MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

update some clusters

pull/210/head
Deborah Servili 2018-05-09 16:12:02 +02:00
parent d76e2c97a4
commit 5e0bd260d6
3 changed files with 65 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
clusters/ransomware.json
View File

@ -9071,7 +9071,8 @@
"description": "The ransomware does not use a customized desktop wallpaper to signal its presence, and the only way to discover that SynAck has infected your PC is by the ransom notes dropped on the user's desktop, named in the format: RESTORE_INFO-[id].txt. For example: RESTORE_INFO-4ABFA0EF.txt\n In addition, SynAck also appends its own extension at the end of all files it encrypted. This file extensions format is ten random alpha characters for each file. For example: test.jpg.XbMiJQiuoh. Experts believe the group behind SynAck uses RDP brute-force attacks to access remote computers and manually download and install the ransomware.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-spike-in-activity/"
"https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-spike-in-activity/",
"https://www.bleepingcomputer.com/news/security/synack-ransomware-uses-process-doppelg-nging-technique/"
],
"synonyms": [
"Syn Ack"

11
clusters/threat-actor.json
View File

@ -1167,7 +1167,11 @@
"Unit 121",
"Bureau 121",
"NewRomanic Cyber Army Team",
"Bluenoroff"
"Bluenoroff",
"Group 77",
"Labyrinth Chollima",
"Operation Troy",
"Operation GhostSecret"
],
"refs": [
"https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/",
@ -1176,7 +1180,8 @@
"http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf",
"https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity",
"https://www.us-cert.gov/ncas/alerts/TA17-318A",
"https://www.us-cert.gov/ncas/alerts/TA17-318B"
"https://www.us-cert.gov/ncas/alerts/TA17-318B",
"https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
]
},
"value": "Lazarus Group",
@ -2689,5 +2694,5 @@
],
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
"uuid": "7cdff317-a673-4474-84ec-4f1754947823",
"version": 39
"version": 40
}

58
clusters/tool.json
View File

@ -11,7 +11,7 @@
],
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
"version": 68,
"version": 69,
"values": [
{
"meta": {
@ -1541,7 +1541,8 @@
{
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Necurs_botnet"
"https://en.wikipedia.org/wiki/Necurs_botnet",
"https://www.bleepingcomputer.com/news/security/worlds-largest-spam-botnet-finds-a-new-way-to-avoid-detection-for-now/"
]
},
"description": "The Necurs botnet is a distributor of many pieces of malware, most notably Locky.",
@ -3467,7 +3468,8 @@
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/quant-loader-is-now-bundled-with-other-crappy-malware/",
"https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground"
"https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground",
"https://www.bleepingcomputer.com/news/security/worlds-largest-spam-botnet-finds-a-new-way-to-avoid-detection-for-now/"
]
},
"uuid": "2d1aadfb-03c1-4580-b6ac-f12c6941067d"
@ -4172,6 +4174,56 @@
]
},
"uuid": "d83ec444-535c-11e8-ae83-831d0a85d77a"
},
{
"value": "Huigezi malware",
"description": "backdoor trojan popular found prevalently in China",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/gaming/chinese-police-arrest-15-people-who-hid-malware-inside-pubg-cheat-apps/"
]
},
"uuid": "6aef5a32-5381-11e8-ac5a-bb46d8986552"
},
{
"value": "FacexWorm",
"description": "Facebook, Chrome, and cryptocurrency users should be on the lookout for a new malware strain named FacexWorm that infects victims for the purpose of stealing passwords, stealing cryptocurrency funds, running cryptojacking scripts, and spamming Facebook users. This new strain was spotted in late April by Trend Micro researchers and appears to be related to two other Facebook Messenger spam campaigns, one that took place last August, and another one from December 2017, the latter spreading the Digmine malware. Researchers say FacexWorm's modus operandi is similar to the previous two campaigns, but with the addition of new techniques aimed at cryptocurrency users.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/facexworm-spreads-via-facebook-messenger-malicious-chrome-extension/"
]
},
"uuid": "86ac8c80-5382-11e8-b893-4f1651951472"
},
{
"value": "Bankshot",
"description": "implant used in Operation GhostSecret",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
]
},
"uuid": "d9431c02-5391-11e8-931f-4beceb8bd697"
},
{
"value": "Proxysvc",
"description": "downloader used in Operation GhostSecret",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
]
},
"uuid": "dafba168-5391-11e8-87e4-0f93b75d6ac0"
},
{
"value": "Escad",
"description": "backdoor used in Operation GhostSecret",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
]
},
"uuid": "db36cf9a-5391-11e8-b53a-97adedf48055"
}
]
}