From 40d5cca20f777630d7e65f8ed2c5da7498acc95d Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 7 Sep 2018 16:03:40 +0200 Subject: [PATCH 1/5] clusters --- clusters/ransomware.json | 18 +++++++++++++++++- clusters/threat-actor.json | 12 +++++++++++- 2 files changed, 28 insertions(+), 2 deletions(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 93b116a7..84ac3b73 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -10520,7 +10520,23 @@ ] }, "uuid": "5d0c28f6-b050-11e8-95a8-7b8e480b9bd2" + }, + { + "value": "Sigma Ransomware", + "description": "", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/sigma-ransomware-being-distributed-using-fake-craigslist-malspam/" + ], + "ransomnotes": [ + "https://www.bleepstatic.com/images/news/ransomware/s/sigma/craigslist-malspam/ransom-note-html-part_01.jpg", + "https://www.bleepstatic.com/images/news/ransomware/s/sigma/craigslist-malspam/ransom-note-html-part_02.jpg", + "https://www.bleepstatic.com/images/news/ransomware/s/sigma/craigslist-malspam/payment-portal.jpg", + "ReadMe.txt" + ] + }, + "uuid": "df025902-b29e-11e8-a2ab-739167419c52" } ], - "version": 31 + "version": 32 } diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index f902296f..de562701 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
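Review bot: The new Sigma Ransomware entry ships with `"description": ""`, an empty string where every neighbouring cluster carries a sentence or omits the key; consumers that render descriptions will show a blank, and the empty string is indistinguishable from "not yet written". The single ref's URL slug already supports a minimal sentence, so I would set `"description": "Ransomware family observed being distributed through malspam impersonating Craigslist messages (see refs)."` — wording to be checked against the cited article. If the maintainer prefers to leave it unwritten, dropping the key is cleaner than an empty value. The `ransomnotes` list mixing screenshot URLs with the `ReadMe.txt` filename follows the existing convention in this file (compare `crjoker.html` elsewhere), so no change there.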
@@ -5700,7 +5700,17 @@ ] }, "uuid": "f82b352e-a9f8-11e8-8be8-fbcf6eddd58c" + }, + { + "value": "PowerPool", + "description": "Malware developers have started to use the zero-day exploit for Task Scheduler component in Windows, two days after proof-of-concept code for the vulnerability appeared online.\n\nA security researcher who uses the online name SandboxEscaper on August 27 released the source code for exploiting a security bug in the Advanced Local Procedure Call (ALPC) interface used by Windows Task Scheduler.\n\nMore specifically, the problem is with the SchRpcSetSecurity API function, which fails to properly check user's permissions, allowing write privileges on files in C:\\Windows\\Task.\n\nThe vulnerability affects Windows versions 7 through 10 and can be used by an attacker to escalate their privileges to all-access SYSTEM account level.\n\nA couple of days after the exploit code became available (source and binary), malware researchers at ESET noticed its use in active malicious campaigns from a threat actor they call PowerPool, because of their tendency to use tools mostly written in PowerShell for lateral movement.\n\nThe group appears to have a small number of victims in the following countries: Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.\n\nThe researchers say that PowerPool developers did not use the binary version of the exploit, deciding instead to make some subtle changes to the source code before recompiling it.", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/windows-task-scheduler-zero-day-exploited-by-malware/" + ] + }, + "uuid": "abd89986-b1b0-11e8-b857-efe290264006" } ], - "version": 55 + "version": 56 } From a81bbe288f91298fad0028e0f3c940c41c8d27fa Mon Sep 17 00:00:00 2001 
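Review bot: The PowerPool description is a verbatim news-article paste whose first four paragraphs describe the Task Scheduler ALPC exploit and SandboxEscaper rather than the actor, so a reader of the threat-actor cluster has to get to paragraph five before learning who PowerPool is. I would open with the actor sentence, e.g. `"description": "PowerPool is a threat actor named by ESET for its use of tools mostly written in PowerShell for lateral movement; it was observed adopting a recompiled, lightly modified version of the publicly released Windows Task Scheduler ALPC privilege-escalation exploit within days of its publication. ..."` and keep the exploit detail as supporting context. The refs hold only the BleepingComputer write-up, which itself cites ESET as the primary source; the ESET report should be added to `meta.refs` (I have not reproduced a URL here). Separately, the path `C:\\Windows\\Task` in the pasted text looks like it may be a typo for the Windows `Tasks` directory — worth confirming against the source before the text is reused as an indicator.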
From: Deborah Servili Date: Mon, 10 Sep 2018 12:27:40 +0200 Subject: [PATCH 2/5] fix some relations --- clusters/ransomware.json | 20 +++++++++++++++++++- clusters/tool.json | 21 ++++++++++++++++++--- 2 files changed, 37 insertions(+), 4 deletions(-) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 84ac3b73..fd67db24 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -5387,6 +5387,15 @@ "crjoker.html" ] }, + "related": [ + { + "dest-uuid": "10f92054-b028-11e8-a51f-2f82236ac72d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], "uuid": "2fb307a2-8752-4521-8973-75b68703030d", "value": "CryptoJoker" }, @@ -10420,7 +10429,16 @@ "https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2018/august/31/ransom-note.jpg" ] }, - "uuid": "10f92054-b028-11e8-a51f-2f82236ac72d" + "uuid": "10f92054-b028-11e8-a51f-2f82236ac72d", + "related": [ + { + "dest-uuid": "2fb307a2-8752-4521-8973-75b68703030d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ] }, { "value": "CreamPie Ransomware", diff --git a/clusters/tool.json b/clusters/tool.json index d800258c..661294ca 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
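Review bot: In the second ransomware.json hunk the new `related` block is appended after `"uuid"`, whereas the first hunk (and the other entries visible in this series) place `related` before `uuid`; the two sides of one relation are now laid out differently. JSON key order carries no meaning, so this is purely a style/diff-noise point, and if the repository's jq normalisation pass reorders keys it is moot — but if not, I would move the block so it reads `"meta": {...}, "related": [...], "uuid": "10f92054-..."` like its counterpart. The relation itself is symmetric and correctly reciprocated with the same `estimative-language:likelihood-probability="likely"` tag on both ends.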
@@ -2515,13 +2515,19 @@ { "description": "Shifu is a Banking Trojan first discovered in 2015. Shifu is based on the Shiz source code which incorporated techniques used by Zeus. Attackers use Shifu to steal credentials for online banking websites around the world, starting in Russia but later including the UK, Italy, and others.", "meta": { - "derivated_from": [ - "Shiz" - ], "refs": [ "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/" ] }, + "related": [ + { + "dest-uuid": "e6085ce0-af6d-41f7-8bcb-7f2eed246941", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], "uuid": "67d712c8-d254-4820-83fa-9a892b87923b", "value": "Shifu" }, @@ -2532,6 +2538,15 @@ "https://securityintelligence.com/tag/shiz-trojan-malware/" ] }, + "related": [ + { + "dest-uuid": "67d712c8-d254-4820-83fa-9a892b87923b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], "uuid": "e6085ce0-af6d-41f7-8bcb-7f2eed246941", "value": "Shiz" }, From 170b752597cda90b8211aaa1ccf0efa9db7eb044 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Mon, 10 Sep 2018 12:30:08 +0200 Subject: [PATCH 3/5] fix schema --- schema_clusters.json | 7 ------- 1 file changed, 7 deletions(-) diff --git a/schema_clusters.json b/schema_clusters.json index 914d0655..1968d6ba 100644 --- a/schema_clusters.json +++ b/schema_clusters.json @@ -107,13 +107,6 @@ "type": "string" } }, - "derivated_from": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - } - }, "status": { "type": "string" }, From c92dc15937bdabbfa100139180f18d3b1fda04e6 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Mon, 10 Sep 2018 14:13:09 +0200 Subject: [PATCH 4/5] add Operation AppleJeus --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index de562701..44a0ad52 100644 
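Review bot: Replacing Shifu's `"derivated_from": ["Shiz"]` with a reciprocal pair of `"type": "similar"` relations discards the direction of the relationship — the hunk's own description states "Shifu is based on the Shiz source code", yet after this change the Shifu→Shiz and Shiz→Shifu edges are indistinguishable and a consumer cannot tell which is the parent. If the cluster schema's relation `type` admits a directional value (the MISP galaxy vocabulary has such types; I have not verified which are accepted here), I would use it on the Shifu side, e.g. `"type": "variant-of"` or equivalent, and keep `similar` only if no directional type is available. At minimum the Shiz entry's description should mention that Shifu derives from it, since the second hunk leaves that fact expressed on one side only. The accompanying schema patch that deletes `derivated_from` will cause any other cluster still using that key to fail validation — worth a grep before merging.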
--- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -2597,7 +2597,8 @@ "Group 77", "Labyrinth Chollima", "Operation Troy", - "Operation GhostSecret" + "Operation GhostSecret", + "Operation AppleJeus" ] }, "related": [ From cb5fa5e822291453acfea9f40da74b343b652ab4 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Mon, 10 Sep 2018 14:21:14 +0200 Subject: [PATCH 5/5] fix version --- clusters/tool.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/tool.json b/clusters/tool.json index 661294ca..151688bd 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -5733,5 +5733,5 @@ "uuid": "69ed8a69-8b33-4195-9b21-a1f4cd76acde" } ], - "version": 85 + "version": 86 }
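Review bot: "Operation AppleJeus" is added to the synonyms list with no accompanying reference — the diffstat for this patch is two insertions and one deletion, so `meta.refs` of this entry was not touched. A synonym that a reader cannot trace to a source is hard to audit later; I would add the primary vendor report for the AppleJeus campaign to this entry's `refs` in the same commit (URL omitted here rather than guessed). Mixing campaign names with actor aliases is already the convention in this list (`Operation Troy`, `Operation GhostSecret`), so the placement is consistent. The enclosing entry's `value` and `refs` lie outside the hunk, so I cannot confirm from this view whether a matching ref already exists.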