MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

Update several RAT & Ransomwares

pull/801/head
Delta-Sierra 2022-11-28 16:13:38 +01:00
parent 5c979ae554
commit 6c36295318
4 changed files with 71 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
clusters/ransomware.json
View File

@ -24663,7 +24663,8 @@
"https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive",
"https://www.microsoft.com/en-us/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/",
"https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf",
"https://www.varonis.com/blog/hive-ransomware-analysis"
"https://www.varonis.com/blog/hive-ransomware-analysis",
"https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/"
]
},
"uuid": "8ce915d3-8c6d-4841-b509-18379d7a8999",
@ -24773,7 +24774,36 @@
"value": "BlackBasta"
},
{
"description": "Ransomware",
"description": "BlackByte is recently discovered Ransomware with a .NET DLL core payload wrapped in JavaScript. It employs heavy obfuscation both in its JavaScript wrapper and .NET DLL core.\n\nOnce the JavaScript wrapper is executed, the malware will de-obfuscate the core payload and execute it in memory. The core .DLL is loaded and BlackByte will check the installed operating system language and terminate if an eastern European language is found.\n\nIt will proceed to check for the presence of several anti-virus and sandbox-related .DLLs, attempt to bypass AMSI, delete system shadow-copies in order to hinder system recovery, and modify several other system services (including Windows Firewall) in order to “prep” the system for encryption. Once the system is “ready” for encryption, it will download a symmetric key-file which will be used to encrypt files on the system. If this file is not found, the malware will terminate.\n\nUnlike most Ransomware today, BlackByte uses a single symmetric encryption key, and does not generate a unique encryption key for each victim system, meaning the same key can be used to decrypt all files encrypted by the malware.\n\nThis makes for substantially easier key-management for the actors behind BlackByte at the cost of a weaker encryption scheme and easier victim system recovery (as there is only a single online point with a single key to maintain).\n\nAs with most Ransomware today, BlackByte has worming capabilities and can infect additional endpoints on the same network.",
"meta": {
"ransomnotes": [
"BLACKBYTE \n\nAll your files have been encrypted, your confidential data has been stolen, in order to decrypt files and avoid leakage, you must follow our steps.\n\n1) Download and install TOR browser from this site: https://torproject.org/ \n\n2) Paste the URL in TOR browser and you will be redirected to our chat with all information that you need. \n\n3) If you won't contact with us within 4 days, your access to our chat will be removed and you wont be able to restore your system. \n\nYour URL: [LINK]\n\nYour Key: [KEY]",
"BLACKBYTE\n\nAll your files have been encrypted, your confidential data has been stolen, \nin order to decrypt files and avoid leakage, you must follow our steps.\n\n\n\n1) Download and install TOR Browser from this site: https://torproject.org/\n\n2) Paste the URL in TOR Browser and you will be redirected to our chat with all information that you need.\n\n3) If you do not contact us within 3 days, your chat access key won't be valid.\nAlso, your company will be posted on our blog, darknet and hacker forums,\nwhich will attract unnecessary attention from Journalists and not only them.\nYou are given 3 days to think over the situation, and take reasonable actions on your part.\n\n\nWarning! Connurtcation with us occurs only through this link, or through our mail on our blog.\nWe also strongly DO NOT recommend using third-party tools to decrypt files,\nas this will simply kill them completely without the possibility of recovery.\nI repeat, in this case, no one can help you!\n\n\n\nYour URL: [LINK]\n\nYour Key to access the chat: [PASSW]\n\nFind our blog here (TOR Browser): http://dlyo7r3n4qy5fzv4645nddjwarj7wjdd6wzckomcyc7akskkxp4glcad.onion/"
],
"ransomnotes-refs": [
"https://lh5.googleusercontent.com/sw0iG6WGVHRRM7NQsTjmt1ut60TH-_VPe1Fo57XuYeBOMw9PrvI4lCqyCPueiEXvbAZ-ks3KHXmnS81JvGYaMf31tSL1Eejx-BZ973EctAqjb-u3R6k-9UC0GqhkLQxgMC6lqtp7",
"https://lh5.googleusercontent.com/sw0iG6WGVHRRM7NQsTjmt1ut60TH-_VPe1Fo57XuYeBOMw9PrvI4lCqyCPueiEXvbAZ-ks3KHXmnS81JvGYaMf31tSL1Eejx-BZ973EctAqjb-u3R6k-9UC0GqhkLQxgMC6lqtp7"
],
"refs": [
"https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape",
"https://redcanary.com/blog/blackbyte-ransomware/",
"https://www.ic3.gov/Media/News/2022/220211.pdf",
"https://therecord.media/san-francisco-49ers-confirm-ransomware-attack/",
"https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/",
"https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure",
"https://www.trellix.com/en-us/about/newsroom/stories/research/trellix-global-defenders-analysis-and-protections-for-blackbyte-ransomware.html",
"https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
"https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants",
"https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups",
"https://blog.talosintelligence.com/the-blackbyte-ransomware-group-is/",
"https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
"https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
"https://securelist.com/modern-ransomware-groups-ttps/106824/",
"https://securelist.com/modern-ransomware-groups-ttps/106824/",
"https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/",
"https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/"
]
},
"related": [
{
"dest-uuid": "201eff54-d41e-4f70-916c-5dfb9301730a",

30
clusters/rat.json
View File

@ -2697,7 +2697,8 @@
"meta": {
"date": "2016",
"refs": [
"https://twitter.com/malwrhunterteam/status/816993165119016960?lang=en"
"https://twitter.com/malwrhunterteam/status/816993165119016960?lang=en",
"https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape"
],
"synonym": [
"Vengeance Justice Worm",
@ -3363,9 +3364,24 @@
"description": "H-worm is a VBS (Visual Basic Script) based RAT written by an individual going by the name Houdini. We believe the author is based in Algeria and has connections to njq8, the author of njw0rm [1] and njRAT/LV [2] through means of a shared or common code base. We have seen the H-worm RAT being employed in targeted attacks against the international energy industry; however, we also see it being employed in a wider context as run of the mill attacks through spammed email attachments and malicious links.",
"meta": {
"refs": [
"https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html"
"https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html",
"https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape"
],
"synonyms": [
"WSHRat",
"Houdini",
"Dunihi"
]
},
"related": [
{
"dest-uuid": "e5f7bb36-c982-4f5a-9b29-ab73d2c5f70e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "1b6a067b-50b9-4aa7-a49b-823e94e210fe",
"value": "H-worm"
},
@ -3548,6 +3564,16 @@
],
"uuid": "e79cb167-6639-46a3-9646-b12535aa21b6",
"value": "Ragnatela"
},
{
"description": "STRRAT is a Java-based RAT with a JavaScript wrapper/dropper that was discovered in 2020. Its core payload (a .JAR file) is contained under several layers of obfuscation and encoding inside the JavaScript wrapper/dropper.\n\nSTRRAT is propagated by malicious email attachments. Its capabilities include standard RAT functionalities (remote access, remote command execution), browser and email-client credential harvesting, and a unique ransomware-like functionality if instructed, it will add a “.crimson” extension to files on the device, rendering them inoperable (though they can be easily recovered because their content is not modified).\n\nUnlike many Java-based malware, STRRAT does not require Java to be installed on the infected system in order to operate. When the JavaScript wrapper/dropper is executed, if a suitable Java runtime installation is not found, one will be downloaded and installed in order to assure the contained Java payload can execute.",
"meta": {
"refs": [
"https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape"
]
},
"uuid": "b30cb6f4-1e0a-4a97-8d88-ca38f83b4422",
"value": "STRRAT"
}
],
"version": 42

6
clusters/threat-actor.json
View File

@ -2573,7 +2573,8 @@
"https://threatintel.blog/OPBlueRaven-Part1/",
"https://threatintel.blog/OPBlueRaven-Part2/",
"https://www.secureworks.com/research/threat-profiles/gold-niagara",
"https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous"
"https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous",
"https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape"
],
"synonyms": [
"CARBON SPIDER",
@ -2582,7 +2583,8 @@
"ATK32",
"G0046",
"G0008",
"Coreid"
"Coreid",
"Carbanak"
]
},
"related": [

7
clusters/tool.json
View File

@ -2649,6 +2649,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "1b6a067b-50b9-4aa7-a49b-823e94e210fe",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e5f7bb36-c982-4f5a-9b29-ab73d2c5f70e",