a system reboot.",
"meta": {
"date": "2023",
"refs": [
"https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389"
]
},
"uuid": "0913ea8c-8ca4-11ee-b9d1-0242ac120002",
"value": "Condi"
},
{
"description": "Cooee is a trojan pre-installed on some Phillips smartphones that displays annoying advertisements and downloads and installs different software without user knowledge.",
"meta": {
"date": "2016",
"refs": [
"https://news.softpedia.com/news/trojan-found-preinstalled-on-the-firmware-of-some-phillips-s307-android-smartphones-499177.shtml"
]
},
"uuid": "cbad44ed-b4d0-42c9-acfc-ee58ff85da99",
"value": "Cooee"
},
{
"description": "Coreflood is a trojan horse and botnet created by a group of Russian hackers and released in 2010. The FBI included on its list of infected systems approximately 17 state or local government agencies, including one police department; three airports; two defense contractors; five banks or financial institutions; approximately 30 colleges or universities; approximately 20 hospital or health care companies; and hundreds of businesses. It is present on more than 2.3 million computers worldwide and as of May 2011 remains a threat.",
"meta": {
"date": "2010",
"refs": [
"https://en.wikipedia.org/wiki/Coreflood"
]
},
"uuid": "4f24b1dd-01a0-43cf-a0bb-eb2d70f727c1",
"value": "Coreflood"
},
{
"description": "In 2021 Crackonosh has been found in 222,000 compromised computers that were used to download illegal, torrented versions of popular video games. Crackonosh successfully operated for years because it had built-in mechanisms to disable security software and updates, which made it difficult for users to detect and remove the program. The malware is thought to have originated in the Czech Republic, but it had a global reach.",
"meta": {
"date": "2010",
"refs": [
"https://finance.yahoo.com/news/monero-mining-malware-crackonosh-infected-192448133.html"
]
},
"uuid": "4ccad4ee-3bff-41ac-8d05-0d5acbaaefbe",
"value": "Crackonosh"
},
{
"description": "FluBot is a remote control and info stealer malware. It has abilities to read and send SMS message, delete app, and execute arbitrary commands. It is often distributed through SMS messages. PRODAFT describes FluBot as a banking malware which originally targeted Spain. Since the first quarter of 2021 it has been targeting many other European countries as well as Japan. It uses a DGA for it's C&C and relies on both DNS and DNS-over-HTTPS for name resolution. Despite arrests of multiple people suspected of involvement with this malware in March of 2021, the campaign has only intensified since.",
"meta": {
"date": "2021",
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.flubot"
],
"synonyms": [
"Cabassous",
"FakeChat"
]
},
"uuid": "4fc7daf0-c88f-4bbd-bf3c-7189ca1fdc69",
"value": "FluBot"
},
{
"description": "FritzFrog is a decentralized botnet that uses P2P protocols to distribute control over all of its nodes, thereby avoiding having one controller or single point of failure.",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/FritzFrog"
]
},
"uuid": "fc903c58-145a-4b68-98e6-3f496c5c1a19",
"value": "FritzFrog"
},
{
"description": "Gootkit is a trojan that steals confidential information and allows criminals to take control of infected systems remotely. Gootkit can also be used to install additional malware, such as Emotet. This botnet is a type of malware bot that may perform many malicious tasks, such as downloading and executing additional malware, receiving commands from a control server and relaying specific information and telemetry back to the control server, updating or deleting itself, stealing login and password information, logging keystrokes, participating in a Distributed Denial of Service (DDoS) attack, or locking and encrypting the contents of your computer and demanding payment for its safe return.",
"meta": {
"refs": [
"https://www.fortiguard.com/encyclopedia/botnet/7630462"
]
},
"uuid": "410685be-999d-472e-8fd9-15366b6031a1",
"value": "Gootkit"
},
{
"description": "The Great Cannon of China is an Internet attack tool that is used by the Chinese government to launch distributed denial-of-service attacks on websites by performing a man-in-the-middle attack on large amounts of web traffic and injecting code which causes the end-user's web browsers to flood traffic to targeted websites.[1] According to the researchers at the Citizen Lab, the International Computer Science Institute, and Princeton University's Center for Information Technology Policy, who coined the term, the Great Cannon hijacks foreign web traffic intended for Chinese websites and re-purposes them to flood targeted web servers with enormous amounts of traffic in an attempt to disrupt their operations.",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Great_Cannon"
]
},
"uuid": "b56c8516-1f1c-42f6-8b89-37d90f50eb35",
"value": "Great Cannon"
},
{
"description": "The Hail Mary Cloud was, or is, a password guessing botnet, which used a statistical equivalent to brute force password guessing. The botnet ran from possibly as early as 2005, and certainly from 2007 until 2012 and possibly later. The botnet was named and documented by Peter N. M. Hansteen. The principle is that a botnet can try several thousands of more likely passwords against thousands of hosts, rather than millions of passwords against one host. Since the attacks were widely distributed, the frequency on a given server was low and was unlikely to trigger alarms. Moreover, the attacks come from different members of the botnet, thus decreasing the effectiveness of both IP based detection and blocking.",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Hail_Mary_Cloud"
]
},
"uuid": "5ae51675-518d-4e16-b339-2b029f5055e0",
"value": "Hail Mary Cloud"
},
{
"description": "Joker is a trojan that is included in several unsuspecting apps that have been offered via the Google Play Store, among others. The malware silently interacts with ad networks to perform clicks on ad banners and subscribe to paid premium services. To do this, Joker is able to read SMS messages, contact lists and device information from the victim system. It collects data from infected systems, intercepts sensitive communications and transmits the information to a remote attacker.",
"meta": {
"refs": [
"https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/Steckbriefe/Joker/Joker.html"
]
},
"uuid": "879bbd30-4f89-4dcb-a225-ecfed25a552f",
"value": "Joker"
},
{
"description": "KBOT penetrates users computers via the Internet or a local network, or from infected external media. After the infected file is launched, the malware gains a foothold in the system, writing itself to Startup and the Task Scheduler, and then deploys web injects to try to steal the victims bank and personal data. For the same purpose, KBOT can download additional stealer modules that harvest and send to the C&C server almost full information about the user: passwords/logins, cryptowallet data, lists of files and installed applications, and so on.",
"meta": {
"refs": [
"https://securelist.com/kbot-sometimes-they-come-back/96157/",
"https://cofense.com/blog/bolek-leaked-carberp-kbot-source-code-complicit-new-phishing-campaigns/"
]
},
"uuid": "0cac5b2b-a06d-40c1-b192-159148dd0132",
"value": "KBOT"
},
{
"description": "Linux.Darlloz is a worm which infects Linux embedded systems. Linux.Darlloz was first discovered by Symantec in 2013.[3] Linux.Darlloz targets the Internet of things and infects routers, security cameras, set-top boxes by exploiting a PHP vulnerability. The worm was based on a Proof of concept code that was released in October 2013. inux.Darlloz utilizes vulnerability (CVE-2012-1823) to exploit systems in order to compromise systems. Linux.Darlloz was later found in March 2014 to have started mining crypto currencies such as Mincoin and Dogecoin. Linux.Aidra, the malware that Linux.Darlloz attempts usurp - like some of the variants of Darlloz, Linux.Aidra targets smaller devices, specifically cable and DSL modems. The worm adds them to a botnet, which can be utilized by the attackers to perform DDoS attacks.",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Linux.Darlloz",
"https://www.wired.com/2014/01/spime-watch-linux-darlloz-internet-things-worm/"
]
},
"uuid": "3bc577c9-2081-4d13-a77d-91497439e634",
"value": "Linux.Darlloz"
},
{
"description": "Marcher is a banking trojan for Android devices. Researchers at Dutch security firm Securify have conducted a detailed analysis of the Android banking Trojan known as Marcher and discovered that a single botnet has managed to steal a significant number of payment cards. Securify has identified nine Marcher botnets over the last 6 months, and each of them has been provided with new modules and targeted web injects by the Trojans creators.",
"meta": {
"refs": [
"https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html",
"https://www.securityweek.com/thousands-android-devices-infected-marcher-trojan/"
]
},
"uuid": "3bc577c9-2081-4d13-a77d-91497439e634",
"value": "Marcher"
},
{
"description": "Matsnu is a malware downloader. The malware downloaded may include the banking trojans Citadel and URLZone/Bebloh. Matsnu can also be expanded with additional functions using plug-ins. One of these plug-ins is designed to capture access data for e-mail accounts and FTP programs and pass this information to the operator of the malware.",
"meta": {
"refs": [
"https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html",
"https://threatpost.com/matsnu-botnet-dga-discovers-power-of-words/109426/"
]
},
"uuid": "f69bc11f-871b-49c6-a2d9-66ac6a4a8ea6",
"value": "Matsnu"
},
{
"description": "Methbot was an advertising fraud scheme. Methbot was first tracked in 2015 by cybersecurity firm White Ops, and the botnet saw rapidly increased activity in 2016. The botnet originated in Russia (though it was not state sponsored), and utilized foreign computers and networks in Europe and North America. The infrastructure consisted of 571,904 dedicated IPs, 6,000 domains, and 250,267 distinct URLs, each of which could only house a video ad, and used variants of the names of famous publishers to fool those looking into the domains. This led the operators to game the system, leading ad selection algorithms to select these fake web pages over larger corporate pages from legitimate companies, and charge advertisers at a premium. About 570,000 bots were used to execute clicks on those websites, “watching” up to 300 million video ads a day while the bots mimicked normal computer user behavior. Estimated clicks per day generally reached between 200 and 300 million per day. The botnet relied on data servers instead of more traditional botnets that rely on infected PCs and mobile devices.",
"meta": {
"date": "2015",
"refs": [
"https://en.wikipedia.org/wiki/Methbot"
]
},
"uuid": "24341069-4a99-4da7-b89c-230a788bb9d6",
"value": "Methbot"
},
{
"description": "The Metulji botnet, discovered in June 2011, is a botnet mainly involved in cyberscamming and denial of service attacks. Before the botnet itself was dismantled, it consisted of over 12 million individual zombie computers infected with the Butterfly Bot, making it, as of June 2011, the largest known botnet. It is not known what type of computers are vulnerable, or how to tell if a computer is a part of this botnet.",
"meta": {
"date": "2011",
"refs": [
"https://en.wikipedia.org/wiki/Metulji_botnet"
]
},
"uuid": "e3727560-aa99-47fb-8639-8bcf9c722168",
"value": "Metulji"
},
{
"description": "The Mevade Botnet, also known as Sefnit or SBC, is a massive botnet. Its operators are unknown and its motives seems to be multi-purpose. In late 2013 the Tor anonymity network saw a very sudden and significant increase in users, from 800,000 daily to more than 5,000,000. A botnet was suspected and fingers pointed at Mevade. Trend Micro reported that its Smart Protection Network saw a tor module being distributed to Mevade Trojans.",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Mevade_Botnet"
],
"synonyms": [
"Sefnit",
"SBC"
]
},
"uuid": "9531f3c0-edb4-4bc9-9b4a-5b55d482b235",
"value": "Mevade"
},
{
"description": "MobiDash is a piece of adware for Android devices. The user is shown advertisements without their consent. Mobidash can also make calls in the background.",
"meta": {
"refs": [
"https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html"
]
},
"uuid": "8b1df851-125e-41dc-b91d-96b7d78825ca",
"value": "MobiDash"
},
{
"description": "Mutabaha is a Trojan for Windows devices. Outfire, a Chromium-based browser, is downloaded and installed. This pretends to be the version of the Google Chrome browser. Mutabaha is able to drain data and manipulate advertisements. Mutabaha is downloaded and installed by another malware. As a rule, this dropper is removed after the malware has been installed, making it almost impossible to trace the infection.",
"meta": {
"refs": [
"https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html"
]
},
"uuid": "ee68d82a-c0c1-472a-a14b-127c4f811161",
"value": "Mutabaha"
},
{
"description": "MyDoom is a malicious program that opens a backdoor to the infected device. Through this backdoor the attacker can gain access to the system and carry out further actions. The attack possibilities are diverse and range from information theft to the reloading of additional malware. MyDoom adds infected computers to a botnet and then carries out distributed denial of service (DDoS) attacks. When the worm takes control over the victims OS, it then opens various ports and provides a backdoor to invite even more malware in.",
"meta": {
"refs": [
"https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html",
"https://nordvpn.com/blog/mydoom-virus/"
]
},
"uuid": "51f0388c-6984-40ac-9cbc-15c5f8685005",
"value": "MyDoom"
},
{
"description": "The Necurs botnet is a distributor of many pieces of malware, most notably Locky. Around June 1, 2016, the botnet went offline, perhaps due to a glitch in the command and control server running Necurs. However, three weeks later, Jon French from AppRiver discovered a spike in spam emails, signifying either a temporary spike in the botnet's activity or return to its normal pre-June 1 state. In a 2020 report, it was noted to have particularly targeted India, Southeast Asia, Turkey and Mexico.",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Necurs_botnet"
]
},
"uuid": "92e12541-a834-49e6-857e-d36847551a3c",
"value": "Necurs"
},
{
"description": "The Nitol botnet mostly involved in spreading malware and distributed denial-of-service attacks. The Nitol Botnet was first discovered around December 2012, with analysis of the botnet indicating that the botnet is mostly prevalent in China where an estimate 85% of the infections are detected. In China the botnet was found to be present on systems that came brand-new from the factory, indicating the trojan was installed somewhere during the assembly and manufacturing process. According to Microsoft the systems at risk also contained a counterfeit installation of Microsoft Windows. On 10 September 2012 Microsoft took action against the Nitol Botnet by obtaining a court order and subsequently sinkholing the 3322.org domain. The 3322.org domain is a Dynamic DNS which was used by the botnet creators as a command and control infrastructure for controlling their botnet. Microsoft later settled with 3322.org operator Pen Yong, which allowed the latter to continue operating the domain on the condition that any subdomains linked to malware remain sinkholed.",
"meta": {
"date": "2012",
"refs": [
"https://en.wikipedia.org/wiki/Nitol_botnet"
]
},
"uuid": "ff0e33a7-0c68-4c53-bfc2-8d22eca09748",
"value": "Nitol"
},
{
"description": "Nymaim was discovered in 2013. At that time it was only a dropper used to distribute TorrentLocker. In February 2016 it became popular again after incorporating leaked ISFB code, dubbed Goznym. When dropper obtains C&C address, it starts real communication. It downloads two important binaries and a lot more: payload banker module (responsible for web injects passive member of botnet); optional bot module (it is trying to open ports on a router and become an active part of a botnet. When it fails to do so, it removes itself from a system).",
"meta": {
"date": "2013",
"refs": [
"https://cert.pl/en/posts/2017/01/nymaim-revisited/"
]
},
"uuid": "629cae99-a671-4162-a080-b971de54d7a1",
"value": "Nymaim"
},
{
"description": "PBot is a P2P botnet derived from the Mirai source code. PBot performs MITB (man-in-the-browser) attacks and injects various scripts into legitimate websites. Its capabilities may go beyond simple injections of ads, depending on the intentions of its distributors.",
"meta": {
"refs": [
"https://www.malwarebytes.com/blog/news/2018/04/pbot-python-based-adware",
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.pbot",
"https://www.bitdefender.com/blog/businessinsights/ddos-attacks-increase-28-as-pbot-authors-use-decades-old-php-code/"
],
"synonyms": [
"PythonBot"
]
},
"uuid": "d7047c78-1ace-4e53-93c9-a867996914ef",
"value": "PBot"
},
{
"description": "Pirrit is a potentially unwanted application (PUA) for Windows and MacOS devices. It displays additional pop-ups and advertisements when the device is used. Pirrit downloads other malicious programs from a server and runs these programs; it can also manipulate system files.",
"meta": {
"refs": [
"https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html"
]
},
"uuid": "42fc0e31-60c0-4a7d-8ad8-1121bb65c629",
"value": "Pirrit"
},
{
"description": "Pitou is a trojan for Windows devices. Its functions are to steal passwords and collect various pieces of information about the mobile phone, such as its location and contacts.",
"meta": {
"refs": [
"https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html"
]
},
"uuid": "76ed7f49-6f18-4e86-a429-7aab82468ef6",
"value": "Pitou"
},
{
"description": "Prometei is a cryptocurrency-mining botnet. Despite their activities being visible in logs, some botnets successfully fly under detection teams' radar, possibly due to their small size or constant development on the adversary's part. Prometei is just one of these types of networks that focuses on Monero mining.",
"meta": {
"date": "2020",
"refs": [
"https://blog.talosintelligence.com/prometei-botnet-and-its-quest-for-monero/"
]
},
"uuid": "64d360dd-a48f-4b85-98ea-b2b5dcf81898",
"value": "Prometei"
},
{
"description": "PrizeRAT is a trojan for Android devices. Its functions include unauthorised user tracking, stealing passwords and the silent installation of additional applications without the user's permission. As the malware is part of the firmware of the device, it is not generally recognised by anti-virus solutions for Android. The risk affects a limited group of mobile end devices made by Chinese manufacturers for the low-price segment.",
"meta": {
"refs": [
"https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html"
]
},
"uuid": "440889c8-4986-4568-8fe4-f560d0d28cd7",
"value": "PrizeRAT"
},
{
"description": "Pushlran is a potentially unwanted application (PUA) for Android devices. It displays additional pop-ups and advertisements when the device is used. The app collects data from infected systems, intercepts sensitive communication and passes this information to a remote attacker.",
"meta": {
"refs": [
"https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html"
]
},
"uuid": "ef861a3e-b81c-43ea-8fad-03633219302f",
"value": "Pushlran"
},
{
"description": "Pykspa is a piece of malware that can be used to remotely control infected systems. It also enables attackers to download other malware or extract personal data. There are a number of versions of this malware and it has been developed over a long period of time. Some of the most recent versions of Pykspa are able to deactivate security systems such as anti-virus programs.",
"meta": {
"refs": [
"https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html"
]
},
"uuid": "c49b614b-c158-42e4-91e5-c96c7573b510",
"value": "Pykspa"
},
{
"description": "Qsnatch is a trojan for Linux devices that primarily attacks network drives manufactured by QNAP. Its functions include stealing access data and opening backdoors to infected devices. Through this backdoor, the attacker can gain access to the system and perform other actions. The malware is capable of a wide range of attack types, from information theft to downloading other malware.",
"meta": {
"refs": [
"https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html"
]
},
"uuid": "513ec176-3772-40be-be88-3bcd08382f54",
"value": "Qsnatch"
},
{
"description": "Remaiten is malware which infects Linux on embedded systems by brute forcing using frequently used default username and passwords combinations from a list in order to infect a system. Remaiten combines the features of the Tsunami and LizardStresser (aka Torlus) malware families. The command and control for Remaiten are handled by IRC communications. Additionally the command and control is done by an actual IRC channel rather than only the IRC protocol. This is an improvement over bots such as Tsunami and Torlus making Remaiten a greater threat than both combined. To avoid detection, Remaiten tries to determine the platform of a device to download the architecture-appropriate component from the command & control server. Once Remaiten infects a device it is able to perform actions such as launching distributed denial of service attacks or download more malware on a device.[5] Remaiten is able to scan and remove competing bots on a system compromised by it.",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Remaiten"
]
},
"uuid": "44460f62-85b9-4a36-99f7-553f58231ae2",
"value": "Remaiten"
},
{
"description": "Retadup is a worm affecting Windows machines primarily throughout Latin America. Its objective is to achieve persistence on its victims computers, to spread itself far and wide and to install additional malware payloads on infected machines. In the vast majority of cases, the installed payload is a piece of malware mining cryptocurrency on the malware authors behalf. The French law enforcement agency, National Gendarmerie, in 2019 announced the successful takedown of one of the largest wide-spread RETADUP botnet malware and how it remotely disinfected more than 850,000 computers worldwide with the help of researchers.",
"meta": {
"refs": [
"https://decoded.avast.io/janvojtesek/putting-an-end-to-retadup-a-malicious-worm-that-infected-hundreds-of-thousands/",
"https://thehackernews.com/2019/08/retadup-botnet-malware.html"
]
},
"uuid": "a860f4b7-68e9-4252-8ef5-2bb2ce0bc790",
"value": "Retadup"
},
{
"description": "RootSTV is a trojan and downloader for Android devices, mainly SmartTVs. RootSTV downloads additional malicious programs from a server and executes them without the user's consent. ",
"meta": {
"refs": [
"https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze_node.html"
]
},
"uuid": "0170e672-7459-4bb3-8c1f-dc70d6249843",
"value": "RootSTV"
},
{
"description": "Rovnix is a data-stealing trojan that spreads by email and infects Windows PCs. Initial versions of the malware featured the extraction of data from compromised machines using unencrypted comms but more recently this has evolved to feature encryption during broadcast. The malware spread via e-mails infected with the Andromeda downloader. The infected attachment gets executed by an unwary user and this in turn downloads and runs Rovnix. The whole attack is designed to steal financial information, mainly credit card numbers. A new cluster of infections by the Rovnix Trojan has infected more than 130,000 Windows computers in the UK alone.",
"meta": {
"refs": [
"https://www.theregister.com/2014/11/06/rovnix_trojan_outbreak/"
]
},
"uuid": "3c4b55a6-fff0-4faf-9f7f-19f18d35223f",
"value": "Rovnix"
},
{
"description": "Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Slenfbot"
]
},
"uuid": "03d4ec41-3042-44fa-8de0-127981e21e63",
"value": "Slenfbot"
},
{
"description": "Stacheldraht is malware which performs a distributed denial-of-service (DDoS) attack. Stacheldraht uses a number of different denial-of-service (DoS) attack methods, including Ping flood, UDP flood, TCP SYN flood, and Smurf attack. Further, it can detect and automatically enable source address forgery. Adding encryption, it combines features of Trinoo and of Tribe Flood Network. The software runs on both Linux and Solaris.",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Stacheldraht"
]
},
"uuid": "c2052368-e9f1-494c-8f23-a8d8a7cbd97b",
"value": "Stacheldraht"
},
{
"description": "Suppobox is a trojan that intercepts any network traffic connected with a monetary transaction when users buy or sell products online. The malware focuses on auction websites.",
"meta": {
"refs": [
"https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html"
],
"synonyms": [
"Bayrob",
"Nivdort"
]
},
"uuid": "de003ee4-ab51-44fb-891d-133a1efaa7d7",
"value": "Suppobox"
},
{
"description": "Triada is a trojan for Android devices. Triada's primary function is to record text messages. For example, it intercepts in-app purchases via text message and redirects payments made. Triada downloads other malware from a server and runs these programs.",
"meta": {
"refs": [
"https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze.html"
],
"synonyms": [
"APK. Triada"
]
},
"uuid": "0f1cc805-dd9c-483d-b6b8-8c1b67861a7d",
"value": "Triada"
},
{
"description": "Trinoo is a set of computer programs to conduct a DDoS attack. It is believed that trinoo networks have been set up on thousands of systems on the Internet that have been compromised by remote buffer overrun exploits.",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Trinoo"
],
"synonyms": [
"trin00"
]
},
"uuid": "99a0484c-c252-4ce8-8e7c-413f58a373b9",
"value": "Trinoo"
},
{
"description": "Zemra is a DDoS Bot which was first discovered in underground forums in May 2012. Zemra is capable of HTTP and SYN Flood flooding and also has a simple Command & Control panel that is protected with 256-bit DES encryption for communicating with its command and control (C&C) server. Zemra also sends information such as Computer name, Language settings, and Windows version. It will send this data to a remote location on a specific date and time. It also opens a backdoor on TCP port 7710 to receive commands from a remote command-and-control server, and it is able to monitor devices, collect system information, execute files, and even update or uninstall itself if necessary.",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Zemra"
]
},
"uuid": "67d3961e-675f-4e81-bf8b-5b2fa1606d3c",
"value": "Zemra"
},
{
"description": "Ztorg is a trojan for Android devices. Its functions include unauthorised user tracking, stealing passwords, the silent installation of additional applications without the user's permission, and the collection of data on the mobile phone, such as its location and contacts. Ztorg is a piece of malware that opens a backdoor to an infected device. Through this backdoor, the attacker can gain access to the system and perform other actions. The malware is capable of a wide range of attack types, from information theft to downloading other malware.",
"meta": {
"refs": [
"https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Cyber-Sicherheitslage/Methoden-der-Cyber-Kriminalitaet/Botnetze/Steckbriefe-aktueller-Botnetze/steckbriefe-aktueller-botnetze_node.html"
]
},
"uuid": "40cd57f6-39c9-4a9f-b4cf-de4762642bff",
"value": "Ztorg"
}
],
"version": 31