add script to automate malpedia update

pull/728/head
marjatech 2022-07-04 14:24:34 +02:00
parent 1212a75cc4
commit 587dc8560b
3 changed files with 119 additions and 10 deletions


@ -213,6 +213,7 @@
"https://www.threatfabric.com/blogs/smishing-campaign-in-nl-spreading-cabassous-and-anatsa.html"
],
"synonyms": [
"ReBot",
"TeaBot",
"Toddler"
],
@ -3207,6 +3208,7 @@
"https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/",
"https://twitter.com/sisoma2/status/1473243875158499330",
"https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html",
"https://killingthebear.jorgetesta.tech/actors/alphv",
"https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/",
"https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/",
"https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/",
@ -6931,6 +6933,7 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates",
"https://killingthebear.jorgetesta.tech/actors/evil-corp",
"https://www.menlosecurity.com/blog/increase-in-attack-socgholish",
"https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
@ -10368,6 +10371,7 @@
"https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/",
"https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/",
"https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--89",
"https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter",
"https://habr.com/ru/company/group-ib/blog/477198/",
"https://www.fortinet.com/blog/threat-research/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware",
"https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/",
@ -12335,6 +12339,7 @@
"https://raw.githubusercontent.com/vc0RExor/Malware-Threat-Reports/main/Ransomware/Babuk/Babuk_Ransomware_EN_2021_05.pdf",
"https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
"https://www.bleepingcomputer.com/news/security/babyk-ransomware-wont-hit-charities-unless-they-support-lgbt-blm/",
"https://killingthebear.jorgetesta.tech/actors/evil-corp",
"https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/",
"https://securelist.com/ransomware-world-in-2021/102169/",
"https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
@ -13561,6 +13566,7 @@
"https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
"https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html",
"https://killingthebear.jorgetesta.tech/actors/alphv",
"https://github.com/f0wl/blackCatConf",
"https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/",
"https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
@ -13958,6 +13964,7 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blister",
"https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html",
"https://killingthebear.jorgetesta.tech/actors/evil-corp",
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt",
"https://redcanary.com/blog/intelligence-insights-january-2022/",
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
@ -15202,6 +15209,7 @@
"https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html",
"https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html",
"https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html",
"https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers",
"https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/",
"https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/",
"https://www.praetorian.com/blog/reproducing-proxylogon-exploit/",
@ -19139,6 +19147,7 @@
"https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/",
"https://techcrunch.com/2020/03/01/visser-breach/",
"https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
"https://killingthebear.jorgetesta.tech/actors/evil-corp",
"https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
"https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
"https://lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
@ -19408,7 +19417,7 @@
"https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/",
"https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
"https://unit42.paloaltonetworks.com/travel-themed-phishing/",
"https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
"https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
"https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/",
"https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
"https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/",
@ -19419,7 +19428,7 @@
"https://assets.virustotal.com/reports/2021trends.pdf",
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
"https://twitter.com/Cryptolaemus1/status/1407135648528711680",
"https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
"https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf",
"https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps",
"https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/",
@ -19464,6 +19473,7 @@
"https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/",
"https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office",
"https://threatresearch.ext.hp.com/detecting-ta551-domains/",
"https://killingthebear.jorgetesta.tech/actors/evil-corp",
"https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf",
"https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
"https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
@ -20404,6 +20414,7 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.entropy",
"https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
"https://killingthebear.jorgetesta.tech/actors/evil-corp",
"https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/",
"https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/?cmp=30728"
],
@ -21723,7 +21734,7 @@
"https://blog.malwarebytes.com/threat-analysis/2021/05/revisiting-the-nsis-based-crypter/",
"http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html",
"https://link.medium.com/uaBiIXgUU8",
"https://usualsuspect.re/article/formbook-hiding-in-plain-sight",
"https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/",
"https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer",
"https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
"https://www.lac.co.jp/lacwatch/report/20220307_002893.html",
@ -21740,6 +21751,7 @@
"https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/",
"https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/",
"https://www.netskope.com/blog/new-formbook-campaign-delivered-through-phishing-emails",
"https://usualsuspect.re/article/formbook-hiding-in-plain-sight",
"https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
"https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/",
"https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
@ -21858,12 +21870,13 @@
"https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/",
"https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
"https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/",
"https://killingthebear.jorgetesta.tech/actors/evil-corp",
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks/",
"https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
"https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf",
"https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/",
"https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
"https://www.secureworks.com/research/threat-profiles/gold-drake",
"https://www.youtube.com/watch?v=LUxOcpIRxmg",
@ -23474,6 +23487,7 @@
"https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
"https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp",
"https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities",
"https://killingthebear.jorgetesta.tech/actors/evil-corp",
"https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
"https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/",
"https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
@ -24017,6 +24031,19 @@
"uuid": "2637315d-d31e-4b64-aa4b-2fc265b0a1a3",
"value": "HesperBot"
},
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.heyoka",
"https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/"
],
"synonyms": [],
"type": []
},
"uuid": "5833d95c-4131-4cd3-8600-fc40bb834fe3",
"value": "heyoka"
},
{
"description": "",
"meta": {
@ -24471,6 +24498,7 @@
"https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/",
"https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html",
"https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/",
"https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers",
"https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
"https://www.secureworks.com/research/threat-profiles/bronze-mayfair",
"https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
@ -25990,6 +26018,19 @@
"uuid": "7d69892e-d582-4545-8798-4a9a84a821ea",
"value": "Kelihos"
},
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.keona",
"https://twitter.com/3xp0rtblog/status/1536704209760010241"
],
"synonyms": [],
"type": []
},
"uuid": "b74ad48b-ac26-4748-adac-b824defbe315",
"value": "Keona"
},
{
"description": "",
"meta": {
@ -27906,6 +27947,7 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.macaw",
"https://killingthebear.jorgetesta.tech/actors/evil-corp",
"https://www.bleepingcomputer.com/news/security/evil-corp-demands-40-million-in-new-macaw-ransomware-attacks/",
"https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions"
],
@ -27968,6 +28010,7 @@
"https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber",
"https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infect-you-with-magniber-ransomware/",
"https://therecord.media/printnightmare-vulnerability-weaponized-by-magniber-ransomware-gang/",
"https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/",
"https://medium.com/coinmonks/passive-income-of-cyber-criminals-dissecting-bitcoin-multiplier-scam-b9d2b6048372",
"https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
"https://asec.ahnlab.com/en/30645/",
@ -29762,6 +29805,19 @@
"uuid": "c57a4168-cd09-4611-a665-bbcede80f42b",
"value": "Monero Miner"
},
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mongall",
"https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/"
],
"synonyms": [],
"type": []
},
"uuid": "e0627961-fc28-4b7d-bb44-f937defa052a",
"value": "mongall"
},
{
"description": "",
"meta": {
@ -32181,6 +32237,19 @@
"uuid": "46dc64c6-e927-44fc-b4a4-efd1677ae030",
"value": "Pay2Key"
},
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.payloadbin",
"https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/"
],
"synonyms": [],
"type": []
},
"uuid": "313c81ab-fba2-4577-8de6-863515a65c45",
"value": "PayloadBIN"
},
{
"description": "PcShare is a open-source backdoor which has been seen modified and used by Chinese threat actors, mainly attacking countries in South East Asia.",
"meta": {
@ -32400,8 +32469,9 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.phoenix_locker",
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
"https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf",
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
"https://killingthebear.jorgetesta.tech/actors/evil-corp",
"https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp",
"https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions"
],
@ -41751,7 +41821,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.underminer_ek",
"https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become"
"https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become",
"https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/"
],
"synonyms": [],
"type": []
@ -42078,7 +42149,7 @@
"synonyms": [],
"type": []
},
"uuid": "7f93a8c3-edc7-4c91-a8e5-cc2cbe08880b",
"uuid": "33c661b3-b9e7-49a7-a82b-4b5977e79cae",
"value": "win.unidentified_059"
},
{
@ -43164,7 +43235,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedloader",
"https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf"
"https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf",
"https://killingthebear.jorgetesta.tech/actors/evil-corp"
],
"synonyms": [],
"type": []
@ -43190,6 +43262,7 @@
"https://areteir.com/wp-content/uploads/2020/07/Ransomware-WastedLocker-1.pdf",
"https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
"https://killingthebear.jorgetesta.tech/actors/evil-corp",
"https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/",
"https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf",
"https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/",
@ -44519,6 +44592,19 @@
"uuid": "c0e8b64c-bd2c-4a3e-addc-0ed6cc1ba200",
"value": "yty"
},
{
"description": "W32/Yunsip!tr.pws is classified as a password stealing trojan.\r\nPassword Stealing Trojan searches the infected system for passwords and send them to the hacker.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.yunsip",
"https://www.fortiguard.com/encyclopedia/virus/3229143"
],
"synonyms": [],
"type": []
},
"uuid": "1f8755ac-3dcc-43bd-a07f-cf0fbf2cdb7d",
"value": "Yunsip"
},
{
"description": "Ransomware.",
"meta": {
@ -45174,5 +45260,5 @@
"value": "Zyklon"
}
],
"version": 14927
"version": 14973
}

17
tools/del_duplicate_refs.py Executable file

@ -0,0 +1,17 @@
#!/usr/bin/env python3
# coding=utf-8
"""
Tool to remove duplicates in cluster references
"""
import sys
import json
with open(sys.argv[1], 'r') as f:
data = json.load(f)
for c in data['values']:
c['meta']['refs'] = list(dict.fromkeys(c['meta']['refs']))
with open(sys.argv[1], 'w') as f:
json.dump(data, f)
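Review bot: The rewrite at `with open(sys.argv[1], 'w')` truncates the cluster file before `json.dump` has produced anything, so an exception during serialisation or an interrupted run leaves the file empty or partial, and the calling fetch script would carry that state forward. Both `open` calls also rely on the locale encoding; `json.dump` escapes to ASCII by default so the write side is safe, but the read should pass `encoding='utf-8'` in case the upstream file contains non-ASCII text. Writing to a sibling temp file and swapping it in with `os.replace` keeps the original intact until the new content is complete; this needs `import os` next to the existing imports. The lookup `c['meta']['refs']` presumably holds for every cluster in this file, but a `KeyError` there would abort the whole run, so it is worth confirming against the data or guarding with `.get`.
```python
# … unchanged: shebang, docstring, imports, read and de-duplication loop …
tmp_path = sys.argv[1] + '.tmp'
with open(tmp_path, 'w', encoding='utf-8') as f:
    json.dump(data, f)
os.replace(tmp_path, sys.argv[1])
```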

6
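--- a/tools/fetch_malpedia.sh
+++ b/tools/fetch_malpedia.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+cd "${0%/*}"
+wget -O malpedia.json https://malpedia.caad.fkie.fraunhofer.de/api/get/misp
+mv malpedia.json ../clusters/malpedia.json
+./del_duplicate_refs.py ../clusters/malpedia.json
+(cd ..; ./jq_all_the_things.sh)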
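Review bot: Nothing stops the script when `wget` fails: without `set -e` a network error or non-200 response still leaves a `malpedia.json` behind (empty or partial, since `-O` creates the output file up front), and the following `mv` copies it over `../clusters/malpedia.json` before anything has checked that the download parses. Add `set -euo pipefail` after the shebang, and run `./del_duplicate_refs.py malpedia.json` on the downloaded copy before the `mv`, so a response that is not valid JSON aborts while the committed cluster file is untouched. `cd "${0%/*}"` also only works when the script is invoked with a path component; called as a bare name from `$PATH` it tries to enter a nonexistent directory, which `set -e` would at least turn into a hard stop rather than a download into the wrong place.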