From 32b0e6f95d68f9289386e08b3ffd51350d7e3a33 Mon Sep 17 00:00:00 2001 From: Kafeine Date: Thu, 4 May 2017 11:48:49 +0100 Subject: [PATCH 1/6] Update tds.json --- clusters/tds.json | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/clusters/tds.json b/clusters/tds.json index 6a06fbba..83fb67f2 100755 --- a/clusters/tds.json +++ b/clusters/tds.json @@ -11,6 +11,14 @@ "Commercial" ] } + }, { + "value": "ShadowTDS", + "description": "ShadowTDS is advertised underground since 2016-02. It's in fact more like a Social Engineering kit focused on Android and embedding a TDS", + "meta": { + "type": [ + "Underground" + ] + } }, { "value": "Sutra", From 6d90c3e691fb1b47292900757541ee883b011951 Mon Sep 17 00:00:00 2001 From: Kafeine Date: Thu, 11 May 2017 11:30:50 +0100 Subject: [PATCH 2/6] +Bingo -- Hunter > Retired --- clusters/exploit-kit.json | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json index d6986f7e..9de846d1 100755 --- a/clusters/exploit-kit.json +++ b/clusters/exploit-kit.json @@ -13,7 +13,13 @@ ], "status": "Active" } - } + }, + { + "value": "Bingo", + "description": "Bingo EK is the name chosen by the defense for a Fiesta-ish EK first spotted in March 2017 and targetting at that times mostly Russia", + "meta": { + "status": "Active" + } , { "value": "Terror EK", "description": "Terror EK is built on Hunter, Sundown and RIG EK code", @@ -58,18 +64,7 @@ } } , - { "value": "Hunter", - "description": "Hunter EK is an evolution of 3Ros EK", - "meta": { - "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/Hunter-Exploit-Kit-Targets-Brazilian-Banking-Customers" - ], - "synonyms": [ - "3ROS Exploit Kit" - ], - "status": "Active" - } - }, + { "value": "Kaixin", "description": "Kaixin is an exploit kit mainly seen behind compromised website in Asia", 
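Review bot: The ShadowTDS entry carries only `type` under `meta`, so the statement that it has been advertised underground since 2016-02 has no `refs` backing it, unlike the exploit-kit entries added later in this series. If a public write-up or forum post exists, add `"refs": [ "<REFERENCE-URL-PLACEHOLDER>" ]` next to `type`; if the date comes from the author's own tracking, say so in the description so consumers know the provenance. The description would also read more cleanly as `"ShadowTDS has been advertised underground since 2016-02. It is essentially a social-engineering kit focused on Android, with an embedded TDS."`.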
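Review bot: The Bingo object is never closed in this hunk: the removed `-  }` was the brace that ended the preceding entry, and the added lines close only `meta`, so the new side reads `"meta": { "status": "Active" }` immediately followed by the context `, {` of Terror EK, which no strict JSON parser accepts. The following commit titled "Fix" adds the missing `}`; squashing it into this one keeps every revision of the series parseable, which matters for anyone bisecting or pulling the galaxy at an intermediate commit. The description also has two typos, `targetting at that times` should read `targeting at that time`.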
@@ -172,6 +167,17 @@ ], "status": "Retired" } + }, { "value": "Hunter", + "description": "Hunter EK is an evolution of 3Ros EK", + "meta": { + "refs": [ + "https://www.proofpoint.com/us/threat-insight/post/Hunter-Exploit-Kit-Targets-Brazilian-Banking-Customers" + ], + "synonyms": [ + "3ROS Exploit Kit" + ], + "status": "Retired - Last seen 2017-02-06" + } }, { "value": "GreenFlash Sundown", From 2182a790a3453c8b6523fdf8945346bc2acab25b Mon Sep 17 00:00:00 2001 From: Kafeine Date: Thu, 11 May 2017 11:31:22 +0100 Subject: [PATCH 3/6] Fix --- clusters/exploit-kit.json | 1 + 1 file changed, 1 insertion(+) diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json index 9de846d1..8f66b6c6 100755 --- a/clusters/exploit-kit.json +++ b/clusters/exploit-kit.json @@ -20,6 +20,7 @@ "meta": { "status": "Active" } + } , { "value": "Terror EK", "description": "Terror EK is built on Hunter, Sundown and RIG EK code", From a39dde6dba93b75cedb4f9a9f02077d74a7d57e4 Mon Sep 17 00:00:00 2001 From: Kafeine Date: Thu, 13 Jul 2017 09:33:23 +0100 Subject: [PATCH 4/6] Update exploit-kit.json --- clusters/exploit-kit.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json index 8f66b6c6..6b4b9805 100755 --- a/clusters/exploit-kit.json +++ b/clusters/exploit-kit.json @@ -154,6 +154,16 @@ ], "status": "Active" } + }, + { + "value": "Sundown-P", + "description": "Sundown-P/Sundown-Pirate is a rip of Sundown seen used in a private way (One group using it only) - First spotted at the end of June 2017", + "meta": { + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/[LinkSoon]" + ], + "status": "Active" + } }, { "value": "Bizarro Sundown", From bde18d917f8b278c90a8ec2895c8a1369729ef17 Mon Sep 17 00:00:00 2001 
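Review bot: The new `status` value `"Retired - Last seen 2017-02-06"` packs a date into a free-text status string, and in a spelling that differs from the retired entries already in the file, which use a colon (`"Retired - Last seen: 2014-06"` is visible in the context of the last patch of this series); patch 5 repeats the colon-less form for Neutrino (`"Retired - Last seen 2017-04-10"`) while patch 6 adds WhiteHole with the colon form. Anything filtering on `status` now sees several spellings of one state, so at minimum use the existing form, `"status": "Retired - Last seen: 2017-02-06"`, and consider keeping `status` a fixed enum value with the last-seen date in a separate meta key. Separately, this hunk re-adds the Hunter entry that the first hunk of the commit deleted, so the only semantic change, the status, is hidden inside a 12-line move; editing the status in place would make the intent reviewable. The moved block also opens with `}, { "value": "Hunter",` on a single line, unlike the surrounding entries.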
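Review bot: The reference `http://blog.trendmicro.com/trendlabs-security-intelligence/[LinkSoon]` is a placeholder rather than a resolvable URL (`[` and `]` are not even valid unescaped URL characters), yet it is committed inside `refs`, which consumers treat as citations. Patch 5 in this series swaps in the real post, but this commit on its own publishes a bogus link; either omit the `refs` array until the post is live or mention the pending source in the description instead. The parenthetical `(One group using it only)` would also read better as `(only one group has been seen using it)`.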
From: Kafeine Date: Tue, 15 Aug 2017 20:53:41 +0200 Subject: [PATCH 5/6] +disdain+captainblack-Neutrino --- clusters/exploit-kit.json | 49 ++++++++++++++++++++++++--------------- 1 file changed, 30 insertions(+), 19 deletions(-) diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json index 6b4b9805..363eaf87 100755 --- a/clusters/exploit-kit.json +++ b/clusters/exploit-kit.json @@ -64,6 +64,13 @@ "status": "Active" } } +,{ + "value": "Disdain", + "description": "Disdain EK has been introduced on underground forum on 2017-08-07. The panel is stolen from Sundown, the pattern are Terror alike and the obfuscation reminds Nebula", + "meta": { + "status": "Active" + } + } , { @@ -108,23 +115,6 @@ "status": "Active" } } -, - { "value": "Neutrino", - "description": "Neutrino Exploit Kit has been one of the major exploit kit from its launch in 2013 till september 2016 when it become private (defense name for this variation is Neutrino-v). This EK vanished from march 2014 till november 2014.", - "meta": { - "refs": [ - "http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html", - "http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html" - ], - "synonyms": [ - "Job314", - "Neutrino Rebooted", - "Neutrino-v" - ] - , - "status": "Active" - } - } , { "value": "RIG", "description": "RIG is an exploit kit that takes its source in Infinity EK itself an evolution of Redkit. It became dominant after the fall of Angler, Nuclear Pack and the end of public access to Neutrino. RIG-v is the name given to RIG 4 when it was only accessible by \"vip\" customers and when RIG 3 was still in use.", 
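Review bot: The Disdain entry opens with `+,{`, fusing the separator comma to the brace, whereas the context lines right after the insertion appear to put `,` and `{` on separate lines, as does the Neutrino hunk later in this same patch. Splitting it into `,` and `{` keeps the file's formatting uniform and the diff easier to read. Like ShadowTDS in patch 1, the entry ships without `refs` (patch 6 adds the Trend Micro write-up later), but the description's grammar can be fixed now: `"Disdain EK was introduced on an underground forum on 2017-08-07. The panel is stolen from Sundown, the patterns are Terror-like and the obfuscation is reminiscent of Nebula"`.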
@@ -157,10 +147,14 @@ }, { "value": "Sundown-P", - "description": "Sundown-P/Sundown-Pirate is a rip of Sundown seen used in a private way (One group using it only) - First spotted at the end of June 2017", + "description": "Sundown-P/Sundown-Pirate is a rip of Sundown seen used in a private way (One group using it only) - First spotted at the end of June 2017, branded as CaptainBlack in August 2017", "meta": { "refs": [ - "http://blog.trendmicro.com/trendlabs-security-intelligence/[LinkSoon]" + "http://blog.trendmicro.com/trendlabs-security-intelligence/promediads-malvertising-sundown-pirate-exploit-kit/" + ], + "synonyms": [ + "Sundown-Pirate", + "CaptainBlack" ], "status": "Active" } @@ -411,6 +405,23 @@ } } , + { "value": "Neutrino", + "description": "Neutrino Exploit Kit has been one of the major exploit kit from its launch in 2013 till september 2016 when it become private (defense name for this variation is Neutrino-v). This EK vanished from march 2014 till november 2014.", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html", + "http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html" + ], + "synonyms": [ + "Job314", + "Neutrino Rebooted", + "Neutrino-v" + ] + , + "status": "Retired - Last seen 2017-04-10" + } + } +, { "value": "Niteris", "description": "Niteris was used mainly to target Russian.", From ee3e2b3a14bc33b46055752135063f49b0ecd175 Mon Sep 17 00:00:00 2001 From: Kafeine Date: Tue, 29 Aug 2017 10:36:38 +0100 Subject: [PATCH 6/6] +WhiteHole +ref for Disdain --- clusters/exploit-kit.json | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json index 363eaf87..c17e92d8 100755 --- a/clusters/exploit-kit.json +++ b/clusters/exploit-kit.json 
@@ -68,6 +68,9 @@ "value": "Disdain", "description": "Disdain EK has been introduced on underground forum on 2017-08-07. The panel is stolen from Sundown, the pattern are Terror alike and the obfuscation reminds Nebula", "meta": { + "refs": [ + "http://blog.trendmicro.com/trendlabs-security-intelligence/new-disdain-exploit-kit-detected-wild/" + ], "status": "Active" } } @@ -548,6 +551,16 @@ "status": "Retired - Last seen: 2014-06" } }, + { + "value": "WhiteHole", + "description": "WhiteHole Exploit Kit appeared in January 2013 in the tail of the CVE-2013-0422", + "meta": { + "refs": [ + "http://malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html" + ], + "status": "Retired - Last seen: 2013-12" + } + }, { "value": "Unknown", "description": "Unknown Exploit Kit. This is a place holder for any undocumented Exploit Kit. If you use this tag, we will be more than happy to give the associated EK a deep look.",
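Review bot: The WhiteHole description `appeared in January 2013 in the tail of the CVE-2013-0422` is hard to parse for a reader who does not already know the kit; `appeared in January 2013 in the wake of CVE-2013-0422` says the same thing unambiguously. Its `status` uses the colon form `"Retired - Last seen: 2013-12"`, which matches the older retired entries in the file but not the Hunter and Neutrino entries added earlier in this series, so the series as a whole leaves the status string in two spellings; picking one before merge avoids a later mass edit. The Disdain hunk of this patch, adding the missing `refs`, looks correct.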