Add android and banker galaxies

Raphaël Vinot 2017-10-26 18:45:05 -04:00
parent 72dbbb28fa
commit 6d0952e4ed
4 changed files with 4164 additions and 0 deletions

3748
clusters/android.json Normal file


400
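--- a/clusters/banker.json
+++ b/clusters/banker.json
@@ -0,0 +1,400 @@
+{
+"values": [
+{
+"meta": {
+"refs": [
+"https://usa.kaspersky.com/resource-center/threats/zeus-virus"
+],
+"synonyms": [
+"Zbot"
+],
+"date": "Initally discovered between 2006 and 2007. New bankers with Zeus roots still active today."
+},
+"description": "Zeus is a trojan horse that is primarily delivered via drive-by-downloads, malvertising, exploit kits and malspam campaigns. It uses man-in-the-browser keystroke logging and form grabbing to steal information from victims. Source was leaked in 2011.",
+"value": "Zeus"
+},
+{
+"meta": {
+"refs": [
+"https://www.kaspersky.com/blog/neverquest-trojan-built-to-steal-from-hundreds-of-banks/3247/",
+"https://www.fidelissecurity.com/threatgeek/2016/05/vawtrak-trojan-bank-it-evolving",
+"https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows",
+"https://www.botconf.eu/wp-content/uploads/2016/11/2016-Vawtrak-technical-report.pdf"
+],
+"synonyms": [
+"Neverquest"
+],
+"date": "Discovered early 2013"
+},
+"description": "Delivered primarily by exploit kits as well as malspam campaigns utilizing macro based Microsoft Office documents as attachments. Vawtrak/Neverquest is a modularized banking trojan designed to steal credentials through harvesting, keylogging, Man-In-The-Browser, etc.",
+"value": "Vawtrak"
+},
+{
+"meta": {
+"refs": [
+"https://blog.malwarebytes.com/detections/trojan-dridex/",
+"https://feodotracker.abuse.ch/"
+],
+"synonyms": [
+"Bugat",
+"Cridex",
+"Feodo Version D"
+],
+"date": "Discovery in 2014, still active"
+},
+"description": " Dridex leverages redirection attacks designed to send victims to malicious replicas of the banking sites they think they're visiting.",
+"value": "Dridex"
+},
+{
+"meta": {
+"refs": [
+"https://www.secureworks.com/research/gozi",
+"https://www.gdatasoftware.com/blog/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007",
+"https://lokalhost.pl/gozi_tree.txt"
+],
+"synonyms": [
+"Ursnif",
+"CRM",
+"Snifula",
+"Papras"
+],
+"date": "First seen ~ 2007"
+},
+"description": "Banking trojan delivered primarily via email (typically malspam) and exploit kits. Gozi 1.0 source leaked in 2010",
+"value": "Gozi"
+},
+{
+"meta": {
+"refs": [
+"https://krebsonsecurity.com/tag/gozi-prinimalka/",
+"https://securityintelligence.com/project-blitzkrieg-how-to-block-the-planned-prinimalka-gozi-trojan-attack/",
+"https://lokalhost.pl/gozi_tree.txt"
+],
+"synonyms": [
+"Prinimalka"
+],
+"date": "Fall Oct. 2012 - Spring 2013"
+},
+"description": "Banking trojan attributed to Project Blitzkrieg targeting U.S. Financial institutions.",
+"value": "Goziv2"
+},
+{
+"meta": {
+"refs": [
+"https://www.govcert.admin.ch/blog/18/gozi-isfb-when-a-bug-really-is-a-feature",
+"https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/",
+"https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak",
+"https://lokalhost.pl/gozi_tree.txt"
+],
+"date": "Beginning 2010"
+},
+"description": "Banking trojan based on Gozi source. Features include web injects for the victims browsers, screenshoting, video recording, transparent redirections, etc. Source leaked ~ end of 2015.",
+"value": "Gozi ISFB"
+},
+{
+"meta": {
+"refs": [
+"https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/",
+"https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality",
+"https://lokalhost.pl/gozi_tree.txt"
+],
+"date": "Since 2014"
+},
+"description": "Dreambot is a variant of Gozi ISFB that is spread via numerous exploit kits as well as through malspam email attachments and links.",
+"value": "Dreambot"
+},
+{
+"meta": {
+"refs": [
+"https://lokalhost.pl/gozi_tree.txt",
+"http://archive.is/I7hi8#selection-217.0-217.6"
+],
+"date": "Seen Autumn 2014"
+},
+"description": "Gozi ISFB variant ",
+"value": "IAP"
+},
+{
+"meta": {
+"refs": [
+"https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/",
+"https://lokalhost.pl/gozi_tree.txt"
+],
+"date": "Spring 2016"
+},
+"description": "GozNym hybrid takes the best of both the Nymaim and Gozi ISFB. From the Nymaim malware, it leverages the droppers stealth and persistence; the Gozi ISFB parts add the banking Trojans capabilities to facilitate fraud via infected Internet browsers.",
+"value": "GozNym"
+},
+{
+"meta": {
+"refs": [
+"https://blog.threatstop.com/zloader/terdot-that-man-in-the-middle",
+"https://www.scmagazine.com/terdot-zloaderzbot-combo-abuses-certificate-app-to-pull-off-mitm-browser-attacks/article/634443/"
+],
+"synonyms": [
+"Zeus Terdot"
+],
+"date": "First seen in Fall 2016 and still active today."
+},
+"description": "Zloader is a loader that loads different payloads, one of which is a Zeus module. Delivered via exploit kits and malspam emails. ",
+"value": "Zloader Zeus"
+},
+{
+"meta": {
+"refs": [
+"https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/",
+"https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/"
+],
+"synonyms": [
+"VM Zeus"
+],
+"date": "First seen ~Feb 2014"
+},
+"description": "Zeus variant that utilizes steganography in image files to retrieve configuration file. ",
+"value": "Zeus VM"
+},
+{
+"meta": {
+"refs": [
+"https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/"
+],
+"date": "First seen ~Aug 2015"
+},
+"description": "Sphinx is a modular banking trojan that is a commercial offering sold to cybercriminals via underground fraudster boards.",
+"value": "Zeus Sphinx"
+},
+{
+"meta": {
+"refs": [
+"https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market",
+"https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf"
+],
+"synonyms": [
+"Zeus Panda"
+],
+"date": "First seen ~ Spring 2016"
+},
+"description": " ",
+"value": "Panda Banker"
+},
+{
+"meta": {
+"refs": [
+"https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/",
+"https://github.com/nyx0/KINS"
+],
+"synonyms": [
+"Kasper Internet Non-Security",
+"Maple"
+],
+"date": "First seen 2014"
+},
+"description": "Zeus KINS is a modified version of ZeuS 2.0.8.9. It contains an encrypted version of it's config in the registry. ",
+"value": "Zeus KINS"
+},
+{
+"meta": {
+"refs": [
+"https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan",
+"https://securelist.com/chthonic-a-new-modification-of-zeus/68176/"
+],
+"date": "First seen fall of 2014"
+},
+"description": "Chthonic according to Kaspersky is an evolution of Zeus VM. It uses the same encryptor as Andromeda bot, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.",
+"value": "Chthonic"
+},
+{
+"meta": {
+"refs": [
+"https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
+],
+"date": "Discovered ~February 2016"
+},
+"description": "Android banking trojan that tries to steal victims banking credentials and credit card information via phishing pages crafted to mimic Google Plays payment interface as well as the login pages of 7 different banks apps.",
+"value": "Xbot"
+},
+{
+"meta": {
+"refs": [
+"https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/",
+"https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/",
+"http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html",
+"https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/"
+],
+"synonyms": [
+"Trickster",
+"Trickloader"
+],
+"date": "Discovered Fall 2016"
+},
+"description": "Trickbot is a bot that is delivered via exploit kits and malspam campaigns. The bot is capable of downloading modules, including a banker module. Trickbot also shares roots with the Dyre banking trojan",
+"value": "Trickbot"
+},
+{
+"meta": {
+"refs": [
+"https://www.secureworks.com/research/dyre-banking-trojan",
+"https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/"
+],
+"synonyms": [
+"Dyreza"
+],
+"date": "Discovered ~June 2014"
+},
+"description": "Dyre is a banking trojan distributed via exploit kits and malspam emails primarily. It has a modular architectur and utilizes man-in-the-browser functionality. It also leverages a backconnect server that allows threat actors to connect to a bank website through the victim's computer.",
+"value": "Dyre"
+},
+{
+"meta": {
+"refs": [
+"https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/",
+"http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/",
+"https://blog.avast.com/2014/09/15/tiny-banker-trojan-targets-customers-of-major-banks-worldwide/",
+"http://my.infotex.com/tiny-banker-trojan/"
+],
+"synonyms": [
+"Zusy",
+"TinyBanker",
+"illi"
+],
+"date": "Discovered ~Spring 2012"
+},
+"description": "Tinba is a very small banking trojan that hooks into browsers and steals login data and sniffs on network traffic. It also uses Man in The Browser (MiTB) and webinjects. Tinba is primarily delivered via exploit kits, malvertising and malspam email campaigns.",
+"value": "Tinba"
+},
+{
+"meta": {
+"refs": [
+"https://feodotracker.abuse.ch/",
+"https://www.cert.pl/en/news/single/analysis-of-emotet-v4/"
+],
+"synonyms": [
+"Emotet v4",
+"Feodo Version E"
+],
+"date": "Discovered in March 2017."
+},
+"description": "Heodo is a successor of Geodo / Emotet (Version C or v3). It is a botnet capable of downloading modules including a banker module that uses MiTB techniques to steal banking information from victims. It is primarily delivered via malicious email (malspam) campaigns. ",
+"value": "Heodo"
+},
+{
+"meta": {
+"refs": [
+"https://feodotracker.abuse.ch/",
+"http://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/"
+],
+"synonyms": [
+"Feodo Version B",
+"Emotet"
+],
+"date": "Discovered ~Summer 2014"
+},
+"description": "Geodo is a banking trojan delivered primarily through malspam emails. It is capable of sniffing network activity to steal information by hooking certain network API calls.",
+"value": "Geodo"
+},
+{
+"meta": {
+"refs": [
+"https://securelist.com/dridex-a-history-of-evolution/78531/",
+"https://feodotracker.abuse.ch/",
+"http://stopmalvertising.com/rootkits/analysis-of-cridex.html"
+],
+"synonyms": [
+"Bugat",
+"Cridex"
+],
+"date": "Discovered ~September 2011"
+},
+"description": "Feodo is a banking trojan that utilizes web injects and is also capable of monitoring & manipulating cookies. It is delivered primarily via exploit kits and malspam emails.",
+"value": "Feodo"
+},
+{
+"meta": {
+"refs": [
+"https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/"
+],
+"synonyms": [
+"Nimnul"
+],
+"date": "Discovered ~2010."
+},
+"description": "Originally not a banking trojan in 2010, Ramnit became a banking trojan after the Zeus source code leak. It is capable of perforrming Man-in-the-Browser attacks. Distributed primarily via exploit kits.",
+"value": "Ramnit"
+},
+{
+"meta": {
+"refs": [
+"https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/",
+"https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/",
+"https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf"
+],
+"synonyms": [
+"Qbot ",
+"Pinkslipbot"
+],
+"date": "Discovered ~2007"
+},
+"description": "Qakbot is a banking trojan that leverages webinjects to steal banking information from victims. It also utilizes DGA for command and control. It is primarily delivered via exploit kits.",
+"value": "Qakbot"
+},
+{
+"meta": {
+"refs": [
+"https://securityintelligence.com/an-overnight-sensation-corebot-returns-as-a-full-fledged-financial-malware/",
+"https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-02-Corebot-1.pdf",
+"https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/"
+],
+"date": "Discovered ~Fall 2015"
+},
+"description": "Corebot is a modular trojan that leverages a banking module that can perform browser hooking, form grabbing, MitM, webinjection to steal financial information from victims. Distributed primarily via malspam emails and exploit kits.",
+"value": "Corebot"
+},
+{
+"meta": {
+"refs": [
+"https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/",
+"https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/",
+"https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/",
+"http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4596",
+"https://benkowlab.blogspot.ca/2017/08/quick-look-at-another-alina-fork-xbot.html"
+],
+"synonyms": [
+"NukeBot",
+"Nuclear Bot",
+"MicroBankingTrojan",
+"Xbot"
+],
+"date": "Discovered ~December 2016"
+},
+"description": "TinyNuke is a modular banking trojan that includes a HiddenDesktop/VNC server and reverse SOCKS 4 server. It's main functionality is to make web injections into specific pages to steal user data. Distributed primarily via malspam emails and exploit kits.",
+"value": "TinyNuke"
+},
+{
+"meta": {
+"refs": [
+"https://www.govcert.admin.ch/blog/33/the-retefe-saga",
+"https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/",
+"https://countuponsecurity.com/2016/02/29/retefe-banking-trojan/",
+"https://securityblog.switch.ch/2014/11/05/retefe-with-a-new-twist/",
+"http://securityintelligence.com/tsukuba-banking-trojan-phishing-in-japanese-waters/"
+],
+"synonyms": [
+"Tsukaba",
+"Werdlod"
+],
+"date": "Discovered in 2014"
+},
+"description": "Retefe is a banking trojan that is distributed by what SWITCH CERT calls the Retefe gang or Operation Emmental. It uses geolocation based targeting. It also leverages fake root certificate and changes the DNS server for domain name resolution in order to display fake banking websites to victims. It is spread primarily through malspam emails. ",
+"value": "Retefe"
+}
+],
+"version": 1,
+"uuid": "59f20cce-5420-4084-afd5-0884c0a83832",
+"description": "Banking malware galaxy from CCIRC.",
+"authors": [
+"GeekWeek"
+],
+"source": "GeekWeek",
+"type": "banker",
+"name": "Banker"
+}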
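Review bot: Several synonyms in the new cluster file collide across entries, which makes tag-to-cluster matching ambiguous for any consumer that resolves a name through the synonym lists: `"Bugat"` and `"Cridex"` appear under both Dridex and Feodo, and `"Xbot"` is the `value` of one cluster while also listed as a synonym of TinyNuke. Either remove the duplicates from one side or make the synonym lists disjoint so each name resolves to exactly one cluster. The Qakbot synonym `"Qbot "` carries a trailing space, so an exact-match lookup on `Qbot` will miss it; change it to `"Qbot"`. The Panda Banker entry ships `"description": " "`, a whitespace-only string; either fill it from the two refs already listed or omit the key rather than emitting an empty value that renders as blank. Several strings a UI will display verbatim also contain typos (`Initally`, `architectur`, `perforrming`, `it's config`, `It's main functionality`) worth fixing before this is tagged on events.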

8
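--- a/galaxies/android.json
+++ b/galaxies/android.json
@@ -0,0 +1,8 @@
+{
+"description": "Android malware galaxy based on multiple open sources.",
+"type": "android",
+"version": 1,
+"name": "Android",
+"icon": "",
+"uuid": "84310ba3-fa6a-44aa-b378-b9e3271c58fa"
+}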
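Review bot: `"icon": ""` sets the galaxy icon to an empty string rather than an icon name or omitting the key; if the consuming UI treats this field as an icon identifier, an empty value presumably either renders nothing or is rejected by schema validation — confirm against the galaxy schema and either set a real icon name or drop the key. The same empty `icon` appears in the sibling galaxies/banker.json file added by this commit, so whichever choice is made should be applied to both.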

8
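--- a/galaxies/banker.json
+++ b/galaxies/banker.json
@@ -0,0 +1,8 @@
+{
+"description": "Banking malware galaxy from CCIRC.",
+"type": "banker",
+"version": 1,
+"name": "Banker",
+"icon": "",
+"uuid": "59f20cce-5420-4084-afd5-0884c0a83832"
+}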