Merge pull request #610 from Delta-Sierra/master

Add new clusters
pull/612/head
Alexandre Dulaunoy 2020-12-09 22:16:07 +01:00 committed by GitHub
commit 691532a2b4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 65 additions and 2 deletions

@ -128,7 +128,18 @@
},
"uuid": "e663ac1b-9474-4f9a-b0c8-184861327dd7",
"value": "Mori Backdoor"
},
{
"description": "Something that made the brute-force attacks on RDP connections easier was a new module of the notorious Trojan, TrickBot. It now seems that the TrickBot developers have a new tactic. Cybersecurity researchers have discovered a new phishing campaign that delivers a stealthy backdoor called BazarBackdoor, which can be used to compromise and gain full access to corporate networks.\nAs is the case with 91% of cyberattacks, this one starts with a phishing email. A range of subjects are used to personalize the emails: Customer complaints, coronavirus-themed payroll reports, or employee termination lists. All these emails contain links to documents hosted on Google Docs. To send the malicious emails, the cybercriminals use the marketing platform Sendgrid.\nThis campaign uses spear phishing, which means that the perpetrators have made an effort to ensure that the websites sent in the emails seem legitimate and correspond to the emails subjects.",
"meta": {
"refs": [
"https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike",
"https://www.pandasecurity.com/en/mediacenter/business/bazarbackdoor-trickbot-backdoor/"
]
},
"uuid": "1523a693-5d90-4da1-86d2-b5d22317820d",
"value": "BazarBackdoor"
}
],
"version": 9
"version": 10
}
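Review bot: the opening sentence of the new BazarBackdoor "description" is about a TrickBot module for brute-forcing RDP, not about BazarBackdoor itself, so a reader of the cluster gets two paragraphs before the entry's subject is named; consider dropping that lead-in (or reducing it to a clause stating that the backdoor is attributed to the TrickBot developers) and keeping the sentences that describe the backdoor, its phishing delivery via Google Docs links and Sendgrid, and the spear-phishing tailoring. The "As is the case with 91% of cyberattacks" figure is lifted from the Panda Security blog without a source; a galaxy description should either attribute that statistic or leave it out.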

@ -13948,7 +13948,59 @@
},
"uuid": "6955c28e-e698-4bb2-8c70-ccc6d11ba1ee",
"value": "WastedLocker"
},
{
"description": "Darkside, the latest ransomware operation to emerge has been attacking organizations beginning earlier this month. Darksides customized attacks on companies have already garnered them million-dollar payouts.\nThrough their “press release”, these threat actors have claimed to be affiliated with prior ransomware operations making millions of dollars. They stated that they created this new product to match their needs, as prior products didnt.\n Darkside explains that they only target companies they know that can pay the specified ransom. They have allegedly promised that they will not attack the following sectors. They include medicine, education, non-profit organizations, and the government sector.",
"meta": {
"refs": [
"https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/",
"https://www.wired.com/story/ransomware-gone-corporate-darkside-where-will-it-end/",
"https://darksidedxcftmqa.onion.foundation/"
]
},
"uuid": "f514a46e-53ff-4f07-b75a-aed289cf221f",
"value": "Darkside"
},
{
"description": "We recently discovered a new file-encrypting Trojan built as an ELF executable and intended to encrypt data on machines controlled by Linux-based operating systems.\nAfter the initial analysis we noticed similarities in the code of the Trojan, the text of the ransom notes and the general approach to extortion, which suggested that we had in fact encountered a Linux build of the previously known ransomware family RansomEXX. This malware is notorious for attacking large organizations and was most active earlier this year.\nRansomEXX is a highly targeted Trojan. Each sample of the malware contains a hardcoded name of the victim organization. Moreover, both the encrypted file extension and the email address for contacting the extortionists make use of the victims name.",
"meta": {
"extensions": [
"<company_name>",
".<abbreviated_company_name>",
".<org_name>",
".txd0t",
".dbe",
".0s"
],
"ransomnotes": [
"Greetings, Texas Department of Transportation!\nRead this message CAREFULLY and contact someone from IT department..\nYour files are securely ENCRYPTED.\nNo third party decryption software EXISTS.\nMODIFICATION or RENAMING encrypted files may cause decryption failure.\nYou can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, so you have no doubts in possibility to restore all Files\nFrom all aFFected systems ANY TIME.\nEncrypted File SHOULD NOT contain sensitive inFormation (technical, backups, databases, large documents).\nThe rest oF data will be available aFter the PAYMENT.\ninfrastructure rebuild will cost you MUCH more.\nContact us ONLY if you officially represent the whole affected network.\nThe ONLY attachments we accept are non archived encrypted files For test decryption.\nSpeak ENGLISH when contacting us.\nMail us: ***@protonmail.com\nWe kindly ask you not to use GMAIL, YAHOO or LIVE to contact us.\nThe PRICE depends on how quickly you do it. "
],
"ransomnotes-filenames": [
"TXDOT_READ_ME! .Txt",
"<abbreviated_company_name> _READ_ME! .txt"
],
"ransomnotes-refs": [
"https://1.bp.blogspot.com/-hbdqo4g6OaE/XvpFV4qbjrI/AAAAAAAAT1I/RtASzBEd_VEZIhDCCCdaxrN0iGCnnocFwCLcBGAsYHQ/s1600/note-original.png",
"https://1.bp.blogspot.com/-A0tAbQoei_Y/X1UxQkema_I/AAAAAAAAVV8/QuJY6v3n6943ZFax3ztDt9FXwkpAKMPPACLcBGAsYHQ/s1600/note2-9-20.png",
"https://1.bp.blogspot.com/-RIwIgb6n0n4/X8-l2HIf88I/AAAAAAAAXRI/oyET6d1XSnwJXDIaJlwItyTFLcp4tz5mQCLcBGAsYHQ/s882/note-8-12-20.png"
],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx",
"https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html",
"https://github.com/Bleeping/Ransom.exx",
"https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/",
"https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/",
"https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4/",
"https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/"
],
"synonyms": [
"Ransom X",
"Defray777"
]
},
"uuid": "dff71334-c173-45b6-8647-af66be0605d7",
"value": "RansomEXX"
}
],
"version": 88
"version": 89
}
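Review bot: both new descriptions use relative time references that are meaningless once the text sits in a dataset: "beginning earlier this month" and "the latest ransomware operation to emerge" in the Darkside entry, "most active earlier this year" in the RansomEXX entry. Replace them with the month and year the source articles refer to, or remove them. The Darkside description also carries copy-paste typos ("Darksides customized attacks", "as prior products didnt", a stray leading space in "\n Darkside explains"). In the Darkside "refs", the `https://darksidedxcftmqa.onion.foundation/` entry is a clearnet gateway to the actor-controlled leak site rather than an analysis; a defensive dataset should not point readers at infrastructure the operators run, so drop it or substitute an archived copy or a third-party write-up. In the RansomEXX "extensions" list the placeholders `<company_name>`, `.<abbreviated_company_name>` and `.<org_name>` are mixed with literal extensions; if the schema has no convention for templated values, say in the description that the extension is derived from the victim name and keep only the observed literals. The ransom note in "ransomnotes" correctly redacts the contact address as `***@protonmail.com`.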