From 69c5fc30e5854c2e782d8e67ef927956ea4849cc Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 24 Sep 2018 11:07:17 +0200
Subject: [PATCH 1/5] add remcos ref

---
 clusters/rat.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/clusters/rat.json b/clusters/rat.json
index f8024508..17f266b5 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -2521,7 +2521,8 @@
 "meta": {
 "date": "2016",
 "refs": [
- "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2"
+ "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2",
+ "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html"
 ]
 },
 "uuid": "f647cca0-7416-47e9-8342-94b84dd436cc",
@@ -2924,5 +2925,5 @@
 "value": "Hallaj PRO RAT"
 }
 ],
- "version": 15
+ "version": 16
 }
From 2bc8e1e719641e7134d897c0071133586085259f Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 24 Sep 2018 11:51:09 +0200
Subject: [PATCH 2/5] add Cobalt Dickensthreat actor

---
 clusters/threat-actor.json | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b0006a78..83d8a440 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5859,7 +5859,21 @@
 ]
 },
 "uuid": "bea5e256-bcc0-11e8-a478-bbf7e7585a1e"
+ },
+ {
+ "value": "COBALT DICKENS",
+ "description": "”A threat group associated with the Iranian government. The threat group created lookalike domains to phish targets and used credentials to steal intellectual property from specific resources, including library systems.”",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/iranian-hackers-charged-in-march-are-still-actively-phishing-universities/",
+ "https://www.cyberscoop.com/cobalt-dickens-iran-mabna-institiute-dell-secureworks/"
+ ],
+ "synonyms": [
+ "Cobalt Dickens"
+ ]
+ },
+ "uuid": "6c79bd1a-bfde-11e8-8c33-db4d9968671a"
 }
 ],
- "version": 64
+ "version": 65
 }
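Review bot: The COBALT DICKENS description in the threat-actor.json hunk is wrapped in stray U+201D closing-quote characters (`”A threat group … library systems.”`), which suggests text pasted verbatim from a source and will be displayed as-is in every galaxy view; either drop the quote marks or keep the quotation and attribute it in the text (the cyberscoop ref points at a Dell SecureWorks report, presumably the origin of the wording). The lone synonym `Cobalt Dickens` differs from the value only by case, so it adds little for matching; the cyberscoop URL also mentions Mabna Institute, and if that is an alias of the same group it is the synonym worth recording. The entry's key order (`value`, `description`, `meta`, `uuid`) differs from the preceding entry, which ends with `uuid`; not a parser concern, but one order across entries keeps future diffs small.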
From 77897be97e720394c48384d6e8953e59d4f6a78b Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 24 Sep 2018 12:12:41 +0200
Subject: [PATCH 3/5] add BusyGasper android spyware

---
 clusters/android.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/clusters/android.json b/clusters/android.json
index c4b5af0f..135d964e 100644
--- a/clusters/android.json
+++ b/clusters/android.json
@@ -4494,7 +4494,17 @@
 },
 "uuid": "3e19d162-9ee1-11e8-b8d7-d32141691f1f",
 "value": "Skygofree"
+ },
+ {
+ "value": "BusyGasper",
+ "description": "A new family of spyware for Android grabbed the attention of security researchers through its unusual set of features and their original implementation. Tagged BusyGasper by security experts at Kaspersky, the malware stands out through its ability to monitor the various sensors present on the targeted phone. Based on the motion detection logs, it can recognize the opportune time for running and stopping its activity.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/unsophisticated-android-spyware-monitors-device-sensors/"
+ ]
+ },
+ "uuid": "1c8e8070-bfe2-11e8-8c3e-7f31c66687a2"
 }
 ],
- "version": 12
+ "version": 13
 }
From f7e10cb38d91452b545d7d898aaf2fa09c4a4f31 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 24 Sep 2018 14:58:21 +0200
Subject: [PATCH 4/5] add references

---
 clusters/botnet.json | 5 +++--
 clusters/threat-actor.json | 6 ++++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/clusters/botnet.json b/clusters/botnet.json
index 8033e876..1af4520b 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
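Review bot: The BusyGasper description is editorial news prose (`grabbed the attention of security researchers`, `security experts at Kaspersky`) rather than a capability summary, and its only ref is the secondary BleepingComputer article even though the text itself names Kaspersky as the source of the analysis; the primary Kaspersky write-up should be added to `refs` (URL to be looked up) and the description reduced to what the reference supports, e.g. `"description": "Android spyware family, named BusyGasper by Kaspersky, that monitors the phone's sensors and uses motion-detection logs to decide when to run and when to stop its activity."`. The new entry also orders keys `value`, `description`, `meta`, `uuid` while the neighbouring Skygofree entry ends with `uuid`, `value`; order is not significant to a parser, but one consistent order across entries keeps diffs small.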
@@ -580,7 +580,8 @@
 "date": "August 2016",
 "refs": [
 "https://en.wikipedia.org/wiki/Mirai_(malware)",
- "https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/"
+ "https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/",
+ "https://www.bleepingcomputer.com/news/security/mirai-iot-malware-uses-aboriginal-linux-to-target-multiple-platforms/"
 ]
 },
 "related": [
@@ -814,5 +815,5 @@
 "uuid": "40795af6-b721-11e8-9fcb-570c0b384135"
 }
 ],
- "version": 10
+ "version": 11
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 83d8a440..caeb116b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2592,7 +2592,8 @@
 "https://www.cfr.org/interactive/cyber-operations/lazarus-group",
 "https://www.cfr.org/interactive/cyber-operations/operation-ghostsecret",
 "https://securelist.com/operation-applejeus/87553/",
- "https://www.cfr.org/interactive/cyber-operations/compromise-cryptocurrency-exchanges-south-korea"
+ "https://www.cfr.org/interactive/cyber-operations/compromise-cryptocurrency-exchanges-south-korea",
+ "https://www.bleepingcomputer.com/news/security/lazarus-group-deploys-its-first-mac-malware-in-cryptocurrency-exchange-hack/"
 ],
 "synonyms": [
 "Operation DarkSeoul",
@@ -4033,7 +4034,8 @@
 "description": "A criminal group dubbed Cobalt is behind synchronized ATM heists that saw machines across Europe, CIS countries (including Russia), and Malaysia being raided simultaneously, in the span of a few hours. The group has been active since June 2016, and their latest attacks happened in July and August.",
 "meta": {
 "refs": [
- "https://www.helpnetsecurity.com/2016/11/22/cobalt-hackers-synchronized-atm-heists/"
+ "https://www.helpnetsecurity.com/2016/11/22/cobalt-hackers-synchronized-atm-heists/",
+ "https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-tests-banks-in-russia-and-romania/"
 ],
 "synonyms": [
 "Cobalt group",
From 29beb01dc3ed0067db6ccc33f41456147d38d2d7 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 24 Sep 2018 16:06:36 +0200
Subject: [PATCH 5/5] add relationships on Mirai

---
 clusters/botnet.json | 79 ++++++++++++++++++++++++++++++++++++++++++--
 clusters/tool.json | 14 ++++++++
 2 files changed, 90 insertions(+), 3 deletions(-)

diff --git a/clusters/botnet.json b/clusters/botnet.json
index 1af4520b..12f09bea 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -591,6 +591,20 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "variant-of"
+ },
+ {
+ "dest-uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "variant-of"
 }
 ],
 "uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
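Review bot: The two relationships added to the Mirai entry (`fcdfd4af-…`) in the botnet.json hunk are typed `variant-of` but point at Owari (`f24ad5ca-…`) and Sora (`025ab0ce-…`), which states that Mirai is a variant of its own derivatives; the direction is inverted. The existing relationship just above them uses the symmetric `"type": "similar"`, so either change these two to `similar` or leave them out here and keep `variant-of` only on the Owari and Sora entries, which already point back at Mirai. The same inverted edges are added to the `dcbf1aaa-…` entry in the clusters/tool.json hunk at the end of this series. The Mirai entry itself begins before this hunk.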
@@ -684,15 +698,38 @@
 "value": "Mettle"
 },
 {
- "description": "IoT botnet, Mirai variant that has added three exploits to its arsenal. After a successful exploit, this bot downloads its payload, Owari bot - another Mirai variant - or Omni bot.",
+ "description": "IoT botnet, Mirai variant that has added three exploits to its arsenal. After a successful exploit, this bot downloads its payload, Owari bot - another Mirai variant - or Omni bot. Author is called WICKED",
 "meta": {
 "date": "2018",
 "refs": [
 "https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "variant-of"
+ },
+ {
+ "dest-uuid": "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "variant-of"
+ },
+ {
+ "dest-uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "variant-of"
+ }
+ ],
 "uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc",
- "value": "WICKED"
+ "value": "Owari"
 },
 {
 "description": "Brain Food is usually the second step in a chain of redirections, its PHP code is polymorphic and obfuscated with multiple layers of base64 encoding. Backdoor functionalities are also embedded in the code allowing remote execution of shell code on web servers which are configured to allow the PHP 'system' command.",
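Review bot: Renaming the `f24ad5ca-…` entry from `WICKED` to `Owari` leaves its description contradicting its value: the text still says this bot "downloads its payload, Owari bot - another Mirai variant - or Omni bot", i.e. it describes the Wicked bot that drops Owari, not Owari itself, and the appended `Author is called WICKED` does not resolve that. Either keep this uuid as WICKED and add Owari as a new entry with its own uuid, or rewrite the description so it describes Owari; in both cases record the former name under `"synonyms": ["WICKED"]` in `meta`, so galaxy tags that carry the old value keep resolving to this uuid. The new `related` block also marks this entry `variant-of` Sora (`025ab0ce-…`) while the Sora entry in the next hunk marks itself `variant-of` this one; mutual variant-of edges are inconsistent, and since the Sora description says the same author moved from Sora to Owari, `similar` (already used in this file) fits the sibling relationship better.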
@@ -813,7 +850,43 @@
 ]
 },
 "uuid": "40795af6-b721-11e8-9fcb-570c0b384135"
+ },
+ {
+ "value": "Sora",
+ "description": "Big changes on the IoT malware scene. Security researchers have spotted a version of the Mirai IoT malware that can run on a vast range of architectures, and even on Android devices. This Mirai malware strain is called Sora, a strain that was first spotted at the start of the year.Initial versions were nothing out of the ordinary, and Sora's original author soon moved on to developing the Mirai Owari version, shortly after Sora's creation.",
+ "meta": {
+ "refs": [
+ "https://www.bleepingcomputer.com/news/security/mirai-iot-malware-uses-aboriginal-linux-to-target-multiple-platforms/"
+ ],
+ "synonyms": [
+ "Mirai Sora"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "variant-of"
+ },
+ {
+ "dest-uuid": "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "variant-of"
+ },
+ {
+ "dest-uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "variant-of"
+ }
+ ],
+ "uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56"
 }
 ],
- "version": 11
+ "version": 12
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index 5b5b395f..8e86ba4f 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -2387,6 +2387,20 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "variant-of"
+ },
+ {
+ "dest-uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "variant-of"
 }
 ],
 "uuid": "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5",
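Review bot: The Sora description in the botnet.json hunk has a missing space at `year.Initial` and opens with editorial filler (`Big changes on the IoT malware scene.`) that says nothing about the malware; at minimum fix the spacing (`at the start of the year. Initial versions`) and drop that first sentence, keeping the multi-architecture and Android claims the ref supports. The phrase `at the start of the year` is relative to the article's publication date and loses its meaning in a cluster file; state the year explicitly in the text or add a `"date"` field to `meta`, as the `f24ad5ca-…` entry above does with `"date": "2018"`.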