Merge pull request #267 from Delta-Sierra/master

New clusters
Alexandre Dulaunoy 2018-09-24 21:01:58 +02:00 committed by GitHub
commit 6d58e288b6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 125 additions and 10 deletions


@ -4494,7 +4494,17 @@
},
"uuid": "3e19d162-9ee1-11e8-b8d7-d32141691f1f",
"value": "Skygofree"
},
{
"value": "BusyGasper",
"description": "A new family of spyware for Android grabbed the attention of security researchers through its unusual set of features and their original implementation. Tagged BusyGasper by security experts at Kaspersky, the malware stands out through its ability to monitor the various sensors present on the targeted phone. Based on the motion detection logs, it can recognize the opportune time for running and stopping its activity.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/unsophisticated-android-spyware-monitors-device-sensors/"
]
},
"uuid": "1c8e8070-bfe2-11e8-8c3e-7f31c66687a2"
}
],
"version": 12
"version": 13
}
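Review bot: The new BusyGasper entry orders its keys `value`, `description`, `meta`, `uuid`, whereas the Skygofree entry just above it (and every other entry touched in this PR) ends with `uuid` followed by `value`; if the repository normalizes key order with a formatting pass, run it before merge so later diffs stay minimal. Its `meta` also carries only `refs`, while the other malware entries in this PR record a first-seen `"date"` (e.g. `"date": "2018"`), so consider adding the date from the cited article if it states one. The version bump from 12 to 13 matches the single added cluster.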


@ -580,7 +580,8 @@
"date": "August 2016",
"refs": [
"https://en.wikipedia.org/wiki/Mirai_(malware)",
"https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/"
"https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/",
"https://www.bleepingcomputer.com/news/security/mirai-iot-malware-uses-aboriginal-linux-to-target-multiple-platforms/"
]
},
"related": [
@ -590,6 +591,20 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
},
{
"dest-uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
}
],
"uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
@ -683,15 +698,38 @@
"value": "Mettle"
},
{
"description": "IoT botnet, Mirai variant that has added three exploits to its arsenal. After a successful exploit, this bot downloads its payload, Owari bot - another Mirai variant - or Omni bot.",
"description": "IoT botnet, Mirai variant that has added three exploits to its arsenal. After a successful exploit, this bot downloads its payload, Owari bot - another Mirai variant - or Omni bot. Author is called WICKED",
"meta": {
"date": "2018",
"refs": [
"https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html"
]
},
"related": [
{
"dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
},
{
"dest-uuid": "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
},
{
"dest-uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
}
],
"uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc",
"value": "WICKED"
"value": "Owari"
},
{
"description": "Brain Food is usually the second step in a chain of redirections, its PHP code is polymorphic and obfuscated with multiple layers of base64 encoding. Backdoor functionalities are also embedded in the code allowing remote execution of shell code on web servers which are configured to allow the PHP 'system' command.",
@ -812,7 +850,43 @@
]
},
"uuid": "40795af6-b721-11e8-9fcb-570c0b384135"
},
{
"value": "Sora",
"description": "Big changes on the IoT malware scene. Security researchers have spotted a version of the Mirai IoT malware that can run on a vast range of architectures, and even on Android devices. This Mirai malware strain is called Sora, a strain that was first spotted at the start of the year.Initial versions were nothing out of the ordinary, and Sora's original author soon moved on to developing the Mirai Owari version, shortly after Sora's creation.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/mirai-iot-malware-uses-aboriginal-linux-to-target-multiple-platforms/"
],
"synonyms": [
"Mirai Sora"
]
},
"related": [
{
"dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
},
{
"dest-uuid": "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
},
{
"dest-uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
}
],
"uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56"
}
],
"version": 10
"version": 12
}
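Review bot: Renaming the cluster with uuid `f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc` from `"value": "WICKED"` to `"value": "Owari"` silently breaks anything that refers to it by name (MISP galaxy tags are built from the value, not the uuid), and the old name is preserved nowhere in the entry; keep it resolvable by adding `"synonyms": ["WICKED"]` under that entry's `meta`. The appended sentence `Author is called WICKED` turns an operator handle into an unsourced attribution — the only ref is the Fortinet write-up of the bot family, so either cite the source for the authorship claim or phrase it as reported. In the new Sora entry the description runs two sentences together (`start of the year.Initial`), and its `meta` has no `date` although the text says the strain was first spotted at the start of the year; `"date": "2018"` is implied by the cited article but should be confirmed. The reciprocal `variant-of` edges between Mirai, Owari, Sora and `dcbf1aaa-…` are consistent across the hunks; the version jump 10→12 skips 11, which is harmless but worth a glance.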


@ -2521,7 +2521,8 @@
"meta": {
"date": "2016",
"refs": [
"https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2"
"https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2",
"https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html"
]
},
"uuid": "f647cca0-7416-47e9-8342-94b84dd436cc",
@ -2924,5 +2925,5 @@
"value": "Hallaj PRO RAT"
}
],
"version": 15
"version": 16
}


@ -2592,7 +2592,8 @@
"https://www.cfr.org/interactive/cyber-operations/lazarus-group",
"https://www.cfr.org/interactive/cyber-operations/operation-ghostsecret",
"https://securelist.com/operation-applejeus/87553/",
"https://www.cfr.org/interactive/cyber-operations/compromise-cryptocurrency-exchanges-south-korea"
"https://www.cfr.org/interactive/cyber-operations/compromise-cryptocurrency-exchanges-south-korea",
"https://www.bleepingcomputer.com/news/security/lazarus-group-deploys-its-first-mac-malware-in-cryptocurrency-exchange-hack/"
],
"synonyms": [
"Operation DarkSeoul",
@ -4033,7 +4034,8 @@
"description": "A criminal group dubbed Cobalt is behind synchronized ATM heists that saw machines across Europe, CIS countries (including Russia), and Malaysia being raided simultaneously, in the span of a few hours. The group has been active since June 2016, and their latest attacks happened in July and August.",
"meta": {
"refs": [
"https://www.helpnetsecurity.com/2016/11/22/cobalt-hackers-synchronized-atm-heists/"
"https://www.helpnetsecurity.com/2016/11/22/cobalt-hackers-synchronized-atm-heists/",
"https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-tests-banks-in-russia-and-romania/"
],
"synonyms": [
"Cobalt group",
@ -5859,7 +5861,21 @@
]
},
"uuid": "bea5e256-bcc0-11e8-a478-bbf7e7585a1e"
},
{
"value": "COBALT DICKENS",
"description": "”A threat group associated with the Iranian government. The threat group created lookalike domains to phish targets and used credentials to steal intellectual property from specific resources, including library systems.”",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/iranian-hackers-charged-in-march-are-still-actively-phishing-universities/",
"https://www.cyberscoop.com/cobalt-dickens-iran-mabna-institiute-dell-secureworks/"
],
"synonyms": [
"Cobalt Dickens"
]
},
"uuid": "6c79bd1a-bfde-11e8-8c33-db4d9968671a"
}
],
"version": 64
"version": 65
}
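Review bot: The COBALT DICKENS description is wrapped in typographic closing quotation marks (`”…”`) at both ends, which no other description in this diff uses and which reads as an unattributed verbatim quote; either drop the marks or name the source in the text (the cyberscoop ref points at SecureWorks, whose naming scheme the value follows — confirm). The description asserts an association with the Iranian government, yet `meta` has no `country` field; if this galaxy records `"country"` on other actors, `"country": "IR"` would make that claim machine-readable alongside the prose. The synonym `Cobalt Dickens` differs from the value only in case, which is fine if the file's convention is to list case variants, but should be checked against neighbouring entries.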


@ -2387,6 +2387,20 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
},
{
"dest-uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
}
],
"uuid": "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5",